Friday, October 18, 2019

My passwordless app on IBM Cloud thanks to FIDO2

Passwordless login for cloud app
In my recent post I discussed how I could use a FIDO2 dongle as second factor for an app on IBM Cloud. Today, I want to give you an update because I managed to go passwordless. With the latest October update Cloud Identity started to offer passwordless login with either FIDO2 or QR code (using the IBM Verify app). I put that to a quick test for my secure file storage app. Here is what I did to go passwordless.

Monday, October 7, 2019

Quick notes on using FIDO2 security keys on Linux

Using FIDO2 keys for 2FA
Most of you know that I am using a Linux laptop. Thus, experimenting with FIDO2 hardware security keys as discussed in the earlier blog post requires some extra setup. But fortunately, most steps are documented somewhere and can be easily found. Here is my writeup for my own benefit...

Using your FIDO2 key for 2FA on IBM Cloud apps

Architecture: End-to-end security
Last week I read the blog on how to protect cloud apps with App ID by using the IBM Cloud Identity user directory. That blog discusses how to configure IBM Cloud Identity as SAML-based identity source for IBM Cloud App ID. Because Cloud Identity supports FIDO2 devices for second factor authentication (2FA) as beta feature, I wanted to test how easy it is to use my USB FIDO2 devices for securing my web apps. For that purpose I picked the app from the solution tutorial discussing end-to-end security for an application on IBM Cloud. App ID is part of the solution architecture (see the diagram).

Friday, October 4, 2019

New tutorial discuss how to enhance cloud app security

Recently, I wrote a new tutorial as part of the IBM Cloud solution tutorials. Have you already developed and deployed an application on IBM Cloud? Then, may be, you followed the introductory tutorial on how to apply end-to-end security to an application. Following "security by design," you are now starting to look into the design of a new application, or perhaps you need to adapt an older application to new security requirements. If that is the case, the new tutorial on how to enhance the security of your deployed application is exactly right for you.

An existing solution is extended for enhanced security

Isolate resources

One of the fundamental principles of cloud computing is the sharing of resources. This could be the sharing of a machine—applications from many users running on the same computer—or just sharing the data center and parts of the infrastructure.
In the new tutorial, you'll learn how you can isolate runtime environments, network traffic, and stored data to increase application security. Some options include the use of dedicated resources or virtual private clouds.

Hyper-protect your data

Almost all services on IBM Cloud that store data use encryption to protect the data against unauthorized access. When using database services or object storage, by default, the encryption key is system-generated. You can increase data protection by controlling the encryption keys. IBM Key Protect and Hyper Protect Crypto Services help you provision encrypted keys for storage services as well as apps.

In the new tutorial, you learn how to control and even bring your own encryption keys. You also find out about the LinuxONE-based Hyper Protect services on IBM Cloud. They provide an extra layer of protection and the highest level of isolation.

Evaluate and monitor app security

Events related to IBM Cloud account activities—such as logging in or provisioning a service—are logged to Activity Tracker with LogDNA. In the tutorial, you learn how to enhance your app to send security or audit messages and integrate them across the stack. Use security advisors and set up notifications to stay ahead and informed.

Get started with the tutorial

The tutorial on how to enhance security of your deployed application is part of the IBM Cloud solution tutorials. It helps you learn about enhanced data encryption options, isolate your application runtime for extended security, and use activity logs and security advisors to evaluate app security.

If you have feedback, suggestions, or questions about this post, please reach out to me on Twitter (@data_henrik) or LinkedIn.