Thursday, January 25, 2024

Tutorial on cloud end-to-end security - an overview

Figure: Cloud solution architecture

Recently, my team updated our tutorial on applying end-to-end security to a cloud application. The tutorial features a typical app with an attached NoSQL database and object storage. Moreover, it leverages other services for increased security and to provide observability. Even better, all components can be automatically deployed, including a Tekton-based delivery pipeline. In this blog post, I am going to provide an overview and discuss some implementation details.

Overview

The tutorial Apply end to end security to a cloud application features a file sharing solution. It is a typical cloud application consisting of a containerized app deployed to a Kubernetes cluster (IBM Cloud Kubernetes Service or Red Hat OpenShift on IBM Cloud) and connected to backing services like a NoSQL database (Cloudant), object storage (S3-compatible Cloud Object Storage) for media files, and App ID to authenticate users. Additional components are used to further secure the solution. A crypto service (Key Protect) handles customer-managed encryption keys, and a Secrets Manager takes care of TLS certificates and Ingress secrets. An Activity Tracker logs security-related events. With those components, the architecture (see the diagram above) is similar to many other cloud solutions.

Node.js app

The containerized application is a Node.js app based on the Express web framework and uses Passport for authentication based on the OpenID Connect (OIDC) standard. It integrates with App ID for user management and uses the OIDC discovery document to configure itself automatically for the deployed App ID service instance, so endpoints and signing keys are never hard-coded.
 
The app serves an HTML index page which loads a single page (JavaScript) app. The latter talks to the Node.js application via API calls served on Express routes. You can find more details in the public GitHub repository.

Security

The tutorial showcases what makes up a cloud application with a focus on security. The solution uses:
  • Identity and Access Management (IAM) to authorize access to all deployed resources,
  • customer-managed encryption keys, bring your own key (BYOK) or keep your own key (KYOK), to control encryption of data at rest,
  • an activity tracker to log all security-related events for auditing purposes,
  • an OpenID Connect-based user authentication flow with App ID, which also allows setting up federated logins,
  • a secrets manager to protect access to TLS certificates and other secrets,
  • optionally, context-based restrictions (CBR) to further restrict access to the services deployed as part of the solution.

Deployment Automation

In addition to the above security features, the entire solution can be created by utilizing Infrastructure as Code (IaC), which reduces risk and configuration drift. An administrator can leverage Schematics (IaC as a service) workspaces to centrally create all components based on the provided Terraform configuration. The Terraform code even establishes a Tekton-based CI/CD pipeline, which builds a new container image after code changes and deploys the container.

Conclusions

A simple file sharing app is the core of the tutorial Apply end to end security to a cloud application. Yet it demonstrates many cloud security features and also shows full automation by leveraging Infrastructure as Code and a CI/CD pipeline. The entire source code, app and automation, is available in the secure-file-storage GitHub repository. Take a look, feedback welcome.

If you have feedback, suggestions, or questions about this post, please reach out to me on Twitter (@data_henrik), Mastodon (@data_henrik@mastodon.social), or LinkedIn.