Recently I was invited to be part of a panel on Microservice Security. The fools! Normally on these panels they want you to talk for 5-ish minutes; unfortunately I came up with about 15 minutes worth of material! That’s perfect for a blog :-) Older designs Before I talk about microservices I want to take a look at older designs Monoliths. A “monolith” is pretty much an “all in one” application.
I got asked another question. I’m going to paraphrase the question for this blog entry. Given the Russian invasion of Ukraine and the response of other nations (sanctions, asset confiscation, withdrawal of services, isolation of the Russian banking system…) there is a chance of enhanced cyber attacks against Western banking infrastructure in retaliation. How can we be 100% sure our cloud environments are secure from this? Firstly, I want to dispel the “100%” myth.
I got asked a question… this gives me a chance to write an opinion. I have lots of them! If I redirect my port 80 traffic to another site, do I need to get a TLS cert? The question here is related to if a bank (or other service) has changed their name, then do they still need to maintain a TLS site for the old name? Can’t they just have http://mybank.
I got asked a question… this gives me a chance to write an opinion. I have lots of them! Is it reasonable to just stick with a single cloud provider, or is it better to go multi-cloud? It think it seems reasonable. I expect very few places are true multi-cloud, as in a given app runs in two clouds. That becomes challenging if trying to use cloud native services ‘cos how you access RDS would be different to how you access Azure SQL, so writing a true multi-cloud application isn’t so simple.
A while back I wrote about some basic usage of SSH certificates as an authentication system. I only described the core, but the comments went into some further detail. I thought it time to write a follow up post describing some of the more advanced features. Quick recap To handle cert based authentication you need a CA certificate. This is created with the ssh-keygen command. e.g. $ mkdir ssh-ca $ cd ssh-ca $ ssh-keygen -f server_ca Server certificates are similarly signed with the same command.
What is IP Allow-Listing Typically when you want to access a remote resource (e.g. login to a server) you need to provide credentials. It might be a simple username/password, it could be via SSH keys, it could use Mutual TLS with client-side certificates… doesn’t really matter. One concern is “what happens if the credential is stolen”. IP allow-listing is a way of restricting where you can use that credential from.
When people ask me something technical, I frequently find it useful to tell the basics as a story or an analogy. Obviously all these stories have limitations to how accurate they can get, but it’s surprising how well it gets people to understand what you mean. So this post is part of a series of “explaining technology as a story” TLS Certificates One of the challenges, on the internet, is to know who you are talking to.
When people ask me something technical, I frequently find it useful to tell the basics as a story or an analogy. Obviously all these stories have limitations to how accurate they can get, but it’s surprising how well it gets people to understand what you mean. So this post is part of a series of “explaining technology as a story” DHCP For a machine to be able to talk over IP it, naturally, needs an IP address.
When people ask me something technical, I frequently find it useful to tell the basics as a story or an analogy. Obviously all these stories have limitations to how accurate they can get, but it’s surprising how well it gets people to understand what you mean. So this post is part of a series of “explaining technology as a story” DNS The internet basically runs on numbers (either IPv4 or IPv6).
When people ask me something technical, I frequently find it useful to tell the basics as a story or an analogy. Obviously all these stories have limitations to how accurate they can get, but it’s surprising how well it gets people to understand what you mean. So this post is part of a series of “explaining technology as a story” Routing Far too frequently there are internet routing issues. Sometimes it gets bad that a large fraction of people can’t work (e.
