Case Study: Secured Data Storage

Issue:

The client wanted to create a system of secured file storage for financial items. Also, the system should be accessible to the end-users in an easy-to-use manner. The problem was that all current Cloud apps like Google Drive, One Drive, etc failed to meet the custom requirements of data storage for the client. Plus, the storage cost was very high based on the number of users. The client first created an application based on a local storage system, but the mechanism of file retrieval was archival and responded slowly. The client also wanted this to be able to a SAAS application rather than a singular use website. But the segregation of data between clients was very necessary.

Approach:

NBL’s approach to the solution was keeping security at the forefront and device and selecting the best possible services from the cloud that can be cost effective yet scalable as per clients’ demand. We first throttled through the type of device required for the application to be run smoothly and without hiccups. The first part of the solution was to ascertain the hosting provider and then deciding on the fastest possible technology to render documents. Once the provider was finalised, we finalized the cloud storage which was cost effective and secured. Security being the forefront, most emphasis was given on the cloud infrastructure security and Application security.

Cloud Infra Finalized

AWS EC2 instances behind Load Balancer to mitigate spikes

AWS S3 for storage, inaccessible from public access and with additional fields in place to check integrity and compliance with client standards

Angular-9 as the frontend tech stack for faster and easy to use Client Application

Dotnet Core for secured API environment with Middleware in place to check out unauthorized access.

AWS RDS – MySQL for storing access to the Files

Trend Micro Cloud One – For Endpoint security and Storage Security

AWS WAF – Web Application Firewall from AWS to secure unauthorised access from the internet and blocking known offenders.

Deployment and Testing:

The first steps were taken at the application level to ensure optimal security is in place for multi-tenant architecture. Once the application was secured then settings were put up on AWS S3 to allow only access from whitelisted domains. Also, for each request from whitelisted domains only users with read access can open the files, this was ensured using additional fields put up on S3 objects and compared at API environment. Once the storage security was in place then we ensured security on the Load balancer. No access was allowed on to the production server except for the bastion server for mitigating risks and uniformity of future changes. Devops plan was devised to move from development to staging to production. Security groups were put in place to ensure no open ports are available for hijacking, only allowed ports were HTTP and HTTPS, with all HTTP requests being auto redirected to HTTPS. Once the deployment was complete, we started testing the feasibility of the infrastructure with Load Testing, Vulnerability and Penetration Testing, Devops Testing and other Application security testing. To further secure the instances, TrendMicro Cloud Security was deployed along with AWS WAF with secured rules to mitigate DDOS and other known malicious attacks. To ensure no malicious file is uploaded even by a secured and authorised user, only certain type of file extensions was allowed and the allowed file were scanned by the antivirus before being uploaded to S3.

Launch:

Once the testing was complete the maintenance of the project was handed over to the client. Tools were put in place to keep us and the client notified on any security breach or error logging on the application on daily interval. Cloud monitoring and alarms were put up to monitor the infrastructure kept running in a smooth and secured manner. As of writing the software hosts more than a million secured documents and more than 50K users.