My customer's security officer has stated that an encrypted connection over the wild internet is not secure because they say that it can be decrypted easily. This is not my area of expertise.
I see my customer starting to explore lifting and shifting application workloads to multiple clouds.
My question: what security token(s) should we aim for to protect integration services such as web services (both ingress as well as call-outs) in a multi-cloud world?
My personal expectation is that the ESB as a pattern will be moved to the cloud in chunks per business domain.
It might very well be that a workload will be transferred from one cloud to the other in the future.
My customer's security officer has expressed concerns with user name/password type access tokens:
HTTPS over the untrusted internet is not considered secure, which means that user name/password type access tokens can be intercepted.
Passwords can "travel" with people when they leave the company, especially for application and administrative logins where our customer has not set a limit on the valid lifetime of a password.
It is possible to duplicate user and password entries across the various clouds, but that is cumbersome (perhaps a nightmare). Providing direct access to the central on-premise LDAP server is probably a no-go, even when the access is over secure LDAP, because of the risk of interception.
I made the following picture to help us THINK:

What should I be looking for when it comes to application security?
Software Defined Perimeters? Message Signing with private keys?
2-way authentication? If so, how do I package the private key in the container image securely in a multi-cloud world?
Am I missing important aspects?
Thank you for reading and please share your opinions.
------------------------------
Best Regards,
RONALD van de KUIL
------------------------------
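To make the "message signing with private keys" option from the post above concrete, here is an added example (not code from the original post or from any product it mentions) that signs a service-to-service request with an Ed25519 key that never leaves the calling workload. The receiver verifies the signature over method, path, timestamp and body digest, so an intercepted request yields no reusable credential, a modified body is rejected, and a replay outside the time window is rejected. The header layout, window size and sample payload are assumptions for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
)

// canonical builds the string that both sides sign and verify: method,
// path, a Unix timestamp (for the replay window) and the SHA-256 of the body.
func canonical(method, path string, ts int64, body []byte) []byte {
	sum := sha256.Sum256(body)
	return []byte(strings.Join([]string{method, path, fmt.Sprint(ts), hex.EncodeToString(sum[:])}, "\n"))
}

// Sign runs on the calling workload; the private key stays there.
func Sign(priv ed25519.PrivateKey, method, path string, ts int64, body []byte) []byte {
	return ed25519.Sign(priv, canonical(method, path, ts, body))
}

// Verify runs on the receiving service, which only holds the public key.
// It rejects timestamps outside +/- window seconds of its own clock (replay)
// and any change to method, path or body (tampering).
func Verify(pub ed25519.PublicKey, method, path string, ts, now, window int64, body, sig []byte) bool {
	if ts < now-window || ts > now+window {
		return false
	}
	return ed25519.Verify(pub, canonical(method, path, ts, body), sig)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	body := []byte(`{"order":42}`) // constructed sample payload
	sig := Sign(priv, "POST", "/orders", 1700000000, body)
	fmt.Println("valid:", Verify(pub, "POST", "/orders", 1700000000, 1700000010, 300, body, sig))
	fmt.Println("tampered body:", Verify(pub, "POST", "/orders", 1700000000, 1700000010, 300, []byte(`{"order":43}`), sig))
	fmt.Println("replayed later:", Verify(pub, "POST", "/orders", 1700000000, 1700009000, 300, body, sig))
}
```

In practice the public key (or the certificate carrying it) is what you distribute across clouds, while each workload's private key is provisioned at deploy time by the platform's secret store rather than baked into the container image.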