In this article we describe 8 main technologies that allow us to protect our clients' data against unauthorized access, modification, and loss.
1. Intel SGX
Intel SGX is a set of processor instructions that allow an application to allocate private regions of code and data. The application places sensitive code and data into enclaves, i.e., private memory areas. Enclave memory is encrypted by the CPU and cannot be read or modified by any software outside the enclave, including software running at more privileged levels such as the OS and the hypervisor.
Data processed inside an enclave is therefore protected against disclosure and tampering even if the host is compromised: neither the cloud provider's administrators nor an attacker who controls the host OS or hypervisor can read enclave memory. An enclave is only as trustworthy as the code running inside it, so the code placed there should be kept small and reviewed.
Figure: SGX enclave design
We've integrated Intel SGX into our cloud using the SCONE confidential computing platform. It transparently encrypts network traffic, files, and input and output streams, and protects the application against access through the OS, the hypervisor, or any other software on the host. The platform also provides remote attestation: before secrets or configuration are released to an application, it verifies that exactly the expected code is running inside a genuine enclave, which lets you safely configure applications that handle confidential data.
You can read more about this technology in our article “Why did we integrate Intel SGX into Gcore Cloud”.
In May 2021, we launched our first virtual instances supporting the Intel SGX technology. At first, the instances were available for rent only in Luxembourg but now you can rent a virtual machine supporting this technology in any of our core locations.
Such virtual instances are especially relevant for projects with elevated security requirements. Any confidential information, including your clients' payment data, can be processed inside enclaves.
2. Isolated secure network
Figure: Gcore Cloud private network
Each server in the network has a private IP address that is not reachable from the Internet. To communicate with the Internet, a machine is assigned a floating IP: a public address that is mapped to its private address and on whose behalf the server sends and receives Internet traffic.
To increase fault tolerance and network security, we apply the following measures:
- All network components are redundant.
- Network interfaces on our servers are bonded (link aggregation) by default, so the loss of one link or switch does not interrupt connectivity.
- The security settings of the access switches include protection against ARP spoofing and similar layer 2 attacks.
3. Cloud firewall
All virtual instances in our Cloud can be protected against network threats with a firewall: a network security layer that filters incoming and outgoing traffic according to a configurable set of rules.
Each rule specifies the protocol, the port or port range, and the addresses (the source for incoming traffic, the destination for outgoing traffic) that are allowed. Traffic that matches no rule is blocked.
You can use the default firewall, with the rules already set, or customize this protection feature on your own taking into account your project specifics.
You can enable and configure the firewall for free in the control panel. Read more about it in our knowledge base.
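To make the allow-list semantics above concrete, here is an added example (not Gcore's rule format, control panel code, or default rule set) of a default-deny rule evaluator in Python. The rule set, the admin network (the RFC 5737 documentation range 203.0.113.0/24) and the sample packets are all constructed for illustration. Beyond the text, it also includes a small audit pass that flags the most common configuration mistake, an administrative port such as SSH opened to 0.0.0.0/0.

```python
"""Default-deny firewall rule evaluation (added example, standard library only).
Rules, packets and address ranges below are constructed for illustration."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Ports that should never be reachable from the whole Internet (assumption for the audit).
ADMIN_PORTS = {22, 3389}


@dataclass(frozen=True)
class Rule:
    direction: str                    # "ingress" (to the server) or "egress" (from it)
    protocol: str                     # "tcp", "udp", "icmp" or "any"
    ports: Optional[Tuple[int, int]]  # inclusive port range, None = any port
    remote: str                       # CIDR of the source (ingress) or destination (egress)


@dataclass(frozen=True)
class Packet:
    direction: str
    protocol: str
    port: int        # destination port for ingress, remote port for egress (0 for icmp)
    remote_ip: str


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    """True if every field of the rule covers the packet."""
    if rule.direction != pkt.direction:
        return False
    if rule.protocol != "any" and rule.protocol != pkt.protocol:
        return False
    if rule.ports is not None and not (rule.ports[0] <= pkt.port <= rule.ports[1]):
        return False
    return ipaddress.ip_address(pkt.remote_ip) in ipaddress.ip_network(rule.remote)


def is_allowed(rules: List[Rule], pkt: Packet) -> bool:
    """Allow-list semantics: traffic passes only if some rule matches; everything else is dropped."""
    return any(rule_matches(r, pkt) for r in rules)


def audit(rules: List[Rule]) -> List[str]:
    """Flag ingress rules that expose administrative ports to every address (prefix length 0)."""
    findings = []
    for r in rules:
        if r.direction != "ingress" or r.protocol not in ("tcp", "any"):
            continue
        if ipaddress.ip_network(r.remote).prefixlen != 0:
            continue
        lo, hi = r.ports if r.ports else (0, 65535)
        exposed = sorted(p for p in ADMIN_PORTS if lo <= p <= hi)
        if exposed:
            findings.append(f"{r.protocol} {exposed} open to {r.remote}")
    return findings


# Constructed rule set: web ports public, SSH only from the admin network, all egress allowed.
WEB_RULES = [
    Rule("ingress", "tcp", (80, 80), "0.0.0.0/0"),
    Rule("ingress", "tcp", (443, 443), "0.0.0.0/0"),
    Rule("ingress", "tcp", (22, 22), "203.0.113.0/24"),
    Rule("egress", "any", None, "0.0.0.0/0"),
]

# The same rule set with the common mistake of opening SSH to everyone.
SLOPPY_RULES = WEB_RULES[:2] + [Rule("ingress", "tcp", (22, 22), "0.0.0.0/0")] + WEB_RULES[3:]


def demo():
    """Evaluate a few constructed packets and audit both rule sets."""
    checks = {
        "https_from_internet": is_allowed(WEB_RULES, Packet("ingress", "tcp", 443, "198.51.100.7")),
        "ssh_from_admin": is_allowed(WEB_RULES, Packet("ingress", "tcp", 22, "203.0.113.10")),
        "ssh_from_internet": is_allowed(WEB_RULES, Packet("ingress", "tcp", 22, "198.51.100.7")),
        "dns_udp_inbound": is_allowed(WEB_RULES, Packet("ingress", "udp", 53, "198.51.100.7")),
        "egress_any": is_allowed(WEB_RULES, Packet("egress", "tcp", 5432, "192.0.2.9")),
    }
    return checks, audit(WEB_RULES), audit(SLOPPY_RULES)


if __name__ == "__main__":
    checks, clean, sloppy = demo()
    for name, allowed in checks.items():
        print(f"{name:22s} {'ALLOW' if allowed else 'DROP'}")
    print("audit of WEB_RULES:", clean or "no findings")
    print("audit of SLOPPY_RULES:", sloppy)
```

The evaluator has no "deny" rules on purpose: as in the cloud firewall described above, anything not explicitly allowed is dropped, so the only way to expose a service is to add a rule for it, and the audit catches the rule you would regret adding.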
4. WAF (Web Application Firewall)
The cloud firewall works at the network and transport layers and provides basic protection against network threats. To protect web applications themselves against exploitation and unauthorized access to your data, we offer our clients a Web Application Firewall (WAF), which inspects HTTP requests at the application layer.
The WAF shields the vulnerable parts of your web application from attackers. It has its own vulnerability scanner, warns you about any weaknesses it finds, and recommends how to fix them.
The WAF handles large traffic volumes and does not rely on static rules alone: self-learning algorithms reduce false positives, so only suspicious requests are blocked while legitimate traffic passes unaffected.
Attacks are blocked in real time, without taking the web application offline.
5. DDoS protection
We protect virtual instances and bare metal servers against all known DDoS attacks at the network (L3) and transport (L4) layers.
All incoming traffic to your resources passes through a filtering platform that inspects every packet, compares it against current attack signatures, and drops packets that match.
As a result, only legitimate traffic reaches your resource; malicious packets are dropped before they get there.
Figure: How DDoS protection works
Because filtering is always on rather than switched on after an attack is detected, this model is effective even against low-volume attacks: malicious traffic is blocked from the very first packet.
In our Cloud, DDoS protection is free and available by default on all virtual machines and dedicated servers.
6. Secrets management
This feature allows you to store SSL/TLS certificates and private keys securely in the system and to use them to establish HTTPS connections between your load balancers and your clients.
Secrets are PKCS#12 files: a binary container format for storing and transferring a certificate together with its private key. A file contains:
- the server certificate: a document signed by a certificate authority that binds your domain name to your public key, so that clients can verify they are talking to you;
- the certificate chain: the intermediate certificates of the certificate authorities involved in issuing your certificate, which clients need to build a trust path to a root they already trust;
- the private key: the key corresponding to the public key in the certificate; the load balancer uses it during the TLS handshake to prove that it owns the certificate, and it must never be shared.
You upload the file in the cloud control panel. After that you can create a load balancer with an HTTPS listener, i.e., a listener that terminates TLS and establishes an encrypted connection with your clients.
Read more in our knowledge base about how to use this feature.
7. Secure access to resources
In our Cloud, data access is fully controlled by the clients.
1. Two-factor authentication. You can enable it in the control panel, so that a stolen password alone is not enough to sign in to your account.
2. Access control. You can grant your team members different levels of access and separate access levels per project, so that cloud resources are available only to the people who need them.
3. API tokens. A token is a credential with a configurable expiration period that is used to access your account via the API and to automate your application's interaction with the cloud.
API tokens are not tied to a user session. When creating one, you choose its expiration date or leave it unlimited. Automation can then authenticate with a token instead of a username and password, so account credentials never have to be handed to other people or embedded in scripts. Treat a token as a secret: store it outside your code, prefer a finite expiry over an unlimited one, and rotate it periodically.
8. Data loss prevention
We protect our clients' data not only against unauthorized access and modification but also against loss in the event of hardware or infrastructure failures.
Several mechanisms contribute to this.
For example, three-way replication in the data storage system (DSS) is enabled for all our clients by default. Every object written to the cloud is stored as three copies distributed across the DSS. If a disk or node fails, the data remains available from the remaining copies. Note that replication protects against hardware failure, not against accidental deletion or a destructive attack: a deleted or encrypted object is deleted or encrypted in all three copies, so it does not replace backups.
In addition, we offer a disaster recovery service. A hot standby copy of your entire infrastructure is maintained in the cloud; it is created in the background and does not affect performance.
In case of a failure, your traffic is automatically redirected to the standby copy. The switchover time is bounded by the RTO (recovery time objective), the maximum acceptable recovery time, which is agreed and fixed in advance. We guarantee an RTO of no more than 3 minutes.
The following technologies and features make our Cloud a secure platform fully compliant with PCI DSS and ISO 27001 requirements:
- Intel SGX: a set of processor instructions that lets you place part of your code and confidential data into enclaves whose memory cannot be read or modified by the OS, the hypervisor, or any other software on the host.
- Isolated secure networks into which virtual instances and bare metal servers can be integrated.
- Cloud firewall: default-deny filtering of incoming and outgoing traffic.
- WAF: an application-layer security system that shields the vulnerable parts of web applications from attackers.
- DDoS protection: filtering of traffic through a dedicated platform that drops illegitimate packets.
- Secrets management: storing SSL/TLS certificates and private keys in a reliable system and using them for HTTPS connections between load balancers and clients.
- Secure access to your resources: two-factor authentication, full control over the users that can access the control panel, and API tokens for connecting via the API.
- Data loss prevention: three-way replication in the DSS and a disaster recovery service.