QCloud is committed to providing a secure and resilient environment and a robust architecture for its customers through the implementation of comprehensive security measures. This article serves as a guide for organizations to understand the architecture and security features of QCloud, empowering them to implement effective security strategies tailored to their specific needs.
Deployment & Services Architecture #
Deployment Model #
QCloud is designed to be deployed as an on-premises solution, ensuring that customers have full control over their infrastructure, data, and security policies. This deployment model guarantees that all customer data remains within the customer’s environment, complying with data sovereignty regulations and providing complete control over security practices.
The QCloud platform is deployed on Kubernetes clusters within the customer’s datacentre, leveraging a containerized and microservices architecture to provide high scalability, availability, and isolation between services. This architecture enables seamless integration with existing IT environments while maintaining strict security controls.
On-premises deployment brings the following benefits:
Customer-Owned Data
Since QCloud is deployed on-premises, all customer data is stored locally within the customer’s infrastructure. Unlike cloud-based SaaS solutions, QCloud ensures that customer data never leaves the organization’s environment unless explicitly permitted. This deployment model provides:
- Compliance with local, national, or industry-specific data residency regulations.
- Customers retain complete control over their data, network security, and infrastructure.
Security Boundaries
The on-premises deployment model creates a strong security boundary, isolating QCloud from external, cloud-based risks. This ensures that:
- QCloud operates within the customer’s trusted network, protected by the organization’s firewalls, VPNs, and other network security appliances.
- External access to the QCloud platform can be tightly controlled, with all traffic passing through customer-defined security gateways.
Customer-Controlled Network Security
As QCloud is deployed within the customer’s data center, all network security measures are managed by the customer. This includes:
- Customers can define firewall rules, ensuring that only authorized traffic flows in and out of the QCloud platform.
- For remote access or multi-site deployment scenarios, customers can leverage secure VPN tunnels or dedicated connections to enforce encrypted communication between different locations.
Services Architecture #
QCloud is designed using a microservices architecture, with each service playing a distinct role in the overall operation of the platform. These services are containerized and deployed over Kubernetes, ensuring scalability, modularity, and secure communication between components.

Below is a high-level overview of the core services that make up the QCloud platform:
- Frontend: The user interface that provides a seamless experience for managing cloud resources, billing, and settings.
- Backend: The core engine that processes user requests and orchestrates communication between all services.
- API Gateway: The centralized entry point for all API requests, responsible for routing, load balancing, and enforcing security policies.
- Payment Gateway: Manages all financial transactions, including billing, invoicing, and integration with external payment providers.
- Help Desk: The support system that allows users to raise tickets and receive assistance from the support team.
- Vault: Powered by HashiCorp Vault, this service securely manages secrets, such as passwords and API keys, ensuring they are protected and only accessible by authorized services.
- Identity: Built on Keycloak, this service handles authentication and authorization, providing secure identity management and role-based access control (RBAC).
- Billing Cron: Automates the billing process, ensuring accurate calculation of usage and timely generation of invoices for both recurring and one-time charges.
Security Architecture #
Traffic Flow #
The traffic flow within the QCloud environment is designed to ensure secure, efficient communication between clients and the various microservices that constitute the platform. Customers have the flexibility to enhance their security posture by integrating their perimeter security appliances, including firewalls and Web Application Firewalls (WAFs), to protect the QCloud deployment.

- Client Requests: User traffic initiates from client applications or end-users, directed toward the QCloud platform.
- Perimeter Security: Before reaching QCloud, client requests pass through the customer’s integrated security appliances, such as firewalls and WAFs. This setup allows organizations to enforce their security policies, perform traffic inspection, and mitigate threats before they access the QCloud environment.
- NGINX Load Balancer: Once requests clear the perimeter security checks, they reach the NGINX load balancer. NGINX is responsible for distributing incoming traffic efficiently across multiple instances of the QCloud services, ensuring optimal resource utilization and high availability. This load balancing mechanism improves performance and provides resilience against potential service disruptions.
- Kubernetes Ingress Controller: After passing through the load balancer, requests are directed to the Kubernetes ingress controller. The ingress controller routes traffic to the appropriate microservices based on the defined rules, ensuring that requests are processed by the correct service within the QCloud architecture.
- Service Communication: Finally, the ingress controller forwards requests to the relevant backend services within the QCloud platform, enabling seamless communication between the frontend, backend, API gateway, and other services.
This layered approach to traffic flow not only enhances the security of the QCloud environment but also allows for flexibility in integrating existing security solutions that customers may already have in place.
Implementing TLS/SSL #
When implementing TLS (Transport Layer Security) and SSL (Secure Sockets Layer) for QCloud, the strategy depends on the specific security requirements, performance considerations, and infrastructure setup of the customer. Below is a breakdown of the different options for where to offload TLS/SSL and their pros and cons.
TLS/SSL Offloading on Kubernetes Ingress Controller
One effective method for securing QCloud is to offload TLS/SSL at the Kubernetes Ingress Controller. In this configuration, the ingress controller is responsible for terminating TLS/SSL connections and forwarding unencrypted traffic to the internal services.
This method simplifies management by integrating well with Kubernetes-native tools like Cert-Manager for automating certificate management, centralizes certificate handling within the Kubernetes cluster, and allows for easy automation of certificate provisioning and rotation.

TLS/SSL Offloading on NGINX Load Balancer
Another option for securing QCloud is to implement an NGINX Load Balancer in front of the Kubernetes ingress controller, which will handle TLS/SSL termination.
This setup provides an additional layer of security, allowing for advanced features like rate limiting and DDoS protection while reducing the load on the Kubernetes ingress controller, thus enhancing performance. Additionally, it offers more granular control over TLS/SSL settings, including cipher suites and protocol versions.

TLS/SSL Offloading at Customer’s Firewall or WAF
Offloading TLS/SSL at the customer’s firewall or Web Application Firewall (WAF) allows the customer to handle encryption and decryption at the perimeter before traffic reaches the QCloud platform.
This method centralizes security management and enables comprehensive traffic inspection, ensuring compliance with internal security policies. It also allows for a unified control of TLS/SSL settings for all traffic entering the infrastructure.

Data Security #
Data security is a critical component of the QCloud architecture, ensuring that customer data, sensitive information, and cryptographic keys are well-protected throughout their lifecycle. By leveraging advanced security practices and technologies, QCloud aims to provide a robust framework that mitigates the risks of data breaches and unauthorized access.
Key-Based Decryption with HashiCorp Vault
At the core of QCloud’s data security strategy is HashiCorp Vault, a leading solution for secure key management. HashiCorp Vault allows QCloud to securely store, manage, and control access to sensitive data, including encryption keys and credentials.
HashiCorp Vault centralizes the management of secrets, ensuring that sensitive information is stored in a secure and controlled environment. This reduces the risk of exposure by eliminating the need to hard-code secrets within application code.
Data Encryption at Rest
Before storing sensitive customer data, QCloud applies a salting process using the keys obtained from HashiCorp Vault. This involves adding a unique, random salt value to the data, which is then encrypted using strong encryption algorithms. This method adds an additional layer of security by making it significantly more challenging for unauthorized parties to decipher the data.
Data Encryption in Transit
Data transmitted to and from QCloud externally is secured using TLS/SSL protocols. This protects data from interception during transmission and ensures that only authorized entities can access the information.
API Security #
API security is a critical aspect of the QCloud architecture, ensuring that data and resources are protected from unauthorized access while maintaining the performance and usability of the platform. QCloud employs several key security measures, including JSON Web Tokens (JWT), API rate limiting, and a clear segregation of access between administrative and customer-facing portals.
JSON Web Tokens (JWT)
QCloud utilizes JSON Web Tokens (JWT) as a secure mechanism for authentication and authorization between clients and servers. JWTs enable the following benefits:
- Stateless Authentication: JWTs are self-contained tokens that encapsulate user identity and claims in a compact format. This allows the server to authenticate users without maintaining session state, improving scalability and performance.
- Secure Information Exchange: Each JWT is digitally signed, ensuring the integrity of the data it carries. This prevents tampering and guarantees that the information within the token is trusted. Additionally, JWTs can be encrypted to protect sensitive information.
- Role-Based Access Control: JWTs can carry claims that specify the user’s role, enabling QCloud to implement role-based access control. This ensures that users only have access to the APIs and resources permitted for their specific role, enhancing security.
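The three properties above (a self-contained token, a signature that detects tampering, and a role claim that drives authorization) can be shown end to end in a few dozen lines. The following is an added example, not QCloud's or Keycloak's code: it mints and verifies an HS256 JWT with the Python standard library and then gates two hypothetical endpoints on the `role` claim. The secret key, the endpoint names and the role-to-endpoint table are constructed for the demonstration; a real deployment would obtain the verification key from the Identity service and would normally use an asymmetric algorithm so that services which verify tokens cannot also mint them.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo key (assumption). In QCloud the signing key would be held by
# the Identity service and Vault, never embedded in application code.
DEMO_SECRET = b"constructed-demo-hmac-key-do-not-use"

# Constructed sample policy: which roles may call which endpoint (assumption).
ENDPOINT_ROLES = {
    "GET /api/v1/invoices": {"customer", "reseller", "cloud-admin"},
    "POST /api/v1/resellers": {"cloud-admin"},
}


def b64url_encode(raw: bytes) -> str:
    """JWT uses unpadded base64url for every segment."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(subject, role, ttl_seconds, key=DEMO_SECRET, now=None):
    """Mint an HS256 JWT carrying the caller's identity and role claim."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": subject, "role": role, "iat": now, "exp": now + ttl_seconds}
    signing_input = ".".join(
        b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, payload)
    )
    signature = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(signature)


def verify_token(token, key=DEMO_SECRET, now=None):
    """Return the claims if signature and expiry check out, otherwise None."""
    now = int(time.time()) if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        signature = b64url_decode(sig_b64)
        payload = json.loads(b64url_decode(payload_b64))
    except ValueError:  # wrong segment count, bad base64 or bad JSON
        return None
    # Pin the algorithm: the token must never choose how it is verified.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return None
    exp = payload.get("exp") if isinstance(payload, dict) else None
    if not isinstance(exp, int) or now >= exp:
        return None
    return payload


def authorize(token, endpoint, key=DEMO_SECRET, now=None):
    """Stateless authorization: no session lookup, only the verified claims."""
    claims = verify_token(token, key, now)
    if claims is None:
        return False, "invalid or expired token"
    allowed = ENDPOINT_ROLES.get(endpoint)
    if allowed is None:
        return False, "unknown endpoint"
    if claims.get("role") not in allowed:
        return False, f"role {claims.get('role')!r} not permitted"
    return True, "ok"


if __name__ == "__main__":
    tok = issue_token("alice", "customer", ttl_seconds=3600)
    print(authorize(tok, "GET /api/v1/invoices"))
    print(authorize(tok, "POST /api/v1/resellers"))
```

The verifier rejects a token whose payload has been swapped for one from a differently-privileged token (the signature no longer matches), a token whose header claims `alg: none`, and a token past its `exp`. Pinning the algorithm before checking the signature is the check most JWT libraries get wrong by default and is worth confirming in whatever library the deployment uses.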
API Rate Limiting
To protect QCloud against abusive behaviors, such as denial-of-service attacks or excessive API calls, the platform implements API rate limiting. This feature provides several advantages:
- Prevention of Abuse: By restricting the number of API requests a user or IP address can make within a specified time frame, rate limiting helps prevent misuse and protects the availability of the services.
- Quality of Service: Rate limiting ensures that all users have equitable access to resources, preventing a single user from monopolizing bandwidth and causing performance degradation for others.
- Customizable Policies: QCloud allows administrators to define customizable rate limiting policies based on specific API endpoints, user roles, or client applications, providing flexibility in managing API usage.
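To make the three points concrete, here is an added example (not QCloud's own rate limiter) of a sliding-window limiter keyed on the caller and the endpoint, with policies resolved per endpoint, then per role, then a default. The policy table, endpoint names and limits are constructed for the demonstration; the `ManualClock` exists so the behaviour can be checked without waiting for real windows to expire.

```python
import time
from collections import defaultdict, deque

# Constructed sample policies (assumption): (max requests, window in seconds).
# Resolution order: per-endpoint rule, then per-role rule, then the default.
POLICIES = {
    "endpoint:POST /api/v1/auth/login": (5, 60),
    "role:cloud-admin": (600, 60),
    "role:customer": (120, 60),
    "default": (60, 60),
}


class ManualClock:
    """Deterministic clock so the limiter can be exercised without sleeping."""

    def __init__(self, start=0.0):
        self.now = start

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


def resolve_policy(endpoint, role, policies=POLICIES):
    """Most specific rule wins: endpoint, then role, then the default."""
    for key in (f"endpoint:{endpoint}", f"role:{role}", "default"):
        if key in policies:
            return policies[key]
    raise KeyError("no default policy configured")


class SlidingWindowLimiter:
    def __init__(self, policies=POLICIES, clock=time.monotonic):
        self.policies = policies
        self.clock = clock
        # (subject, endpoint) -> timestamps of requests still inside the window
        self.history = defaultdict(deque)

    def allow(self, subject, endpoint, role=None):
        """Return (allowed, retry_after_seconds) for one request.

        subject is the authenticated user id, or the client IP address for
        unauthenticated calls such as login, so one noisy client cannot
        exhaust the quota of everyone else on the same endpoint.
        """
        limit, window = resolve_policy(endpoint, role, self.policies)
        now = self.clock()
        stamps = self.history[(subject, endpoint)]
        # Drop requests that have aged out of the window.
        while stamps and now - stamps[0] >= window:
            stamps.popleft()
        if len(stamps) >= limit:
            # Tell the client when the oldest counted request will expire.
            return False, window - (now - stamps[0])
        stamps.append(now)
        return True, 0.0


if __name__ == "__main__":
    clock = ManualClock()
    limiter = SlidingWindowLimiter(clock=clock)
    for i in range(7):
        print(i + 1, limiter.allow("203.0.113.10", "POST /api/v1/auth/login"))
```

The `retry_after` value is what an API gateway would put in a `Retry-After` header alongside the 429 response. Keying unauthenticated endpoints on the source address rather than a username also means a login endpoint limits the attacker's attempts rather than locking out the legitimate user.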
Audit Logs in QCloud #
Audit logs play a crucial role in maintaining the integrity, security, and accountability of the QCloud environment. By capturing detailed records of system activities and user interactions, QCloud ensures that organizations have the necessary visibility to monitor access, detect anomalies, and comply with regulatory requirements.
Built-in Audit Logs
QCloud features a robust built-in audit logging mechanism designed to provide comprehensive tracking of all critical operations within the system. These logs capture various activities including audit trails. Every action performed by users (administrators, resellers or customers) in the QCloud portal is recorded, detailing the identity of the user, the nature of the request, and the outcome (successful or failed). This information is vital for identifying unauthorized access attempts and ensuring that audit.
Access Logs & History
In addition to audit logs, QCloud includes a dedicated access logs feature that tracks all user authentication activities. This component is essential for monitoring user behavior and maintaining a secure environment. Each login attempt is logged, including details such as the username, timestamp, IP address, and the success or failure of the authentication. This information is crucial for detecting potential security threats, such as brute-force attacks or unauthorized access attempts.
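The brute-force case mentioned above is the one a detection engineer would wire up first against these access logs. The following is an added example, not a QCloud feature: it parses a handful of constructed log lines that carry the four fields the article lists (username, timestamp, IP address, outcome), then flags any source address with five or more failed logins inside a five-minute sliding window and records whether a success from the same address followed the burst. The line format is invented for the example; QCloud's real access log format is not documented here, so only the regular expression would need to change.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample lines in a hypothetical format (assumption).
SAMPLE_ACCESS_LOG = """\
2024-05-01T10:00:01Z user=bob ip=198.51.100.7 result=SUCCESS
2024-05-01T10:00:15Z user=alice ip=203.0.113.10 result=FAILURE
2024-05-01T10:00:20Z user=alice ip=203.0.113.10 result=FAILURE
2024-05-01T10:00:26Z user=alice ip=203.0.113.10 result=FAILURE
2024-05-01T10:00:31Z user=alice ip=203.0.113.10 result=FAILURE
2024-05-01T10:00:37Z user=alice ip=203.0.113.10 result=FAILURE
2024-05-01T10:00:44Z user=alice ip=203.0.113.10 result=SUCCESS
2024-05-01T10:05:00Z user=carol ip=198.51.100.7 result=FAILURE
2024-05-01T10:05:10Z user=carol ip=198.51.100.7 result=SUCCESS
this line is malformed and must be skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) user=(?P<user>\S+) "
    r"ip=(?P<ip>\S+) result=(?P<result>SUCCESS|FAILURE)$"
)


def parse_access_log(text):
    """Turn raw lines into events; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if match is None:
            continue
        ts = datetime.strptime(match["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append({
            "ts": ts,
            "user": match["user"],
            "ip": match["ip"],
            "ok": match["result"] == "SUCCESS",
        })
    return events


def detect_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Flag source IPs with >= threshold failed logins inside a sliding window.

    Each finding records the usernames tried and whether a successful login
    from the same IP followed the burst, which is the case that needs an
    immediate response rather than a routine review.
    """
    by_ip = defaultdict(list)
    for event in sorted(events, key=lambda e: e["ts"]):
        by_ip[event["ip"]].append(event)

    findings = []
    for ip, evs in by_ip.items():
        failures = [e for e in evs if not e["ok"]]
        start = 0
        for end in range(len(failures)):
            # Slide the window start forward until it spans at most `window`.
            while failures[end]["ts"] - failures[start]["ts"] > window:
                start += 1
            if end - start + 1 >= threshold:
                burst = failures[start:end + 1]
                last_ts = burst[-1]["ts"]
                findings.append({
                    "ip": ip,
                    "failures": len(burst),
                    "users": sorted({e["user"] for e in burst}),
                    "first": burst[0]["ts"],
                    "last": last_ts,
                    "success_after": any(e["ok"] and e["ts"] > last_ts for e in evs),
                })
                break  # one finding per IP is enough to raise an alert
    return findings


if __name__ == "__main__":
    for finding in detect_bruteforce(parse_access_log(SAMPLE_ACCESS_LOG)):
        print(finding)
```

Grouping by source address rather than by username is deliberate: it catches both repeated guesses against one account and a spray across many accounts from one host, and the `users` list in the finding tells the analyst which of the two it was.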
Access Control Lists (ACLs) in QCloud #
Access Control Lists (ACLs) are a fundamental component of the QCloud security framework, ensuring that users have appropriate levels of access based on their roles and responsibilities. By implementing a structured access control model, QCloud enables organizations to maintain security, data integrity, and operational efficiency.
Tiered Account Structure
QCloud employs a tiered account structure that consists of three distinct tiers: Cloud-Admins, Resellers, and Customers. Each tier has specific privileges and access levels tailored to their roles:
- Cloud-Admins: As the highest level of access, Cloud-Admins possess comprehensive control over the entire QCloud environment. They can manage system configurations, create and manage accounts for Resellers and Customers, and oversee security policies. This tier is responsible for ensuring that the platform operates smoothly and securely.
- Resellers: Resellers have access to manage the accounts of their own Customers. They can create and configure Customer accounts, monitor usage, and provide support within their purview. Resellers act as intermediaries, offering their clients the benefits of QCloud while maintaining a level of oversight.
- Customers: Customers have access to their own resources within QCloud, allowing them to manage their accounts, services, and data. They can also create and manage staff accounts within their organization, granting varying privileges based on individual roles.
For further details on the user structure and hierarchy of QCloud accounts, please see the QCloud User Tiers & Structure article.
Granular User Privileges
Within each tier, QCloud allows for the creation of individual staff member accounts, enabling organizations to define specific privileges and access levels based on the needs of their users. This granular approach to access control ensures that users can perform their tasks without exposing sensitive data or compromising security.
Built-in MFA Feature
QCloud includes a robust, built-in MFA mechanism that can be easily implemented across the platform. One of the key advantages of the MFA feature in QCloud is the flexibility it offers to Cloud-Admins. They have the authority to enforce MFA based on their organization’s security policies. Key aspects of this feature include:
- Selective Enforcement: Cloud-Admins can choose to enforce MFA for all users or target specific user groups based on their roles and access levels. For example, administrators and high-privilege users may be required to use MFA, while other users may be exempted.
- User-Friendly Setup: QCloud provides a streamlined process for users to set up MFA during their initial account configuration or upon their next login. The intuitive interface guides users through the process, ensuring a smooth experience while maximizing security.
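The tiered structure, the per-staff privileges and the selective MFA enforcement described in the preceding sections combine into a single authorization decision, which the following added example (not QCloud's code) models. It assumes a small constructed account tree (a Cloud-Admin root, two Resellers, a Customer under each), a staff record carrying granular privileges, and an MFA policy that requires MFA for the two upper tiers and for any staff member holding a billing privilege; the privilege names and policy shape are invented for the demonstration.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional


@dataclass(frozen=True)
class Account:
    account_id: str
    tier: str                 # "cloud-admin", "reseller" or "customer"
    parent_id: Optional[str]  # owning reseller for a customer, root for a reseller


# Constructed account tree (assumption): root -> resellers -> customers.
ACCOUNTS: Dict[str, Account] = {a.account_id: a for a in [
    Account("root", "cloud-admin", None),
    Account("rs-1", "reseller", "root"),
    Account("rs-2", "reseller", "root"),
    Account("cust-1", "customer", "rs-1"),
    Account("cust-2", "customer", "rs-2"),
]}


@dataclass(frozen=True)
class Staff:
    user_id: str
    account_id: str             # the account this staff member belongs to
    privileges: FrozenSet[str]  # granular privileges granted by the account owner
    mfa_verified: bool = False  # has this session completed an MFA challenge?


# Constructed MFA enforcement policy (assumption), as a Cloud-Admin might set
# it: required for every user of the two upper tiers and for any staff member
# who holds a billing privilege, exempt for everyone else.
MFA_POLICY = {
    "tiers": frozenset({"cloud-admin", "reseller"}),
    "privileges": frozenset({"billing.manage"}),
}


def in_scope(manager_account, target_account, accounts=ACCOUNTS):
    """True if target is the manager's own account or sits below it in the tree."""
    current = target_account
    while current is not None:
        if current == manager_account:
            return True
        current = accounts[current].parent_id
    return False


def mfa_required(staff, policy=MFA_POLICY, accounts=ACCOUNTS):
    tier = accounts[staff.account_id].tier
    return tier in policy["tiers"] or bool(staff.privileges & policy["privileges"])


def authorize(staff, privilege, target_account, accounts=ACCOUNTS, policy=MFA_POLICY):
    """Order matters: the MFA gate runs before any privilege or scope check."""
    if target_account not in accounts:
        return False, "unknown account"
    if mfa_required(staff, policy, accounts) and not staff.mfa_verified:
        return False, "mfa required"
    if privilege not in staff.privileges:
        return False, "privilege not granted"
    if not in_scope(staff.account_id, target_account, accounts):
        return False, "target outside account scope"
    return True, "ok"


if __name__ == "__main__":
    reseller_ops = Staff("dana", "rs-1", frozenset({"account.manage"}), mfa_verified=True)
    print(authorize(reseller_ops, "account.manage", "cust-1"))
    print(authorize(reseller_ops, "account.manage", "cust-2"))
```

Two points the checks make visible: a Reseller's scope is the subtree under its own account, so a request against another Reseller's Customer is refused on scope even when the privilege itself is held, and a Customer staff member with no elevated privileges is never prompted for MFA while the moment billing rights are granted the same account falls under the policy without any change to the policy itself.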