Cloud7 is committed to providing a secure and resilient environment and a robust architecture for its customers through the implementation of comprehensive security measures. This article serves as a guide for organizations to understand the architecture and security features of Cloud7, empowering them to implement effective security strategies tailored to their specific needs.
Deployment & Services Architecture #
Deployment Model #
Cloud7 is designed to be deployed as an on-premises solution, ensuring that customers have full control over their infrastructure, data, and security policies. This deployment model guarantees that all customer data remains within the customer’s environment, complying with data sovereignty regulations and providing complete control over security practices.
The Cloud7 platform is deployed on Kubernetes clusters within the customer’s datacentre, leveraging a containerized and microservices architecture to provide high scalability, availability, and isolation between services. This architecture enables seamless integration with existing IT environments while maintaining strict security controls.
On-premises deployment brings the following benefits:
Customer-Owned Data
Since Cloud7 is deployed on-premises, all customer data is stored locally within the customer’s infrastructure. Unlike cloud-based SaaS solutions, Cloud7 ensures that customer data never leaves the organization’s environment unless explicitly permitted. This deployment model provides:
- Compliance with local, national, or industry-specific data residency regulations.
- Complete customer control over their data, network security, and infrastructure.
Security Boundaries
The on-premises deployment model creates a strong security boundary, isolating Cloud7 from external, cloud-based risks. This ensures that:
- Cloud7 operates within the customer’s trusted network, protected by the organization’s firewalls, VPNs, and other network security appliances.
- External access to the Cloud7 platform can be tightly controlled, with all traffic passing through customer-defined security gateways.
Customer-Controlled Network Security
As Cloud7 is deployed within the customer’s data center, all network security measures are managed by the customer. This includes:
- Customers can define firewall rules, ensuring that only authorized traffic flows in and out of the Cloud7 platform.
- For remote access or multi-site deployment scenarios, customers can leverage secure VPN tunnels or dedicated connections to enforce encrypted communication between different locations.
Services Architecture #
Cloud7 is designed using a microservices architecture, with each service playing a distinct role in the overall operation of the platform. These services are containerized and deployed over Kubernetes, ensuring scalability, modularity, and secure communication between components.

Below is a high-level overview of the core services that make up the Cloud7 platform:
- Frontend: The user interface that provides a seamless experience for managing cloud resources, billing, and settings.
- Backend: The core engine that processes user requests and orchestrates communication between all services.
- API Gateway: The centralized entry point for all API requests, responsible for routing, load balancing, and enforcing security policies.
- Payment Gateway: Manages all financial transactions, including billing, invoicing, and integration with external payment providers.
- Help Desk: The support system that allows users to raise tickets and receive assistance from the support team.
- Vault: Powered by HashiCorp Vault, this service securely manages secrets, such as passwords and API keys, ensuring they are protected and only accessible by authorized services.
- Identity: Built on Keycloak, this service handles authentication and authorization, providing secure identity management and role-based access control (RBAC).
- Billing Cron: Automates the billing process, ensuring accurate calculation of usage and timely generation of invoices for both recurring and one-time charges.
Security Architecture #
Traffic Flow #
The traffic flow within the Cloud7 environment is designed to ensure secure, efficient communication between clients and the various microservices that constitute the platform. Customers have the flexibility to enhance their security posture by integrating their perimeter security appliances, including firewalls and Web Application Firewalls (WAFs), to protect the Cloud7 deployment.

- Client Requests: User traffic initiates from client applications or end-users, directed toward the Cloud7 platform.
- Perimeter Security: Before reaching Cloud7, client requests pass through the customer’s integrated security appliances, such as firewalls and WAFs. This setup allows organizations to enforce their security policies, perform traffic inspection, and mitigate threats before they access the Cloud7 environment.
- NGINX Load Balancer: Once requests clear the perimeter security checks, they reach the NGINX load balancer. NGINX is responsible for distributing incoming traffic efficiently across multiple instances of the Cloud7 services, ensuring optimal resource utilization and high availability. This load balancing mechanism improves performance and provides resilience against potential service disruptions.
- Kubernetes Ingress Controller: After passing through the load balancer, requests are directed to the Kubernetes ingress controller. The ingress controller routes traffic to the appropriate microservices based on the defined rules, ensuring that requests are processed by the correct service within the Cloud7 architecture.
- Service Communication: Finally, the ingress controller forwards requests to the relevant backend services within the Cloud7 platform, enabling seamless communication between the frontend, backend, API gateway, and other services.
This layered approach to traffic flow not only enhances the security of the Cloud7 environment but also allows for flexibility in integrating existing security solutions that customers may already have in place.
Implementing TLS/SSL #
When implementing TLS (Transport Layer Security) and SSL (Secure Sockets Layer) for Cloud7, the strategy depends on the specific security requirements, performance considerations, and infrastructure setup of the customer. Below is a breakdown of the different options for where to offload TLS/SSL and their pros and cons.
TLS/SSL Offloading on Kubernetes Ingress Controller
One effective method for securing Cloud7 is to offload TLS/SSL at the Kubernetes Ingress Controller. In this configuration, the ingress controller is responsible for terminating TLS/SSL connections and forwarding unencrypted traffic to the internal services.
This method simplifies management by integrating well with Kubernetes-native tools like Cert-Manager for automating certificate management, centralizes certificate handling within the Kubernetes cluster, and allows for easy automation of certificate provisioning and rotation.

TLS/SSL Offloading on NGINX Load Balancer
Another option for securing Cloud7 is to implement an NGINX Load Balancer in front of the Kubernetes ingress controller, which will handle TLS/SSL termination.
This setup provides an additional layer of security, allowing for advanced features like rate limiting and DDoS protection while reducing the load on the Kubernetes ingress controller, thus enhancing performance. Additionally, it offers more granular control over TLS/SSL settings, including cipher suites and protocol versions.

TLS/SSL Offloading at Customer’s Firewall or WAF
Offloading TLS/SSL at the customer’s firewall or Web Application Firewall (WAF) allows the customer to handle encryption and decryption at the perimeter before traffic reaches the Cloud7 platform.
This method centralizes security management and enables comprehensive traffic inspection, ensuring compliance with internal security policies. It also allows for a unified control of TLS/SSL settings for all traffic entering the infrastructure.
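The load-balancer option above is where protocol versions and cipher suites are chosen. As an added illustration (not configuration shipped with Cloud7), the following stdlib-only Python script embeds two constructed nginx `server` blocks for TLS termination in front of the ingress controller, one with legacy settings and one hardened, and audits them for deprecated protocols, weak cipher suites and a missing HSTS header. The upstream name `ingress`, the hostname and the certificate paths are placeholders chosen for the example.

```python
import re

# Constructed nginx server block: terminates TLS at the load balancer and proxies to
# the ingress controller. Hostname, cert paths and the upstream name are assumptions
# for this example, not values from a real Cloud7 deployment.
WEAK_CONF = """
server {
    listen 443 ssl;
    server_name cloud7.example.internal;
    ssl_certificate     /etc/nginx/tls/cloud7.crt;
    ssl_certificate_key /etc/nginx/tls/cloud7.key;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    location / {
        proxy_pass http://ingress;
    }
}
"""

# Same block with only TLS 1.2/1.3, an explicit AEAD-only cipher list and HSTS.
HARDENED_CONF = """
server {
    listen 443 ssl;
    server_name cloud7.example.internal;
    ssl_certificate     /etc/nginx/tls/cloud7.crt;
    ssl_certificate_key /etc/nginx/tls/cloud7.key;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256;
    ssl_prefer_server_ciphers off;
    ssl_session_tickets off;
    add_header Strict-Transport-Security "max-age=63072000" always;
    location / {
        proxy_pass http://ingress;
    }
}
"""

DEPRECATED_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
# Substrings that identify cipher suites no modern deployment should offer.
WEAK_CIPHER_MARKERS = ("RC4", "DES", "MD5", "NULL", "EXPORT")


def directives(conf: str) -> dict:
    """Collect simple 'name value;' directives into {name: [values...]}.

    Block openers such as 'server {' and 'location / {' are skipped because
    they carry no trailing ';'.
    """
    found = {}
    for m in re.finditer(r"^\s*([a-z_]+)\s+([^;{]+);", conf, re.MULTILINE):
        found.setdefault(m.group(1), []).append(m.group(2).strip())
    return found


def audit_tls(conf: str) -> list:
    """Return a list of human-readable findings; an empty list means no issue."""
    d = directives(conf)
    findings = []

    enabled = set(" ".join(d.get("ssl_protocols", [])).split())
    deprecated = sorted(enabled & DEPRECATED_PROTOCOLS)
    if deprecated:
        findings.append("deprecated protocols enabled: " + ", ".join(deprecated))

    ciphers = d.get("ssl_ciphers")
    if not ciphers:
        findings.append("ssl_ciphers not set: the nginx build default applies")
    else:
        # Tokens starting with '!' or '-' are exclusions, so they are not weak entries.
        weak = [c for c in ciphers[0].split(":")
                if not c.startswith(("!", "-"))
                and any(w in c for w in WEAK_CIPHER_MARKERS)]
        if weak:
            findings.append("weak cipher suites listed: " + ", ".join(weak))

    if not any("Strict-Transport-Security" in h for h in d.get("add_header", [])):
        findings.append("no Strict-Transport-Security header")
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_tls(conf) or ["no findings"])
```

The checker only reads the directives it knows about; it is a sanity check for a reviewed configuration, not a substitute for testing the live listener with an external TLS scanner.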

Data Security #
Data security is a critical component of the Cloud7 architecture, ensuring that customer data, sensitive information, and cryptographic keys are well-protected throughout their lifecycle. By leveraging advanced security practices and technologies, Cloud7 aims to provide a robust framework that mitigates the risks of data breaches and unauthorized access.
Key-Based Decryption with HashiCorp Vault
At the core of Cloud7’s data security strategy is HashiCorp Vault, a leading solution for secure key management. HashiCorp Vault allows Cloud7 to securely store, manage, and control access to sensitive data, including encryption keys and credentials.
HashiCorp Vault centralizes the management of secrets, ensuring that sensitive information is stored in a secure and controlled environment. This reduces the risk of exposure by eliminating the need to hard-code secrets within application code.
Data Encryption at Rest
Before storing sensitive customer data, Cloud7 applies a salting process using the keys obtained from HashiCorp Vault. This involves adding a unique, random salt value to the data, which is then encrypted using strong encryption algorithms. This method adds an additional layer of security by making it significantly more challenging for unauthorized parties to decipher the data.
Data Encryption in Transit
Data transmitted to and from Cloud7 externally is secured using TLS/SSL protocols. This protects data from interception during transmission and ensures that only authorized entities can access the information.
API Security #
API security is a critical aspect of the Cloud7 architecture, ensuring that data and resources are protected from unauthorized access while maintaining the performance and usability of the platform. Cloud7 employs several key security measures, including JSON Web Tokens (JWT), API rate limiting, and a clear segregation of access between administrative and customer-facing portals.
JSON Web Tokens (JWT)
Cloud7 utilizes JSON Web Tokens (JWT) as a secure mechanism for authentication and authorization between clients and servers. JWTs enable the following benefits:
- Stateless Authentication: JWTs are self-contained tokens that encapsulate user identity and claims in a compact format. This allows the server to authenticate users without maintaining session state, improving scalability and performance.
- Secure Information Exchange: Each JWT is digitally signed, ensuring the integrity of the data it carries. This prevents tampering and guarantees that the information within the token is trusted. Additionally, JWTs can be encrypted to protect sensitive information.
- Role-Based Access Control: JWTs can carry claims that specify the user’s role, enabling Cloud7 to implement role-based access control. This ensures that users only have access to the APIs and resources permitted for their specific role, enhancing security.
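To make the three properties concrete (stateless verification, signature integrity, a role claim driving authorization), here is an added example written for this article rather than code from Cloud7 or Keycloak. It implements HS256 signing and verification with the Python standard library only; a Keycloak deployment would normally publish RSA keys and use RS256, so the shared secret, claim names (`roles`, `exp`) and role strings are assumptions for the example. The `demo()` function shows a valid admin token, a customer token lacking the role, a token whose payload was edited after signing, an expired token and an `alg: none` token.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed shared secret for the example; a real deployment would use the
# identity provider's published keys, not a static string in source.
DEMO_KEY = b"constructed-demo-secret-not-for-production"


class TokenError(Exception):
    """Raised for any token that must not be trusted."""


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_jwt(claims: dict, key: bytes) -> str:
    """Produce header.payload.signature with HMAC-SHA256 over the first two parts."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_jwt(token: str, key: bytes, now: float = None) -> dict:
    """Return the claims only if the algorithm, signature and expiry all check out."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        raise TokenError("malformed token")
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm: never let the token choose (blocks 'none' and confusion attacks).
    if header.get("alg") != "HS256":
        raise TokenError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise TokenError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    now = time.time() if now is None else now
    if "exp" in claims and now >= claims["exp"]:
        raise TokenError("expired")
    return claims


def authorize(token: str, key: bytes, required_role: str, now: float = None) -> bool:
    """Role-based check: the token must verify AND carry the required role claim."""
    try:
        claims = verify_jwt(token, key, now)
    except TokenError:
        return False
    return required_role in claims.get("roles", [])


def demo() -> dict:
    now = 1_700_000_000  # fixed clock so the results are deterministic
    admin = sign_jwt({"sub": "alice", "roles": ["cloud-admin"], "exp": now + 600}, DEMO_KEY)
    customer = sign_jwt({"sub": "bob", "roles": ["customer"], "exp": now + 600}, DEMO_KEY)
    expired = sign_jwt({"sub": "alice", "roles": ["cloud-admin"], "exp": now - 1}, DEMO_KEY)

    # Tampering: swap in an elevated payload but keep the customer's original signature.
    h, _, s = customer.split(".")
    forged_payload = _b64url(json.dumps({"sub": "bob", "roles": ["cloud-admin"], "exp": now + 600}).encode())
    tampered = f"{h}.{forged_payload}.{s}"

    # 'alg: none' token with an empty signature, as sent by an attacker hoping the
    # verifier honours the header.
    none_header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    unsigned = f"{none_header}.{forged_payload}."

    return {
        "admin_ok": authorize(admin, DEMO_KEY, "cloud-admin", now),
        "customer_denied": authorize(customer, DEMO_KEY, "cloud-admin", now),
        "tampered_denied": authorize(tampered, DEMO_KEY, "cloud-admin", now),
        "expired_denied": authorize(expired, DEMO_KEY, "cloud-admin", now),
        "alg_none_denied": authorize(unsigned, DEMO_KEY, "cloud-admin", now),
    }


if __name__ == "__main__":
    print(demo())
```

The important design point is in `verify_jwt`: the accepted algorithm is fixed by the verifier, the comparison is constant-time, and expiry is checked before any claim is consulted. Authorization then reads the role from claims that have already been authenticated, never from the unverified payload.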
API Rate Limiting
To protect Cloud7 against abusive behaviors, such as denial-of-service attacks or excessive API calls, the platform implements API rate limiting. This feature provides several advantages:
- Prevention of Abuse: By restricting the number of API requests a user or IP address can make within a specified time frame, rate limiting helps prevent misuse and protects the availability of the services.
- Quality of Service: Rate limiting ensures that all users have equitable access to resources, preventing a single user from monopolizing bandwidth and causing performance degradation for others.
- Customizable Policies: Cloud7 allows administrators to define customizable rate limiting policies based on specific API endpoints, user roles, or client applications, providing flexibility in managing API usage.
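The three bullets describe a limiter keyed by client, with policies that vary by endpoint and role. As an added example (not Cloud7's implementation, whose defaults are not stated on this page), the following Python token-bucket limiter accepts a caller-supplied clock so its behaviour can be reasoned about exactly. The endpoint paths, role names and the numeric limits in `POLICIES` are all constructed for the illustration; a stricter bucket is attached to the login endpoint and a per-role bucket to the rest of the API.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Policy:
    capacity: int          # burst allowance (bucket size)
    refill_per_sec: float  # sustained rate


# Constructed policy table keyed by (path prefix, role); "*" matches any role.
# Longest prefix wins, and a role-specific entry beats the wildcard at equal length.
POLICIES = {
    ("/api/v1/auth/login", "*"): Policy(5, 0.1),      # 5-burst, then one try per 10 s
    ("/api/v1/", "*"): Policy(30, 0.5),               # default for any other role
    ("/api/v1/", "customer"): Policy(60, 1.0),
    ("/api/v1/", "cloud-admin"): Policy(600, 10.0),
}


def select_policy(path: str, role: str):
    """Return (prefix, Policy) for the most specific matching rule, or (None, None)."""
    best = None
    for (prefix, prole), pol in POLICIES.items():
        if path.startswith(prefix) and prole in (role, "*"):
            score = (len(prefix), prole != "*")
            if best is None or score > best[0]:
                best = (score, prefix, pol)
    if best is None:
        return None, None
    return best[1], best[2]


class RateLimiter:
    """Token bucket per (rule prefix, client). The client key is the caller's
    choice: a user id for authenticated calls, a source IP for login attempts."""

    def __init__(self):
        self._buckets = {}  # (prefix, client) -> (tokens, last_refill_ts)

    def allow(self, client: str, path: str, role: str, now: float) -> bool:
        prefix, pol = select_policy(path, role)
        if pol is None:
            return True  # no rule for this path; leave open (or deny, per policy)
        key = (prefix, client)
        tokens, last = self._buckets.get(key, (float(pol.capacity), now))
        tokens = min(float(pol.capacity), tokens + (now - last) * pol.refill_per_sec)
        if tokens >= 1.0:
            self._buckets[key] = (tokens - 1.0, now)
            return True
        self._buckets[key] = (tokens, now)  # record the refill even when denying
        return False


def demo() -> dict:
    rl = RateLimiter()
    ip = "203.0.113.7"  # constructed client address
    login_burst = sum(rl.allow(ip, "/api/v1/auth/login", "*", 0.0) for _ in range(5))
    login_sixth = rl.allow(ip, "/api/v1/auth/login", "*", 0.0)
    login_after_30s = rl.allow(ip, "/api/v1/auth/login", "*", 30.0)  # 3 tokens refilled

    cust = [rl.allow("user:bob", "/api/v1/servers", "customer", 100.0) for _ in range(61)]
    admin = [rl.allow("user:alice", "/api/v1/servers", "cloud-admin", 100.0) for _ in range(61)]
    other = [rl.allow("user:carol", "/api/v1/servers", "reseller", 100.0) for _ in range(31)]
    return {
        "login_burst_allowed": login_burst,
        "login_sixth_allowed": login_sixth,
        "login_after_30s_allowed": login_after_30s,
        "customer_61st_allowed": cust[-1],
        "admin_61st_allowed": admin[-1],
        "reseller_31st_allowed": other[-1],
    }


if __name__ == "__main__":
    print(demo())
```

Keying the login bucket by source address and the API buckets by user id is deliberate: before authentication there is no user to key on, and after it a single user spread across many addresses should still share one budget.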
Audit Logs in C7 #
Audit logs play a crucial role in maintaining the integrity, security, and accountability of the Cloud7 environment. By capturing detailed records of system activities and user interactions, Cloud7 ensures that organizations have the necessary visibility to monitor access, detect anomalies, and comply with regulatory requirements.
Built-in Audit Logs
Cloud7 features a robust built-in audit logging mechanism designed to provide comprehensive tracking of all critical operations within the system. These logs capture various activities, including audit trails. Every action performed by users (administrators, resellers or customers) in the Cloud7 portal is recorded, detailing the identity of the user, the nature of the request, and the outcome (successful or failed). This information is vital for identifying unauthorized access attempts and ensuring that audit.
Access Logs & History
In addition to audit logs, Cloud7 includes a dedicated access logs feature that tracks all user authentication activities. This component is essential for monitoring user behavior and maintaining a secure environment. Each login attempt is logged, including details such as the username, timestamp, IP address, and the success or failure of the authentication. This information is crucial for detecting potential security threats, such as brute-force attacks or unauthorized access attempts.
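The access-log fields listed above (username, timestamp, IP address, outcome) are exactly what a brute-force detector needs. As an added example, not part of Cloud7's own tooling, the script below runs a sliding-window rule over constructed JSON login records: it raises one alert when an address accumulates five failures within five minutes, and a second, higher-priority alert if a login from that address then succeeds. The JSON field names and the sample addresses are assumptions for the example; Cloud7's actual export format is not described on this page.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed access-log sample (one JSON object per line). Field names are an
# assumption for this example. Addresses come from the RFC 5737 documentation ranges.
SAMPLE_LOG = """
{"ts":"2024-05-01T09:00:01Z","event":"login","user":"alice","ip":"198.51.100.20","result":"success"}
{"ts":"2024-05-01T09:01:10Z","event":"login","user":"bob","ip":"203.0.113.7","result":"failure"}
{"ts":"2024-05-01T09:01:25Z","event":"login","user":"bob","ip":"203.0.113.7","result":"failure"}
{"ts":"2024-05-01T09:01:40Z","event":"login","user":"bob","ip":"203.0.113.7","result":"failure"}
{"ts":"2024-05-01T09:02:05Z","event":"login","user":"carol","ip":"203.0.113.7","result":"failure"}
{"ts":"2024-05-01T09:02:30Z","event":"login","user":"carol","ip":"203.0.113.7","result":"failure"}
{"ts":"2024-05-01T09:03:00Z","event":"login","user":"dave","ip":"203.0.113.7","result":"failure"}
{"ts":"2024-05-01T09:03:20Z","event":"login","user":"bob","ip":"203.0.113.7","result":"success"}
{"ts":"2024-05-01T09:30:00Z","event":"login","user":"erin","ip":"198.51.100.21","result":"failure"}
"""

WINDOW = timedelta(minutes=5)
THRESHOLD = 5  # failures per source address inside WINDOW


def parse(line: str) -> dict:
    rec = json.loads(line)
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return rec


def detect(lines) -> list:
    """Stream records in order; return alerts as dicts.

    failures[ip] holds (timestamp, user) pairs still inside the window, so the
    per-address state stays bounded regardless of log length.
    """
    failures = defaultdict(deque)
    alerted = set()
    alerts = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        rec = parse(raw)
        if rec.get("event") != "login":
            continue
        q = failures[rec["ip"]]
        while q and rec["ts"] - q[0][0] > WINDOW:
            q.popleft()  # expire failures older than the window

        if rec["result"] == "failure":
            q.append((rec["ts"], rec["user"]))
            if len(q) >= THRESHOLD and rec["ip"] not in alerted:
                alerted.add(rec["ip"])  # alert once per address per burst
                alerts.append({
                    "type": "brute_force",
                    "ip": rec["ip"],
                    "failures": len(q),
                    "users": sorted({u for _, u in q}),
                    "at": rec["ts"].isoformat(),
                })
        elif rec["result"] == "success" and len(q) >= THRESHOLD:
            # A success right after a burst of failures from the same address is the
            # case worth escalating: the guessing may have worked.
            alerts.append({
                "type": "success_after_failures",
                "ip": rec["ip"],
                "user": rec["user"],
                "failures": len(q),
                "at": rec["ts"].isoformat(),
            })
    return alerts


def run_demo() -> list:
    return detect(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for a in run_demo():
        print(a)
```

The `users` field in the brute-force alert distinguishes password spraying (many users, one address) from a focused attack on one account, which changes the appropriate response (block the address versus lock and notify the account).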
Access Control Lists (ACLs) in C7 #
Access Control Lists (ACLs) are a fundamental component of the Cloud7 security framework, ensuring that users have appropriate levels of access based on their roles and responsibilities. By implementing a structured access control model, Cloud7 enables organizations to maintain security, data integrity, and operational efficiency.
Tiered Account Structure
Cloud7 employs a tiered account structure that consists of three distinct tiers: Cloud-Admins, Resellers, and Customers. Each tier has specific privileges and access levels tailored to their roles:
- Cloud-Admins: As the highest level of access, Cloud-Admins possess comprehensive control over the entire Cloud7 environment. They can manage system configurations, create and manage accounts for Resellers and Customers, and oversee security policies. This tier is responsible for ensuring that the platform operates smoothly and securely.
- Resellers: Resellers have access to manage the accounts of their own Customers. They can create and configure Customer accounts, monitor usage, and provide support within their purview. Resellers act as intermediaries, offering their clients the benefits of Cloud7 while maintaining a level of oversight.
- Customers: Customers have access to their own resources within Cloud7, allowing them to manage their accounts, services, and data. They can also create and manage staff accounts within their organization, granting varying privileges based on individual roles.
For further details on the user structure and hierarchy of Cloud7 accounts, please see the C7 User Tiers & Structure article.
Granular User Privileges
Within each tier, Cloud7 allows for the creation of individual staff member accounts, enabling organizations to define specific privileges and access levels based on the needs of their users. This granular approach to access control ensures that users can perform their tasks without exposing sensitive data or compromising security.
Built-in MFA Feature
Cloud7 includes a robust, built-in MFA mechanism that can be easily implemented across the platform. One of the key advantages of the MFA feature in Cloud7 is the flexibility it offers to Cloud-Admins. They have the authority to enforce MFA based on their organization’s security policies. Key aspects of this feature include:
- Selective Enforcement: Cloud-Admins can choose to enforce MFA for all users or target specific user groups based on their roles and access levels. For example, administrators and high-privilege users may be required to use MFA, while other users may be exempted.
- User-Friendly Setup: Cloud7 provides a streamlined process for users to set up MFA during their initial account configuration or upon their next login. The intuitive interface guides users through the process, ensuring a smooth experience while maximizing security.
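The tiered account structure, the granular staff privileges and the selective MFA enforcement described in this section combine into a single authorization decision per request. The following Python model is an added example, written for this article rather than taken from Cloud7: it encodes a Cloud-Admin / Reseller / Customer hierarchy, scopes each actor to its own subtree, checks a staff member's individual privileges, and refuses high-tier users who have not completed MFA. The account ids, privilege names and the choice of which tiers require MFA are constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Account:
    id: str
    tier: str               # "cloud-admin" | "reseller" | "customer"
    parent: Optional[str]   # reseller for a customer, root for a reseller, None for root


@dataclass(frozen=True)
class Principal:
    user: str
    account: str            # account the staff member belongs to
    privileges: frozenset   # granular per-staff privileges
    mfa_verified: bool      # whether this session completed MFA


# Constructed account tree: one cloud-admin root, two resellers, one customer each.
ACCOUNTS = {
    "root":       Account("root", "cloud-admin", None),
    "reseller-a": Account("reseller-a", "reseller", "root"),
    "reseller-b": Account("reseller-b", "reseller", "root"),
    "cust-1":     Account("cust-1", "customer", "reseller-a"),
    "cust-2":     Account("cust-2", "customer", "reseller-b"),
}

# Constructed selective-enforcement policy: high-privilege tiers must use MFA,
# customer staff are exempt. A Cloud-Admin could equally list every tier here.
MFA_REQUIRED_TIERS = {"cloud-admin", "reseller"}


def in_scope(actor_account: str, target_account: str) -> bool:
    """True if the target is the actor's own account or sits below it in the tree."""
    node = target_account
    while node is not None:
        if node == actor_account:
            return True
        node = ACCOUNTS[node].parent
    return False


def authorize(p: Principal, action: str, target_account: str) -> Tuple[bool, str]:
    """Evaluate MFA policy, then privilege, then hierarchy scope; return (allowed, reason)."""
    if target_account not in ACCOUNTS:
        return False, "unknown_target"
    tier = ACCOUNTS[p.account].tier
    if tier in MFA_REQUIRED_TIERS and not p.mfa_verified:
        return False, "mfa_required"
    if action not in p.privileges:
        return False, "missing_privilege"
    if not in_scope(p.account, target_account):
        return False, "out_of_scope"
    return True, "ok"


def demo() -> dict:
    manage = frozenset({"manage_accounts", "view_billing"})
    billing_only = frozenset({"view_billing"})
    admin = Principal("alice", "root", manage, mfa_verified=True)
    reseller_a = Principal("ray", "reseller-a", manage, mfa_verified=True)
    reseller_a_nomfa = Principal("ray", "reseller-a", manage, mfa_verified=False)
    cust_staff = Principal("cathy", "cust-1", billing_only, mfa_verified=False)
    return {
        "admin_manages_any": authorize(admin, "manage_accounts", "cust-2"),
        "reseller_own_customer": authorize(reseller_a, "manage_accounts", "cust-1"),
        "reseller_other_customer": authorize(reseller_a, "manage_accounts", "cust-2"),
        "reseller_without_mfa": authorize(reseller_a_nomfa, "manage_accounts", "cust-1"),
        "staff_lacks_privilege": authorize(cust_staff, "manage_accounts", "cust-1"),
        "staff_own_billing": authorize(cust_staff, "view_billing", "cust-1"),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The order of checks matters for what gets logged: MFA is evaluated first so that a privileged user who skipped enrolment is refused outright, and the returned reason string is what an audit record should carry alongside the user, action and target.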
