Introduction
At Nightborn, we follow the best practices regarding GDPR & Security to keep your app & data safe! Apps are stored on phones & move data from your phone to a server & back; that's why we need to be acutely aware of our responsibility as app developers to handle this data with care.
💡 GDPR?
👉 GDPR or General Data Protection Regulation is a globally influential data & privacy law from the European Union. It applies to apps or companies that collect & process the personal data of EU citizens. NOTE: Even if an app is operated from outside of the EU, the GDPR will still apply!
👉 The purpose of the GDPR is to provide improved privacy protection & control for EU citizens. It protects individuals' fundamental rights & freedoms, particularly their right to the protection of their personal data. It's also designed to improve how businesses manage personal consumer data.
Application security is always top of mind when our team starts a new project, especially with a growing number of security threats. By improving the security of your app, we also help preserve user trust & device integrity.
HOW? 🤔
For us, it's the process of finding & fixing security vulnerabilities by enforcing software security practices & using the best app security testing tools! We use various tools to store your data safely as your project progresses. In this blog, we share with you 5 application security practices & tools you should consider using.
Enjoy reading!
1. Database Encryption in Azure
Database Encryption comes in 2 forms:
- At-rest, where data is stored on a physical device
- In-transit, where data is moving between services or between a user & a service.
💡 Encryption At-rest is like storing your data in a vault, while encryption In-transit is like putting it in an armored vehicle for transport.
Let's dig a little deeper into these different levels...
👉 Database Encryption At-rest
Encryption at-rest makes sure that stored data isn't easily accessible if malicious users obtain access to the drive or device: without decrypting the data, they're unable to read the content of the drives.
Storage services in Azure use a service called Azure Storage Service Encryption (SSE), which uses AES-256 encryption 🤓. This feature is enabled by default for storage accounts, cannot be disabled & is transparent for users. All storage within Azure is independent of the compute clusters.
👉 Database Encryption In-Transit
The term encryption in-transit is pretty self-explanatory: it concerns safeguarding data while it's being transferred from one component or layer to another. It's achieved by enabling Transport Layer Security (TLS) for HTTP-based services, i.e. using the HTTPS protocol, so that data cannot be read while on the wire.
TLS makes sure that no one can listen in on or tamper with the messages as they are being transmitted over the wire. As a result, it contributes to maintaining data integrity in addition to ensuring that the data is protected. 🔐
Most Azure services provide configuration settings to enable TLS. This option is enabled by default, & users can disable it if for any reason they no longer need it.
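Because "enabled by default" and "can be disabled" are not the same as "is still enabled", it's worth checking. Here's an added example (our illustration, not part of the original post or Nightborn's tooling) that audits the JSON `az storage account list` returns for two in-transit settings: secure transfer (HTTPS only) and the minimum TLS version. The sample accounts are constructed; the property name `enableHttpsTrafficOnly` (ARM: `supportsHttpsTrafficOnly`) and `minimumTlsVersion` follow the Azure storage-account schema.

```python
import json

# Rank TLS versions so they can be compared; TLS 1.2 is the floor we require.
TLS_RANK = {"TLS1_0": 0, "TLS1_1": 1, "TLS1_2": 2, "TLS1_3": 3}
REQUIRED_MIN_TLS = "TLS1_2"


def audit_storage_account(account):
    """Return a list of findings for one account (empty list = compliant)."""
    findings = []
    name = account.get("name", "<unnamed>")
    # The CLI prints this flag as enableHttpsTrafficOnly, the ARM schema as
    # supportsHttpsTrafficOnly; accept both so the check works on either shape.
    https_only = account.get("enableHttpsTrafficOnly",
                             account.get("supportsHttpsTrafficOnly"))
    if https_only is not True:
        findings.append(f"{name}: plain HTTP is allowed (secure transfer not required)")
    min_tls = account.get("minimumTlsVersion")
    if min_tls not in TLS_RANK:
        findings.append(f"{name}: minimumTlsVersion is missing or unknown ({min_tls!r})")
    elif TLS_RANK[min_tls] < TLS_RANK[REQUIRED_MIN_TLS]:
        findings.append(f"{name}: minimumTlsVersion {min_tls} is below {REQUIRED_MIN_TLS}")
    return findings


def audit_all(cli_json):
    """Audit a JSON array as printed by `az storage account list`."""
    return {acct["name"]: audit_storage_account(acct) for acct in json.loads(cli_json)}


# Constructed sample resembling CLI output (not real accounts).
SAMPLE = json.dumps([
    {"name": "appdataprod", "enableHttpsTrafficOnly": True, "minimumTlsVersion": "TLS1_2"},
    {"name": "legacylogs", "enableHttpsTrafficOnly": False, "minimumTlsVersion": "TLS1_0"},
    {"name": "scratch", "enableHttpsTrafficOnly": True},
])

if __name__ == "__main__":
    for name, findings in audit_all(SAMPLE).items():
        # Remediation for a flagged account:
        #   az storage account update -n <name> -g <rg> --https-only true --min-tls-version TLS1_2
        print(name, "OK" if not findings else findings)
```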
2. Multiple data back-ups
❗ Any business continuity & disaster recovery strategy must include multiple database backups as they protect your data from loss or corruption.
Backups enable database restoration to a point in time within the defined retention period. This action creates a new database with a different name on the same server. It uses a different name to avoid overwriting the original database.
Because of ransomware, data centers had to increase the frequency of backups. Once a night like the good old days is no longer enough! Nope, all data sets have to be protected multiple times per day.
At Nightborn, we run data back-ups every 30 minutes with the automated backup feature for Azure SQL Database.
💡 Azure SQL Database creates:
👉 Full backups every week.
👉 Differential backups every 12 or 24 hours.
👉 Transaction log backups approximately every 30 minutes.
The exact frequency of transaction log backups is based on the compute size & the amount of database activity. When you restore a database, the service determines which full, differential & transaction log backups need to be restored.
Azure SQL Database stores backups in storage blobs that are replicated to a paired region. The storage redundancy mechanism stores multiple copies of your data, protecting it from planned & unplanned events (hardware failures, network or power outages,... ) that could harm the backup storage of the primary region. In the event of a regional outage, it also allows you to restore your databases in a different region.
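To show what "the service determines which full, differential & transaction log backups need to be restored" means in practice, here's an added example (our illustration of the rule, not Azure's implementation or Nightborn's code). It builds a constructed schedule with the cadence above (weekly full, differentials every 12h, log backups every 30 minutes) and works out the restore chain for a chosen point in time, refusing targets outside the window.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Backup:
    kind: str             # "full", "diff" or "log"
    taken_at: datetime


def sample_schedule(start, days=2):
    """Constructed sample: a full at `start`, differentials every 12h,
    transaction log backups every 30 minutes."""
    backups = [Backup("full", start)]
    t = start + timedelta(minutes=30)
    while t <= start + timedelta(days=days):
        backups.append(Backup("log", t))
        if (t - start) % timedelta(hours=12) == timedelta(0):
            backups.append(Backup("diff", t))
        t += timedelta(minutes=30)
    return backups


def restore_chain(backups, target):
    """Ordered backups needed for a point-in-time restore to `target`: the newest
    full <= target, the newest differential after that full (if any), then the
    log backups after that base up to the first one that covers `target`."""
    fulls = [b for b in backups if b.kind == "full" and b.taken_at <= target]
    if not fulls:
        raise ValueError("no full backup before the target: outside the retention window")
    base = max(fulls, key=lambda b: b.taken_at)
    chain = [base]
    diffs = [b for b in backups if b.kind == "diff" and base.taken_at < b.taken_at <= target]
    if diffs:
        base = max(diffs, key=lambda b: b.taken_at)
        chain.append(base)
    if base.taken_at == target:
        return chain                  # the base already lands exactly on the target
    logs = [b for b in backups if b.kind == "log" and b.taken_at > base.taken_at]
    for log in sorted(logs, key=lambda b: b.taken_at):
        chain.append(log)
        if log.taken_at >= target:
            return chain              # this log backup contains the target point in time
    raise ValueError("target is after the latest log backup: not restorable yet")


START = datetime(2024, 1, 7, 0, 0)                     # constructed Sunday-midnight full
TARGET = START + timedelta(hours=27, minutes=10)       # Monday 03:10

if __name__ == "__main__":
    for b in restore_chain(sample_schedule(START), TARGET):
        print(b.kind, b.taken_at)
```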
3. Data Geo-Replication
Data Geo-what?! 🤔
💡 Data Geo-Replication is a feature that lets you create a continuously synchronized readable secondary database for a primary database.
It's intended to serve as a business continuity solution that enables speedy disaster recovery of specific databases in the event of a local incident or large-scale outage.
What does it do?
Transaction logs created on the primary replica are asynchronously replicated to all geo-replicas using active geo-replication, which makes use of the Always On availability group technology.
The data on a secondary database is guaranteed to be transactionally consistent, even if it may occasionally lag behind the primary database.
In other words, changes made by uncommitted transactions aren't visible on the secondary, & the secondary allows apps to quickly recover from a complete or partial loss of an Azure region due to a natural disaster, severe human error, or criminal activity.
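The two properties above (the secondary may lag, but it's always transactionally consistent) are easier to see in a toy model. This is an added example, a deliberately small simulation of asynchronous log shipping, not Azure's Always On implementation or Nightborn's code: the replica only applies a transaction once its commit record has arrived, so a half-finished transaction on the primary never shows up on a geo-replica read.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class LogRecord:
    lsn: int          # log sequence number, increasing on the primary
    tx: int           # transaction id
    op: str           # "set" or "commit"
    key: str = ""
    value: str = ""


class Primary:
    """Primary database: every change is written to the transaction log first."""
    def __init__(self):
        self.log, self.data = [], {}
    def _append(self, tx, op, key="", value=""):
        self.log.append(LogRecord(len(self.log) + 1, tx, op, key, value))
    def write(self, tx, key, value):
        self._append(tx, "set", key, value)       # pending until commit
    def commit(self, tx):
        for r in self.log:
            if r.tx == tx and r.op == "set":
                self.data[r.key] = r.value
        self._append(tx, "commit")


class GeoSecondary:
    """Readable replica: a transaction becomes visible only once its commit record arrived."""
    def __init__(self):
        self.received, self.data = [], {}
    def last_lsn(self):
        return self.received[-1].lsn if self.received else 0
    def receive(self, records):
        start = len(self.received)
        self.received.extend(records)
        for r in self.received[start:]:
            if r.op == "commit":                  # apply the whole transaction atomically
                for s in self.received:
                    if s.tx == r.tx and s.op == "set":
                        self.data[s.key] = s.value
    def read(self, key):
        return self.data.get(key)


def ship(primary, secondary):
    """Asynchronous log shipping: send every record the replica hasn't received yet."""
    secondary.receive([r for r in primary.log if r.lsn > secondary.last_lsn()])


def replication_lag(primary, secondary):
    """Log records written on the primary that the replica hasn't received yet."""
    return len(primary.log) - secondary.last_lsn()
```

Run a scenario by committing one transaction, leaving a second one open, shipping, and reading `balance` on the replica: the open transaction stays invisible until its commit record is shipped.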
4. Safe authentication protocols
Azure Active Directory B2C (Azure AD B2C) provides identity as a service for your apps by supporting two main industry-standard protocols: OpenID Connect and OAuth 2.0.
💡 OAuth 2.0 is the industry-standard protocol for authorization. It controls authorization to access a protected resource & focuses on client developer simplicity while providing specific authorization flows for web & desktop apps, mobile phones & other devices.
💡 OpenID Connect is a simple identity layer on top of the OAuth 2.0 protocol & allows you to use an existing account to sign in to multiple websites, without needing to create new passwords.
Safe authentication protocols allow clients to:
👉 Verify the End-User’s identity based on the authentication performed by the Microsoft identity platform
👉 Obtain the End-User’s basic profile info in an interoperable & REST-like manner. Representational state transfer (REST) is a software architectural style that describes a uniform interface between physically separate components, often across the Internet in a client-server architecture.
Azure AD B2C is standards-compliant, but any two implementations of these protocols can have subtle differences. Every app that uses Azure AD B2C needs to be registered in your B2C directory in the Azure portal.
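"Verify the End-User's identity" on the app side means checking the ID token B2C hands back, not just decoding it. Here's an added example (our illustration, not Nightborn's code or a Microsoft library) of the claim checks an app should run after the token's signature has been verified against the policy's JWKS: issuer, audience, lifetime, nonce and user flow. The tenant id, client id, nonce and claim values are constructed placeholders; the `tfp` claim naming the user flow is assumed to be present as in B2C v2.0 tokens.

```python
import time


def expected_issuer(tenant_name, tenant_id):
    """Issuer B2C puts in v2.0 tokens: https://{tenant}.b2clogin.com/{tenant-id}/v2.0/"""
    return f"https://{tenant_name}.b2clogin.com/{tenant_id}/v2.0/"


def validate_id_token_claims(claims, *, tenant_name, tenant_id, client_id, policy,
                             nonce, now=None, skew=60):
    """Return the problems found (empty list = claims acceptable).
    Precondition: the signature was already verified with the keys from the
    policy's OpenID Connect metadata (jwks_uri); claims alone prove nothing."""
    now = time.time() if now is None else now
    problems = []
    if claims.get("iss") != expected_issuer(tenant_name, tenant_id):
        problems.append("iss: token was not issued by our B2C tenant")
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        problems.append("aud: token was issued for a different application")
    if "exp" not in claims or now > claims["exp"] + skew:
        problems.append("exp: token expired or missing expiry")
    if "nbf" in claims and now + skew < claims["nbf"]:
        problems.append("nbf: token not valid yet")
    if claims.get("nonce") != nonce:
        problems.append("nonce: does not match the value we sent (possible replay)")
    if claims.get("tfp", policy).lower() != policy.lower():   # tfp = user flow name
        problems.append("tfp: token came from a different user flow than expected")
    if not claims.get("sub"):
        problems.append("sub: missing subject identifier")
    return problems


# Constructed values: the tenant id and client id are placeholders, not real ones.
TENANT, TENANT_ID = "contosob2c", "00000000-0000-0000-0000-000000000000"
CLIENT_ID, POLICY = "11111111-1111-1111-1111-111111111111", "B2C_1_signupsignin"
NONCE, NOW = "n-0S6_WzA2Mj", 1_700_000_000

GOOD_CLAIMS = {
    "iss": expected_issuer(TENANT, TENANT_ID), "aud": CLIENT_ID, "sub": "user-object-id",
    "iat": NOW - 60, "nbf": NOW - 60, "exp": NOW + 3600, "nonce": NONCE, "tfp": POLICY,
}


def check(claims, now=NOW):
    """Validate `claims` against this app's constructed B2C settings."""
    return validate_id_token_claims(claims, tenant_name=TENANT, tenant_id=TENANT_ID,
                                    client_id=CLIENT_ID, policy=POLICY, nonce=NONCE, now=now)
```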
5. Data Anonymization
The General Data Protection Regulation (GDPR) outlines a specific set of rules that protect user data & create transparency. Despite being strict, it allows businesses to gather anonymized data without consent, use it for any purpose, and store it for as long as they like, as long as they cleanse the data of all identifiers. That's where data anonymization comes in...
💡 Data anonymization is the process of protecting private information (Personally Identifiable Information (PII)) by erasing or encrypting the identifiers that connect an individual to stored data. Meaning, you're able to run names, social security numbers or addresses through this process & retain the data while keeping the source anonymous.
How it works
Once we upload a data log to the Microsoft Defender for Cloud Apps portal, the log is sanitized & all username information is replaced with encrypted usernames. This way, all cloud activities are kept anonymous.
🙌 Data anonymization enables us to protect your & your users' privacy.
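To illustrate the "replace every username with an opaque token" step, here's an added example (our own illustration, not Nightborn's code and not how the Defender for Cloud Apps portal is implemented). It pseudonymizes the `user=` field of constructed log lines with a keyed hash (HMAC-SHA256): the same person always gets the same token, so activity can still be correlated, but without the key the token can't be turned back into a name. The log lines and the key are constructed placeholders.

```python
import hashlib
import hmac
import re

USER_FIELD = re.compile(r"\buser=(\S+)")


def pseudonym(username, key):
    """Stable, non-reversible token for a username.
    Keyed hashing: the same user always maps to the same token, but without
    `key` nobody can recompute the mapping or brute-force it from a list of names."""
    normalized = username.strip().lower().encode("utf-8")
    return "u_" + hmac.new(key, normalized, hashlib.sha256).hexdigest()[:16]


def anonymize_line(line, key):
    """Replace the user=... field; everything else in the line is kept."""
    return USER_FIELD.sub(lambda m: "user=" + pseudonym(m.group(1), key), line)


def anonymize_log(lines, key):
    return [anonymize_line(line, key) for line in lines]


# Constructed sample log lines (not real users or files).
SAMPLE_LOG = [
    "2024-01-10T09:12:03Z user=alice@example.com action=login app=SharePoint",
    "2024-01-10T09:13:41Z user=bob@example.com action=download file=q4.xlsx",
    "2024-01-10T09:15:07Z user=Alice@example.com action=share file=plan.docx",
]
# Placeholder key: in production it lives in a vault, separate from the sanitized log.
DEMO_KEY = b"replace-me-with-a-32-byte-secret"

if __name__ == "__main__":
    for line in anonymize_log(SAMPLE_LOG, DEMO_KEY):
        print(line)
```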
Conclusion