Deployment Security

This section covers infrastructure and deployment security measures, including network security, transport security, container security, and infrastructure hardening.

Transport Security

TLS/SSL Requirements

  • TLS 1.2+ Required: All communications must use TLS 1.2 or higher

  • Certificate Management: SSL certificates managed via cloud certificate services or on-premises PKI

  • HSTS Headers: HTTP Strict Transport Security headers enabled

  • HTTPS Enforcement: All client-to-backend and backend-to-FIDO2-server communications use HTTPS in production
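An added example, not code from the Arculus project, showing how a client or a smoke test can enforce the two requirements above: refuse anything below TLS 1.2 and confirm the HSTS header is present with a usable max-age. The header samples and the one-year max-age floor are assumptions for the example.

```python
import ssl
from typing import Dict, List

# Constructed sample responses (not captured from the Arculus deployment).
HEADERS_GOOD = {"Strict-Transport-Security": "max-age=31536000; includeSubDomains",
                "Content-Type": "application/json"}
HEADERS_BAD = {"Content-Type": "application/json"}

# Assumed floor for HSTS max-age (one year); the page only requires HSTS be enabled.
MIN_HSTS_MAX_AGE = 31536000


def client_context() -> ssl.SSLContext:
    """TLS client context that refuses anything below TLS 1.2 while keeping
    the default chain and hostname validation enabled."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def parse_hsts(value: str) -> Dict[str, str]:
    """Split an HSTS header value into a {directive: value} map (lowercased keys)."""
    directives = {}
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        if name:
            directives[name.lower()] = val.strip()
    return directives


def check_transport(headers: Dict[str, str], tls_version: str) -> List[str]:
    """Return findings for one response; an empty list means compliant.
    tls_version is the string ssl.SSLSocket.version() reports, e.g. 'TLSv1.2'."""
    findings = []
    if tls_version not in ("TLSv1.2", "TLSv1.3"):
        findings.append(f"negotiated {tls_version}; TLS 1.2 or higher is required")
    lowered = {k.lower(): v for k, v in headers.items()}
    hsts = lowered.get("strict-transport-security")
    if hsts is None:
        findings.append("Strict-Transport-Security header missing")
        return findings
    max_age = parse_hsts(hsts).get("max-age", "0")
    if not max_age.isdigit() or int(max_age) < MIN_HSTS_MAX_AGE:
        findings.append(f"HSTS max-age {max_age!r} is below {MIN_HSTS_MAX_AGE}")
    return findings
```

Use client_context() for any outbound HTTPS call (for example backend to FIDO2 server) and feed the negotiated version plus the response headers into check_transport() from a post-deploy check.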

Certificate Management

SSL/TLS certificates should be managed through:

  • Cloud Certificate Services: AWS Certificate Manager (ACM), Azure Key Vault, Google Cloud Certificate Manager

  • On-Premises PKI: Enterprise PKI infrastructure for internal deployments

  • Certificate Rotation: Automated certificate rotation and renewal

  • Certificate Validation: Proper certificate chain validation

Network Security

Network Architecture

  • Private Subnets: Compute resources deployed in private subnets

  • Network Security Groups/Firewalls: Minimal access rules

  • Load Balancer: SSL/TLS termination and traffic routing

  • No Direct Internet Access: Backend services not directly exposed to internet

  • FIDO2 Server Binding: FIDO2 server should bind to localhost/127.0.0.1 only (not exposed to internet)

Firewall Configuration

Configure firewalls and security groups with minimal required access:

  • Load Balancer: Only allow HTTPS (443) from internet

  • Backend Services: Only allow traffic from load balancer

  • FIDO2 Server: Only allow traffic from backend services (localhost/127.0.0.1)

  • Database: Only allow traffic from application containers

  • No Public IPs: Backend services should not have public IP addresses
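An added example (not part of the Arculus documentation) of a host-level check for the binding and firewall rules above: it parses `ss -ltn`-style output and flags a FIDO2 server that is not bound to loopback, services exposed on all interfaces whose source must be restricted by a security group, and listeners nobody expected. The port numbers, role names and the sample output are assumptions constructed for the example.

```python
import re
from typing import List, Tuple

# Constructed sample in the layout of `ss -ltn` output (not captured from a real host).
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       128     0.0.0.0:8080         0.0.0.0:*
LISTEN  0       128     0.0.0.0:3000         0.0.0.0:*
LISTEN  0       128     [::]:27017           [::]:*
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*
"""

# Assumed port-to-role map and the only source each role may accept traffic from;
# the Arculus docs state the rules but not these port numbers.
EXPECTED = {
    8080: ("fido2-server", "loopback"),
    3000: ("backend-api", "load balancer"),
    27017: ("mongodb", "application containers"),
}
LOOPBACK = {"127.0.0.1", "[::1]"}
WILDCARD = {"0.0.0.0", "[::]", "*"}
LISTEN_RE = re.compile(r"^LISTEN\s+\d+\s+\d+\s+(\S+):(\d+)\s")


def parse_listeners(text: str) -> List[Tuple[str, int]]:
    """Extract (local address, port) pairs from ss-style LISTEN lines."""
    found = []
    for line in text.splitlines():
        m = LISTEN_RE.match(line)
        if m:
            found.append((m.group(1), int(m.group(2))))
    return found


def audit_listeners(text: str) -> List[str]:
    """Flag listeners that violate the firewall/binding rules; [] means clean."""
    findings = []
    for addr, port in parse_listeners(text):
        if port not in EXPECTED:
            findings.append(f"port {port} on {addr}: unexpected listener")
            continue
        role, source = EXPECTED[port]
        if source == "loopback" and addr not in LOOPBACK:
            findings.append(f"port {port} on {addr}: {role} must bind to 127.0.0.1 only")
        elif addr in WILDCARD:
            findings.append(f"port {port} on {addr}: {role} listens on all interfaces;"
                            f" security group must limit source to {source}")
    return findings
```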

Container Security

Container Hardening

  • Non-Root Execution: Containers run as non-root user

  • Minimal Base Images: Reduced attack surface (use official minimal images)

  • Read-Only Filesystems: Optional read-only root filesystem

  • Resource Limits: CPU and memory limits configured

  • No Privileged Mode: Containers should not run in privileged mode

  • Seccomp Profiles: Use security profiles to restrict system calls
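An added example (not the project's own tooling) that turns the hardening list above into a pre-deploy policy check over compose-style service definitions: it reports privileged mode, root execution, a writable root filesystem, missing CPU/memory limits and the absence of an explicit seccomp profile. The service definitions, image names and profile path are constructed assumptions.

```python
from typing import Any, Dict, List

# Constructed compose-style service definitions, as they would look after parsing
# docker-compose.yml; these are not the project's real deployment files.
SERVICES: Dict[str, Dict[str, Any]] = {
    "fido2-server": {
        "image": "example/fido2-server:1.4.2",
        "user": "1000:1000",
        "read_only": True,
        "deploy": {"resources": {"limits": {"cpus": "0.50", "memory": "256M"}}},
        "security_opt": ["no-new-privileges:true", "seccomp=seccomp/fido2.json"],
    },
    "backend": {
        "image": "example/backend:2.0.0",
        "privileged": True,
    },
}


def audit_service(name: str, svc: Dict[str, Any]) -> List[str]:
    """Check one service against the hardening rules above; [] means clean."""
    findings = []
    if svc.get("privileged"):
        findings.append(f"{name}: privileged mode enabled")
    user = str(svc.get("user", ""))
    if user in ("", "root", "0") or user.startswith(("0:", "root:")):
        findings.append(f"{name}: runs as root (set a non-root 'user')")
    if not svc.get("read_only"):
        findings.append(f"{name}: root filesystem writable (read_only not set)")
    limits = svc.get("deploy", {}).get("resources", {}).get("limits", {})
    if "cpus" not in limits or "memory" not in limits:
        findings.append(f"{name}: CPU and/or memory limits missing")
    opts = svc.get("security_opt", [])
    if not any(o.startswith("seccomp=") for o in opts):
        findings.append(f"{name}: no explicit seccomp profile (runtime default applies)")
    return findings


def audit_all(services: Dict[str, Dict[str, Any]]) -> List[str]:
    """Run audit_service over every service in the compose file."""
    findings = []
    for name, svc in services.items():
        findings.extend(audit_service(name, svc))
    return findings
```

Because the page lists the read-only root filesystem as optional, treat that finding as advisory and the others as blocking when wiring this into CI.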

Container Image Security

  • Image Scanning: Regular vulnerability scanning of container images

  • Base Image Updates: Keep base images updated with security patches

  • Minimal Dependencies: Only include required dependencies

  • Multi-Stage Builds: Use multi-stage builds to reduce final image size

  • Image Signing: Sign container images for integrity verification

For container security best practices, see 3.2 Docker Configuration.

Data Security

Credential Storage

  • Encrypted Storage: FIDO2 credentials stored in MongoDB with encryption at rest

  • No Password Storage: Only public keys and credential metadata stored

  • Secure Element: Private keys never leave the hardware authenticator

  • Database Encryption: Database connections use TLS, data encrypted at rest

Secrets Management

Store sensitive configuration in a secrets management service rather than in application code or config files:

  • Database Credentials: Connection strings and authentication credentials

  • API Keys: External service API keys

  • JWT Signing Secrets: JWT token signing keys

  • Certificate Private Keys: SSL/TLS certificate private keys

  • FIDO2 Server Configuration: Sensitive FIDO2 server settings

Best Practices:

  • Never hardcode secrets in code or configuration files

  • Use secrets management services (AWS Secrets Manager, Azure Key Vault, HashiCorp Vault)

  • Rotate secrets regularly

  • Use least-privilege access for secrets

  • Audit secret access

Infrastructure Security

Compute Security

  • Auto-Scaling: Configure auto-scaling to handle load spikes

  • Health Checks: Enable health checks for all services

  • Resource Limits: Configure CPU and memory limits

  • Instance Hardening: Apply OS-level security hardening

  • Patch Management: Regular security patch updates

Monitoring and Logging

  • Security Event Logging: Log all security-relevant events

  • Access Logging: Log all access attempts and authentication events

  • Error Logging: Log errors without exposing sensitive data

  • Monitoring: Real-time monitoring of security metrics

  • Alerting: Configure alerts for security incidents

  • Log Retention: Appropriate log retention policies

Backup and Recovery

  • Regular Backups: Automated backups of database and configuration

  • Backup Encryption: Encrypt backups at rest

  • Recovery Testing: Regular testing of backup and recovery procedures

  • Disaster Recovery: Documented disaster recovery procedures

Deployment Security Best Practices

General Deployment

  • Deploy in Private Subnets: Backend services in private subnets

  • Use Network Security Groups/Firewalls: Minimal access rules

  • Enable SSL/TLS Termination: At load balancer

  • Use Secrets Management Services: Never hardcode secrets

  • Configure Resource Limits: CPU and memory limits for containers

  • Enable Monitoring and Alerting: Comprehensive monitoring and security alerting

  • FIDO2 Server Binding: Bind FIDO2 server to localhost/127.0.0.1 only

  • Container Security: Use non-root containers, minimal base images, read-only filesystems

Cloud-Specific Security

AWS:

  • Use AWS Security Groups with least-privilege rules

  • Enable AWS CloudTrail for audit logging

  • Use AWS WAF for web application firewall

  • Enable AWS GuardDuty for threat detection

  • Use AWS Secrets Manager for secrets

Azure:

  • Use Network Security Groups (NSG) with minimal rules

  • Enable Azure Monitor and Azure Security Center

  • Use Azure Key Vault for secrets

  • Enable Azure DDoS Protection

Google Cloud:

  • Use VPC firewall rules with least-privilege access

  • Enable Cloud Security Command Center

  • Use Google Secret Manager for secrets

  • Enable Cloud Armor for DDoS protection

Security Compliance

The Arculus Authentication system supports:

  • FIDO2/WebAuthn Level 2: Full compliance with WebAuthn specification

  • FIDO L1+ Certification: Hardware authenticator certification

  • Industry Standards: Adherence to security best practices