5

Background

In normal bare-metal hosting (IIS) we can use Integrated Security (e.g., with AD), and hence the config entry does not contain the connection string's plain text password. Or we can encrypt the connection string and use a secure key store to secure the encryption key.

Question

In a cloud hosting environment (e.g., Azure, AWS), how can we secure this connection string? Normally we have only a control panel to upload the required files and the ability to perform other minimal configuration. And most of the time, we need to access a DB in a different location with credentials. How can we secure our connection string in the config file without using plain text credentials? If we encrypt the connection string, how can we secure the key?

user3496510

1 Answer

4

In Azure, you have several options. One is Azure Key Vault, which is an HSM-backed secret storage service. Another, if you're using Azure Web Applications or App Services, is a configuration section in the portal specifically for storing application settings and connection strings.

I know AWS also offers HSM as a Service products, and I imagine they have analogous configuration management tools as well.

The other option you have if you're using IaaS instead of PaaS, is to continue using integrated authentication. When your environment is simply a bunch of VMs in the cloud, you can set them up just as you would a bunch of VMs in your data center.

Xander
  • Doesn't integrated security require an Active Directory domain? – oɔɯǝɹ Jul 14 '17 at 07:29
  • It isn't required, just preferable. Even at that, setting up a domain and DC in the cloud for your app servers is straightforward and common. – Xander Jul 14 '17 at 11:03
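
A pre-deployment check for the concern raised in the question, as an added example that is not part of the original question or answer: it parses a `web.config` and reports which `<connectionStrings>` entries still carry a plaintext password, which use integrated security, and whether the section is encrypted. The sample config, the names `audit_config` and `parse_connection_string`, and the finding labels are constructed for illustration; the key/value split is simplified and does not handle semicolons inside quoted values.

```python
import xml.etree.ElementTree as ET

# Constructed sample web.config, not taken from the page.
SAMPLE_CONFIG = """<configuration>
  <connectionStrings>
    <add name="Orders" connectionString="Server=db1;Database=Orders;Integrated Security=SSPI;" />
    <add name="Reports" connectionString="Server=db2;Database=Rpt;User Id=app;Password=CONSTRUCTED-EXAMPLE;" />
    <add name="Audit" connectionString="Server=db3;Database=Audit;User Id=app;Pwd=;" />
  </connectionStrings>
</configuration>"""

PASSWORD_KEYS = ("password", "pwd")
INTEGRATED_VALUES = {"true", "yes", "sspi"}


def parse_connection_string(value):
    """Split 'Key=Value;Key=Value' into a dict with lower-cased keys."""
    pairs = {}
    for part in value.split(";"):
        key, sep, val = part.partition("=")
        if sep:
            pairs[key.strip().lower()] = val.strip().strip("'\"")
    return pairs


def audit_config(xml_text):
    """Return {entry name: finding} for the <connectionStrings> section."""
    section = ET.fromstring(xml_text).find("connectionStrings")
    if section is None:
        return {}
    # A protected section carries configProtectionProvider and <EncryptedData>
    # instead of readable <add> entries.
    if section.get("configProtectionProvider"):
        return {"<section>": "encrypted"}
    findings = {}
    for entry in section.findall("add"):
        pairs = parse_connection_string(entry.get("connectionString", ""))
        integrated = any(pairs.get(k, "").lower() in INTEGRATED_VALUES
                         for k in ("integrated security", "trusted_connection"))
        if any(pairs.get(k) for k in PASSWORD_KEYS):
            findings[entry.get("name")] = "plaintext-password"
        elif integrated:
            findings[entry.get("name")] = "integrated-security"
        else:
            findings[entry.get("name")] = "no-credentials"
    return findings


if __name__ == "__main__":
    for name, finding in audit_config(SAMPLE_CONFIG).items():
        print(f"{name}: {finding}")
```

An entry reported as `plaintext-password` is a candidate for moving into the platform's connection-string settings or a secret store such as Key Vault, as the answer describes.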