CloudAlarm saves you from undesirable and surprising Azure expenses by:
- Alerting if you appear likely to breach your budget based on your current daily spend. This is unlike Azure, which alerts you only once you have consumed a specified percentage of your budget amount. In the latter case, you are likely to receive alert emails every month and you have to calculate manually whether your current spend is within the budget, using the formula numberOfDaysLeft * currentDailySpend + totalConsumedThusFar. With CloudAlarm, this calculation happens automatically every day and you only specify the budget amount.
- Alerting if undesirable usage is detected. You can, for example, set up a New Resource alarm to be notified when any resource is created, or when any resource above a specified service tier is created. Resource alarms are instant compared to budget alarms, because the latter depend on the Azure Usage API, which does not provide the latest usage data in real time.
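As an added example (not CloudAlarm's own code), the Python below carries the budget formula above over a constructed set of per-day usage records. It treats currentDailySpend as the average over the days the Usage API has reported so far (an assumption; the page does not define how that figure is derived) and counts numberOfDaysLeft from the last reported day rather than from today, so days the lagging Usage API has not yet reported neither count as zero spend nor shrink the average.

```python
import calendar
from dataclasses import dataclass
from datetime import date
from typing import Dict


@dataclass
class BudgetProjection:
    consumed: float                  # totalConsumedThusFar
    daily_spend: float               # currentDailySpend (average over reported days)
    days_left: int                   # numberOfDaysLeft after the last reported day
    projected: float                 # numberOfDaysLeft * currentDailySpend + totalConsumedThusFar
    max_daily_to_stay_within: float  # spend per remaining day that still meets the budget
    breach: bool                     # projected month-end spend exceeds the budget


def project_month(usage: Dict[date, float], budget: float) -> BudgetProjection:
    """Project month-end spend from the per-day costs reported so far.

    `usage` maps calendar days of one month to the cost reported for that day.
    Days missing from the map are treated as not yet reported (the Usage API
    lags behind real time), so they are excluded from the average entirely.
    """
    if not usage:
        raise ValueError("no usage data reported yet")
    last_reported = max(usage)  # latest day the API has data for
    days_in_month = calendar.monthrange(last_reported.year, last_reported.month)[1]
    consumed = sum(usage.values())
    daily_spend = consumed / len(usage)
    days_left = days_in_month - last_reported.day
    projected = days_left * daily_spend + consumed
    remaining_budget = budget - consumed
    # With no days left, the month is closed and the per-day ceiling is moot.
    max_daily = remaining_budget / days_left if days_left else 0.0
    return BudgetProjection(
        consumed=round(consumed, 2),
        daily_spend=round(daily_spend, 2),
        days_left=days_left,
        projected=round(projected, 2),
        max_daily_to_stay_within=round(max_daily, 2),
        breach=projected > budget,
    )


def alert_message(usage: Dict[date, float], budget: float) -> str:
    """Render the daily alert decision as a one-line message."""
    p = project_month(usage, budget)
    if p.breach:
        return (f"ALERT: projected {p.projected:.2f} exceeds budget {budget:.2f}; "
                f"keep daily spend under {p.max_daily_to_stay_within:.2f} "
                f"for the remaining {p.days_left} days")
    return f"OK: projected {p.projected:.2f} is within budget {budget:.2f}"


# Constructed sample: the first ten days of June 2024 (a 30-day month) reported.
SAMPLE_USAGE = {
    date(2024, 6, d): cost
    for d, cost in zip(range(1, 11), [10, 12, 14, 10, 12, 14, 10, 12, 14, 12])
}

if __name__ == "__main__":
    print(alert_message(SAMPLE_USAGE, 300.0))
```

With the sample data the average daily spend is 12.0 over 10 reported days, 20 days remain, and the projection is 360.0; a 300.0 budget therefore triggers an alert on day 10 rather than after the budget is exhausted, and the message tells the reader the daily spend (9.0) that would still keep the month within budget.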
Learn more about how CloudAlarm is faster and more useful than Azure cost alerts.
- CloudAlarm is built on ASP.NET Core using the ASPSecurityKit.NetCore framework. Every request goes through the multi-stage security pipeline, and every request that requires access to protected data goes through ASK's activity-data authorization (ADA) checks, ensuring absolute isolation of customers' data from each other.
- Additionally, CloudAlarm leveraged the Premium source package and got the following features out of the box as source code, saving considerable development time:
- Two-factor – we have kept the simple email-based 2FA that comes with the package as is, considering the validation (product-market fit) stage of the CloudAlarm product. It is not difficult to add other mediums such as TOTP/SMS/call-based methods when needed, as the overall 2FA workflow is in place.
- Account Management – we only needed to add the business/organization tab (for people signing up to represent their organizations) to the existing account management feature, which already came with tabs for changing password/email/personal details/firewall/2FA settings. If we need to collect more personal or other info, we can modify the existing tabs or add new ones.
- Email Verification (upon sign up and change of email) and Forgot Password. Even Sign up and Sign in were reused with little modification – we added the Type of Account field (individual/business), and fields to collect additional info when the type is business, to the sign up page.
- CloudAlarm supports two kinds of accounts – individual and business/organization. For the latter it supports a team feature, which lets businesses set up users and grant them access to Azure subscriptions so they can manage alarms and receive alerts for them. This feature is built on the user management and permit management features that come with the Premium source package.
SuperFinance (SF) is a multi-tenant SaaS web platform prototype that offers the following capabilities to banking institutions and customers:
- Self-service interfaces for banking institutions to set up the bank – including account types, branches, and branch staff – and also to create and manage customer accounts and perform cash deposit and withdrawal requests.
- Self-service interfaces for banking customers to register, open accounts in any available bank, perform transfers, view transactions, manage account nominees (beneficiaries), etc.
Being a financial app, the importance of security for SF cannot be overstated, because leakage of data can result in people losing real money. Leveraging ASK's various features, in this first iteration of the prototype we employ the following security controls:
- Credential-based authentication using safe AuthCookie token-based sessions. Being an MVC web app, this is the most obvious choice. If SF were built as an API backend, we would use the HMAC token instead.
- If the bank detects suspicious activity such as the hijacking of a customer account, it can block the password, and the customer will then need to reset their password to log in.
- A bank can impose a password expiration policy by specifying the desired duration (in days) after which all users are required to change their password on login before continuing with their activities.
Users and Access Control
SF has different kinds of user roles, such as Bank Owner, Branch Manager, Branch Staff, Account Holder, and Nominee (Beneficiary). It employs Activity-Data Authorization (ADA) to securely serve these users according to their privileges, and to isolate and protect the data of banks and customers.
- SF leverages ASK's IP firewall feature to give banks the ability to restrict access to the staff portal to whitelisted networks or IPs only.
- Account holders also get the firewall feature for their individual user contexts.
To keep things simple for the prototype, SF implements a simple email-based 2FA mechanism that leverages ASK's MFA feature. In a real-world application, you can change the 2FA method to SMS or TOTP based – the MFA checks of ASK's pipeline are agnostic of the method used for multi-factor token delivery.
While 2FA is available for both customers and banking staff users, banks have the option to enforce 2FA on their staff users.
Cross-Site Scripting (XSS)
Leveraging ASK's XSS feature, SuperFinance denies all requests that contain potentially dangerous characters. Following the guidelines, user data (such as names) is injected into emails only after proper escaping of potential XSS characters.
- A bank can suspend its staff users, and the system will deny login to such users. Since account holders are independent of the ownership of any particular bank on the platform, banks cannot suspend them.
- Leveraging the entity suspension feature, the bank can however suspend individual bank accounts for reasons such as KYC required or suspicious transaction, and the owning customer cannot perform transfers or create nominees for a suspended account. Customers can still view the account and upload the required documents so that the bank can lift the suspension. Exclusion rules help configure which level of employee at the bank can lift a particular kind of suspension. For example, if
KYCRequired is the reason, the suspension can be lifted even by the
Freezed accounts require the head office to lift the suspension.
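The two checks described above, account-level isolation under ADA and the exclusion rules that decide who may lift a suspension, are shown below as an added Python example; it is not SuperFinance's or ASK's code, and the role names, the activity names and the minimum staff level for the KYCRequired and SuspiciousTransaction reasons are assumptions (the page fixes only that Freezed accounts need the head office). The point it makes is ordering: tenant isolation (the actor must be staff of the bank that owns the account) is checked before the role level, so a head-office user of one bank can never lift a suspension on another bank's account.

```python
from dataclasses import dataclass
from enum import Enum, IntEnum
from typing import Optional, Tuple


class Role(IntEnum):
    """Ordered so that a higher value means a higher level of bank staff (assumed names)."""
    ACCOUNT_HOLDER = 0      # customer; independent of any bank
    BRANCH_STAFF = 1
    BRANCH_MANAGER = 2
    HEAD_OFFICE = 3         # bank owner / head office


class Suspension(Enum):
    KYC_REQUIRED = "KYCRequired"
    SUSPICIOUS_TRANSACTION = "SuspiciousTransaction"
    FREEZED = "Freezed"


# Exclusion rules: the lowest staff level allowed to lift each kind of suspension.
# Only the Freezed row comes from the page; the other two levels are assumed.
LIFT_RULES = {
    Suspension.KYC_REQUIRED: Role.BRANCH_STAFF,
    Suspension.SUSPICIOUS_TRANSACTION: Role.BRANCH_MANAGER,
    Suspension.FREEZED: Role.HEAD_OFFICE,
}

# Activities the owning customer keeps while the account is suspended (assumed names).
ALLOWED_WHILE_SUSPENDED = frozenset({"view_account", "upload_documents"})


@dataclass(frozen=True)
class User:
    id: str
    role: Role
    bank_id: Optional[str] = None   # None for account holders


@dataclass(frozen=True)
class BankAccount:
    id: str
    bank_id: str
    holder_id: str
    suspension: Optional[Suspension] = None


def can_lift_suspension(actor: User, account: BankAccount) -> Tuple[bool, str]:
    """Decide whether `actor` may lift the suspension on `account`.

    Data isolation is checked before the role rule: the actor must be staff of
    the bank that owns the account, whatever their level.
    """
    if account.suspension is None:
        return False, "account is not suspended"
    if actor.role == Role.ACCOUNT_HOLDER or actor.bank_id is None:
        return False, "customers cannot lift suspensions"
    if actor.bank_id != account.bank_id:
        return False, "actor belongs to a different bank"
    required = LIFT_RULES[account.suspension]
    if actor.role < required:
        return False, f"{account.suspension.value} requires {required.name}"
    return True, "allowed"


def customer_may(actor: User, account: BankAccount, activity: str) -> bool:
    """Activity-data check for a customer acting on a possibly suspended account."""
    if actor.id != account.holder_id:
        return False                   # not the account's owner: deny regardless of state
    if account.suspension is None:
        return True
    return activity in ALLOWED_WHILE_SUSPENDED


# Constructed sample users and accounts across two banks.
STAFF_A = User("u1", Role.BRANCH_STAFF, bank_id="bankA")
MANAGER_A = User("u2", Role.BRANCH_MANAGER, bank_id="bankA")
HEAD_A = User("u3", Role.HEAD_OFFICE, bank_id="bankA")
HEAD_B = User("u4", Role.HEAD_OFFICE, bank_id="bankB")
CUSTOMER = User("c1", Role.ACCOUNT_HOLDER)
KYC_ACCOUNT = BankAccount("acc1", "bankA", "c1", Suspension.KYC_REQUIRED)
FROZEN_ACCOUNT = BankAccount("acc2", "bankA", "c1", Suspension.FREEZED)

if __name__ == "__main__":
    for who in (STAFF_A, MANAGER_A, HEAD_A, HEAD_B, CUSTOMER):
        print(who.id, can_lift_suspension(who, FROZEN_ACCOUNT))
```

Returning a reason string alongside the decision is deliberate: a denied lift attempt by a user from another bank is worth logging differently from a branch-level user who simply lacks the required level, and the caller can audit both without re-deriving the rule.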
Other Controls and Workflows
The following features were implemented based on the Premium source package.
- Account Management – came with tabs for changing password/email/personal details/firewall/2FA settings. If we need to collect more personal or other info, we can modify the existing tabs or add new ones.
- Email Verification (upon sign up and change of email) and Forgot Password. Even Sign up and Sign in were reused with little modification.