Infrastructure as a Service (IaaS) clouds present a distinct set of security challenges and risks. Public clouds are high-profile targets, so it is critically important that resources in the cloud be hardened as far as possible. While the same could be said of any large enterprise’s on-premises resources, securing resources in the cloud requires a somewhat different approach from the one used on-premises.
For example, there are certain infrastructure layers that cloud providers do not expose to tenants. At the same time, cloud providers might also supply tenants with tools that are specifically designed to help improve the security of resources in the cloud.
Whatever the specific configuration of your infrastructure, there are a number of things that IT pros can do right now to mitigate the security vulnerabilities of the cloud and keep data and applications secure from intruders.
Port Rules for Cloud Workloads
One of the easiest things you can do to reduce the risk to virtual machine instances in the cloud is to pay close attention to port rules. Most modern operating systems have a built-in firewall, and configuring that firewall has long been standard practice. In addition, however, cloud providers commonly provide software firewalls that reside outside of a virtual machine’s operating system.
AWS, for example, allows a security group to be associated with every virtual machine instance. Although the phrase “security group” has long referred to a group of user accounts that is granted permissions through access control lists, an AWS security group is a collection of port rules.
From a security standpoint, it is a good idea to group your virtual machine instances into roles, and then create a security group for each role. As an example, you might create one security group for domain controllers, another security group for web servers, and so on.
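To make the one-security-group-per-role idea concrete, the following is an added example in Python (not code from the original post or from AWS). It audits constructed, AWS-style security group rules against a per-role allow-list of ports that may legitimately be exposed to 0.0.0.0/0: a web server group may expose 80 and 443, a domain controller group may expose nothing. The group names, the roles and the `INTERNET_FACING_PORTS` policy are assumptions made for the example, and the rule data is constructed rather than exported from a real account.

```python
"""Audit AWS-style security group ingress rules against per-role expectations.

Added example, not from the original article.  Group names, roles and the
INTERNET_FACING_PORTS policy are assumptions; the rules are constructed data.
"""
from dataclasses import dataclass, field

ANYWHERE = "0.0.0.0/0"


@dataclass(frozen=True)
class Rule:
    protocol: str    # "tcp", "udp" or "-1" (all protocols, as AWS spells it)
    from_port: int
    to_port: int
    cidr: str        # source CIDR the rule admits


@dataclass
class SecurityGroup:
    name: str
    role: str
    ingress: list = field(default_factory=list)


# Ports each role may expose to the whole Internet; anything else reachable
# from 0.0.0.0/0 is a finding.  (Assumed policy for this example.)
INTERNET_FACING_PORTS = {
    "web-server": {80, 443},
    "domain-controller": set(),   # never reachable from the Internet
    "bastion": {22},
}


def covers(rule: Rule, port: int) -> bool:
    """True if the rule admits traffic to `port` (protocol -1 matches every port)."""
    return rule.protocol == "-1" or rule.from_port <= port <= rule.to_port


def world_open_findings(group: SecurityGroup) -> list:
    """Findings for rules open to 0.0.0.0/0 that the group's role may not expose."""
    allowed = INTERNET_FACING_PORTS.get(group.role)
    if allowed is None:
        return [f"{group.name}: unknown role '{group.role}', no policy defined"]
    findings = []
    for rule in group.ingress:
        if rule.cidr != ANYWHERE:
            continue                       # restricted source: fine for this check
        if rule.protocol == "-1":
            findings.append(f"{group.name}: all protocols/ports open to {ANYWHERE}")
            continue
        exposed = set(range(rule.from_port, rule.to_port + 1)) - allowed
        if exposed:
            findings.append(
                f"{group.name}: {rule.protocol} {rule.from_port}-{rule.to_port} open to "
                f"{ANYWHERE} (role '{group.role}' may expose {sorted(allowed) or 'nothing'})")
    return findings


def audit(groups) -> dict:
    """Map each group name to its list of findings (empty list means clean)."""
    return {g.name: world_open_findings(g) for g in groups}


# Constructed sample groups: one clean, two with classic misconfigurations.
SAMPLE_GROUPS = [
    SecurityGroup("sg-web", "web-server", [
        Rule("tcp", 80, 80, ANYWHERE),
        Rule("tcp", 443, 443, ANYWHERE),
        Rule("tcp", 22, 22, "10.0.1.0/24"),     # admin SSH only from the bastion subnet
    ]),
    SecurityGroup("sg-dc", "domain-controller", [
        Rule("tcp", 88, 88, "10.0.0.0/16"),     # Kerberos from the VPC only
        Rule("tcp", 389, 389, "10.0.0.0/16"),   # LDAP from the VPC only
        Rule("tcp", 3389, 3389, ANYWHERE),      # misconfiguration: RDP open to the world
    ]),
    SecurityGroup("sg-legacy", "web-server", [
        Rule("-1", 0, 65535, ANYWHERE),         # misconfiguration: everything open
    ]),
]

if __name__ == "__main__":
    for name, findings in audit(SAMPLE_GROUPS).items():
        print(name, "OK" if not findings else "\n  " + "\n  ".join(findings))
```

Running the block prints `sg-web OK` and one finding each for `sg-dc` and `sg-legacy`. The same loop works unchanged over real groups if the `Rule` objects are built from a provider's rule export, because the role-to-ports policy, not the rule data, is what encodes the intent.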
Multi-Factor Authentication in Your Cloud
Although cloud providers will allow users to log in using nothing more than a username and password, the major cloud providers also support multi-factor authentication. Even if logistical constraints prevent you from using multi-factor authentication to secure end user accounts, administrators should definitely require multi-factor authentication for the root account.
Cloud Security: Take Another Look at Access Control
Another thing to consider when it comes to the hardening of cloud resources is that cloud providers might enhance access controls beyond what you are used to on-premises. Let me give you an example.
In a Windows Server environment, administrators have long been discouraged from directly granting a user access to a resource. Instead, users should be added to security groups. These groups can then be granted permission to access various resources. While you can still use this approach to provide users with access to cloud resources, there are sometimes additional access control options available. The AWS Identity and Access Management feature, for instance, lets you set up conditional access to resources. As one example, users can be restricted from accessing resources based on their IP address, the time of day, and even whether or not their connection is SSL enabled.
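The conditional access described above can be modelled end to end. The following is an added example in Python (not code from the original post and not the IAM engine itself) that evaluates a constructed IAM-style policy against several request contexts. The policy uses the real AWS global condition keys `aws:SourceIp`, `aws:SecureTransport` and `aws:CurrentTime`; note that `aws:CurrentTime` is an absolute timestamp, so a "time of day" restriction is expressed as a date window. The bucket name, the IP ranges and the simplified evaluation logic (explicit Deny wins, then any matching Allow, otherwise implicit deny) are assumptions for the example.

```python
"""Evaluate IAM-style conditional access: source IP, TLS and a time window.

Added example, not from the original article or from AWS.  The policy is a
constructed document using real AWS condition keys; the evaluator is a
simplified model of IAM's Deny-wins / Allow / implicit-deny logic.
"""
import ipaddress
from datetime import datetime
from fnmatch import fnmatchcase

POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            # Read access only from the office range, over TLS, inside a window.
            "Sid": "ReadReportsFromOfficeDuringWindow",
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:ListBucket"],
            "Resource": ["arn:aws:s3:::example-reports", "arn:aws:s3:::example-reports/*"],
            "Condition": {
                "IpAddress": {"aws:SourceIp": ["203.0.113.0/24"]},
                "Bool": {"aws:SecureTransport": "true"},
                "DateGreaterThan": {"aws:CurrentTime": "2024-06-01T08:00:00Z"},
                "DateLessThan": {"aws:CurrentTime": "2024-06-01T18:00:00Z"},
            },
        },
        {
            # Explicit deny of any plaintext request, whatever an Allow says.
            "Sid": "DenyInsecureTransport",
            "Effect": "Deny",
            "Action": "s3:*",
            "Resource": "*",
            "Condition": {"Bool": {"aws:SecureTransport": "false"}},
        },
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _ts(text):
    # aws:CurrentTime is an absolute ISO 8601 timestamp, not a time of day.
    return datetime.fromisoformat(text.replace("Z", "+00:00"))


def _condition_met(operator, key, expected, ctx):
    """Evaluate one operator/key pair of a Condition block against the request."""
    actual = ctx.get(key)
    if actual is None:        # missing key fails the condition (...IfExists not modelled)
        return False
    if operator == "IpAddress":
        ip = ipaddress.ip_address(actual)
        return any(ip in ipaddress.ip_network(c) for c in _as_list(expected))
    if operator == "Bool":
        return str(actual).lower() == str(expected).lower()
    if operator == "DateGreaterThan":
        return _ts(actual) > _ts(expected)
    if operator == "DateLessThan":
        return _ts(actual) < _ts(expected)
    raise ValueError(f"condition operator {operator!r} not modelled here")


def _statement_applies(st, action, resource, ctx):
    """Action, Resource and every Condition must all match for a statement to apply."""
    patterns = [a.lower() for a in _as_list(st["Action"])]   # IAM actions are case-insensitive
    if not any(fnmatchcase(action.lower(), p) for p in patterns):
        return False
    if not any(fnmatchcase(resource, r) for r in _as_list(st["Resource"])):
        return False
    return all(_condition_met(op, key, exp, ctx)
               for op, block in st.get("Condition", {}).items()
               for key, exp in block.items())


def is_allowed(policy, action, resource, ctx):
    """Explicit Deny wins; otherwise any applicable Allow grants; otherwise implicit deny."""
    applicable = [st for st in _as_list(policy["Statement"])
                  if _statement_applies(st, action, resource, ctx)]
    if any(st["Effect"] == "Deny" for st in applicable):
        return False
    return any(st["Effect"] == "Allow" for st in applicable)


# Constructed request contexts: one in-policy request and three variations.
OFFICE_TLS_IN_WINDOW = {"aws:SourceIp": "203.0.113.45",
                        "aws:SecureTransport": "true",
                        "aws:CurrentTime": "2024-06-01T10:30:00Z"}
FROM_OTHER_IP = {**OFFICE_TLS_IN_WINDOW, "aws:SourceIp": "198.51.100.7"}
PLAINTEXT = {**OFFICE_TLS_IN_WINDOW, "aws:SecureTransport": "false"}
AFTER_HOURS = {**OFFICE_TLS_IN_WINDOW, "aws:CurrentTime": "2024-06-01T22:00:00Z"}

if __name__ == "__main__":
    obj = "arn:aws:s3:::example-reports/q2.pdf"
    for label, ctx in [("office/TLS/in window", OFFICE_TLS_IN_WINDOW), ("other IP", FROM_OTHER_IP),
                       ("plaintext", PLAINTEXT), ("after hours", AFTER_HOURS)]:
        print(f"{label:22} -> {'ALLOW' if is_allowed(POLICY, 's3:GetObject', obj, ctx) else 'DENY'}")
```

Only the first context is allowed; the other three are refused for different reasons (the Allow's IP or date condition fails, or the explicit TLS Deny applies). The separate `DenyInsecureTransport` statement is the important design point: a condition on an Allow only narrows that grant, whereas an explicit Deny applies no matter what other statements later grant.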
Review Cloud Storage Permissions
One of the big differences between cloud storage and on-premises storage arrays is that cloud storage is directly accessible from the Internet. Sure, enterprise networks are attached to the Internet, and it may therefore be possible for someone on the Internet to work their way through your network and eventually reach a storage array. In the case of cloud storage, however, there is often a URL that acts as a direct point of entry into your storage.
Because cloud storage is so easy to reach, it is essential that admins take the time to make sure that storage-level permissions have been set correctly. Specifically, the permissions should deny public access unless there is a compelling reason to do otherwise. If public access is required, it is best to create a separate storage bucket for those resources rather than mixing public and private data within a single bucket.
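The review of storage permissions recommended above can be automated. The following is an added example in Python (not code from the original post or from AWS) that inspects constructed S3-style bucket policies, reports every Allow statement reachable by an anonymous caller, and compares that with the operator's declared intent and the bucket's Block Public Access settings. It covers the three cases the text describes: a private bucket, the mixed public/private bucket the text warns against, and a dedicated public bucket. The bucket names and the account id `111122223333` are placeholders, and the set of condition keys treated as "restricting" is an assumption for the example.

```python
"""Audit cloud storage bucket policies for unintended public access.

Added example, not from the original article.  The policy documents are
constructed S3-style bucket policies; bucket names and the account id
111122223333 are placeholders, not real resources.
"""


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _is_anonymous(principal) -> bool:
    """S3 treats Principal "*" and {"AWS": "*"} as anyone, including unauthenticated callers."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


# Condition keys that narrow an everyone-Allow enough that it is no longer
# reachable from the whole Internet (assumed list for this example).
RESTRICTING_KEYS = {"aws:SourceIp", "aws:SourceVpc", "aws:SourceVpce", "aws:PrincipalOrgID"}

# The four S3 Block Public Access settings; a private bucket should enable all of them.
BPA_SETTINGS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")


def public_statements(policy) -> list:
    """Sids of Allow statements that any anonymous Internet caller can use."""
    found = []
    for idx, st in enumerate(_as_list(policy.get("Statement", []))):
        if st.get("Effect") != "Allow" or not _is_anonymous(st.get("Principal")):
            continue                                  # Deny statements are never public access
        cond_keys = {k for block in st.get("Condition", {}).values() for k in block}
        if cond_keys & RESTRICTING_KEYS:
            continue
        found.append(st.get("Sid", f"Statement[{idx}]"))
    return found


def audit_bucket(name, policy, block_public_access, intended_public) -> list:
    """Compare what the policy grants with the operator's declared intent for the bucket."""
    findings = []
    public = public_statements(policy)
    missing_bpa = [s for s in BPA_SETTINGS if not block_public_access.get(s, False)]
    if public and not intended_public:
        findings.append(f"{name}: private bucket has public statements {public}")
    if not intended_public and missing_bpa:
        findings.append(f"{name}: Block Public Access settings not enabled: {missing_bpa}")
    if intended_public and not public:
        findings.append(f"{name}: meant to be public but no statement grants public read")
    return findings


# --- constructed sample buckets -------------------------------------------
PRIVATE_DATA = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AppRoleRead", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111122223333:role/app-role"},
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-private-data/*"},
        # A Deny with Principal "*" is the TLS-only guard, not a public grant.
        {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
         "Action": "s3:*", "Resource": "arn:aws:s3:::example-private-data/*",
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    ],
}
# Anti-pattern from the text: public and private objects mixed in one bucket.
MIXED_REPORTS = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AppRoleRead", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111122223333:role/app-role"},
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-reports/*"},
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-reports/public/*"},
    ],
}
# Recommended layout: a dedicated bucket that holds only the public assets.
PUBLIC_ASSETS = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-public-assets/*"},
    ],
}
ALL_BLOCKED = {s: True for s in BPA_SETTINGS}
NONE_BLOCKED = {s: False for s in BPA_SETTINGS}


def audit_all() -> dict:
    return {
        "example-private-data": audit_bucket("example-private-data", PRIVATE_DATA, ALL_BLOCKED, False),
        "example-reports": audit_bucket("example-reports", MIXED_REPORTS, NONE_BLOCKED, False),
        "example-public-assets": audit_bucket("example-public-assets", PUBLIC_ASSETS, NONE_BLOCKED, True),
    }


if __name__ == "__main__":
    for bucket, findings in audit_all().items():
        print(bucket, "OK" if not findings else "\n  " + "\n  ".join(findings))
```

The private and the dedicated public bucket both come back clean; the mixed bucket produces two findings, one for the anonymous `PublicRead` grant on a bucket declared private and one for the disabled Block Public Access settings. Keeping the intent (`intended_public`) as explicit input is what lets the check distinguish a deliberate public bucket from an accident.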
Take Advantage of Cloud Security Tools and Reports
The major cloud providers take security very seriously. These providers know that big clouds make for big targets. Because security is such a high priority for cloud providers, they often provide subscribers with tools and reports that can be used to ensure the security of resources within the cloud.
Cloud security reports are fairly standard. Such reports might be used to see who has been accessing what, or how permissions are being applied.
The availability of security tools can vary widely from one cloud provider to the next. Amazon, for example, has a tool called Trusted Advisor that can perform a security audit to make sure that cloud resources are being secured in accordance with Amazon’s best practices.
The key to establishing good cloud security is to take the time to explore the security mechanisms that are available to you, and learn how to use those mechanisms effectively. It is also important to understand that no matter how good a provider’s available security mechanisms may be, they do not negate the need for proper OS-level security within virtual machine instances.