
Ofir is a DZone MVB and is not an employee of DZone and has posted 29 posts at DZone.

Secure Your Cloud Building Blocks: Overview and a Few Tips

06.13.2013

The cloud enables great agility and can reduce costs if used right. But does it also manage risk? In fact, the cloud carries the same risks as traditional hosting, as well as risks specific to a production environment running in the cloud.

With a dynamic IaaS environment you pay only for what you use, which lets capacity align with actual real-time demand. The cloud instance is a temporary resource that is created automatically and on demand from a gold master image. This basic cloud automation capability makes traditional patching redundant and fast provisioning extremely easy. It is an important consideration that changes some basic security deployment perceptions when moving from traditional infrastructure to the cloud.

Cloud security runs against the expectations of traditional IT users. The system is not static, there is no access to the hypervisor, and the hybrid environment assembled from multiple IT environments should be treated differently. New adopters of the public cloud find that deployments are pretty easy; however, when it comes to secure deployments, there is still a great knowledge gap.

The Responsibility

In the cloud, responsibility is shared. While the infrastructure and virtualization layers are in the hands of the IaaS vendor, IaaS users are responsible for utilizing the “building blocks”, the virtual compute resources, to deploy and maintain best practice architectures that support HA and DR. Service architecture must solve security problems in public, private, and hybrid cloud deployments, specifically with regard to:

  1. Perimeter & Access Control
  2. Server Integrity & Intrusion Detection

The Cloud Firewall

Traditional data centers enjoyed the transparency of static capacity, and secure deployment and configuration were comparatively simpler than in the cloud. In traditional DCs, the firewall served as the gate for groups of servers or clusters. Each group included servers that held the security appliances.

Moving to a cloud environment and deploying in the same static manner is an option as an initial phase. To benefit from the dynamic features of the cloud, however, the security configuration should be replicated automatically, taking into consideration the deep granularity of the cloud environment. That supports the dynamic cloud benefits mentioned above, such as cost and agility. In the public cloud, each server can have its own firewall and security configuration. The standard best practice for a multi-tenant SaaS architecture consists of three layers: the load balancers and front-end/web servers, the app and middle-tier servers, and the DB servers. In this case the connections and data transfer between layers and servers generate extreme complexity with regard to access control and server protection.
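An added example, not part of the original article: a small audit of per-tier firewall rules for the three-layer layout described above. The rule records follow the shape of EC2 DescribeSecurityGroups output; the group IDs, the `Tier` field, the ports and the tier policy are constructed assumptions.

```python
# Constructed sample shaped like the "SecurityGroups" list returned by EC2
# DescribeSecurityGroups. Group IDs, ports and the "Tier" field (which would
# come from a tag) are assumptions made for this example.
def rule(port, cidrs=(), groups=()):
    return {"FromPort": port, "ToPort": port,
            "IpRanges": [{"CidrIp": c} for c in cidrs],
            "UserIdGroupPairs": [{"GroupId": g} for g in groups]}

SAMPLE_GROUPS = [
    {"GroupId": "sg-web", "Tier": "web", "IpPermissions": [
        rule(443, cidrs=["0.0.0.0/0"]), rule(22, cidrs=["0.0.0.0/0"])]},
    {"GroupId": "sg-app", "Tier": "app", "IpPermissions": [
        rule(8080, groups=["sg-web"])]},
    {"GroupId": "sg-db", "Tier": "db", "IpPermissions": [
        rule(3306, groups=["sg-app"]),
        rule(3306, cidrs=["10.0.0.0/8"], groups=["sg-web"])]},
]

# Assumed policy: each internal tier accepts traffic only from the tier in
# front of it; only the web tier may expose ports to the internet.
ALLOWED_SOURCE_TIER = {"web": set(), "app": {"web"}, "db": {"app"}}
PUBLIC_WEB_PORTS = {80, 443}

def audit(groups):
    """Return (group_id, ports, source, reason) for every rule that breaks the policy."""
    tier_of = {g["GroupId"]: g["Tier"] for g in groups}
    findings = []
    for g in groups:
        gid, tier = g["GroupId"], g["Tier"]
        for perm in g["IpPermissions"]:
            # Rules covering all protocols omit the port fields: treat as all ports.
            lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)
            ports = f"{lo}-{hi}"
            for r in perm.get("IpRanges", []):
                cidr = r["CidrIp"]
                if tier != "web":
                    findings.append((gid, ports, cidr, "CIDR source on internal tier"))
                elif cidr == "0.0.0.0/0" and not set(range(lo, hi + 1)) <= PUBLIC_WEB_PORTS:
                    findings.append((gid, ports, cidr, "non-web port open to internet"))
            for pair in perm.get("UserIdGroupPairs", []):
                src = pair["GroupId"]
                if tier_of.get(src) not in ALLOWED_SOURCE_TIER[tier]:
                    findings.append((gid, ports, src, "source tier not allowed"))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_GROUPS):
        print(finding)
```

Referencing the upstream tier's security group as the source, rather than a CIDR range, keeps the rule valid as instances are created and destroyed.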

A Few Important Tips

  1. Whatever firewall options you have, use them and make sure your firewall rules are updated quickly.
  2. Secure your server integrity by keeping images up-to-date and monitoring them closely for changes.
  3. You will be multi-cloud, so architect for multi-cloud availability, including the “least common denominator”.
  4. Embrace the flexibility of the cloud; re-think operations – understand, embrace, and secure the new cloud operational model.
  5. It’s possible to meet regulatory compliance requirements in the cloud; just know what you’re responsible for. Know exactly what your cloud provider takes responsibility for and what they don’t.
  6. Automate management and monitoring – monitor your business application and support files for subtle changes which could indicate tampering by an intruder.
  7. Ensure software packages are up-to-date and have no known remote exploit vulnerabilities.
  8. Avoid OS and application mis-configurations that can lead to remote compromise.

The picture above was taken from a live Newvem account. Newvem scans and identifies the status of your security group configurations, continuously monitors their status, and alerts you of vulnerabilities. It also automatically recognizes your database servers, analyzes their vulnerability, and provides you with drill-downs covering insights on specific instances for a quick fix turnaround.

Published at DZone with permission of Ofir Nachmani, author and DZone MVB.