
IT companies all over the world face security risks every day, regardless of the infrastructure they run on, whether a traditional environment or a cloud platform. According to statistics, about 400 thousand malicious objects are recorded every day, and the problem has taken on global proportions: small and large companies alike are affected, and attacks are frequently directed at public clouds and the infrastructure of SaaS and IaaS providers.
How can a cloud provider protect itself and its customers from the full range of threats while meeting ever-growing performance and scalability requirements? Providers should remember that they are a likely target, so they need to watch network traffic closely and monitor application activity at every level of the cloud infrastructure.
The first step in implementing cloud security is to identify the layers of the environment that need protection. The diagram below illustrates the generalized layers of a cloud environment.

Once the security boundaries have been defined, attention turns to the means of monitoring, analyzing suspicious activity and protecting against malware. Various tools and configuration options help here.
Virtual IP addresses make it possible to separate networks into internal and external, while firewalls, load balancers and proxies define the boundaries of security zones and provide traffic control. It makes sense to use SSL to encrypt HTTP traffic and to monitor network activity so that intrusions are detected in time. Anti-malware protection is also worth organizing at the hypervisor level, where specialized software detects and neutralizes malicious code and applications.
It should be noted that one of the most important aspects of operating any environment, not only a cloud one, is a well-developed plan for maintaining the security of the infrastructure. It usually includes regular software updates and patching, monitoring of security components, and vulnerability testing. These simple procedures prevent many problems.
Do not forget that when moving to the cloud, the client hands its resources over to the hosting provider and thereby becomes dependent on the performance and bandwidth of the communication channels. Ideally, interaction with the cloud should be efficient and response times minimal. At the same time, the widespread use of encryption and of web interfaces for accessing applications makes it harder to classify network traffic.
In such cases, it is best to use DPI (Deep Packet Inspection), a technology that not only filters traffic by standard methods but also performs behavioral analysis of the packets passing through it. Its logic is straightforward and is based on the analysis of protocols, ports, signatures and so on. Based on the results, a packet is assigned to one of several traffic classes and the appropriate measures are applied.

Another task that DPI solves is sharing the channel between different applications (QoS): this gives cloud providers the ability to distribute bandwidth according to predefined conditions and criteria, for example allowing a particular application to take more bandwidth at a given point in time.
Today, cloud services are increasingly the target of various attacks, including DDoS. According to published reports, the scale of the largest DDoS attacks has grown roughly 50-fold over the past decade. "Today organizations are suffering from a wide range of threats, which is certainly a cause for concern. Successfully implemented attacks have a direct impact on clients' business and have destructive consequences," comments Darren Anstee, a representative of Arbor Networks.
Cloud providers are increasingly confronted with DDoS attacks. In one of its studies, in which about 130 experts took part, Arbor Networks found that 76% of respondents had faced DDoS attacks that hit their customers, and 43% recorded partial or complete loss of cloud services.
Attacks often aim to exhaust bandwidth so that the transfer of legitimate traffic is as limited as possible or impossible altogether. Let us consider several kinds of attack and see how DPI can counter them.
The first type is the TCP SYN flood, whose distinguishing feature is a broken three-way handshake. A SYN packet is sent to a node in the cloud, which replies with SYN-ACK but never receives the final acknowledgment needed to establish the session. The result is a huge number of half-open connections that are closed only after a timeout. Once the limit on such pending connections is exceeded, the machine in the cloud stops accepting any other packets and becomes unavailable.
DPI intercepts the SYN requests directed at protected resources in the cloud. During normal operation the device builds a white list of addresses from which legitimate requests arrive. If a surge of activity exceeds the norm, DPI intercepts and blocks that traffic.
The second type is the UDP flood: here the ports of a remote node in the cloud are bombarded with a huge number of datagrams. The machine starts checking whether the port each datagram is addressed to is in use, cannot keep up, and stops responding. In this case DPI solves the problem by discarding protocols that are irrelevant to the protected resource. For example, a web site only works over HTTP and HTTPS, so DPI processes only those and discards everything else.
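As an added illustration of the two DPI mitigations just described (example code, not from the original article or from any DPI vendor), here is a simplified Python model of the detection logic: it flags SYN-flood sources by counting half-open handshakes per address against a learned white list, and drops datagrams whose protocol/port pair is irrelevant to a protected web server. The packet records, threshold, white-list address and sample traffic are constructed values.

```python
from collections import Counter
from dataclasses import dataclass

@dataclass
class Packet:
    """One packet header as a DPI engine would see it (constructed sample data)."""
    src: str
    proto: str        # "TCP" or "UDP"
    dst_port: int
    flags: str = ""   # TCP flags: "S" = client SYN, "A" = client's final ACK

SYN_THRESHOLD = 5                        # half-open connections per source before flagging
ALLOWED = {("TCP", 80), ("TCP", 443)}    # a web site only works over HTTP and HTTPS
WHITELIST = {"10.0.0.5"}                 # addresses learned as legitimate in normal operation

def half_open_by_source(packets):
    """Per source: SYNs sent minus final ACKs seen, i.e. handshakes left half-open."""
    syn, ack = Counter(), Counter()
    for p in packets:
        if p.proto != "TCP":
            continue
        if p.flags == "S":
            syn[p.src] += 1
        elif p.flags == "A":
            ack[p.src] += 1
    return {src: syn[src] - ack[src] for src in syn}

def syn_flood_sources(packets, threshold=SYN_THRESHOLD, whitelist=WHITELIST):
    """Sources whose half-open count exceeds the threshold, excluding the white list."""
    return sorted(src for src, n in half_open_by_source(packets).items()
                  if n > threshold and src not in whitelist)

def filter_irrelevant(packets, allowed=ALLOWED):
    """UDP-flood mitigation: keep only protocol/port pairs the resource serves."""
    kept = [p for p in packets if (p.proto, p.dst_port) in allowed]
    return kept, len(packets) - len(kept)

# Constructed traffic sample: 3 complete handshakes from a legitimate client,
# 8 SYNs with no ACK from one source, and a UDP flood against random high ports.
SAMPLE = ([Packet("10.0.0.5", "TCP", 443, "S"), Packet("10.0.0.5", "TCP", 443, "A")] * 3
          + [Packet("203.0.113.9", "TCP", 443, "S")] * 8
          + [Packet("198.51.100.2", "UDP", port) for port in range(30000, 30010)])

if __name__ == "__main__":
    print("SYN flood suspects:", syn_flood_sources(SAMPLE))
    kept, dropped = filter_irrelevant(SAMPLE)
    print(f"kept {len(kept)} packets, dropped {dropped}")
```

A real DPI engine would evaluate these counters over a sliding time window rather than over a static list, but the decision logic is the same.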
Cloud technologies are undoubtedly useful, but the reality is that cloud services must be reachable by clients from the outside, and that has always been and always will be associated with certain risks. Cloud services are approached both by legitimate, well-meaning users and by intruders pursuing their own goals: to throw the organization off balance, to break its normal functionality, to cause material damage.
However, the stronger the attacks become, the more advanced the means of defending against them: many companies, including Russian ones, strive to use all the necessary technologies and best practices to reduce security risks and stop intruders from interfering with the normal operation of their services.