Today, a third of United States companies use the cloud in their work. It is expected that by 2020 the number of cloud consumers will at least double. According to a survey in which more than 250 thousand representatives of the information security community took part, 71% of respondents plan to switch to cloud technologies or are already actively using them.
A similar situation is observed in Russia. The focus is gradually shifting towards the clouds, so companies have to pay attention to security issues. In today's article, we would like to dwell on this point in more detail and provide a few recommendations that will help protect the cloud environment.
/ photo by Henri Bergius CC
Physical cloud protection
Since this is cloud infrastructure, the task of controlling physical access falls on the shoulders of the cloud provider. Therefore, it is worth making sure that outsiders are not allowed access to the hosts. If you are denied a tour, or the provider does not share important information about how the infrastructure is protected from unauthorized access, this is a cause for concern.
If the provider shows you the machine rooms, engineering and other service rooms, allowing you to look at the "kitchen" from the inside, then this is a good sign. For example, the provider whose services are used by IT-GRAD supplied comprehensive information on where the cloud is located, how communication systems work, and how security is provided at the facility. We described all this in one of our materials.
It is worth noting that you should entrust your data only to certified data centers. It is possible to assess the state of a data center independently, but this can take a lot of time. Additionally, you should examine the legal status of the data center and find out whether the provider has all the necessary state licenses and contracts to support the systems in case of an emergency.
Data leakage protection
“Organizations suffer from a wide range of threats, which, of course, is a cause for concern. Successfully implemented attacks have a direct impact on clients' business and are destructive in nature,” says Arbor Networks spokesman Darren Anstee.
Therefore, the data transmitted to the cloud provider must be protected. You need to know who got access to the information, what operations were performed on it, and from what address the request came. All these issues can be resolved by differentiating access rights to business-critical data. It is also worth thinking about creating a “self-destruction” policy for important information that does not need to “live” indefinitely outside the corporate data center.
One of the ways to protect transmitted data is encryption. To protect information properly, it is worth implementing encryption at each stage of the data life cycle. If applications on corporate mobile devices cache data, this approach will prevent leakage if the gadget is lost.
There are many solutions on the market that provide data encryption in the cloud. Trend Micro SecureCloud is one of them. The system encrypts virtual machine disks using encryption keys stored in SecureCloud, which initiates the encryption / decryption processes of protected storage modules. Architecturally, the solution consists of a management system, provided as a service with access via a console, and agents installed on the protected virtual machines.
Several other popular services for encrypting data in the cloud were offered by users of Reddit.
API access protection
It is necessary to limit access to the web console, since unauthorized access via the API can be extremely destructive for systems. Those who use the application programming interfaces should use the access configuration and authentication control functions.
Perhaps the most powerful tool is an IP address “white list”, which lets you designate a limited set of addresses for each API call. In addition, it makes sense to use other ways of connecting to the API. For example, you can use a UUID / API key combination instead of a login and password, so that access to the API is separated from access to the web console.
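One way to combine the two controls described above is sketched below. It is an added example, not code from the article or from any provider: the credential store, the call names (`vm.list`, `vm.delete`), the UUID, the key and the address ranges are all constructed for illustration.

```python
import hashlib
import hmac
import ipaddress

def _digest(api_key: str) -> bytes:
    # Store only a digest of the API key, never the key itself.
    return hashlib.sha256(api_key.encode()).digest()

# Constructed sample data: one API credential (UUID + key) with a separate
# source-address allowlist for every API call it is allowed to make.
CREDENTIALS = {
    "3f2b8c1e-7a4d-4e9b-9c56-0d1e2f3a4b5c": {
        "key_digest": _digest("constructed-sample-key"),
        "calls": {
            "vm.list": ["198.51.100.0/24", "2001:db8:10::/48"],
            "vm.delete": ["198.51.100.17/32"],
        },
    },
}

def authorize(client_uuid: str, api_key: str, call: str, source_ip: str):
    """Return (allowed, reason); anything not explicitly listed is denied."""
    cred = CREDENTIALS.get(client_uuid)
    # Unknown UUIDs are compared against a dummy digest so both paths do the
    # same work; the key comparison itself is constant-time.
    expected = cred["key_digest"] if cred else _digest("")
    if not hmac.compare_digest(expected, _digest(api_key)) or cred is None:
        return False, "bad credentials"
    networks = cred["calls"].get(call)
    if networks is None:
        return False, "call not permitted for this credential"
    try:
        addr = ipaddress.ip_address(source_ip)
    except ValueError:
        return False, "malformed source address"
    # An IPv4-mapped IPv6 address (::ffff:a.b.c.d) is checked as the IPv4
    # address it carries, so dual-stack listeners give consistent results.
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    for net in networks:
        network = ipaddress.ip_network(net)
        if addr.version == network.version and addr in network:
            return True, "ok"
    return False, "source address not in allowlist"
```

Pass the peer address of the connection as `source_ip`; a client-supplied header such as `X-Forwarded-For` is only usable when a trusted proxy sets it.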
Authentication and authorization
The use of multi-factor authentication should be considered here. Introducing an additional level of security protects systems against unauthorized access more effectively.
At the same time, cloud providers should provide their customers with the ability to configure access levels for each user in accordance with company security policies. For example, one employee may generate purchase requests for goods, and another, having other access rights, can confirm them.
Activity monitoring
When virtual machines are created and transferred between servers automatically, you cannot know for sure where your information is located. Therefore, for efficient operation of the cloud environment, it is necessary to configure logging and reporting systems.
Such systems are important for service management and optimization. Make sure that all storage and memory operations are recorded in event logs that are stored in several protected places with limited access.
It also makes sense to pay attention to DPI (Deep Packet Inspection) traffic analysis technology and CASB (Cloud Access Security Broker) technology. DPI solutions are able to conduct behavioral analysis of packets. By studying protocols, ports and signatures, such a system categorizes incoming packets and applies appropriate measures to them.
CASB is a security tool for administrators to identify potential system risks and provide a high level of protection. The solution is a single point of control for cloud applications used by the company, and works in conjunction with the IT infrastructure of the provider, offering opportunities for monitoring shared files. This gives administrators all the information about when and to whom content is transmitted.
A list of other monitoring tools was offered by Quora and Reddit users.
Security strategy
In conclusion, we note that the most important aspect of the work of any environment, not only the cloud, is an evolving plan to maintain the safety of the infrastructure. The image below shows a diagram that highlights the main components of cloud security. Among them are several of the most important.
Source: Gartner
- Physical access control, to ensure the security of the environment in which the hardware is located.
- Regular software updates. Software supplied by vendors, hypervisors and components of security systems must be at the latest version. Any changes must be recorded and analyzed.
- Centralized monitoring of system components: the presence of a team of specialists, the use of monitoring tools (for example, DPI systems), and the assessment of the activity of solutions. All this will allow you to respond quickly to emerging threats and problems.
- Vulnerability testing.
Proper management of the environment as a whole requires proper management of all these processes in order to minimize risks and keep the infrastructure safe.