Security Best of Breed Practices and Realities

 

A longer paper on security best of breed practices following on from a previous article on the same topic.

 

Network Level:

 

ASSET AND CONFIGURATION MANAGEMENT

A key to security success is to make sure that your IaaS, PaaS provider allows you to automate the updating of asset and configuration databases.  You control your data and OSes [in most cases].  The provider needs to allow you to power to configure the cloud management platform, which controls and initiates automation, to immediately log the new VM, application, or software upgrade into the asset and configuration databases.

Here are some considerations:

 

MONITORING AND DETECTION OUTSIDE YOUR NETWORK PERIMETER

Traditional datacenter and IT security had a focus on monitoring for threats and attacks of the private network, datacenter, and everything inside your perimeter. Cloud providers need to assure you the client and consumer that the radius of monitoring and detection to find threats before they even find or hit your VPC network. Here are some things to keep in mind:

 

Example of a Shared Cloud Client and Cloud provider architecture from AWS:

 

CONSOLIDATED DATA IN THE CLOUD

Many customers are concerned that data consolidated and hosted in the cloud might be less secure. The truth is that having centralized cloud services hosted by a cloud provider or your own IT organization enables a consolidation of all the top-level security personnel and security tools. Most organizations would rather have this concentration of expertise and security tools than a widely distributed group of legacy or mediocre tools and skillsets. Here are some considerations:

 

CONTINUOUS MONITORING

As soon as new systems are brought online and added to the asset and configuration management databases (as described earlier), the security management systems should immediately be triggered to launch any system scans and start routine monitoring. There should be little or no delay between a new system being provisioned in the cloud and the beginning of security scans and continuous monitoring.  Monitoring of the automated provisioning, customer orders, system capacity, system performance, and security are critical in a 24-7, on-demand cloud environment.

 

Here are some considerations:

 

Example of Agile method and Security [source]

There are three key tenets of continuous monitoring:

Aggregate diverse data

Combine data from multiple sources generated by different products/vendors and organizations in real time.

Maintain real-time awareness

Utilize real-time dashboards to identify and track statistics and attacks. Use real time alerting for anomalies and system changes.

Create real time data searches

Develop and automate searches across unrelated datasets to identify the IP addresses from which attacks were originating. Transform data into actionable intelligence by analyzing data to identify specific IP addresses from which attacks originated and terminated hostile traffic.

 

DENIAL-OF-SERVICE PLAN

Denial-of-Service (DoS) attacks are so common that it is a matter of when and how often, not if, your cloud is attacked. Here are some recommendations:

 

GLOBAL THREAT MONITORING

Consider implementing security tools, firewalls, and intrusion detection systems that subscribe to a reputable worldwide threat management service or matrix. These services detect new and zero-day attacks that might start somewhere across the globe and then transmit the patch, fix, or mitigation of that new threat to all worldwide subscribers immediately. Thus, everyone subscribed to the service is “immediately” immune from the attack even before the attack or intrusion attempt was ever made to your specific network. These services utilize some of the world’s best security experts to identify and mitigate threats. No individual cloud provider or consuming organization can afford the quantity and level of skills as these providers have.

 

CHANGE CONTROL

Legacy change control processes need to evolve in an automated cloud environment. When each new cloud service is ordered and automated provisioning is completed, an automated process should also be utilized to process change controls that can also feed or monitor be security operations. Here are some recommendations:

 

Remember to record all VMs, OS, and application patching, updates and restores in the change control database. Finally, also remember that the change control and inventory databases should also be immediately updated when a cloud service is stopped or a subscription is cancelled.