Security Best of Breed Practices and Realities
A longer paper on security best of breed practices following on from a previous article on the same topic.
- If you are a cloud consumer or user, ensure that your provider segments the network so that each customer (not each VM, which is often overkill) has, at a minimum, its own virtual network.
- Applications that need to be Internet-facing should be further segmented and firewalled from the rest of the production cloud VMs and applications. You can do this yourself through a self-service portal.
- Avoid overdoing the default segmentation of networks, because this only complicates the offerings and usefulness of the cloud environment, and increases operational management.
- Your cloud vendor [IaaS, PaaS provider] should provide a pool of pre-certified additional VLANs, firewall port rules, load balancers, and storage options made available via the self-service control panel. These options allow you to control your VPCs and extended VLANs or VPNs.
ASSET AND CONFIGURATION MANAGEMENT
A key to security success is to make sure that your IaaS or PaaS provider allows you to automate the updating of asset and configuration databases. You control your data and OSes [in most cases]. The provider needs to give you the power to configure the cloud management platform, which controls and initiates automation, so that it immediately logs each new VM, application, or software upgrade into the asset and configuration databases.
Here are some considerations:
- End and reform all manual approval processes and committees that are contrary to cloud automation and rapid provisioning (which includes routine software updates).
- Update the legacy change control process by preapproving new application patches, upgrades, gold images, and so on so that the cloud automation system can perform rapid provisioning.
- Integrate the cloud management system to automatically update the configuration log/database in real-time as any new systems are provisioned and launched. These automated configuration changes, which are based on preapproved packages or configurations, should be marked as “automatically approved” in the change control log.
MONITORING AND DETECTION OUTSIDE YOUR NETWORK PERIMETER
Traditional datacenter and IT security focused on monitoring for threats and attacks against the private network, the datacenter, and everything inside your perimeter. Cloud providers need to assure you, the client and consumer, that their radius of monitoring and detection extends beyond your perimeter, finding threats before they ever reach your VPC network. Here are some things to keep in mind:
- Traditional web hosting services and content delivery networks (CDNs) are a good fit to host, protect, and cache static web content, but many of these providers do not protect dynamic web content (logons, database queries, searches). An attacker therefore only needs to repeat a search request every millisecond; the CDN can do little about it because it must forward every such request to your backend application or database.
- The provider hosting your network should have network filters in place: the provider absorbs attacks from the Internet first and forwards only legitimate traffic to your network. These providers offer a significant number of configurable filtering and monitoring options. In addition, consider routing all outbound traffic from your cloud through these providers as well, thus truly hiding all of your network addresses and services from the public Internet.
- Consider a third-party provider of secure DNS services that has the necessary security and denial-of-service protections in place. Because this provider hosts your DNS services, it takes the brunt of an attack and forwards only legitimate traffic, so your internal DNS servers are no longer the attack vector.
Example of a Shared Cloud Client and Cloud provider architecture from AWS:
CONSOLIDATED DATA IN THE CLOUD
Many customers are concerned that data consolidated and hosted in the cloud might be less secure. The truth is that having centralized cloud services hosted by a cloud provider or your own IT organization enables a consolidation of all the top-level security personnel and security tools. Most organizations would rather have this concentration of expertise and security tools than a widely distributed group of legacy or mediocre tools and skillsets. Here are some considerations:
- Technically, a cloud service has no extra vulnerabilities compared to a traditional datacenter, given the same applications and use cases. The cloud might represent a bigger target because data is more consolidated, but you can offset this by deploying the newest security technologies and skilled security personnel.
- Continuous monitoring is the key to good security. Continuous monitoring in the cloud might mean protecting and monitoring multiple cloud service providers, network zones and segments, and applications.
- Focus monitoring and protections not only at your network or cloud perimeter, but begin protections before your perimeter. Don't forget to monitor your internal network, because a significant number of vulnerabilities still come from internal sources.
- Focus on zero-day attacks and potential threats rather than relying solely on pattern- or signature-based security that only covers past threats. Sophisticated attackers know that the best chance of success is to find a new vector into your network, not an older vulnerability that you've probably already remedied.
As soon as new systems are brought online and added to the asset and configuration management databases (as described earlier), the security management systems should immediately be triggered to launch any system scans and start routine monitoring. There should be little or no delay between a new system being provisioned in the cloud and the beginning of security scans and continuous monitoring. Monitoring of the automated provisioning, customer orders, system capacity, system performance, and security is critical in a 24-7, on-demand cloud environment.
Here are some considerations:
- All new applications, servers/virtual servers, network segments, and so on should be automatically registered to a universal configuration database and trigger immediate scans and monitoring. Avoid manually adding new applications or servers to the security, capacity, or monitoring tools to ensure that continuous monitoring begins immediately when services are brought online through the automation processes.
- Monitoring of automated provisioning and customer orders is critical in an on-demand cloud environment. Particularly during the initial months of a private cloud launch, numerous tweaks and improvements to the automation tools and scripts will be needed to continuously remove manual steps and improve error handling and resource allocation.
- Clouds often support multiple tenants or consuming organizations. Monitoring and security tools often consolidate or aggregate statistics and system events to a centralized console, database, and support staff. When tracking, resolving, and reporting events and statistics, the data must be segmented and reported back to each tenant such that each sees only its own private information. The software tools used by the cloud provider often have limitations in keeping one tenant's reports separate from another's.
Example of Agile method and Security [source]
There are three key tenets of continuous monitoring:
- Aggregate diverse data: combine data from multiple sources, generated by different products, vendors, and organizations, in real time.
- Maintain real-time awareness: use real-time dashboards to identify and track statistics and attacks, and real-time alerting for anomalies and system changes.
- Create real-time data searches: develop and automate searches across unrelated datasets to identify the IP addresses from which attacks originate, and turn that data into actionable intelligence by terminating the hostile traffic from those specific addresses.
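As an added example (not from the original paper), the cross-dataset search the third tenet describes, in Python: two constructed log sources in different formats (a web access log and a provider firewall log) are normalised into one per-IP view, then correlated to flag sources that hammer uncacheable dynamic endpoints, as described under CDNs above, and were also denied by the firewall. The log formats, addresses, path list and thresholds are constructed assumptions.

```python
import re
from collections import defaultdict, Counter

# Constructed sample data (not real traffic): a web/CDN access log and a
# provider firewall log, written by different products in different formats.
WEB_LOG = """\
2024-05-01T10:00:00.010Z 203.0.113.7 GET /search?q=a 200
2024-05-01T10:00:00.020Z 203.0.113.7 GET /search?q=b 200
2024-05-01T10:00:00.030Z 203.0.113.7 GET /search?q=c 200
2024-05-01T10:00:00.040Z 203.0.113.7 GET /search?q=d 200
2024-05-01T10:00:00.500Z 198.51.100.4 GET /index.html 200
2024-05-01T10:00:01.000Z 198.51.100.4 GET /search?q=shoes 200
"""
FW_LOG = """\
May  1 10:00:00 fw1 kernel: DENY IN=eth0 SRC=203.0.113.7 DST=10.0.0.5 DPT=3306
May  1 10:00:00 fw1 kernel: DENY IN=eth0 SRC=203.0.113.7 DST=10.0.0.5 DPT=22
May  1 10:00:02 fw1 kernel: ACCEPT IN=eth0 SRC=198.51.100.4 DST=10.0.0.9 DPT=443
"""
WEB_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")
FW_RE = re.compile(r"\b(DENY|ACCEPT)\b.*\bSRC=(\S+)")
DYNAMIC = ("/search", "/login", "/api/")  # paths a CDN must forward uncached

def aggregate(web_log, fw_log):
    """Normalise both sources into one per-IP record:
    {ip: {"dynamic_per_sec": Counter(second -> hits), "denied": n}}."""
    stats = defaultdict(lambda: {"dynamic_per_sec": Counter(), "denied": 0})
    for line in web_log.splitlines():
        m = WEB_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort the whole batch
        ts, ip, _method, path, _status = m.groups()
        if path.startswith(DYNAMIC):
            stats[ip]["dynamic_per_sec"][ts[:19]] += 1  # bucket to the second
    for line in fw_log.splitlines():
        m = FW_RE.search(line)
        if m and m.group(1) == "DENY":
            stats[m.group(2)]["denied"] += 1
    return stats

def hostile_sources(stats, max_dynamic_per_sec=3, min_denied=1):
    """Cross-dataset search: IPs that hit uncacheable endpoints faster than a
    human would AND were also denied by the firewall. Returns a sorted list."""
    hits = []
    for ip, s in stats.items():
        burst = max(s["dynamic_per_sec"].values(), default=0)
        if burst > max_dynamic_per_sec and s["denied"] >= min_denied:
            hits.append(ip)
    return sorted(hits)
```

Neither source alone is conclusive here: the web log shows a burst, the firewall log shows probing, and only the combined view singles out one address while leaving the ordinary visitor alone.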
Denial-of-Service (DoS) attacks are so common that it is a matter of when and how often, not if, your cloud is attacked. Here are some recommendations:
- Try to isolate your inbound and outbound network traffic behind a third-party provider that has DoS protections, honeypots, and dark networks that can absorb an attack and effectively hide your network addresses and services from public visibility.
- Have a plan for when a DoS attack against your network occurs. Perhaps you will initiate further traffic filters or blocks to try to redirect or block the harmful traffic. Maybe you have another network or virtual private network (VPN) that employees and partners can revert to during the attack and still access your cloud-based services. Remember that the time to find a solution for a DoS attack is before one occurs; once you are experiencing a DoS attack, your network and services are already so disrupted that it is much more difficult to recover.
GLOBAL THREAT MONITORING
Consider implementing security tools, firewalls, and intrusion detection systems that subscribe to a reputable worldwide threat management service or matrix. These services detect new and zero-day attacks that might start somewhere across the globe and then transmit the patch, fix, or mitigation for that new threat to all worldwide subscribers immediately. Thus, everyone subscribed to the service is "immediately" immune to the attack even before the attack or intrusion attempt is ever made against your specific network. These services employ some of the world's best security experts to identify and mitigate threats. No individual cloud provider or consuming organization can afford the number and level of skilled staff that these providers have.
Legacy change control processes need to evolve in an automated cloud environment. When each new cloud service is ordered and automated provisioning is completed, an automated process should also process the change control record, which can in turn feed, or be monitored by, security operations. Here are some recommendations:
- Avoid all manual processes that might slow or inhibit the automated ordering and provisioning capabilities of the cloud platform.
- When new IaaS VMs are brought online, for example, configure the cloud management platform to automatically create an entry in the organization's change control system as an "automatic approval." This immediately adds the change to the database and can be used to trigger further notifications to appropriate operational staff or to trigger automatic security or inventory scanning tools.
- Utilize preapproved VM templates, applications, and network configurations for all automatically provisioned cloud services. Avoid manual change control processes and approvals in the cloud ordering process.
Remember to record all VM, OS, and application patching, updates, and restores in the change control database. Finally, remember that the change control and inventory databases should also be immediately updated when a cloud service is stopped or a subscription is cancelled.
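As an added example (not the paper's or any vendor's code), a Python model of the automated change-control flow described in this section and under asset and configuration management above: provisioning, patching and deprovisioning events update the inventory the moment they happen, preapproved templates and packages are logged as "automatically approved" and trigger scans, and anything unrecognised is logged but held for review. The allowlist, asset names and scan names are constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed allowlist of preapproved gold images and patch packages.
PREAPPROVED = {"web-gold-2024.05", "db-gold-2024.05", "patch-bundle-2024.05"}
AUTO, PENDING = "automatically approved", "pending manual review"

@dataclass
class ChangeRecord:
    asset_id: str
    action: str        # "provision", "patch" or "deprovision"
    item: str          # template or package name
    status: str        # AUTO or PENDING
    recorded_at: str
    scans_triggered: list = field(default_factory=list)

class CloudChangeControl:
    """Asset/configuration database plus change log, updated the moment automation acts."""
    def __init__(self, preapproved=PREAPPROVED):
        self.preapproved = set(preapproved)
        self.inventory = {}   # asset_id -> template, live assets only
        self.change_log = []

    def _record(self, asset_id, action, item, approved, scans=()):
        rec = ChangeRecord(asset_id, action, item, AUTO if approved else PENDING,
                           datetime.now(timezone.utc).isoformat(),
                           list(scans) if approved else [])
        self.change_log.append(rec)
        return rec

    def on_provisioned(self, asset_id, template):
        """New VM/app always enters inventory; preapproved templates are auto-approved
        and queued for scanning, anything else is held for review, never dropped."""
        self.inventory[asset_id] = template
        return self._record(asset_id, "provision", template,
                            template in self.preapproved,
                            ["vulnerability_scan", "continuous_monitoring"])

    def on_patched(self, asset_id, package):
        """Routine patch/update: preapproved packages need no committee."""
        if asset_id not in self.inventory:
            raise KeyError(f"unknown asset {asset_id}: inventory is out of date")
        return self._record(asset_id, "patch", package,
                            package in self.preapproved, ["config_rescan"])

    def on_deprovisioned(self, asset_id):
        """Stopped service or cancelled subscription: drop from live inventory and log it."""
        template = self.inventory.pop(asset_id, "unknown")
        return self._record(asset_id, "deprovision", template, True)
```

The KeyError on patching an unknown asset is deliberate: a patch arriving for something the inventory has never seen is itself a signal that the automation and the database have drifted apart.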