Based on lessons learned and experience from across the cloud industry, you should consider the following best practices for your organization’s planning.
As an organization plans for transitioning to a cloud service or deploying a private or hybrid cloud, the first step from a security standpoint is to consider what IT systems, applications, and data should or must remain within a legacy enterprise datacenter. Here are some considerations:
- Perform assessments of each application and data repository to determine the security posture, suitability, and priority to transition to the cloud. Match security postures to the cloud architecture, controls, and target security compliance standard.
- Develop your identity and access management (IAM) model based on roles and permissions, organized by application type.
- To construct that IAM model, work with application and business owners to determine which applications and data you can move to a cloud easily and which you should evaluate further or delay. Repeat this assessment for every key application and data repository to develop a priority list, noting the sensitivity, regulatory, or other security classification of each.
Consider the cloud model(s) to be procured or deployed internally:
- Public cloud services provide solid infrastructure security, but they often do not offer the level of control or customization you may need.
- A private cloud can be heavily customized to meet security or feature requirements, but you need to control costs, scope creep, and over-building your initial cloud.
Determine who the consumers of the cloud services will be. If multiple departments or peer agencies will be using the cloud service, determine which security team or organization controls the standards for the overall cloud or each application workload:
- Adopt a baseline security posture that applies to every tenant, so that individual consumers or peer agencies can then set the additional security standards for their own unique applications and mission-critical workloads.
- Publish the security operational processes, ownership, and visibility of statistics, events, and reports to ensure acceptance of the cloud by consuming agencies and users.
Most clouds use software-based access controls and permissions to isolate customers from one another in a multitenant cloud environment. Hardware isolation is an option for private clouds and some virtual private clouds, but at additional cost.
- Understand how multitenancy is configured so that each consuming organization is isolated from all the others. In a public cloud, the use of software-based access controls, role-based permissions, and storage and hypervisor separation is commonplace. If more isolation or separation of workloads and data between customers is required, other options such as a virtual private cloud or a private cloud are often more suitable.
- Implement or connect an enterprise identity management system such as Active Directory or another LDAP directory, or federate through a SAML identity provider. Some cloud providers and management platforms can optionally connect to multiple directory or LDAP services, one for each consuming organization.
AUTOMATION IN A CLOUD
The first rule in an automated cloud is to plan and design the cloud system with as few manual processes as possible. This might be contrary to ingrained principles of the past, but you must avoid any security process or policy that inserts a manual step into the provisioning path and so delays or prevents automation; the security work belongs before provisioning, not during it. Here are some considerations:
- Adopt the theme “relentless pursuit of automation.”
- Eliminate any legacy security processes that inhibit rapid provisioning and automation.
Experience has shown that traditional security processes have tended to be manual approvals, after-provisioning audits, and slow, methodical assessments, tendencies that must change when building or operating a cloud. Precertify everything to allow automated deployment, and avoid forcing any manual security assessment into the provisioning process.
- Have IT security teams precertify all “gold images” or templates from which new VMs can be launched. Certification of gold images is not a one-time step when deploying a new cloud; it is an ongoing process that repeats whenever an image is added or changed.
- Have security experts perform scans and assessments of every new or modified gold image before loading it into the cloud management platform and presenting it for customers to order.
- Understand that when a new gold image is accepted and added to the cloud, the cloud operational personnel (provider or support contractor, depending on contractual terms) might now be responsible for all future patches, upgrades, and support of the template.
- Have security precertify all applications and future updates that will be available on the cloud. Package applications as automated installation packages so that any combination of them can be ordered and provisioned on top of a VM gold image. Deploy additional packages for upgrades and patching of the OS and applications in the same automated fashion to ensure efficiency, consistency, and configuration management.
- Realize that this precertification is not a difficult task, but it will be an ongoing effort because new applications and update packages are introduced to the cloud often and continuously. Finally, understand that more complex multitiered applications (e.g., multitiered PaaS applications) will require significantly more security assessment and involvement during the initial application design.
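The precertification gate described in the preceding list can be fully automated once the sign-off is bound to the exact image content. The following Python script is an added example (it is not code from the original text or from any cloud platform): security records a certification against the SHA-256 digest of the image it scanned, and the catalog publisher admits an image only if its current digest matches a certification that has not expired. The 90-day re-certification interval, the image names, the evidence identifiers, and the byte strings standing in for image files are all constructed assumptions for the example.

```python
import hashlib
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Tuple

# Assumed policy: a certification is valid for 90 days, after which the image
# must be re-assessed even if its content has not changed.
MAX_CERT_AGE = timedelta(days=90)


@dataclass(frozen=True)
class Certification:
    image_name: str     # catalog name of the image, e.g. "rhel9-base" (assumed)
    sha256: str         # digest of the exact image bytes that were scanned
    certified_on: str   # ISO date of the security sign-off
    evidence: str       # pointer to the scan / assessment report (assumed ids)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def certify(image_name: str, image_bytes: bytes, certified_on: str, evidence: str) -> Certification:
    """Record a security sign-off bound to the digest of the scanned image."""
    return Certification(image_name, sha256_hex(image_bytes), certified_on, evidence)


def admit_image(image_name: str, image_bytes: bytes,
                certs: List[Certification], today: str) -> Tuple[bool, str]:
    """Decide whether an image may be published to the self-service catalog.

    Returns (admitted, reason). The decision needs no human in the provisioning
    path: the human work (scan and sign-off) happened earlier and is represented
    by the Certification records.
    """
    digest = sha256_hex(image_bytes)
    same_name = [c for c in certs if c.image_name == image_name]
    matching = [c for c in same_name if c.sha256 == digest]
    if not matching:
        if same_name:
            # Any change to the image (a patch, an added package) changes the
            # digest, so an earlier sign-off no longer applies to it.
            return False, "content differs from the certified build; re-scan and re-certify"
        return False, "no certification on record; scan and certify before publishing"
    latest = max(matching, key=lambda c: date.fromisoformat(c.certified_on))
    age = date.fromisoformat(today) - date.fromisoformat(latest.certified_on)
    if age > MAX_CERT_AGE:
        return False, f"certification from {latest.certified_on} has expired; re-assess"
    return True, f"certified {latest.certified_on}, evidence {latest.evidence}"


def build_catalog(images: Dict[str, bytes], certs: List[Certification], today: str) -> Dict[str, str]:
    """Filter {name: image_bytes} down to the images that pass the gate."""
    catalog = {}
    for name, data in images.items():
        admitted, reason = admit_image(name, data, certs, today)
        if admitted:
            catalog[name] = reason
    return catalog


# Constructed sample data: byte strings standing in for real image files.
BASE_V1 = b"rhel9-base image build 1"
BASE_V2 = b"rhel9-base image build 2 (kernel patch)"   # patched build -> new digest
WEB_V1 = b"web-tier image build 1"

CERTS = [
    certify("rhel9-base", BASE_V1, "2024-05-01", "SCAN-1042"),
    certify("web-tier", WEB_V1, "2024-01-15", "SCAN-0991"),   # older than 90 days by June
]

if __name__ == "__main__":
    today = "2024-06-01"
    for name, data in [("rhel9-base", BASE_V1), ("rhel9-base", BASE_V2),
                       ("web-tier", WEB_V1), ("db-tier", b"db image")]:
        print(name, admit_image(name, data, CERTS, today))
    print("catalog:", build_catalog({"rhel9-base": BASE_V1, "web-tier": WEB_V1}, CERTS, today))
```

Binding the sign-off to the digest is what makes the gate safe to automate: a patched build of an already-certified image is refused until security records a new certification for the new digest, which is the re-scan step the list above calls for.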
It is common for customers to request additional network configurations or opening of firewall ports. These can be handled through a manual vetting, approval, and configuration process, but you might want to charge extra for this service. Here are some things to keep in mind:
- Segment the network so that, at a minimum, each customer (not each VM, which is usually overkill) has its own virtual network. This is better than a physical network for each customer, which is difficult to automate and more expensive.
- You can offer additional network segmentation as an option for each tenant or customer organization by using virtual firewalls to isolate networks. Applications that need to be Internet-facing should be further segmented and firewalled from the rest of the production cloud VMs and applications.
- Avoid overdoing the default segmentation of networks, because this only complicates the offerings and usefulness of the cloud environment and increases operational management. Stick with a basic level of segmentation, such as one virtual network per customer by default, and offer additional virtual networks as upgrades only when necessary.
- Consider precertifying a pool of additional VLANs, firewall port rules, load balancers, and storage options and make these available to cloud consumers via the self-service control panel.
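The network defaults and the precertified rule pool described in this list can be encoded in the self-service layer so that routine requests never wait for a manual review. The following Python script is an added example, not code from the original text or from any cloud management platform: every tenant is given exactly one default virtual network, an Internet-facing (DMZ) segment is an optional upgrade, and a firewall rule request is auto-approved only when it matches the precertified pool, is rejected when it would expose an internal segment to the Internet, and otherwise falls through to the manual vetting path. The address pool, tenant names, and the contents of the precertified pool are assumptions constructed for the example.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass(frozen=True)
class FirewallRule:
    direction: str   # "inbound" or "outbound"
    proto: str       # "tcp" or "udp"
    port: int
    source: str      # CIDR of the allowed source, or "any" for the Internet
    segment: str     # "internal" (tenant default network) or "dmz"


# Assumed precertified pool: rules security reviewed once, so they can be
# offered in the self-service portal without a per-request approval.
PRECERTIFIED = {
    FirewallRule("inbound", "tcp", 443, "any", "dmz"),
    FirewallRule("inbound", "tcp", 80, "any", "dmz"),
    FirewallRule("inbound", "tcp", 22, "10.0.0.0/8", "internal"),
    FirewallRule("inbound", "tcp", 3389, "10.0.0.0/8", "internal"),
}


@dataclass
class TenantNetwork:
    tenant: str
    cidr: str                         # the one default virtual network
    dmz_cidr: Optional[str] = None    # created only when the DMZ upgrade is ordered
    rules: List[FirewallRule] = field(default_factory=list)


class NetworkCatalog:
    """Allocates one /24 per tenant from an assumed pool, plus optional DMZ segments."""

    def __init__(self, pool: str = "10.0.0.0/16"):
        self._subnets = ipaddress.ip_network(pool).subnets(new_prefix=24)
        self.tenants: Dict[str, TenantNetwork] = {}

    def onboard(self, tenant: str) -> TenantNetwork:
        # One default virtual network per customer, never a second one.
        if tenant in self.tenants:
            raise ValueError(f"{tenant} already has a default virtual network")
        net = TenantNetwork(tenant, str(next(self._subnets)))
        self.tenants[tenant] = net
        return net

    def add_dmz(self, tenant: str) -> TenantNetwork:
        """Optional upgrade: a separate segment for Internet-facing applications."""
        net = self.tenants[tenant]
        if net.dmz_cidr is None:
            net.dmz_cidr = str(next(self._subnets))   # disjoint from every other subnet
        return net


def request_rule(net: TenantNetwork, rule: FirewallRule) -> str:
    """Vet a self-service firewall request.

    Returns "auto-approved", "manual-review", or "rejected: <reason>".
    """
    if rule.source == "any" and rule.segment != "dmz":
        # Internet-facing services must not sit in the tenant's internal network.
        return "rejected: Internet-exposed ports are only permitted in the DMZ segment"
    if rule.segment == "dmz" and net.dmz_cidr is None:
        return "rejected: order the DMZ segment upgrade before exposing services"
    if rule in PRECERTIFIED:
        net.rules.append(rule)
        return "auto-approved"
    # Anything outside the pool goes to the manual vetting and approval path
    # (the chargeable service mentioned above); nothing is applied yet.
    return "manual-review"


if __name__ == "__main__":
    catalog = NetworkCatalog()
    agency = catalog.onboard("agency-a")
    https = FirewallRule("inbound", "tcp", 443, "any", "dmz")
    print(agency.cidr, request_rule(agency, https))
    catalog.add_dmz("agency-a")
    print(agency.dmz_cidr, request_rule(agency, https))
    print(request_rule(agency, FirewallRule("inbound", "tcp", 8443, "10.0.0.0/8", "internal")))
```

Because the pool is a set of exact rules, a request is matched on every field, including the source range and the target segment; a request for the same port from a wider source or into the wrong segment does not silently inherit the certification.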