IT departments worldwide face a dizzying array of security threats, whether they manage traditional or NextGen/cloud based environments. IT security experts report some very frightening statics:
- Approximately 400,000 new malware instances are recognised daily
- New kinds of malware are gaining prominence including Ransomware, Scareware, and banking malware.
- New attack vectors include public cloud, software-as-a-service provider environments, third party services providers and mobile devices.
- Reports of politically or cause sponsored terrorism and corporate espionage are on the rise globally
- Increased use by hackers, of Botnets and other automated attack tools
- Recently a number of “foundational internet technology” based attacks have had a rebirth, including Heartbleed, ShellShock and Poodle.
- The targets seem to get bigger and the damage more costly as time goes by (ex. Sony, Target and Ebay)
The question is: how can today’s cloud service providers protect themselves and their customers while enabling technology innovation, data access, performance, scalability, flexibility and elasticity that are the hallmark of the NextGen/cloud world?
One of the great martial arts movies of all time has the main character, played by Bruce Lee, explaining that his style of martial arts is fighting without fighting, and then talking his would-be opponent into a small boat. Cloud providers would do well to emulate the intent of this “style” of combat.
Cloud service providers need to be ever mindful that they are targets and must monitor network traffic, application activity and data movement at all levels of the cloud environment without being intrusive or over-burdening the customer environments. For example, as in any technical environment keeping operating system and patch levels up to date is critical, but doing so in an efficient and non-customer-impacting manner is the trick.
Another important item to keep in mind is speed of reaction. In a cloud environment, more so than in traditional IT environments, the speed of discovery and closure of vulnerabilities as well as reaction to monitored attacks, is critical.
Identify the layers
The first step in architecting a cloud security solution is to identify the layers of the environment to be protected. The following diagram shows the layers of a generalised cloud environment.
The layers of the environment mostly look like any tiered infrastructure, but the contents and components, as shown above, are quite different. Some of these areas, specific to cloud environments are:
- Virtual networking
- Virtual storage
- Orchestration and automation control plane
- Software defined networking (SDN) components
- Self service portal
Choose your protection methodology and tools
The next step is to determine how to provide protection for each layer. As an overall methodology the cloud instance should be considered a contained secure zone, as defined by firewall or proxy boundaries (virtual or physical). Once the secure boundaries are defined the majority of the remaining methods encompass monitoring and remediation of suspicious activity and malware protection.
An important point to keep in mind is that as service providers we cannot use tools or methods that access the customers VMs. The best example of this is malware protection. Hypervisor based malware protection is critical but actually touching the customer VMs breaches the boundary between provider and customer. There exist many options for the choice of the tool or configuration of the solutions presented below.
- VIP: Providing a Virtual IP Addresses allows for network address separation between the external and internal net.
- SSL: Secure Socket Layer provides encrypted transport of HTTP network packets.
- Perimeter security (firewalls, load balancers, proxies): Creation of the boundaries of the secure zone and control of traffic flow between the external and internal networks. Firewalls, load balancers and proxy servers can be physical devices, physical appliances or virtual devices.
- Virtual services: This secure appliance or virtual machine provides update, patch and deployment services from within the secure zone.
- Network activity monitoring/IDS: Monitoring of traffic flows for intrusion detection purposes. In the cloud environment specialised tools to collect network data on a VM by VM basis need to be acquired or developed.
- File change tracking: Tracking of changes to important configuration files on the control plane and hypervisor layers.
- Log tracking and analysis: Centralised tracking of events from log files (ex. Syslog, cloud management component logs etc.), and analysis of those events for trending and detection of malicious activity.
- Hypervisor based malware protection: Specialised software (many on the market already) to detect and clean malware on the Hypervisor and on the physical device layers.
Looking at the above diagram and list of concepts, the reader may notice that there is no mention of inter-layer firewalls (e.g. between the control plane and the compute layer). This is because of the need to reduce intrusion and reduce performance impacts in the customer’s environment.
Developing a security management strategy
The most important element of securing any environment, not just a cloud environment, is an ongoing and ever evolving plan for maintaining the security aspects of the environment. This includes:
- Regular software updates – software vendors, including cloud management hypervisor, and security component providers will update their software regularly. These changes must be evaluated and appropriate updates implemented in an expedient manner
- Regular patching – As security patches and bug fixes are released from the software vendors, these must be a high priority for evaluation and implementation into your cloud environment.
- Centralised activity and security components monitoring – A centralised team of people, processes and tools to monitor and evaluate activity, and security alerts, in the environment. Centralisation allows for rapid event recognition and remediation.
- Scheduled and post-update vulnerability testing – Never rest of your laurels. An environment that is deemed secure today can be attacked in a whole new way tomorrow. Regularly scheduled vulnerability testing and testing after an update is applied can be critical in keeping the environment secure.
- Change management procedures and tracking – Tracking changes and comparing them to the results of file change scans is one step in identifying malicious updates. This will also assist in general issue resolution as well as remediation of a security event.
- Proper governance of the overall environment requires that processes and procedures especially around security are reviewed regularly and adjustments made as appropriate.
There are three key steps to preventing security vulnerabilities in a cloud environment:
- Identification of the layers of a cloud environment that could be vulnerable to attack
- Definition of methodologies and tools to monitor, manage and secure each of the identified layers
- Creation of a management environment to maintain the secure implementation of the cloud provision environment
No environment can be completely secure forever. Our goal is to reach a high level of security through the above methods and implement new policies and methodologies as time goes by, to attempt to keep up with the ever-changing threat landscape.