Instead of having internal users connect to internal systems through the traditional paradigm of a virtual private network (VPN) and remote-access security, CIOs are beginning to understand the value of moving content to trusted cloud-service providers or private clouds.
On a corporate trusted network, everyone authenticated through the VPN has overly permissive access to a vast array of corporate information. As an alternative, CIOs are looking to application-layer security to provide granular access to data and applications on a per-app, per-file, and per-folder basis.
Such a move allows CIOs and their teams to future-proof their networks for cloud capabilities. Where cloud adoption is involved, mitigate the risks by first preparing your network for the move with network segmentation, detection mechanisms, and an incident response plan.
Techniques and technologies for virtualized infrastructures are similar to those of traditional networks. Best practices include isolating network segments by each of these three groupings:
- Category: There are three primary categories by which to isolate segments. The first encompasses network production, management, and specialized traffic to and from virtual machines. The second is virtualization operations traffic, which should be isolated on a separate virtual switch and NIC. The third, which should also be kept separate, is virtual machine production traffic.
- Switch: Virtualization platforms support Layer 2 virtual LAN (VLAN) tags, which separate broadcast domains and can be applied in a number of places, such as separate port groups on each virtual switch that connect to a physical switch trunk port.
- Layer: At Layer 3, isolation is achieved on the basis of IP addresses with router access control lists (ACLs), firewall rule sets, and load balancers.
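The three groupings above can be checked mechanically. The following added example (not from the article or from any vendor; every name, address, VLAN id and rule in it is constructed) models a small inventory of port groups and a Layer 3 ACL, verifies that each traffic category sits on its own VLAN and that virtualization operations traffic has a dedicated virtual switch and NIC, and then evaluates sample flows against the ACL (first match wins, implicit deny) so that a production VM reaching into the management segment is flagged.

```python
"""Segmentation policy checker for a virtualized network (added example).

All segments, addresses, VLAN ids, NIC names and ACL rules below are
constructed sample data, not taken from any real environment.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Segment:
    category: str  # "management" | "virt-ops" | "vm-production"
    vswitch: str   # virtual switch carrying the port group
    nic: str       # physical uplink NIC behind that virtual switch
    vlan: int      # 802.1Q tag on the port group (Layer 2 isolation)
    cidr: str      # subnet routed for the segment (Layer 3 isolation)


# Constructed inventory: one port group per traffic category.
SEGMENTS = [
    Segment("management", "vSwitch0", "vmnic0", 10, "10.10.0.0/24"),
    Segment("virt-ops", "vSwitch1", "vmnic1", 20, "10.20.0.0/24"),
    Segment("vm-production", "vSwitch2", "vmnic2", 100, "10.100.0.0/22"),
]


def check_layer2_isolation(segments: List[Segment]) -> List[str]:
    """Return findings; an empty list means every category has its own VLAN
    and virtualization operations traffic has a dedicated vSwitch and NIC."""
    findings = []
    by_vlan = {}
    for s in segments:
        by_vlan.setdefault(s.vlan, []).append(s.category)
    for vlan, cats in by_vlan.items():
        if len(cats) > 1:
            findings.append(f"VLAN {vlan} shared by {sorted(cats)}")
    ops = [s for s in segments if s.category == "virt-ops"]
    others = [s for s in segments if s.category != "virt-ops"]
    for o in ops:
        for s in others:
            if s.vswitch == o.vswitch or s.nic == o.nic:
                findings.append(f"virt-ops shares {s.vswitch}/{s.nic} with {s.category}")
    return findings


@dataclass(frozen=True)
class Rule:
    action: str          # "permit" | "deny"
    src: str             # source CIDR
    dst: str             # destination CIDR
    proto: str           # "tcp" | "udp" | "any"
    dport: Optional[int]  # None matches any destination port


# Constructed ACL: ordered, first match wins, implicit deny at the end.
ACL = [
    # the admin jump host may reach management interfaces over HTTPS
    Rule("permit", "10.10.0.5/32", "10.10.0.0/24", "tcp", 443),
    # virtualization operations traffic stays inside its own segment
    Rule("permit", "10.20.0.0/24", "10.20.0.0/24", "tcp", 8000),
    # production VMs never initiate connections into management
    Rule("deny", "10.100.0.0/22", "10.10.0.0/24", "any", None),
    # production VMs may talk to each other on the application port
    Rule("permit", "10.100.0.0/22", "10.100.0.0/22", "tcp", 8443),
]


def evaluate(acl: List[Rule], src: str, dst: str, proto: str, dport: int) -> str:
    """First-match ACL evaluation; falls through to an implicit deny."""
    s, d = ip_address(src), ip_address(dst)
    for r in acl:
        if s not in ip_network(r.src) or d not in ip_network(r.dst):
            continue
        if r.proto != "any" and r.proto != proto:
            continue
        if r.dport is not None and r.dport != dport:
            continue
        return r.action
    return "deny"


# Constructed flows: (src, dst, proto, dport, expected verdict).
FLOWS: List[Tuple[str, str, str, int, str]] = [
    ("10.10.0.5", "10.10.0.20", "tcp", 443, "permit"),    # jump host -> hypervisor mgmt
    ("10.100.1.7", "10.10.0.20", "tcp", 443, "deny"),     # production VM -> hypervisor mgmt
    ("10.20.0.3", "10.20.0.4", "tcp", 8000, "permit"),    # virt-ops peer to peer
    ("10.100.1.7", "10.100.2.9", "tcp", 8443, "permit"),  # production app traffic
    ("10.100.1.7", "10.20.0.3", "tcp", 8000, "deny"),     # production -> virt-ops, implicit deny
]


def audit_flows(acl: List[Rule], flows) -> list:
    """Return the flows whose ACL verdict differs from the expected one."""
    return [f for f in flows if evaluate(acl, *f[:4]) != f[4]]


if __name__ == "__main__":
    print("Layer 2 findings:", check_layer2_isolation(SEGMENTS) or "none")
    print("ACL mismatches:", audit_flows(ACL, FLOWS) or "none")
```

Running the module with the constructed data reports no findings; replacing the virt-ops segment's vSwitch with `vSwitch0` or adding a permit rule for production-to-management traffic makes the corresponding check fail, which is the point of keeping the intended policy and the deployed rules in a form that can be compared.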
Cloud Security Alliance (CSA) recommendations for cloud migrations, released earlier this year, include a defense-in-depth strategy: multifactor authentication on all hosts, host-based and network-based intrusion detection systems, applying the principle of least privilege, network segmentation, and patching shared resources. These recommendations are based on results from a CSA survey conducted on cloud security concerns.
The top 12 security issues identified by the CSA were detailed in a recent InfoWorld article and are as follows: 1) data breaches, 2) weak identity, credential, and access management, 3) insecure APIs, 4) system and application vulnerabilities, 5) account hijacking, 6) malicious insiders, 7) advanced persistent threats, 8) data loss, 9) insufficient due diligence, 10) abuse and nefarious use of cloud services, 11) denial of service, and 12) shared technology issues.
Incident Response Plan:
Incident response in the cloud is a whole different animal than it is when you have control over your physical infrastructure. With the cloud, systems and data may be shared with other customers of your cloud provider (depending on the provider), adding complexity to response plans. Additionally, you don’t have network logs or root access to install a patch, and you can’t simply hit reboot if you’re using your provider’s pre-packaged stack.
Your preparation for moving to the cloud should ideally include meeting with your provider’s incident response team right off the bat. Map out a joint response process for incidents. Write into your service-level agreement how incidents will be managed, including what initiates an incident response. If circumstances don’t allow for such clarity, at least learn your provider’s response processes, know how to get hold of your contact person (and make sure they know how to reach you), and exchange emails to confirm your messages will reach their destination in an emergency.