Managing Cloud Infrastructure to Prevent Security Gaps
by Vikram Chabra
In many respects, IT managers of midsize to large companies are experiencing a renaissance. No longer tied to the cost and headaches of managing all of the company’s servers, appliances, and network technologies, they can rely upon cloud providers to ease the burden and deliver more flexibility to boot. This allows IT to be more closely linked to the business, developing strategy and oversight that helps their companies compete more effectively. IT can also lower Capex and Opex spending, through the efficiencies of shared cloud computing.
Of course, shared infrastructure brings about new security considerations. Corporate IT has lost some control and visibility, making it harder to meet compliance requirements and customize security for individual applications. Promisingly, security features and protections in the major public cloud platforms (AWS, Azure and GCP) have come a long way.
While there is scant evidence that using the public cloud is less secure for companies than managing systems internally, there are limitations, as follows:
Auditing challenges: Unlike with your own internal data center, it is difficult in the cloud to trace specific data pathways, whether to understand how or why a breach or suspicious activity occurred or to assess the security needs of highly sensitive applications. On-premise, you know exactly where your application sits: which data center and even the exact location of the server. In the cloud, you really don’t know where your instance is being hosted at any given moment. It is also impossible to get log data in real time for monitoring or analytical needs; you must place a request with the cloud provider and wait.
Compliance challenges: Because of the log-access issue just described, meeting compliance requirements for cloud systems is not straightforward for companies in regulated industries such as healthcare, financial services and retail. Many companies in high-risk sectors purchase cyber security insurance to protect themselves in the aftermath of a breach, yet to file a claim you must collect a high volume of log data, which may be difficult to retrieve quickly from the cloud provider. Often, regulated companies must provide log data for customer-facing transactions on a yearly basis. Retrieving all of that data in a timely manner from Azure, AWS and others can be laborious, time-consuming and expensive, since you typically pay a fee for the data.
Security testing issues: IT managers frequently conduct application security tests, especially after a new release. This is usually a relatively simple process, yet in the cloud, it is less so. Some cloud providers won’t allow for penetration testing or will limit what you can do; occasionally, testing causes issues with VMs and performance problems affecting other customers.
Security customization: With an on-premise application, IT can “harden” it by applying benchmarks such as NIST, CIS and DISA-STIG, which catches the misconfigurations that lead to security issues. With a cloud-based application that is not possible, because it is a shared environment. Therefore, if you have an application requiring special security considerations, it may be safer to run it internally and incur the higher costs of doing so.
Virtual private clouds aren’t a slam-dunk: The major public cloud platforms offer VPC services which ensure dedicated VMs and connections to mitigate security concerns of shared resources. Yet we’ve seen a number of customer issues with VPCs around compatibility. For instance, there are some limitations to the kind of VM image that can be ported to a provider’s VPC environment. Use with caution.
Getting ahead of the game
As always, a company’s security needs in the cloud are company, industry and application-dependent. We find that more often than not, midsize to large companies desire a hybrid environment. They often wish to host core or sensitive business applications internally, while using the cloud for email and productivity applications. Here are some pointers for managing security appropriately in the cloud:
- Determine cloud and non-cloud ready applications. Be selective about which apps and infrastructure should move to the cloud, and which could stay internal. Hire outside expertise to evaluate and assess your environment, if needed.
- Assign each application an asset value for security. This helps determine which environment or platform is most appropriate, and sets specific requirements for monitoring, access and security as well as performance and availability. Categorize applications into “buckets” for these areas and develop a plan to manage each bucket accordingly.
- Invest in predictive tools. Companies often overspend on protective controls such as firewalls and intrusion prevention systems. Those are the foundation. To be hyper-security-aware, companies should also invest in predictive analytics, which requires, in part, proactively monitoring log data for trends. You can obtain log reports from the cloud provider, but the data is high level. Through an MSP service you gain another set of eyes and more granular data to cover your bases thoroughly. MSPs can also offer in-depth knowledge of predictive analytics for security to optimize results.
- Use an on-premise security system to monitor everything. In recent years, there have been a slew of new SaaS security tools. Most of those systems are not as mature as on-premise offerings. While you still need to work with your cloud provider to ensure proper encryption and policies around the data they are hosting for you, use your on-premise tools to monitor and manage the entire security environment. The on-premise security management system can scan your cloud assets, import data, and monitor 24/7 for any troubling indicators. Then, when needed, you have all that log data in one place.
- Follow industry best practices on security. We recommend implementation of SANS 20 Critical Security Controls on the infrastructure. The SANS-CIS Critical Security Controls are a recommended set of actions for cyber defense that provide specific and actionable ways to stop today’s most pervasive and dangerous attacks. A principal benefit of the Controls is that they prioritize and focus a smaller number of actions with high pay-off results. The Controls are effective because they are derived from the most common attack patterns highlighted in the leading threat reports and vetted across a very broad community of government and industry practitioners. We also recommend OWASP Top Ten Proactive Controls 2016, a list of security techniques that should be included in every application development project.
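The two pointers above about monitoring log data for trends and pulling cloud audit data into one place where it can be watched for troubling indicators are easier to picture with a concrete detector. The script below is an added example, not code from the article or from NetEnrich: it takes a batch of audit records in the shape of AWS CloudTrail events (the field names follow CloudTrail's schema; the records themselves are constructed, with placeholder IDs and documentation IP ranges), runs per-event checks for a few well-known indicators, and then a cross-event trend check for repeated failed logins. The `FAILED_LOGIN_THRESHOLD` value and the set of "logging changed" event names are assumptions chosen for illustration.

```python
"""Centralize cloud audit events and flag troubling indicators.

Added example (not from the original article): the records below are
constructed in the shape of AWS CloudTrail events; field names follow
CloudTrail's documented schema, but every value is invented.
"""
import json
from collections import Counter

# Constructed sample events (not real account data). Each is a trimmed
# CloudTrail-style record as a provider's audit log export would deliver it.
SAMPLE_EVENTS = [
    {"eventTime": "2024-03-01T08:00:11Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "198.51.100.23",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "additionalEventData": {"MFAUsed": "No"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventTime": "2024-03-01T08:05:40Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "AuthorizeSecurityGroupIngress", "sourceIPAddress": "198.51.100.23",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "requestParameters": {"groupId": "sg-0PLACEHOLDER", "ipPermissions": {"items": [
         {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
          "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}}},
    {"eventTime": "2024-03-01T09:12:03Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging", "sourceIPAddress": "203.0.113.9",
     "userIdentity": {"type": "Root"}},
] + [
    # Five failed console logins from one address in a short window: a trend,
    # not a single event, which is why the detector also counts per source IP.
    {"eventTime": f"2024-03-01T10:00:{s:02d}Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "192.0.2.77",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "additionalEventData": {"MFAUsed": "Yes"},
     "responseElements": {"ConsoleLogin": "Failure"}}
    for s in range(5)
]

FAILED_LOGIN_THRESHOLD = 5  # assumed: failures per source IP across one imported batch
LOGGING_CHANGE_EVENTS = ("StopLogging", "DeleteTrail", "UpdateTrail")  # assumed watch list


def check_event(ev):
    """Return a list of (severity, message) findings for one event."""
    findings = []
    name = ev.get("eventName")
    who = ev.get("userIdentity", {})
    actor = who.get("userName") or who.get("type", "unknown")
    # Root should almost never act directly; any use is worth a look.
    if who.get("type") == "Root":
        findings.append(("high", f"{name} performed by the root account"))
    # Successful console login without MFA.
    if (name == "ConsoleLogin"
            and ev.get("responseElements", {}).get("ConsoleLogin") == "Success"
            and ev.get("additionalEventData", {}).get("MFAUsed") != "Yes"):
        findings.append(("medium", f"console login by {actor} without MFA"))
    # Security group rule opened to the whole internet.
    if name == "AuthorizeSecurityGroupIngress":
        for perm in ev.get("requestParameters", {}).get("ipPermissions", {}).get("items", []):
            for r in perm.get("ipRanges", {}).get("items", []):
                if r.get("cidrIp") == "0.0.0.0/0":
                    findings.append(("high", f"{actor} opened port {perm.get('fromPort')} to the internet"))
    # Changes to the audit trail itself reduce the visibility everything else depends on.
    if name in LOGGING_CHANGE_EVENTS:
        findings.append(("high", f"{actor} changed audit logging ({name}); visibility at risk"))
    return findings


def analyze(events):
    """Run per-event checks, then the cross-event trend check.

    Returns a list of (event_time_or_'batch', severity, message) tuples.
    """
    findings = []
    for ev in events:
        findings.extend((ev["eventTime"], sev, msg) for sev, msg in check_event(ev))
    failures = Counter(ev["sourceIPAddress"] for ev in events
                       if ev.get("eventName") == "ConsoleLogin"
                       and ev.get("responseElements", {}).get("ConsoleLogin") == "Failure")
    for ip, n in failures.items():
        if n >= FAILED_LOGIN_THRESHOLD:
            findings.append(("batch", "medium", f"{n} failed console logins from {ip}"))
    return findings


def load_export(text):
    """Parse a CloudTrail-style export: a JSON object holding a 'Records' list."""
    return json.loads(text).get("Records", [])


if __name__ == "__main__":
    for when, sev, msg in analyze(SAMPLE_EVENTS):
        print(f"[{sev:6}] {when} {msg}")
```

In practice the `SAMPLE_EVENTS` list would be replaced by records read with `load_export` from the provider's log export and merged with on-premise sources, so that, as the article suggests, all of the log data sits in one place; the per-event checks catch single misconfigurations, while the batch check is the kind of trend that only becomes visible once the data is centralized.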
Cloud technologies and tools are changing all the time. You can bet that given enterprise concerns around security, vendors will continue to drive innovation and better options for companies looking to have it all – the flexibility, agility and cost advantages of the cloud while maintaining the best possible security profile for corporate IT and data assets.
Vikram Chabra is a solution architect in Cyber Security Services at NetEnrich.