This paper reviews the impact of adopting cloud infrastructure on the network security of an application. In recent years there has been a shift towards cloud infrastructure and distributed systems and away from in-house, centralized systems. This paper discusses how such infrastructure differs and how network security for such applications forces us to share security responsibilities with our cloud service providers.
It compares traditional in-house infrastructure for an application with cloud-based infrastructure, and describes how applications are moving towards cloud-based distributed architectures.
The purpose of this paper is to provide clarity on how network security best practices and guidelines are shared between the organization using cloud infrastructure and the cloud service provider. We use examples of the services provided by Amazon's AWS to examine how an organization using AWS shares security responsibilities with Amazon, and how this differs from setting up network security guidelines for a traditional in-house solution, where the network administrator has access to all resources.
We focus on the security aspect of cloud infrastructure and on the services AWS (or any other cloud service provider) offers to help make our network more secure.
As we have seen in recent years, the industry is moving towards cloud-based solutions rather than building traditional in-house solutions. A cloud-based solution is one where an organization rents the resources it needs, as opposed to buying or renting them and maintaining them in house.
Since all the hardware resources are owned and maintained by the cloud service provider (Amazon for AWS, Microsoft for Azure), securing that hardware is the provider's responsibility. Network and application security responsibility, however, is shared between the cloud service provider and the service user. Our scope is the security aspect of cloud infrastructure: what services providers like AWS offer to make it easier for an organization to handle network security for its infrastructure, and how these responsibilities are shared across the board.
We categorize the services provided based on assets, which helps us focus on how security responsibilities are shared between the cloud infrastructure provider and the user: how we can secure these assets given the service and access provided, what the best practices are for securing data, operating or peripheral systems and the network, and how we can monitor these services to help achieve our security objectives.
Shared Responsibility Model
The shared responsibility model offered by cloud service providers means that the responsibility for securing the network and infrastructure is shared between the service provider and the user. The service provider delivers secure infrastructure and services, while the user is responsible for securing the operating system, platform and data. Service providers also offer features and services that let the user enhance the security of the infrastructure. For example, AWS provides IAM (Identity and Access Management), where we manage users and the permissions granted to them.
At a holistic level, all service providers offer some sort of user and access management service, which is used to create users with permission to access cloud services under defined roles. Apart from user and access management, all cloud service providers let us choose where our resources physically reside. We decide which region and availability zone to use and where our backups should be, which gives us confidence in service availability. It is recommended to spread resources across availability zones so that if one zone goes down we can switch to resources in another. We should also choose the region closest to the end users of the service, so that latency is as low as possible.
From the service provider's standpoint, services are usually categorized as infrastructure, container and abstracted services. On AWS, the following services fall into these categories:
- Infrastructure services: Amazon EC2 instances, Amazon EBS (Elastic Block Store), Auto Scaling and Amazon VPC (Virtual Private Cloud). These services let us build a solution similar to legacy in-house or on-premise solutions. Consumers of these services control the operating systems and control and operate any identity management system used to access them.
- Container services: These usually run on infrastructure services; the provider manages the operating system and the platform. Examples are Amazon RDS (Relational Database Service), Amazon EMR (Elastic MapReduce) and AWS Elastic Beanstalk. Consumers of these services are responsible for setting up and managing network controls, such as firewall rules, and for managing platform-level identity and access management through IAM.
- Abstracted services: High-level storage, database and messaging services, for example Amazon S3 (Simple Storage Service), Amazon Glacier, Amazon DynamoDB, Amazon SQS (Simple Queue Service) and Amazon SNS (Simple Notification Service). Here the provider operates the infrastructure, operating system and platform, and the consumer is left with securing the data and controlling access to it.
To design our information security management system, we have to define and categorize our assets. Broadly, we can divide them into essential assets and the assets that support them. Our security requirements depend on the use case of our application, i.e., on the following factors:
- Business needs and objectives
- Processes employed
- Size and structure of the organizations
We have already discussed the services that let us do user and access management as well as OS-level management and controls. Over a network, we also need to consider the security of the data. We can categorize our policies around data based on the state of the data on the network and on its access and maintenance:
- Resource access authorization: These policies define which users can access the data and with what roles. We can define policies based on the resources and on the capabilities over those resources that a user requires:
- Resource policies: define which resources are available to a user.
- Capability policies: define which capabilities, roles and responsibilities a user may have over a resource.
- IP address restrictions: we can also restrict which IP addresses are allowed to access a resource.
- Storing and managing encryption keys in the cloud: As with on-premise systems, we use encryption keys for security and it is essential to keep them secure. Usually the service provider offers a straightforward service to manage and protect encryption keys, for example AWS KMS (Key Management Service). Providers also offer the option to use your own key management system, in which case it is imperative to store the keys in a tamper-resistant environment. Such an environment is also available from service providers, for example AWS CloudHSM (Hardware Security Module).
- Decommissioning data and media securely: Decommissioning data in the cloud is very different from decommissioning it on an on-premise system. In the cloud, the underlying physical media is not decommissioned; instead the storage blocks holding the data are marked as unallocated, and the old data is overwritten when another instance writes to those blocks. Only when the service provider considers that the media has reached its end of life is it decommissioned, according to Department of Defense media sanitization guidelines. For organizations in regulated businesses or handling sensitive data, this makes it imperative to encrypt data at rest so that it can never be misused in the event of a leak.
- Securing data at rest: Data at rest is data stored on storage devices or in databases. Service providers offer various services for storing data in the cloud; for example, Amazon provides S3, EBS, RDS, Glacier, DynamoDB, EMR, etc. Each of these services has its own features for securing data, and almost every one can encrypt data at rest. We use features such as versioning, permissions, backups, encryption, replication and encrypted file systems.
- Securing data in transit: Data in transit is data moving over the wire, i.e., data being communicated to, from or within the cloud. The underlying principle of securing such data is the same as for on-premise systems. We encrypt data in transit using IPsec ESP and/or SSL/TLS, protect its integrity using IPsec ESP/AH and/or SSL/TLS, and authenticate peers using X.509 server certificates. We should enforce the use of secure protocols only when accessing the data.
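The policy types above (resource policies, capability policies, IP restrictions, and "secure protocols only" for data in transit) all end up expressed as policy documents. The following is an added example, not code from the paper or from AWS: a small evaluator that applies IAM-style Allow/Deny semantics to two constructed policies for a hypothetical bucket, one granting read-only capabilities from an office network range via an aws:SourceIp condition, and one resource policy that denies any request not made over TLS via aws:SecureTransport. The bucket name, addresses and policy contents are this example's assumptions; the decision logic (default deny, explicit Deny wins, wildcard matching) follows how IAM evaluates policies, but only the two condition operators used here are implemented.

```python
"""Minimal AWS-style policy evaluator (added example, not from the paper)."""
import fnmatch
import ipaddress


def _matches(field, value):
    """'Action' and 'Resource' accept one glob pattern or a list of them.
    Real IAM matches action names case-insensitively; this example is exact."""
    patterns = field if isinstance(field, list) else [field]
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def _condition_holds(condition, ctx):
    """Only the two operators this example needs: IpAddress on aws:SourceIp
    and Bool on aws:SecureTransport. A key missing from the request context
    never satisfies a condition."""
    for operator, pairs in condition.items():
        for key, wanted in pairs.items():
            wanted = wanted if isinstance(wanted, list) else [wanted]
            actual = ctx.get(key)
            if actual is None:
                return False
            if operator == "IpAddress":
                if not any(ipaddress.ip_address(actual) in ipaddress.ip_network(c) for c in wanted):
                    return False
            elif operator == "Bool":
                if str(actual).lower() != str(wanted[0]).lower():
                    return False
            else:
                raise ValueError(f"operator {operator!r} is not supported by this example")
    return True


def evaluate(policies, action, resource, ctx):
    """Simplified IAM decision logic: default deny; an applicable explicit
    Deny always wins; otherwise an applicable Allow is required."""
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if not (_matches(stmt["Action"], action) and _matches(stmt["Resource"], resource)):
                continue
            if not _condition_holds(stmt.get("Condition", {}), ctx):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"
            allowed = True
    return "Allow" if allowed else "Deny"


# Constructed policies for a hypothetical bucket (assumption, not from the paper).
BUCKET = "arn:aws:s3:::example-app-data"

# Capability policy attached to a reporting role: list and read, nothing else,
# and only from the office egress range (the IP restriction).
READ_ONLY_FROM_OFFICE = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Action": ["s3:GetObject", "s3:ListBucket"],
    "Resource": [BUCKET, BUCKET + "/*"],
    "Condition": {"IpAddress": {"aws:SourceIp": "203.0.113.0/24"}},
}]}

# Resource policy on the bucket: refuse anything that did not arrive over TLS,
# which is how "secure protocols only" is enforced for data in transit.
REQUIRE_TLS = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Deny",
    "Action": "s3:*",
    "Resource": [BUCKET, BUCKET + "/*"],
    "Condition": {"Bool": {"aws:SecureTransport": "false"}},
}]}

POLICIES = [READ_ONLY_FROM_OFFICE, REQUIRE_TLS]


def decide(action, key, source_ip, tls):
    """Evaluate one request against both policies."""
    ctx = {"aws:SourceIp": source_ip, "aws:SecureTransport": "true" if tls else "false"}
    return evaluate(POLICIES, action, f"{BUCKET}/{key}", ctx)


if __name__ == "__main__":
    print(decide("s3:GetObject", "reports/q1.csv", "203.0.113.10", True))     # Allow
    print(decide("s3:GetObject", "reports/q1.csv", "198.51.100.7", True))     # Deny: wrong network
    print(decide("s3:GetObject", "reports/q1.csv", "203.0.113.10", False))    # Deny: plaintext
    print(decide("s3:DeleteObject", "reports/q1.csv", "203.0.113.10", True))  # Deny: no capability
```

The last two cases are the ones worth noticing: a request that satisfies the capability policy is still refused when the resource policy's Deny applies, and an action the role was never granted is refused without any Deny statement at all, because the default is deny.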
Operating System and Application System Security
As discussed in the introduction, with the cloud we use a shared responsibility model. In such a model, it is the consumer who is responsible for setting the security parameters. The service provider gives access to the system, helps bootstrap it to ease access, and offers services that help set the security parameters, but setting them remains the consumer's prerogative. This part is similar to on-premise systems; only the way we set these parameters may differ a little.
This, along with setting global security parameters, is probably the most important area for any organization, and it is needed even for securing the data. Most organizations use a combination of practices to secure the infrastructure, such as:
- Using a Virtual Private Cloud (VPC): We can create private clouds within the public cloud. This provides isolation from the internet and another layer of security for anything that is not supposed to be public facing. Within a VPC, we can encrypt application and administrative traffic using SSL/TLS.
- Using security zoning and network segmentation: Depending on requirements, we may want to set different security parameters within different parts of our overall network, and it makes sense to use network segmentation and security zones to do so. Network segmentation isolates one network from another, whereas a security zone groups system components with similar security levels under common controls. In addition, we can use host-based firewalls, threat protection layers and access controls at other layers to secure our network. Security zones give us the following additional controls per network segment:
- Shared access control
- Shared Audit Logging
- Shared Data Classification
- Shared Management Infrastructure
- Shared Security (Confidentiality/Integrity) Requirements
- Securing peripheral systems such as repositories, DNS and NTP
- Mitigating simple DoS or DDoS attacks: Most cloud providers publish recommendations for identifying a DoS or DDoS attack in real time and filtering out the problematic packets.
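The segmentation controls described above are, on AWS, the security group on the instance and the network ACL on the subnet, and the two behave differently: a security group is stateful and has allow rules only, while a network ACL is stateless, has numbered allow and deny rules evaluated in order, and must explicitly permit the return half of every connection. The following added example (written for this page, not code from the paper or from AWS) models both layers and walks one HTTPS connection through them, showing the classic mistake of a network ACL whose outbound rules forget the ephemeral port range. The rule sets, addresses and data structures are this example's own assumptions; only the stateful/stateless and first-match semantics are taken from how a VPC behaves.

```python
"""Security group vs. network ACL model (added example, not from the paper)."""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"
    is_response: bool = False   # True for the return half of an already-accepted flow


def _rule_hits(rule, peer_ip, pkt):
    """rule = (cidr, proto, from_port, to_port); proto '-1' means any protocol."""
    cidr, proto, lo, hi = rule
    return (proto in ("-1", pkt.proto)
            and ipaddress.ip_address(peer_ip) in ipaddress.ip_network(cidr)
            and lo <= pkt.dport <= hi)


@dataclass
class SecurityGroup:
    """Stateful: only allow rules exist, and return traffic for an accepted
    connection is admitted automatically regardless of the rules in the
    opposite direction."""
    inbound: list = field(default_factory=list)    # (cidr, proto, from_port, to_port)
    outbound: list = field(default_factory=list)

    def permits(self, pkt, direction):
        if pkt.is_response:
            return True
        rules = self.inbound if direction == "in" else self.outbound
        peer = pkt.src if direction == "in" else pkt.dst
        return any(_rule_hits(r, peer, pkt) for r in rules)


@dataclass
class NetworkACL:
    """Stateless: every packet, responses included, must match an explicit
    rule. Rules are tried in ascending rule-number order, the first match
    decides, and the implicit final rule denies."""
    inbound: list = field(default_factory=list)    # (number, cidr, proto, from, to, action)
    outbound: list = field(default_factory=list)

    def permits(self, pkt, direction):
        rules = self.inbound if direction == "in" else self.outbound
        peer = pkt.src if direction == "in" else pkt.dst
        for number, cidr, proto, lo, hi, action in sorted(rules, key=lambda r: r[0]):
            if _rule_hits((cidr, proto, lo, hi), peer, pkt):
                return action == "allow"
        return False


def connection_allowed(nacl, sg, client_ip, server_ip, server_port, client_port):
    """A TCP connection succeeds only if the request passes the NACL and then
    the security group inbound, and the response passes the security group
    and then the NACL outbound."""
    request = Packet(client_ip, server_ip, server_port)
    response = Packet(server_ip, client_ip, client_port, is_response=True)
    return (nacl.permits(request, "in") and sg.permits(request, "in")
            and sg.permits(response, "out") and nacl.permits(response, "out"))


# Constructed web-tier configuration: HTTPS from anywhere.
WEB_SG = SecurityGroup(inbound=[("0.0.0.0/0", "tcp", 443, 443)])

# Broken NACL: the SYN to port 443 is admitted, but the SYN-ACK back to the
# client's ephemeral port is dropped at the subnet edge, so nothing connects.
BROKEN_NACL = NetworkACL(
    inbound=[(100, "0.0.0.0/0", "tcp", 443, 443, "allow")],
    outbound=[(100, "0.0.0.0/0", "tcp", 443, 443, "allow")])

# Corrected NACL: outbound covers the ephemeral range, and a lower-numbered
# deny for a known-bad network is evaluated before the broad allow.
FIXED_NACL = NetworkACL(
    inbound=[(50, "198.51.100.0/24", "tcp", 0, 65535, "deny"),
             (100, "0.0.0.0/0", "tcp", 443, 443, "allow")],
    outbound=[(100, "0.0.0.0/0", "tcp", 1024, 65535, "allow")])


if __name__ == "__main__":
    print(connection_allowed(BROKEN_NACL, WEB_SG, "203.0.113.10", "10.0.1.5", 443, 51234))  # False
    print(connection_allowed(FIXED_NACL, WEB_SG, "203.0.113.10", "10.0.1.5", 443, 51234))   # True
    print(connection_allowed(FIXED_NACL, WEB_SG, "198.51.100.7", "10.0.1.5", 443, 51234))   # False
```

The point of the second layer is the deny rule: a security group cannot express "everyone except this network", whereas a network ACL can, which is why the recommendation later in this paper is to augment security groups with network ACLs rather than to replace one with the other.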
Security Monitoring, Auditing, Alerting and Incident Response
For this part we can use the same solutions we use for on-premise systems, or the tools provided by the cloud service provider, which are easy to use within its ecosystem. Security monitoring requires us to answer the following questions:
- What parameters need to be measured?
- How do we measure them?
- What thresholds do we need to set for them?
- What is the escalation process and how does it work?
- What data should we keep?
- What do I need to log? This is technically the most important question; it is recommended to focus on the following areas for logging and analysis:
- Root and admin actions and events
- Audit trails
- All access attempts, to identify invalid ones
- All events related to identification and authentication
- Audit logs
- Creation and deletion of system-level objects
- Inbound and outbound requests and responses to the system
- Inbound and outbound traffic for analysis
According to the shared responsibility model, it is usually the service provider that configures infrastructure components such as data center networks, routers, switches and firewalls in a secure fashion, whereas it is the consumer's responsibility to control access to the systems in the cloud, to configure network security within the VPC, and to secure inbound and outbound network traffic. The following practices are recommended for securing the network in the cloud:
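Several of the logging targets above (root and admin actions, authentication events, invalid access attempts, creation and deletion of system-level objects, and the audit trail itself) map directly onto fields of an AWS CloudTrail record. The following added example, written for this page rather than taken from the paper or from AWS, runs simple detection rules over a handful of constructed records. The JSON field names (userIdentity, eventSource, eventName, sourceIPAddress, responseElements, errorCode) follow the real CloudTrail record format, but the events, the threshold and window for failed logins, and the rule names are this example's own assumptions.

```python
"""CloudTrail-style detection rules (added example, not from the paper)."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

FAILED_LOGIN_THRESHOLD = 3                   # assumption: three failures ...
FAILED_LOGIN_WINDOW = timedelta(minutes=10)  # ... from one IP within ten minutes
# IAM calls that create, delete or extend identities and their permissions.
IAM_OBJECT_EVENTS = {"CreateUser", "DeleteUser", "CreateAccessKey", "CreateRole",
                     "AttachUserPolicy", "PutUserPolicy", "AttachRolePolicy"}
# CloudTrail calls that would blind the audit trail itself.
TRAIL_TAMPER_EVENTS = {"StopLogging", "DeleteTrail", "UpdateTrail"}


def parse_events(lines):
    """One JSON-encoded CloudTrail record per line, as a SIEM would ingest them."""
    return [json.loads(line) for line in lines if line.strip()]


def detect(events):
    """Run the rules over the events in time order; returns (severity, rule, detail) tuples."""
    alerts = []
    failed = defaultdict(list)   # sourceIPAddress -> timestamps of recent failed console logins
    for ev in sorted(events, key=lambda e: e["eventTime"]):
        ident = ev.get("userIdentity", {})
        actor = ident.get("userName") or ident.get("arn") or ident.get("type", "unknown")
        src = ev.get("sourceIPAddress", "?")
        name = ev["eventName"]
        when = datetime.strptime(ev["eventTime"], "%Y-%m-%dT%H:%M:%SZ")

        # Root and admin actions: anything done as the account root is an alert.
        if ident.get("type") == "Root":
            alerts.append(("high", "root_activity", f"{name} by the root account from {src}"))
        # Identification and authentication events: failed console logins, per source IP.
        if name == "ConsoleLogin" and ev.get("responseElements", {}).get("ConsoleLogin") == "Failure":
            failed[src] = [t for t in failed[src] if when - t <= FAILED_LOGIN_WINDOW] + [when]
            if len(failed[src]) == FAILED_LOGIN_THRESHOLD:   # fires once when the threshold is crossed
                alerts.append(("medium", "failed_logins",
                               f"{FAILED_LOGIN_THRESHOLD} failed console logins from {src} within {FAILED_LOGIN_WINDOW}"))
        # Creation and deletion of system-level objects: IAM principals and policies.
        if ev.get("eventSource") == "iam.amazonaws.com" and name in IAM_OBJECT_EVENTS:
            alerts.append(("medium", "iam_object_change", f"{name} by {actor}"))
        # Audit trail: someone turning logging off is the event you most need to see.
        if ev.get("eventSource") == "cloudtrail.amazonaws.com" and name in TRAIL_TAMPER_EVENTS:
            alerts.append(("high", "audit_trail_tampering", f"{name} by {actor}"))
        # Invalid access attempts.
        if ev.get("errorCode") == "AccessDenied":
            alerts.append(("low", "access_denied", f"{actor} was denied {name} from {src}"))
    return alerts


def _event(time, name, source, identity, ip="203.0.113.5", **extra):
    """Build a constructed record using the real CloudTrail field names."""
    rec = {"eventVersion": "1.08", "eventTime": time, "eventSource": source, "eventName": name,
           "awsRegion": "us-east-1", "userIdentity": identity, "sourceIPAddress": ip}
    rec.update(extra)
    return rec


# Constructed identities and events (not real data).
ROOT = {"type": "Root", "arn": "arn:aws:iam::123456789012:root", "accountId": "123456789012"}
ALICE = {"type": "IAMUser", "userName": "alice", "accountId": "123456789012"}
BOB = {"type": "IAMUser", "userName": "bob", "accountId": "123456789012"}

SAMPLE_LOG = "\n".join(json.dumps(e) for e in [
    _event("2024-01-15T09:58:00Z", "ConsoleLogin", "signin.amazonaws.com", ROOT,
           responseElements={"ConsoleLogin": "Success"}),
    _event("2024-01-15T10:00:00Z", "ConsoleLogin", "signin.amazonaws.com", ALICE, ip="198.51.100.9",
           responseElements={"ConsoleLogin": "Failure"}),
    _event("2024-01-15T10:02:00Z", "ConsoleLogin", "signin.amazonaws.com", ALICE, ip="198.51.100.9",
           responseElements={"ConsoleLogin": "Failure"}),
    _event("2024-01-15T10:05:00Z", "ConsoleLogin", "signin.amazonaws.com", ALICE, ip="198.51.100.9",
           responseElements={"ConsoleLogin": "Failure"}),
    _event("2024-01-15T10:20:00Z", "CreateAccessKey", "iam.amazonaws.com", BOB,
           requestParameters={"userName": "bob"}),
    _event("2024-01-15T10:21:00Z", "StopLogging", "cloudtrail.amazonaws.com", BOB),
    _event("2024-01-15T10:22:00Z", "GetObject", "s3.amazonaws.com", BOB, errorCode="AccessDenied"),
])

if __name__ == "__main__":
    for severity, rule, detail in detect(parse_events(SAMPLE_LOG.splitlines())):
        print(f"[{severity}] {rule}: {detail}")
```

The failed-login rule keeps a sliding window per source address and fires once when the count reaches the threshold, which is the shape of the "what threshold, what escalation" questions above; the trail-tampering rule is deliberately the highest severity, since every other rule depends on logging still being on.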
- Use security groups
- Augment security groups with network ACLs
- Use IPsec VPN (or, on AWS, AWS Direct Connect) for trusted connections to other sites
- Use a Virtual Private Gateway (VGW) where VPC-based resources require remote network connectivity
- Protect data in transit to ensure the confidentiality and integrity of data
- For large networks, instead of using a single flat network, design the network in layers and apply network security at the external, DMZ and internal layers
- Use VPC Flow Logs for more visibility into traffic patterns, to identify potential intrusion attempts
It is highly recommended to keep up with current technological changes, as this field is very fast paced and we face new problems and get new solutions to them almost monthly. Follow what is released at conferences like AWS re:Invent, keep tabs on which new products and tools are released in the industry, and understand which use cases they are meant for.
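The last recommendation, VPC Flow Logs, is the one the consumer has to act on themselves: the provider delivers the records, the consumer has to look at them. The following added example (written for this page, not code from the paper or from AWS) parses records in the default version-2 flow log format, the fourteen space-separated fields AWS documents, and applies two detections: a source whose REJECTed flows touch many distinct ports on one host in a short window, and accepted SSH/RDP traffic from outside the VPC's own address ranges. The log lines, the thresholds and the choice of internal ranges are this example's assumptions.

```python
"""VPC Flow Log parsing and two detections (added example, not from the paper)."""
import ipaddress
from collections import defaultdict

# Default VPC Flow Log (version 2) field order.
FIELDS = ["version", "account_id", "interface_id", "srcaddr", "dstaddr", "srcport",
          "dstport", "protocol", "packets", "bytes", "start", "end", "action", "log_status"]
INT_FIELDS = ("srcport", "dstport", "protocol", "packets", "bytes", "start", "end")

SCAN_PORT_THRESHOLD = 5        # assumption: this many distinct rejected ports on one target ...
SCAN_WINDOW_SECONDS = 60       # ... within this many seconds counts as a scan
ADMIN_PORTS = {22, 3389}       # SSH and RDP
# The VPC's own address space (assumption). ipaddress.is_private is deliberately
# not used here: it also treats documentation ranges such as 203.0.113.0/24 as private.
INTERNAL_NETS = [ipaddress.ip_network(c) for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip):
    return any(ipaddress.ip_address(ip) in net for net in INTERNAL_NETS)


def parse_record(line):
    """Parse one flow log line. Returns None for NODATA/SKIPDATA rows, whose
    address and port fields are '-' and carry nothing to analyse."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}: {line!r}")
    rec = dict(zip(FIELDS, parts))
    if rec["log_status"] != "OK":
        return None
    for key in INT_FIELDS:
        rec[key] = int(rec[key])
    return rec


def parse_log(lines):
    return [r for r in (parse_record(l) for l in lines if l.strip()) if r is not None]


def detect_scans(records):
    """Flag a source whose REJECTed TCP flows hit at least SCAN_PORT_THRESHOLD
    distinct destination ports on one host within SCAN_WINDOW_SECONDS."""
    rejected = defaultdict(list)   # (src, dst) -> [(start, dstport)]
    for r in records:
        if r["action"] == "REJECT" and r["protocol"] == 6:
            rejected[(r["srcaddr"], r["dstaddr"])].append((r["start"], r["dstport"]))
    findings = []
    for (src, dst), hits in rejected.items():
        hits.sort()
        for i, (t0, _) in enumerate(hits):
            ports = {port for t, port in hits[i:] if t - t0 <= SCAN_WINDOW_SECONDS}
            if len(ports) >= SCAN_PORT_THRESHOLD:
                findings.append({"rule": "port_scan", "src": src, "dst": dst, "ports": sorted(ports)})
                break
    return findings


def detect_external_admin(records):
    """Flag ACCEPTed SSH/RDP flows whose source is outside the internal ranges:
    a security group that should only admit the bastion or VPN range let them in."""
    return [{"rule": "external_admin_access", "src": r["srcaddr"], "dst": r["dstaddr"], "port": r["dstport"]}
            for r in records
            if r["action"] == "ACCEPT" and r["dstport"] in ADMIN_PORTS and not is_internal(r["srcaddr"])]


# Constructed sample (not real traffic): a six-port sweep that the security
# group rejected, one external SSH session it accepted, one internal SSH
# session, and a NODATA row.
SAMPLE_FLOW_LOG = """\
2 123456789012 eni-0a1b2c3d4e5f67890 198.51.100.23 10.0.1.5 40001 21 6 1 44 1700000000 1700000005 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f67890 198.51.100.23 10.0.1.5 40002 22 6 1 44 1700000003 1700000008 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f67890 198.51.100.23 10.0.1.5 40003 23 6 1 44 1700000006 1700000011 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f67890 198.51.100.23 10.0.1.5 40004 25 6 1 44 1700000009 1700000014 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f67890 198.51.100.23 10.0.1.5 40005 80 6 1 44 1700000012 1700000017 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f67890 198.51.100.23 10.0.1.5 40006 443 6 1 44 1700000015 1700000020 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f67890 203.0.113.9 10.0.1.5 51515 22 6 12 1876 1700000100 1700000160 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f67890 10.0.2.7 10.0.1.5 51600 22 6 30 5120 1700000100 1700000160 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f67890 - - - - - - - 1700000200 1700000260 - NODATA
"""

if __name__ == "__main__":
    records = parse_log(SAMPLE_FLOW_LOG.splitlines())
    for finding in detect_scans(records) + detect_external_admin(records):
        print(finding)
```

Two things a practitioner should note: REJECT records are evidence that the security group or network ACL worked, so the sweep is information rather than an incident, while the accepted external SSH session is the real finding and points back at an over-broad security group rule; and NODATA/SKIPDATA rows must be filtered before any field is parsed as a number.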