Many articles and books have already been written about clouds, and it may seem that everyone has long known how to build and work with them. However, cloud environments are not always properly protected, so it is worth recalling what matters most when securing them.
Let’s start with infrastructure. No cloud can exist without a network, so first of all we need to take care of the security of the network infrastructure that keeps our cloud environment running.
Network-level security can be achieved in a variety of ways. You can do it the old-fashioned way and limit yourself to firewalls with standard access lists and password authentication. But standard access lists control nothing above the transport layer: in essence, we only restrict access by port, without looking at anything higher, at the application level. Password authentication isn’t very secure either: an attacker can intercept a password, for example with a keylogger.
To protect cloud environments, it is much better to use the ZTNA (Zero Trust Network Access) concept. We won’t dive into the marketing side of this zero trust methodology, but instead look at what can be used in practice.
We don’t trust anyone
ZTNA (the zero trust concept) involves deciding whether to grant access at the moment of connection. We still have access lists, accounts, and other standard attributes that say who should have access to what. But when the user connects, we also look at the context: what region the connection comes from (geolocation), whether there have previously been connections from this region or from this provider’s subnet, and what OS and client are used to connect. In the simplest case, this is the User-Agent header sent with the HTTP request.
The versions of the software used, especially the operating system and browser, matter. If outdated software is used to connect, there is a chance that some kind of malware lives on the machine or that it has already been compromised by an attacker. During the pandemic, personal computers were often used for remote access, and such problems were encountered very often.
Another part of the context is the time at which the connection is made and the service to which access is requested. You will agree that it is somewhat strange for an accountant’s computer to access the administration interface of some network equipment on a Saturday night. This may not be prohibited by corporate policy, but it looks very suspicious.
The decision about whether to let a user in is ultimately made on the basis of this context. That is, the region, the OS and software used, the time, and the service being accessed must all be what is called typical. If there is a deviation on any point, various options are possible. If the computer is running outdated software, it can be placed in a quarantine network from which it can only install the necessary updates. If there are other suspicious signs, related to geolocation or atypical behavior, a second authentication factor can be requested. In the simplest case this could be a one-time password via SMS, although it is better to use dedicated smartphone applications that display a push notification when an access request is received.
In general, using a second authentication factor is a good security measure that can neutralize up to 70 percent of attacks on user accounts.
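The context-based decision described above (region and provider subnet, OS and client version, time of day, service requested, with quarantine for outdated software and a second factor for atypical context) can be written down as a small policy function. The code below is an added illustration, not code from the article or from any ZTNA product; the user baseline, the minimum acceptable versions and the sample connections are all constructed, and the User-Agent parser only recognises two browser families.

```python
"""Context-aware access decision in the spirit of ZTNA.

Added example, not code from the original article. The user's baseline
profile, the policy minimum versions and the sample connections are all
constructed for illustration.
"""
import re
from dataclasses import dataclass, replace
from datetime import datetime

# Assumed policy: oldest OS / client major versions still considered acceptable.
MIN_VERSIONS = {"Windows": (10,), "macOS": (13,), "Chrome": (110,), "Firefox": (110,)}

UA_RE = re.compile(r"(Chrome|Firefox)/(\d+)")


@dataclass(frozen=True)
class Baseline:
    """What is 'typical' for one user, learned from earlier successful logins."""
    regions: frozenset
    subnets: frozenset        # provider subnets seen before, e.g. "203.0.113.0/24"
    os_names: frozenset
    work_days: frozenset      # Monday=0 ... Sunday=6
    work_hours: tuple         # (first_hour, last_hour), inclusive, local time
    services: frozenset       # services this user normally accesses


@dataclass(frozen=True)
class Connection:
    """Context observed at connection time."""
    user: str
    region: str
    subnet: str
    os_name: str
    os_version: tuple
    client: str
    client_version: tuple
    at: datetime
    service: str


def client_from_user_agent(user_agent):
    """Pick the browser family and major version out of an HTTP User-Agent header."""
    match = UA_RE.search(user_agent)
    if match is None:
        return "unknown", (0,)
    return match.group(1), (int(match.group(2)),)


def is_outdated(name, version):
    """True when the platform is known to the policy and the version is below its minimum."""
    minimum = MIN_VERSIONS.get(name)
    return minimum is not None and version < minimum


def decide(conn, baseline):
    """Evaluate the connection context against the user's typical profile.

    Returns (verdict, reasons), where verdict is one of:
      'quarantine' - outdated OS or client: only the update network is reachable
      'step_up'    - atypical context: require a second factor before granting access
      'allow'      - everything looks typical
    """
    if is_outdated(conn.os_name, conn.os_version) or is_outdated(conn.client, conn.client_version):
        return "quarantine", [f"outdated software: {conn.os_name} {conn.os_version} / {conn.client} {conn.client_version}"]

    reasons = []
    # Geolocation: a new region is tolerated if the provider subnet has been seen before.
    if conn.region not in baseline.regions and conn.subnet not in baseline.subnets:
        reasons.append(f"no previous logins from {conn.region} / {conn.subnet}")
    if conn.os_name not in baseline.os_names:
        reasons.append(f"unusual platform {conn.os_name}")
    first, last = baseline.work_hours
    if conn.at.weekday() not in baseline.work_days or not first <= conn.at.hour <= last:
        reasons.append(f"login at {conn.at:%a %H:%M} is outside usual hours")
    if conn.service not in baseline.services:
        reasons.append(f"{conn.user} does not normally access {conn.service}")
    return ("step_up", reasons) if reasons else ("allow", [])


def learn(baseline, conn):
    """After a successful second factor, treat this region and subnet as typical from now on."""
    return replace(baseline, regions=baseline.regions | {conn.region}, subnets=baseline.subnets | {conn.subnet})


# Constructed baseline for a fictional accountant: Moscow, Windows, weekdays 08-19, ERP and mail only.
ACCOUNTANT = Baseline(
    regions=frozenset({"RU-MOW"}), subnets=frozenset({"203.0.113.0/24"}),
    os_names=frozenset({"Windows"}), work_days=frozenset(range(5)),
    work_hours=(8, 19), services=frozenset({"erp", "mail"}),
)


def sample_connections():
    """Three constructed connections: a typical one, an outdated OS, and the Saturday-night case."""
    chrome = client_from_user_agent("Mozilla/5.0 (Windows NT 10.0) Chrome/122.0.0.0 Safari/537.36")
    firefox = client_from_user_agent("Mozilla/5.0 (Windows NT 10.0; rv:123.0) Firefox/123.0")
    return [
        Connection("accountant", "RU-MOW", "203.0.113.0/24", "Windows", (11,), *chrome, datetime(2024, 3, 14, 10, 30), "erp"),
        Connection("accountant", "RU-MOW", "203.0.113.0/24", "Windows", (7,), *chrome, datetime(2024, 3, 14, 10, 30), "erp"),
        Connection("accountant", "DE-BE", "198.51.100.0/24", "Windows", (11,), *firefox, datetime(2024, 3, 16, 23, 15), "switch-admin"),
    ]


if __name__ == "__main__":
    for conn in sample_connections():
        verdict, reasons = decide(conn, ACCOUNTANT)
        print(f"{conn.at:%a %H:%M} {conn.service:<12} -> {verdict:<10} {'; '.join(reasons)}")
```

Running the script prints one verdict per sample connection: the weekday ERP login is allowed, the Windows 7 machine is quarantined before any other check is made, and the Saturday-night login from an unseen German subnet to a switch admin interface collects three deviations and is sent to step-up authentication. Once the second factor succeeds, learn() folds the new region and subnet into the baseline, so only the off-hours and unusual-service reasons remain the next time.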
Clouds are always hardware
One way or another, a cloud environment is built on hardware. No matter how far we abstract from the real hardware, all our containers and virtual machines in fact live on some kind of servers and storage systems. And when securing a cloud system, we should not forget such a fairly obvious thing as the physical security of equipment and communication channels. If an outsider can gain physical access to equipment or a network cable, they can at least cause a simple denial of service by unplugging the power cable. It’s even more fun to rearrange the network cables in a multiport switch. So do not forget that the server rooms housing equipment for cloud environments must have security mechanisms such as access control systems, video surveillance, and so on.
The architecture of cloud environments also allows cloud elements to be placed at separate sites, so it is necessary to make sure that information security requirements are met at each of these sites.
Application security, or when there is a lot of Open Source
As you know, there is no such thing as too much open source code. The more open source applications we use, the more flexible our system can potentially be: with the help of our developers, we can modify individual functionality for ourselves and optimize things. This is especially convenient when implementing cloud solutions.
However, from a security perspective, open source does not always work the way it is supposed to. Everyone remembers the vulnerability in OpenSSL, where the library containing the vulnerability was publicly available for many years. It would seem that anyone could have checked the source code, but nevertheless many websites and applications used the vulnerable library for years.
After the well-known events in the Open Source world, applications with backdoors began to appear. If you access the repository from a non-Russian IP address, normal, safe code is downloaded to you. But when connecting from Russian or Belarusian addresses, you may receive code with backdoors.
On the Internet you can find a list of open source projects with backdoors and politicized messaging: https://vk.com/wall7076856_4847. This list has several sections describing various malicious actions carried out by various software for political reasons.
So when using open source software, it’s a good idea to check the “reputation” of the desired application and make sure it has no such problems.
Dependency on Dependencies
Another important point when developing applications is the security of the libraries used in the code. You may want to use some library that provides the functionality you need. In that case, it would be a good idea to ask when this library was last updated, who maintains it, and what vulnerabilities have been found in it. You can find this out using dedicated services such as Snyk.
This service lets you check the source code for vulnerabilities and errors, as well as dependencies and containers. In general, this functionality is paid, but there is a free trial period.
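The three questions above (when was the library last updated, who maintains it, which vulnerabilities does it have) are exactly what a dependency scanner answers for each pinned package. The script below is an added illustration of those checks, not the article's code and not Snyk's output or API: the advisory feed, the package metadata and the requirements file are constructed for the example, and a real scanner would fetch them from a vulnerability database and the package index instead. It also flags a fourth problem the questions imply, a floating version specifier, since an unpinned dependency can silently change under you.

```python
"""Dependency hygiene checks of the kind a service such as Snyk automates.

Added example, not the article's code and not Snyk's own output. The
advisory list, the package metadata and the requirements text are all
constructed for illustration.
"""
import re
from datetime import date, timedelta

# Constructed advisory feed: package -> list of (advisory id, first fixed version).
ADVISORIES = {
    "examplelib": [("ADV-EXAMPLE-0001", "2.3.1")],
}

# Constructed package metadata: last release date and number of maintainers.
METADATA = {
    "examplelib": {"last_release": date(2024, 1, 10), "maintainers": 3},
    "abandonedlib": {"last_release": date(2019, 5, 2), "maintainers": 1},
    "freshlib": {"last_release": date(2024, 2, 20), "maintainers": 2},
}

STALE_AFTER = timedelta(days=365)   # assumed threshold for "nobody maintains this"

# name, optional operator and version; comments are stripped before matching
REQ_RE = re.compile(r"^([A-Za-z0-9_.-]+)\s*(?:(==|>=|~=|<=|!=)\s*([0-9][0-9A-Za-z.]*))?$")

# Constructed requirements.txt for the example.
SAMPLE_REQUIREMENTS = """\
examplelib==2.2.0     # one release behind the fix
abandonedlib==0.9     # pinned, but nobody has released anything for years
freshlib>=1.0         # floating specifier
"""


def parse_version(text):
    """'2.3.1' -> (2, 3, 1, 0); padded so that '1.2' and '1.2.0' compare equal."""
    parts = [int(p) for p in re.findall(r"\d+", text)]
    return tuple((parts + [0, 0, 0, 0])[:4])


def parse_requirements(text):
    """Yield (package, operator, version); operator '?' marks a line we could not parse."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        match = REQ_RE.match(line)
        if match is None:
            yield line, "?", None
            continue
        name, op, ver = match.groups()
        yield name.lower(), op, ver


def audit(requirements_text, today):
    """Return a list of (package, kind, detail) findings for the given requirements."""
    findings = []
    for name, op, ver in parse_requirements(requirements_text):
        if op == "?":
            findings.append((name, "unparsable", "could not parse requirement line"))
            continue
        if op != "==":
            findings.append((name, "unpinned", "no exact version pin; the installed version can change on the next build"))
        for adv_id, fixed_in in ADVISORIES.get(name, []):
            if ver is not None and parse_version(ver) < parse_version(fixed_in):
                findings.append((name, "vulnerable", f"{adv_id}: fixed in {fixed_in}, have {ver}"))
        meta = METADATA.get(name)
        if meta is None:
            findings.append((name, "unknown", "no metadata found: is the package name correct?"))
            continue
        if today - meta["last_release"] > STALE_AFTER:
            findings.append((name, "stale", f"last release {meta['last_release']:%Y-%m-%d}"))
        if meta["maintainers"] < 2:
            findings.append((name, "single-maintainer", "one person holds the publishing keys"))
    return findings


if __name__ == "__main__":
    for pkg, kind, detail in audit(SAMPLE_REQUIREMENTS, date(2024, 3, 18)):
        print(f"{pkg:<14} {kind:<18} {detail}")
```

With the constructed data the audit reports four findings: examplelib is one release behind the advisory fix, abandonedlib has had no release in years and a single maintainer, and freshlib is not pinned to an exact version. A line that is not a valid requirement is reported rather than silently skipped, which matters in CI where a malformed file should fail the build instead of passing an empty check.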
Another important element of cloud service security is its manageability. It is important to understand that a cloud application usually consists of many separate services, and we need, firstly, to monitor the state of each of these services and, secondly, to secure both the services themselves and their management tools. There should be no situation in which ordinary users without administrator rights have access to the web management console of any component.
In this article we have looked at the main points related to securing cloud environments, both at the infrastructure level and at the development and administration level.
And finally, I want to invite you to a free webinar where we’ll talk about infrastructure protection concepts: Zero Trust Network Access (ZTNA), Secure Access Service Edge (SASE), and Defense-in-Depth (DiD).