The use of public clouds is continuing to increase and information security professionals must understand the native security provided by the public cloud vendor and the gaps that must be filled by the end-user.
Just as in the case of a physical data centre there is an expectation that public cloud providers maintain a certain level of security. There are many public cloud providers out there but I will focus on the security solutions provided by Microsoft Azure.
Azure provides defense in depth with four layers of firewalls. There is a firewall at the perimeter, a host firewall between tenants, virtual machine (VM) firewalls between guests and there is the OS firewall on the VMs themselves. Azure also provides some basic DDoS and intrusion detection (IDS) and intrusion prevention (IPS) capabilities.
Communications within the environment are encrypted using SSL/IPsec. From the Internet, IPs can be grouped virtually and have Access Control Lists (ACLs) applied to them via a virtual network gateway. Access can also be provided to the hosted environment by the use of a virtual private network (VPN) service provided by Azure.
To assist with the configuration of ACLs, Microsoft provides Azure Active Directory, which can be linked to the hosted organisation’s on-premises Active Directory. Finally, to gain visibility into the security state of the environment, Microsoft provides comprehensive logging and auditing capabilities.
Users of hosted services must understand that cloud providers do not provide the most sophisticated security for the actual hosted VMs. They are only responsible for providing a secure infrastructure. The security of endpoints and the closing of gaps are up to the consumer. There are many points to consider, including:
- Do you have an intelligent way to assess the security of communication going over your network?
- How can you handle advanced DDoS attacks against your services?
- How can you protect your users and services from malware?
There are a number of ways that an organisation can protect their cloud based networks and endpoints from the threats identified above. As an example, if we want to consider a defence in depth approach, we start at the perimeter.
The first line of defense is the perimeter firewall. The capabilities of perimeter firewalls have increased significantly over the past few years. Due to their enhanced capabilities they are now known as next generation (NG) firewalls. When looking for a next generation firewall, a security professional should be able to manage all of their firewalls from one console. To be deployed into a public cloud, the firewall must be able to run as a virtual machine. The firewall should be able to decrypt outbound SSL traffic and perform deep packet inspection to secure communications. The device should be able to protect the network from DDoS attacks and perform intrusion detection and intrusion prevention.
The next vital layer of security is endpoint security. Despite the fact that there are many mutating forms of malware that can defeat virus definition based antivirus (AV), this form of AV is still an important base piece of functionality to catch simple and older versions of malware. For the newer mutating versions of malware, the endpoint protection client should have some kind of heuristic detection which can detect known malicious behaviours. Heuristic scans have the added benefit of being able to discover zero day threats on endpoints. Processes need to be scanned and suspicious processes either need to be logged or stopped. Most modern endpoint protection clients have an integrated firewall to block unused ports from network communications. The ports that are open should be protected with intrusion detection and intrusion prevention. With phishing emails using links to malicious sites proving to be a favourite threat vector, the AV client should include email, browser and download protection.
Advanced persistent threats are threats that exist on the network and utilize stealth to remain undetected, many for months at a time. Organizations can use devices such as a security information and event management (SIEM) device to aggregate events from endpoints, firewalls and other security applications or devices. The SIEM can process millions of individual events, sift out the significant ones and correlate them. This allows the SIEM to generate a few significant incidents on which the incident response team can focus their valuable time.
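To make the sift-and-correlate step concrete, here is a small added example (not code from the original post or from any SIEM product) that filters constructed firewall, AV and IDS events down to high-severity ones and raises an incident only when more than one security source reports on the same host within a short window; the event format, severity levels and sample hosts are all assumptions for the illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real logs): firewall, AV and IDS feeds
# normalised to "time source sev=<level> host=<ip> msg=<text>".
SAMPLE_EVENTS = """\
2024-03-01T10:00:01 firewall sev=low host=10.0.0.5 msg=allowed outbound tcp/443
2024-03-01T10:00:05 firewall sev=high host=10.0.0.5 msg=outbound connection to blocklisted address denied
2024-03-01T10:00:09 av sev=high host=10.0.0.5 msg=heuristic alert: suspicious process behaviour
2024-03-01T10:00:30 ids sev=high host=10.0.0.5 msg=periodic outbound beaconing pattern
2024-03-01T10:02:00 firewall sev=low host=10.0.0.7 msg=allowed outbound tcp/80
2024-03-01T10:05:00 av sev=high host=10.0.0.9 msg=signature match: file quarantined
2024-03-01T11:30:00 firewall sev=high host=10.0.0.5 msg=outbound connection to blocklisted address denied
"""

def parse_event(line):
    """Split one normalised event line into its fields."""
    ts, source, sev, host, msg = line.split(" ", 4)
    return {"time": datetime.fromisoformat(ts), "source": source,
            "severity": sev.split("=", 1)[1], "host": host.split("=", 1)[1],
            "msg": msg.split("=", 1)[1]}

def correlate(raw, window=timedelta(minutes=5), min_sources=2):
    """Sift out high-severity events, cluster them per host within a
    time window and raise an incident only when at least `min_sources`
    independent feeds (firewall, AV, IDS, ...) agree on the same host."""
    events = [parse_event(l) for l in raw.splitlines() if l.strip()]
    significant = sorted((e for e in events if e["severity"] == "high"),
                         key=lambda e: e["time"])
    by_host = defaultdict(list)
    for e in significant:
        by_host[e["host"]].append(e)
    incidents = []
    for host, evs in by_host.items():
        cluster = []
        for e in evs + [None]:  # the None sentinel flushes the last cluster
            if cluster and (e is None or e["time"] - cluster[0]["time"] > window):
                sources = {c["source"] for c in cluster}
                if len(sources) >= min_sources:
                    incidents.append({"host": host, "start": cluster[0]["time"],
                                      "end": cluster[-1]["time"],
                                      "sources": sorted(sources),
                                      "events": len(cluster)})
                cluster = []
            if e is not None:
                cluster.append(e)
    return incidents

if __name__ == "__main__":
    for incident in correlate(SAMPLE_EVENTS):
        print(incident)
```

On the sample data, seven events collapse into one incident for host 10.0.0.5, where the firewall, AV and IDS all fired within 30 seconds; the lone AV quarantine on 10.0.0.9 and the isolated firewall block an hour later stay as single events rather than incidents.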
Public cloud providers provide a secure infrastructure to host an organization’s servers and services. It is still the responsibility of the organization to secure those servers and services. Organizations can provide a significant protection for their cloud based networks and endpoints by integrating Barracuda’s NG Firewall and Symantec’s Endpoint Protection and Advanced Threat Protection. Talk to Insentra’s specialists to discuss strategies to keep your infrastructure secure in the cloud.
Principal Security Consultant