(And Why You Should Give It A Chance)
In this series, Rick Whittington will explore the benefits and potential risks of the Cloud for organizations. Rick will incorporate knowledge he’s gained as a reformed Network Engineer with multiple disciplines in Network, Security, Global Networks, Datacenter, Campus Networks, and Cloud Networks. He’ll also incorporate his years of experience in improving enterprise infrastructure, processes, and teams. Rick has brought his cloud experience to organizations such as Capital One, Charles Schwab and his current position as a Sr. Security Engineer for a large data analytics company.
These objections still ring in my ears from many years ago, when I was a Datacenter Architect and I found myself fighting the business to adopt cloud infrastructure. I was arguing with business units on why our (my) datacenter was more equipped to handle the business’s requirements and its growing needs.
Coming from a Cisco background, and having spent many years in security, I couldn’t fathom allowing our data to be shipped to “someone else’s computer!”
A Game-Changing Project Led Me to the Cloud
Then, one day I needed to work on an architecture that required a segmented environment. For a group of developers to work on a new business application, it was going to be “game changing”. The System Architect and I sat down in front of floor-to-ceiling white boards and began to discuss our game plan.
However, we quickly encountered problems:
- Server stock was low across the nation, creating high lead times
- Proposed network utilization would have degraded user experience
- Upgrades to infrastructure were required
Going home that night and going through the requirements, I thought about the problems, weighed possible solutions, and tried to come up with alternatives. It was at this point I decided that I needed to research the Cloud to solve this problem. But how would I tackle security?
Today there are many solutions to accommodate security. They include an endless supply of vendors that will help you migrate to the Cloud and plenty of cloud environments to choose from.
Based on my journey to the Cloud many years ago, I’ll describe the five things that convinced me that the Cloud was in fact more secure than my datacenter.
1. Availability
Availability can mean a number of things, such as accessibility or redundancy. The meanings take on a different usage based on the context of the conversation and subject. For example, availability can often mean:
- 99.999% Uptime
- Site Redundancy
- Application Access
However, while availability is often paired with logical constructs, we often forget that availability can also be tied to purchasing tangible assets. When managing a traditional physical presence, availability takes on a different tone: actual hardware must be purchased, network access provisioned, and space allocated, all before an application is ever turned on. Purchasing availability is often overlooked, but it can lead to project delays, sub-optimal selections, or partial setups, costing the organization in the long run.
The laptop shortage during the current pandemic is a recent example of hardware availability. While remote access was trivial to provision, many organizations struggled to find assets to deploy so that workers could transition to remote work. This perfect storm caused hardware availability issues across the board and impacted organizations through lost productivity. Furthermore, the increased use of remote access into the datacenter required many organizations to increase their Internet access, creating availability issues in the form of deployment lead times and degraded user experience.
How Can the Cloud Help Me with Availability?
Cloud providers consume the same resources they market to and are used by their customers. Because of this, providers ensure maximum availability not only for themselves but for their customers as well. Organizations no longer have to maintain physical assets for customer-facing or internal applications. Internet and inter-network connectivity limitations are removed by the seemingly enormous amounts of bandwidth, with no lead time to adopt additional usage. Storage and servers are abundant and easily provisioned with common OSs and licensing baked into the cost, once again creating availability without concern for hardware and software delays or shortages. With no concerns about physical assets, engineering teams can instead focus on designs that meet overall business objectives. Availability in the Cloud means organizations as a whole focus on access to and resiliency of applications.
2. Data Access
Data access consists of physical and logical access. Many data breaches are a direct result, unfortunately, of misconfiguration or improper handling, such as:
- Hard drive removal and disposal
- Overly permissive firewall rules and user permissions
- Malicious users
Organizations spend large sums of money on physical access controls, and often substantially more on logical access controls. Properly securing data challenges organizations of all sizes; however, small to medium sized organizations often have the most difficulties. Organizations with small IT teams may run flat internal networks, with no internal security measures and overly permissive user access to minimize impact to users. Data leak events cause severe problems for organizations. They lead to loss of public confidence, potential fines, legal repercussions, and in worst-case scenarios complete closure of the business.
How Can the Cloud Help with Data Access?
Physical access to the Cloud datacenters is heavily restricted and monitored. Even if an attacker were to somehow obtain access to one of the datacenters, cloud providers obscure the data across multiple drives, while also encrypting it at rest.
From a physical perspective, the data is often more secure by obfuscation than a traditional datacenter, where data is stored in dedicated SANs for a particular company.
Along with this, physical access to cloud provider datacenters is governed by strict rules, physical security measures, and potential regulations and legalities. In short: cloud datacenters are like fortresses. Physical access to the data is not impossible, but it is highly improbable for outside parties not employed directly by the cloud provider.
Most issues with the Cloud come from data leakage at the logical layer, often due to configuration errors or the assignment of overly permissive identity and access policies. Cloud providers have started to provide more tooling and better security monitoring, and have instituted a “deny by default” approach.
While cloud providers usually approach the customer with the mentality of “we provide the mechanisms, you implement them”, that mentality has changed over the past several years due to large breaches. Options such as encryption at rest and access restrictions are now implemented by default.
Additionally, many cloud providers now offer a security risk review to evaluate your posture and provide baseline security recommendations. Ultimately, securing data in the Cloud comes down to how the configuration is handled in the implementation, and there are far more options available than in a traditional on-premise infrastructure.
How Do I Keep My Data More Secure?
Each of the cloud providers offer multiple logical ways to access the data you store in the Cloud. In a later discussion, I will talk about some of the basic options to check for in Azure, AWS, and GCP, along with how cloud storage differs from on-premise storage.
However, to keep your data more secure, cloud providers offer many options including:
- Private endpoints accessible from within your account
- Identity and access management policies to provide role-based access restrictions
- Individual policies for “folder” access
- Defaults for encryption, logging, and backup of data
Implemented together, these options provide a well-rounded data access and retention capability that rivals traditional storage vendors.
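As an added example that is not part of the original article, here is a small Python check for the overly permissive access patterns described above, run against two constructed S3 bucket policies: one that is public, and one restricted to a single role that also rejects plaintext transport. The bucket name, account ID and role name are placeholders.

```python
import json

# Constructed sample bucket policies (not from the article). WEAK_POLICY shows the
# overly permissive pattern the article warns about; HARDENED_POLICY restricts
# access to one role and rejects plaintext transport.
WEAK_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
                 "Action": "s3:*", "Resource": "arn:aws:s3:::example-data-bucket/*"}]
}""")

HARDENED_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "AppRoleRead", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::111111111111:role/app-reader"},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-data-bucket/*"},
    {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
     "Action": "s3:*",
     "Resource": ["arn:aws:s3:::example-data-bucket", "arn:aws:s3:::example-data-bucket/*"],
     "Condition": {"Bool": {"aws:SecureTransport": "false"}}}
  ]
}""")

def _as_list(value):
    """Most IAM policy fields accept a string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]

def _is_anonymous(principal):
    """Principal "*" or {"AWS": "*"} grants access to anyone, authenticated or not."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))

def audit_bucket_policy(policy):
    """Return human-readable findings for the overly permissive patterns discussed above."""
    findings, enforces_tls = [], False
    for stmt in _as_list(policy.get("Statement", [])):
        sid = stmt.get("Sid", "<no Sid>")
        actions = _as_list(stmt.get("Action", []))
        condition = stmt.get("Condition", {})
        if stmt.get("Effect") == "Allow":
            if _is_anonymous(stmt.get("Principal")) and not condition:
                findings.append(f"{sid}: Allow to anonymous principal with no Condition (public access)")
            if any(a == "*" or a.endswith(":*") for a in actions):
                findings.append(f"{sid}: wildcard Action grants every operation on the service")
        elif stmt.get("Effect") == "Deny":
            # A Deny keyed on aws:SecureTransport=false is the standard way to force TLS.
            if condition.get("Bool", {}).get("aws:SecureTransport") == "false":
                enforces_tls = True
    if not enforces_tls:
        findings.append("policy: no Deny for aws:SecureTransport=false, plaintext HTTP is accepted")
    return findings
```

The check inspects only the bucket policy document; account-level public access block settings and IAM identity policies also shape the effective access and should be reviewed alongside it.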
3. Logging and Monitoring
While logging and monitoring is a normal security requirement in any organization, ease of implementation and usage generally is not.
Depending on the age of the infrastructure, engineers often end up shoehorning monitoring into key choke points and critical server infrastructure. Furthermore, sending this data back to a central logging point consumes network resources and can tax the existing infrastructure.
Of course, this only matters if you are monitoring and logging… you know, just in case something nefarious happens.
However, logging and monitoring is more than a mechanism to ensure you have no nefarious actors within the walls; it is also used for capacity planning, troubleshooting, and meeting regulatory and compliance needs. Yet the infrastructure and tools needed to accomplish this often exceed operational budgets and capacities. Furthermore, who’s going to monitor all this data and filter out the noise?
How Can the Cloud Help with Logging & Monitoring?
Unlike traditional datacenters, cloud logging and monitoring is generally a small configuration checkbox that can be selected at any time. Monitoring is also broken out into network monitoring (think NetFlow), application monitoring, and identity and access monitoring.
This fundamentally makes it easy to implement anytime and anywhere. Logs captured by the different cloud providers are often sent to storage within the account for review and parsing. With the focus shifted away from implementation, the problem now becomes operational.
How do you ensure reliability, redundancy, and usage of the data? If you recall from earlier, cloud providers offer availability and redundancy by default, especially within their cloud storage. But what about using the data to provide actionable intelligence for operational security teams? Enter solutions like AWS GuardDuty and Azure Advanced Threat Protection.
These solutions, when activated, monitor the traffic within your account and provide basic alerts for known attacks and known malicious traffic patterns. With the providers’ use of AI, the operational overhead of processing and review can be lessened further.
Lastly, all major cloud providers offer an alerting infrastructure that can be easily configured for each of the logging domains. All of this comes at a cost organizations would often pay for licensing and hardware alone.
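As an added example (not from the article), the detection below shows the kind of alert rule a team would run over the account's own API audit log once the logging checkbox is on: it flags calls that disable or delete the monitoring controls in each logging domain named above. The records are constructed; field names follow the CloudTrail record schema, but the account ID, identities and IP addresses are placeholders.

```python
# Events that weaken one of the logging domains the article names: the API audit
# trail, network flow logs, managed threat detection and the log store itself.
MONITORING_TAMPER_EVENTS = {
    "cloudtrail.amazonaws.com": {"StopLogging", "DeleteTrail", "UpdateTrail"},
    "ec2.amazonaws.com": {"DeleteFlowLogs"},
    "guardduty.amazonaws.com": {"DeleteDetector", "UpdateDetector"},
    "logs.amazonaws.com": {"DeleteLogGroup", "PutRetentionPolicy"},
}

# Constructed CloudTrail-style records (field names follow the CloudTrail schema,
# values are made up for this example).
SAMPLE_RECORDS = [
    {"eventTime": "2021-03-02T10:00:11Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "sourceIPAddress": "10.20.0.5",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:role/app-reader"}},
    {"eventTime": "2021-03-02T10:02:47Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging", "sourceIPAddress": "203.0.113.9",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/contractor"}},
    {"eventTime": "2021-03-02T10:03:02Z", "eventSource": "guardduty.amazonaws.com",
     "eventName": "DeleteDetector", "sourceIPAddress": "203.0.113.9",
     "errorCode": "AccessDenied",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/contractor"}},
    {"eventTime": "2021-03-02T10:05:30Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "RunInstances", "sourceIPAddress": "10.20.0.8",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:role/deploy"}},
]

def detect_monitoring_tamper(records):
    """Return one alert per record that disables or deletes a monitoring control.
    A denied attempt still produces an alert (lower severity): someone tried."""
    alerts = []
    for rec in records:
        watched = MONITORING_TAMPER_EVENTS.get(rec.get("eventSource"), set())
        if rec.get("eventName") not in watched:
            continue
        alerts.append({
            "time": rec["eventTime"],
            "actor": rec.get("userIdentity", {}).get("arn", "<unknown>"),
            "source_ip": rec.get("sourceIPAddress"),
            "action": f'{rec["eventSource"]}:{rec["eventName"]}',
            # errorCode only appears when the call failed, e.g. AccessDenied.
            "severity": "medium" if rec.get("errorCode") else "high",
        })
    return alerts

def actors_by_alert_count(alerts):
    """Group alerts per actor so repeated tampering by one identity stands out."""
    counts = {}
    for alert in alerts:
        counts[alert["actor"]] = counts.get(alert["actor"], 0) + 1
    return counts
```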
What Can I Do for Greater Visibility Into My Cloud Infrastructure?
As discussed above, enabling some of the basic logging features within each cloud provider gives great visibility into your cloud infrastructure. In a later article, I will discuss additional details of each option available to you, and potential methods for implementation and usage.
However, a basic implementation of monitoring, with services such as AWS GuardDuty and Azure Advanced Threat Protection, is a great thing to research for added insight into common security-related attacks, such as bitcoin mining traffic.
4. Failing Fast
This concept took a long time for me to really grasp. Coming from a traditional datacenter, I was taught to treat my infrastructure as if it were my child.
Making any change to the infrastructure required many changes, approvals, loads of testing, sometimes purchasing new equipment, and once it went in, it was not coming out. This made prototyping new solutions to business problems rather complex.
It was a Waterfall methodology, and it was inefficient—especially when things didn’t go exactly according to plan.
What is Failing Fast with Cloud?
While I can’t promise the Cloud solves the bureaucracy problem, I can say that prototyping and R&D are better solved within cloud environments. The focus shifted away from hardware purchases, lead times, shipping delays, and dealing with sales teams.
Many solutions are now available within the provider’s marketplace to purchase and use. The cost of a trial is also by the hour, with licensing built in, and you are only charged while the solution is running.
The infrastructure where the prototype is deployed can also be highly segmented into different accounts to prevent potential conflicts. This provides limitless possibilities and encourages an engineering team to find the right solution for the business within a segmented environment.
No longer will the business need to wait on many of the blockers that are encountered in traditional infrastructures, allowing faster adoption of new services.
How Can I Fail Fast Securely?
On traditional infrastructure, everything is considered production, regardless of whether the data being used is production data. In the Cloud, however, I have found that having an R&D account allows for a segmentation I could never have afforded within my traditional infrastructure.
Using a dedicated account, I can use development data to prototype solutions acquired from the marketplace. I can easily create mock topologies using applications similar to what I would have in a production environment, all without impacting customer or business operations.
To limit any potential exposure, I treat the overall environment as ephemeral, and limit access to specific source nodes or VPN. All of this has allowed me to prototype solutions from vendors that I never would have in the past, while providing better security posture to the organizations I have worked for.
5. Perimeter Security and Internal Security
I left this purposely for last, mainly due to the complexities of this subject, regardless of location of implementation. Within traditional environments, network security is often strong on the perimeter, while lacking security internally.
From flat networks to port forwards, bad actors have many avenues to attack an organization. External attacks can often be attributed to a port opened so that a development server could be accessed during testing. Often, due to complexity, proper segmentation and zero-trust methodologies are not applied, leaving networks vulnerable.
In fact, many vendors promise to solve this issue for you, and multiple solutions can be layered to address it. Ultimately, however, providing access on a production network that services both production and development workloads creates an inherent risk.
Here’s an example of this: a financial firm I was previously employed with had a change performed for development purposes on a set of load-balancers. These load-balancers serviced both development and production workloads, in particular e-mail services. The change inadvertently allowed outside users to access the Exchange server hosted internally without being on VPN. Had this been a development server, an attacker could have compromised it and pivoted within the network, attacking multiple nodes.
We have all read data breach stories like this, where the attacker exploits the compromise of one server and it leads to others. At the end of the day this hurts confidence and trust, impacts morale, and can be costly with potentially devastating effects.
So How Does the Cloud Solve This Challenge?
To understand how this is solved in the cloud environment, we must first understand why the issue exists on traditional networks. The biggest reason for this is due to cost and maintenance of infrastructure.
Why would you pay for a separate development and production network, and all associated assets? Multiple firewalls, routers, switches, and server infrastructure are all costly, not including the ISP circuits and internet access to replicate the connectivity.
Vendors have been introducing more virtualization into the mix to try and rectify this issue of logical segmentation, while allowing for the maximum usage of the purchased asset. Nothing solves the entire problem, yet. But what if all the infrastructure was abstracted, and the cost came to just compute, storage, and bandwidth consumption?
This is how the Cloud solves this issue! The main network and server connectivity layer is handled by the IaaS provider, allowing teams to focus on the better security practice of segmenting development and production data and workloads. This means that in a properly architected environment, the compromise of an unpatched development server does not impact production, and when development data is used, no customer data is leaked.
How Can I Segment Better in the Cloud?
The answer to this is highly dependent on which cloud provider you choose to use. However, my rule of thumb is to create account-based segmentation. By utilizing accounts built for particular purposes, the chances of a misconfiguration within one account compromising another account with different data are minimized.
A development account will inherently be segmented from a production account and its data. For example, let’s say we have Account A and Account B. By separating accounts, privilege escalation attacks within Account A do not impact Account B or lead to a leak in Account B. If Account A is compromised, you could completely delete Account A with no impact to Account B.
Furthermore, this enables flexibility for development challenges, while still maintaining strict security in production-level accounts. Again, no physical network can provide this without first incurring the cost of the actual infrastructure. To me this was the single most impactful quality that made transitioning to the Cloud for our datacenter infrastructure an easier justification.
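The Account A / Account B argument above only holds while no identity in the development account can assume its way into a production role. As an added example that is not part of the article, the Python below builds a graph from constructed IAM role trust policies and reports which production roles are reachable from development roles by chaining sts:AssumeRole; it goes beyond the two-account case in that it follows chains of any length. Account IDs and role names are placeholders.

```python
from collections import deque

# Constructed IAM role trust policies (made-up account IDs and role names). A trust
# policy lists the principals allowed to sts:AssumeRole into that role.
DEV_ACCOUNT, PROD_ACCOUNT = "111111111111", "222222222222"

def role_arn(account, name):
    return f"arn:aws:iam::{account}:role/{name}"

def root_arn(account):
    return f"arn:aws:iam::{account}:root"

# Account-based segmentation as the article recommends: each account's roles trust
# only principals from the same account.
SEGMENTED_TRUSTS = {
    role_arn(DEV_ACCOUNT, "developer"): {"AWS": [root_arn(DEV_ACCOUNT)]},
    role_arn(DEV_ACCOUNT, "prototype-app"): {"AWS": [role_arn(DEV_ACCOUNT, "developer")]},
    role_arn(PROD_ACCOUNT, "deploy"): {"AWS": [root_arn(PROD_ACCOUNT)]},
    role_arn(PROD_ACCOUNT, "app-reader"): {"AWS": [role_arn(PROD_ACCOUNT, "deploy")]},
}

# The same layout with one convenience shortcut: prod's deploy role also trusts the
# dev developer role, which silently joins the two accounts.
LEAKY_TRUSTS = dict(SEGMENTED_TRUSTS)
LEAKY_TRUSTS[role_arn(PROD_ACCOUNT, "deploy")] = {
    "AWS": [root_arn(PROD_ACCOUNT), role_arn(DEV_ACCOUNT, "developer")]}

def account_of(arn):
    return arn.split(":")[4]

def build_graph(trusts):
    """Directed edges principal -> role. A role is also linked to its own account's
    root node, because trusting ':root' admits any identity in that account."""
    graph = {}
    for role, policy in trusts.items():
        graph.setdefault(role, set()).add(root_arn(account_of(role)))
        for principal in policy.get("AWS", []):
            graph.setdefault(principal, set()).add(role)
    return graph

def cross_account_reach(trusts, from_account, to_account):
    """Roles in to_account reachable by an assume-role chain starting from any role
    in from_account. An empty list means the accounts are segmented from each other."""
    graph, reached = build_graph(trusts), set()
    for start in (r for r in trusts if account_of(r) == from_account):
        seen, queue = {start}, deque([start])
        while queue:
            for nxt in graph.get(queue.popleft(), ()):
                if nxt not in seen:
                    seen.add(nxt)
                    queue.append(nxt)
        reached |= {r for r in seen if r in trusts and account_of(r) == to_account}
    return sorted(reached)
```

Role trust chains are one of several cross-account paths; resource policies and organization-level service control policies also widen or narrow what one account can reach in another and need the same review.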
The Last Words…
The five reasons we just covered are what answered that burning question for me: “What makes the Cloud more secure than my datacenter?”
I hope that by describing them in detail and how the Cloud offers benefits over a traditional environment, it can help you answer that burning question too.
In the coming weeks and months, I’ll be continuing to share my cloud security experience with you. Hopefully some of the insight that I share will help you explore the benefits for your organization and see the implementation of security best practices to minimize potential risks.