Companies often use the public cloud for development, testing, and staging where security is important, but, not the primary concern. However, when companies start thinking about production environments, security becomes a top priority. As a hosting service provider, we see production hosting environments get compromised, literally, within hours if a company doesn’t pay attention to their security requirements. Some remain skeptical whether good security is even possible in the cloud. In this article, we are going to cover some of the key factors and solutions to achieve a good level of security in a public cloud environment.
So, to start, what are the issues? Is the public cloud infrastructure itself secure? How should a designer construct the underlying network for a production environment? How can a support person manage the on-going security? There are answers to these questions and the solutions can be listed, as below;
- infrastructure security
- network security architecture and network segmentation
- firewall implementation and policies
- remote VPN access
- application security
- maintain good internal company security policies
- and security services
First, make sure that the infrastructure of the hosting provider is secure enough to enable standards compliance, like PCI-DSS, HIPAA, or ISO 27001. You may not need a security compliance but the infrastructure of the hosting environment should be good enough to accomplish it. Physical security is important and most hosts will provide that. That covers physical access controls to networks, video surveillance, physical intrusion detection, and the like.
Another area to look for in cloud infrastructure is network segmentation. Most public cloud providers provide isolation between customer networks using security groups. Security groups put all customers on the same underlying physical network and use layer 3 software firewalls to provide the isolation. Almost any security expert will agree that this is inherently less secure than layer 2 network isolation. Other cloud providers, like NetSource, provide layer 2 level isolation using isolated VLANs. This essentially means that all customers are separated by different physical networks. Isolated VLANs is a critical first step to security and it can only be provided in the hosting infrastructure by the cloud provider – a company can’t create it themselves.
Second, a production environment must provide internal network isolation between servers hosting different functions. For example, the web facing servers must be on a public network and the database servers should not be accessible on that same network. And servers that offer non-secure services, like email, should be on their own network away from networks that handle sensitive content. Almost all cloud providers allow for a virtual private cloud architecture (VPC) that provides for this type of server network isolation. However, again, note whether the separate networks are protected by layer 3 or layer 2 techniques. At NetSource, each of the separate networks use layer 2 separation (VLAN isolation), the best protection available in public clouds.
Next, there must be a firewall to protect each of the segmented networks. All cloud providers use firewalls to protect networks. Make sure to design the appropriate firewall policies to protect each network. In particular, the networks that store sensitive data must not be connected directly to the Internet. This is done by blocking all public access to the networks that house the database servers, for example. Application servers access database servers through another separate network. System admins access these protected servers through a “Management” server with public VPN access only.
Next, only connect to the cloud environment though Virtual Private Networking (VPNs). VPNs create a secure encrypted channel to connect to the cloud “management” server. No one can intercept passwords or any other content coming from the remote location since it is encrypted. All, cloud providers should allow connecting to the cloud network using VPN.
If you have done all these things, you will have created a secure environment for your production application. However, to fully protect your cloud hosting environment, there is another security level to think about. Most security standards will require another security layer at the server level. This includes activities like daily log monitoring, alerting, and review, security patch updates, virus protection, among others. NetSource provides additional security services to protect the servers. Companies can do these activities themselves, but it usually requires someone experienced in security and watching the environment continuously. The NetSource services provide these functions for you.
Finally, be aware of the security of your web facing applications and internal security policies. Standards require change control and code reviews to start. Applications must be tested for the top 10 OWASP (see www.owasp.org) security threats like cross scripting attacks and SQL server injection attacks. Standards also require companies to maintain their own internal written security policies and to make sure their staff is well informed of their responsibilities. There is little a hosting provider can do to help a company with these issues, however. Application security and internal security policies almost always remain the responsibility of the customer and hackers will go after the application when they discover getting through sound hosting infrastructure and other security layers is too difficult.
Security is a complicated topic and we have only scratched the surface. And, the cloud has its own particular issues. But, if you understand and follow the techniques in this article, you will be well ahead of the game. NetSource is always here to help with security services or consulting. And you can be sure that the NetSource public cloud is designed with security in mind, covering all the infrastructure related issues.