The great benefits of the cloud are its flexibility, on-demand availability, cost effectiveness, scalability and the way it enables a more agile approach to working. When you’re considering your cloud security strategy, you need to ensure that it reflects these characteristics to be truly effective. Maintaining security in the cloud also necessitates a shared responsibility between cloud service providers and their clients.
As it’s impossible for clients to simply walk into a supplier’s data center to implement security measures; you need to use tools such as guest operating system firewalls, Virtual Network Gateway configuration, and Virtual Private Networks to secure your estate. Only by working together can you ensure that your applications and data are protected, the required compliance regulations are met and maximum levels of business continuity are achieved. It’s essential to take each of the different aspects of cloud deployment, physical infrastructure, network infrastructure, virtualization layer, operating system, applications and data to determine which security measures fall within the remit of the providers and which need to be dealt with directly by the client.
It’s crucial to choose a provider with a trusted cloud infrastructure and a dynamic security strategy with a combination of access controls, authentication and encryption, firewalls and logical isolation. It’s necessary to design, create and manage your own applications and additional infrastructure in the cloud … safe with the knowledge that they are as secure as possible from malware attacks, zero-day vulnerabilities and data breaches. It’s also highly recommended to choose a provider that undergoes regular third party audits to ensure that security measures adhere to industry standard frameworks, and be innovative and find a good balance between provider and client ownership and accountability.
Microsoft’s White Paper on Azure Network Security, is an interesting example of a powerful shared responsibility security strategy. Azure uses a distributed virtual firewall for the secure, logical isolation of customer infrastructure on a public cloud, balanced with the client deploying multiple logically isolated deployment and virtual networks according to business requirements. Azure’s internet communication security is very high, disallowing any inbound traffic but allowing client administrators to enable communication with a choice of three different techniques via defining input end points, delineating Azure Security Groups or through a public IP address. The White Paper gives full details of securing all the different types of communication that you might require, including:
- Securing communications among VMs inside the private network
- Securing inbound communications from the Internet
- Securing communications across multiple subscriptions
- Securing communications to on-premises networks with Internal or Public Facing Multi-Tier Application
Security Management and Threat Defence are also explored in detail. Administrators can create a VM using either the Azure Management Portal or Windows PowerShell, both of which have in-built security measures. The first assigns random port numbers to reduce the chances of a password dictionary attack and the second is needed for remote ports to be explicitly opened. Again, these strong measures can be minimized by client administrators; and Microsoft gives good advice on how this can be achieved.
Azure offers a continuous monitoring service with a distributed denial-of-service (DDoS) defence system, which is continually improved through penetration-testing. Although not mentioned in the White Paper in detail, it’s worth noting that Microsoft conducts regular penetration testing and also allows customers to carry out their own pre-authorized penetration testing. Network Security Groups are used to isolate VMs within a virtual network for in- depth defence and to control inbound and outbound internet traffic. Microsoft’s guidelines for Virtual Machines and Virtual Networks also apply to securing Azure Cloud Services. There have been further improvements to MS Azure’s Network Security since the 3rd version of the White Paper was released in February 2014. The most notable improvements were noticed since October 2014, when MS announced the general release of Network Security Groups with easier subnet isolation in multi-tier topologies, simpler policy validation and compliance with site to site forced tunnelling and VPN support for Perfect Forward Secrecy.
Regardless of whether you decide to use Azure or not, the White Paper is worth a read as a good overview of how a strong cloud security strategy divides responsibility between the provider and the client.
Kevin Whitehorn joined Sogeti UK in October 2012 as the head of delivery for the Microsoft Practice. Sogeti is a subsidiary of Capgemini S.A.