For those of us considering IaaS (Infrastructure as a Service) solutions, it’s important to consider various requirements of a secure cloud infrastructure. It’s important to contextualize what “security” means in an IaaS context.
Secure Infrastructure Basics
As with any cloud solution, some security concerns fall in the realm of the cloud service provider, while others will ultimately be left up to you and your organization. Security experts recommend asking the following basic questions to determine the level of security necessary:
- 1. Who is your customer?
There are various user parties to consider: customers, end users, internal organization members. Does each party require a different level of security? What would this look like?
- 2. What level of security will be acceptable?
Minimum acceptable levels of security vary from organization to organization. Certain organizations (e.g. healthcare, financial industry, public services) will require extremely high security and compliance, while others may not. Ensure that you are aware of all legal, compliance and security requirements before beginning.
- 3. Who in the organization is responsible for security?
Determine if there is a particular individual/group responsible for determining, maintaining and auditing security requirements and activities.
- 4. Is physical security required?
In certain situations, physical control and audit of the environment will be necessary. Sometimes people will lose sight that while clouds are highly virtualized and abstracted, the cloud service providers are still physical entities. Determine if your cloud environment must be physically isolated from other environments. If that is the case, perhaps a hosted private cloud is appropriate.
- 5. Does the organization have documentation of security best practices?
If there is official security documentation, take the time to review it critically to ensure that it reflects the characteristics of a cloud environment.
Security is critical at two levels: the cloud service provider and within the organization. It is important to proceed with the mindset that security is an ongoing process. No matter which cloud provider you decide to move forward with, it is important that the organization remains committed to maintaining infrastructure security and compliance.
According to Michael Sheehan, the GoGrid Editor in Chief, simply choosing a reputable cloud vendor is not enough:
“Many security failures actually happen because a customer stopped at that point and merely assumed that because they chose a secure provider, that all threats would be neutralized. If you don’t set up security best practices WITHIN those environments, you could be leaving your infrastructure vulnerable. Remember, you security is only as good as the best practices your organization implements.”
Designing Secure Environments
When migrating to the cloud, it’s necessary to update the organization’s operation procedures to reflect the cloud environment. This can be very different from conventional IT. However, just like any environment, the cloud infrastructure must be designed with the principles of resilience and redundancy in mind. This will be proportionate to the needs of your organization and customers. According to experts, an organization’s ability to recover from a failure or outage is a direct result of the effort and planning that was put in prior to prevent catastrophe.
There are some areas to consider while constructing your infrastructure:
- Load Balancing – Redundancy should be ensured by routing traffic between multiple servers or locations. Load balancers are able to distribute workload across a number of computers. This minimizes response time, avoids overload and optimizes throughput. In case of an outage or other issue, load balancers will automatically route traffic to other resources that are available.
- Firewall – Hardware/software-based firewalls can either permit or block specific pre-configured types of network transmission, based on a set of rules. When properly configured, firewalls effectively protect against unauthorized access to infrastructure and prevent threats from the internet. Servers and infrastructure should be secured using some type of firewall.
- Backups – Backups are copies of data. They are used to recover from a data loss, or to access data from a period of time. There are a number of backup solutions available (e.g. incremental vs. complete), which can be adjusted to meet requirements in terms of frequency, storage location and type of data being backed up. It’s recommended to have backups in multiple, distinct locations to ensure the best loss prevention.
This article takes a look at the importance of developing a secure cloud infrastructure, when using IaaS solutions. As with any cloud solution, some security concerns fall in the realm of the cloud service provider, while others will ultimately be left up to you and your organization. The article encourages organizational decision-makers to ensure security with the cloud vendors as well as within the organization. It makes recommendations on key areas of consideration while constructing a secure infrastructure.
CCSK Exam Preparation
In preparation for the Certificate of Cloud Security Knowledge (CCSK), a security professional should be comfortable with topics related to this post, including:
- Contractual Security Requirements (Domain 2)
- Compliance Analysis and Auditor Requirements (Domain 4)
- Disaster Recovery Due Diligence (Domain 7)
- Differences in SPI Models (Domain 10)
- Key Management Best Practices and Standards (Domain 11)