Also read Staying clear of the fog... while up in the clouds
IT security or Computer security is the top priority of any organization or individual consuming the IT as a service. Digital Information that is created, stored or processed has to be secured especially in todays environment where the threat landscape is ever expanding without defined boundaries.
The full impact of its business advantage that a cloud deployment offers can be leveraged only with the right security technologies, tools and processes in place. Since the public cloud has multiple tenants on same hardware, it is critical that an evolved security strategy be charted out and all stakeholders have complete clarity on the levels of functionality, the access control and perimeter.
To ensure that a specific corner of your public cloud deployment / implementation is safe, there are broadly two categories on which it is demarcated- baseline security and improvised security.
Baseline security is the bare minimum security essentials that needs to be considered using cloud resources themselves. These are mandatory essentials that have to be configured irrespective of the scale of deployment. This blog will provide basic guidelines to configure baseline cloud security the right way. Baseline security will not involve additional cost.
Improvised security as the name indicates is an improvisation in security configuration with the use of external 3rd party tools & services. You may incur additional cost based on the service you choose.
We discuss here the baseline security process for the public cloud.
Baseline cloud security is an imperative, to be developed along with the cloud footprint that hosts the IT infrastructure or applications. Specific security measures need to be embedded in the process of the cloud build, and in most cases the basic features of baseline security are offered by the cloud vendor.
AWS (Leader as per Gartner's cloud infrastructure as a service (IaaS) Magic Quadrant 2014), offers a range of services that can be consumed as utility services. The infrastructure on AWS will be secured by soft firewalls called security groups & virtual private network segregation called VPC. Security groups & Network ACL forms the core framework of AWS baseline security as all the network level security configuration happens at these layers.
Identity and Access Management (IAM), Multi-factor authentication (MFA), CloudTrail, and Trusted advisory are other cloud security essentials that AWS offers to determine where a little extra security would be required. As a general practice every deployment has to be segregated into tiers & security policies will be applied to each tier based on the functionality of the tier.
However, this is only the basic security wall, and it needs to be customised according to the enterprise client's requirement.
Baseline security is logically deployed at the soft network layer in cloud. The security group is a virtual firewall that separates the cloud infrastructure and the user base (or) internet, and monitors access by creating user groups and providing access to specified IPs and ports.
Amazon Web Services, the leader in public cloud sector, also offers an option of a Virtual Private Cloud, which is the enterprise's own virtual data center on a public cloud with very tight access and user controls. This can be customised to have their own little security meshes, trusted IP address range, subnets and configuration of route tables and network gateways. Here, it is possible to have multiple layers of security that is designed to achieve complete control access to Amazon EC2 instances, in each subnet.
The Trusted Advisory, (full features available for customers who signed for AWS premium support), is a global dashboard of all vulnerabilities loop holes in the infrastructure deployed in AWS cloud that ensures constant monitoring and alerts on gaps in configuration that could develop into threats or risks.
Apart from the infrastructure layer, virtual layer & Network layer there is also another layer called API layer in cloud. Its important to secure your API layer in cloud. Identity and Access Management (IAM) on the cloud facilitates to create users & groups that needs access to AWS resources which thereby helps to eliminate unauthorized external access and controlled internal access. AWS Cloud Trail is another service of AWS that would help us in API level logging. IAM & Cloud trail works hand in hand providing a virtual layer of security at the API layer.
In order to customise cloud security initiatives on baseline to their needs, enterprises need an efficient cloud integrator, a support organization with cloud expertise & security consciousness that can ensure maximum security on the cloud while ensuring optimal utility for the public cloud in the enterprise.