By Amit Cohen
IT security in the Cloud is a very popular topic among analysts and bloggers. Many leading analysts point out that security is the main concern for Enterprises considering a Public Cloud strategy, while others suggest that migration to the cloud actually improves IT security for many SMEs, or at least that security threats in the cloud are not as severe as first anticipated.
The first step before making an assessment or drawing a conclusion on the state of cloud security is to determine which ‘cloud’ we are talking about. Cloud services are usually divided into three ‘as-a-service’ paradigms: SaaS (Software), PaaS (Platform) and IaaS (Infrastructure). Each paradigm has different security concerns, and therefore any discussion must clearly distinguish between the three.
The following discusses IT security in Public Cloud IaaS (Public Cloud for short). Public Cloud data centers are multi-tenant (virtualized), multi-user environments (unlike Private Clouds, which may be multi-tenant but host a single user/organization). What is unique in the Public Cloud environment is that the responsibility for IT security is shared between the Cloud User (the organization consuming IaaS services) and the Cloud Service Provider (CSP), with a clearly defined demarcation. The CSP is in charge of securing access to the physical servers and the virtualization layer (enabling and serving the multiple tenants), while the Cloud User is charged with securing the hosted Operating System and the applications installed on it. The latter encompasses all IP communication protocols and application security aspects. Some CSPs provide basic security tools (such as basic hypervisor-layer firewalls), which Cloud consumers can use to enhance IT security in their domain of responsibility. Other CSPs leave everything to the consumer’s own discretion and capabilities. The shared responsibility model is depicted in the following drawing.
In order to understand the baseline of security threats in Public Cloud data centers, we conducted the following experiment in several of the world’s largest Public Cloud data centers. We launched a single virtual server in each of the data centers and let it ‘stand’ for a few days while we recorded its TCP/IP activity statistics. We did not employ any additional security measures on these servers. The following table depicts our actual measurements in the 3 different data centers (per single server):
Table Notes:
1. These are attempts by foreign hosts to test communication with a specific TCP/IP port on our server. Note that access attempts to port 80 were excluded (not counted).
2. Counts the distinct foreign hosts captured trying to port scan our server.
3. SSH is a protocol providing secure remote terminal access. All cloud servers are launched with this protocol enabled.
4. In this case, sources of scanning/attacks were also detected from within the data center.
The results are not much of a surprise. Every Public Cloud virtual server is associated with a public IP address in order to allow remote access. The IP subnets of the public data centers are well known and hence are an easy target for automated ‘scanning’ activities by hackers. In addition, every virtual cloud server has a data-center-internal (private) IP address. On this address the server is reachable from all other virtual servers sharing the same IP subnet in the data center. Those ‘neighboring’ servers might host a threat as well.
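To show how the four quantities in the table notes can be derived from a server’s own firewall log, here is an added example (not part of the original post or FortyCloud’s tooling). It parses kernel-style log lines for unsolicited inbound TCP SYNs, drops port 80 probes, counts distinct scanning hosts using an assumed threshold of three distinct ports per source, counts SSH attempts, and flags sources inside the assumed RFC 1918 internal address space. The log lines are constructed sample data.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample (not a real capture): kernel firewall log lines for new
# inbound TCP SYNs on the public (eth0) and data-centre internal (eth1) interfaces.
SAMPLE_LOG = """\
Jun 12 03:14:01 vm1 kernel: IN=eth0 SRC=203.0.113.7 DST=198.51.100.10 PROTO=TCP SPT=51234 DPT=22 SYN
Jun 12 03:14:02 vm1 kernel: IN=eth0 SRC=203.0.113.7 DST=198.51.100.10 PROTO=TCP SPT=51235 DPT=22 SYN
Jun 12 03:15:10 vm1 kernel: IN=eth0 SRC=203.0.113.9 DST=198.51.100.10 PROTO=TCP SPT=40000 DPT=80 SYN
Jun 12 03:16:44 vm1 kernel: IN=eth0 SRC=192.0.2.55 DST=198.51.100.10 PROTO=TCP SPT=33000 DPT=3389 SYN
Jun 12 03:16:45 vm1 kernel: IN=eth0 SRC=192.0.2.55 DST=198.51.100.10 PROTO=TCP SPT=33001 DPT=445 SYN
Jun 12 03:16:46 vm1 kernel: IN=eth0 SRC=192.0.2.55 DST=198.51.100.10 PROTO=TCP SPT=33002 DPT=1433 SYN
Jun 12 03:20:00 vm1 kernel: IN=eth1 SRC=10.0.3.17 DST=10.0.3.5 PROTO=TCP SPT=45000 DPT=22 SYN
Jun 12 03:20:01 vm1 kernel: IN=eth1 SRC=10.0.3.17 DST=10.0.3.5 PROTO=TCP SPT=45001 DPT=23 SYN
"""

LINE_RE = re.compile(r"SRC=(?P<src>[\d.]+) .*PROTO=TCP .*DPT=(?P<dport>\d+)")
# Assumed: the data centre's internal addressing uses RFC 1918 space.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
SCAN_THRESHOLD = 3  # assumed heuristic: this many distinct ports from one source = port scan

def summarise(log_text, exclude_ports=(80,), scan_threshold=SCAN_THRESHOLD):
    """Return the metrics from the table notes for one server's log."""
    per_port, ports_by_host = Counter(), {}
    ssh_attempts, internal = 0, set()
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        src, dport = m["src"], int(m["dport"])
        if dport in exclude_ports:
            continue  # note 1: probes to port 80 are not counted
        per_port[dport] += 1
        ports_by_host.setdefault(src, set()).add(dport)
        if dport == 22:
            ssh_attempts += 1  # note 3: SSH is enabled on every freshly launched server
        if any(ipaddress.ip_address(src) in net for net in INTERNAL_NETS):
            internal.add(src)  # note 4: the probe came from a neighbour inside the data centre
    return {
        "access_attempts": sum(per_port.values()),
        "attempts_per_port": dict(per_port),
        "scanning_hosts": sorted(h for h, p in ports_by_host.items() if len(p) >= scan_threshold),
        "ssh_attempts": ssh_attempts,
        "internal_sources": sorted(internal),
    }

if __name__ == "__main__":
    for metric, value in summarise(SAMPLE_LOG).items():
        print(f"{metric}: {value}")
```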
Should we stay away from Public Clouds then? Definitely not! The Public Cloud economic model (pay-per-use, granular billing, agile resource allocation, etc.) is too attractive to abandon. The following are three relatively simple guidelines that can be used to fortify IT security in Public Cloud environments.
- Isolate your virtual servers from the rest of the data center, making them unreachable from co-located ‘foreign’ servers. This can be achieved by allocating a dedicated VLAN for your servers (several CSPs support such a service) or by encrypting all data-center in-bound (internal) traffic.
- Access your Cloud servers over remote VPN access. Using VPN technology in this context has many benefits. The first is that all the Enterprise information traversing the public Internet on the way to/from the cloud data center is encrypted, and the second is that you can control exactly who can communicate with your cloud servers. This requires that you install at least one VPN gateway in the Cloud data center.
- On your cloud servers, disable all communication over public IP addresses. This ensures that your cloud servers are reachable from the ‘outside world’ only through your VPN gateway.
FortyCloud provides a VPC solution that is cloud-provider independent and can be deployed over any Public Cloud infrastructure (such as AWS, Rackspace, Google etc.) and over several clouds simultaneously.
For more information please contact us.