Part I: Legacy Infrastructure vs Cloud: Changing Security Considerations

Moazzam Khan
Published in allaboutsecurity
Aug 20, 2021

Over the last decade, network infrastructure has moved from the traditional on-premises datacenter to fully cloud or hybrid cloud infrastructure. With this change, security requirements and considerations have changed significantly. The focus in a traditional on-prem datacenter was to protect whatever was inside the perimeter, and things inside were trusted. With workloads in the cloud, and because of multitenancy, you now also have to protect yourself from other users who are inside. Even within the cloud, considerations differ by deployment model (private, public, and hybrid) and by service model (SaaS, IaaS, and PaaS). So, if you are a cloud customer using a particular model and are not sure which key security areas to focus on for your particular cloud setup, read on.

In this article we will highlight how legacy datacenters and each cloud deployment model differ, and what the key security aspects are to consider if you are responsible for designing or managing security for either of these paradigms.

Here, we investigate cloud security from the point of view of a cloud customer. The view is significantly different if you look at the cloud security problem through the lens of a cloud provider; that will be the topic of another article. Splitting it this way is the only way we can do justice to the current topic, which is quite broad.

1. Legacy System

Legacy networks were, and are, characterized by their castle-and-moat architecture, where the datacenter or on-premises assets are the castle that you protect with a moat around it. This castle holds all your key assets, such as email, databases, and application servers, and you design a moat around it with security devices such as firewalls, IPS/IDS, and application gateways. You install monitoring solutions to watch for events such as breaches, insider threats, malicious behavior from users or apps, and data exfiltration attempts, so that you can detect and remediate any security incident. Access from outside is regulated with strict access controls and VPN solutions to protect assets and information from unauthorized use. You also design policies that dictate user behavior inside the castle and when users approach it from outside, and install endpoint solutions to ensure that each user's machine is safe from malicious code. The following is a diagram representing a typical datacenter security architecture.

Figure: Typical datacenter architecture

Some of the key security aspects of a legacy datacenter are:

· Application and Platform Security

Typical infrastructure inside a legacy datacenter, such as application servers, is put behind firewalls, segregated with DMZs and VLANs, scanned and patched for vulnerabilities, and protected with endpoint security systems.

· Data at Rest and in Motion

Data in motion (traveling across a network or even internally within a system) between endpoints such as servers and clients should be protected using encryption such as SSL/TLS, with TLS 1.2 as the minimum version used. Data at rest, for example data stored in a database, should also be protected with encryption: RSA or ECC for public/private key authentication, and AES for the data itself.

· Access Control

Users accessing the resources in the datacenter, whether they are coming from outside or inside the network, should be properly controlled using access control lists, and only authorized services should be accessible to users.

· Network Security

If users are accessing internal network resources via the internet, then they should be using a VPN solution. There should be a DMZ for publicly accessible servers, and those servers should be behind firewalls and properly isolated from other internal network resources. Internal resources should be further isolated into VLANs, which restrict which machines can communicate with each other. Proper monitoring of the logs from security devices should be in place. SIEM solutions are deployed for this purpose and can generate a correlated view of the security of the network using logs from the deployed devices.

· Separation for Security Control and Compliance

The datacenter gives the owning organization the capability to separate networks and resources based on security needs. Departments can be segregated according to the security controls they need, and stricter compliance and security controls can be deployed in departments where needed. For example, the Billing department of an organization that processes credit card information may need to be PCI compliant, whereas the Research department does not.

· Physical Security

The organization should have strict control over physical access to resources so that only qualified and authorized individuals can have access to the assets.
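The Access Control and Network Security items above describe ACLs, a DMZ for public servers, and VLAN isolation of internal resources. The following added example (not code from the original article) models that as a first-match rule list with an implicit deny and audits it for rules that expose an internal zone to any source; the zone names, address ranges and ports are constructed assumptions.

```python
import ipaddress
from typing import NamedTuple, Optional

# Constructed address plan (assumption): one DMZ, two internal VLANs, a VPN pool.
ZONES = {
    "dmz": ipaddress.ip_network("192.0.2.0/24"),
    "vlan_billing": ipaddress.ip_network("10.10.20.0/24"),
    "vlan_research": ipaddress.ip_network("10.10.30.0/24"),
    "vpn_pool": ipaddress.ip_network("10.99.0.0/24"),
}

class Rule(NamedTuple):
    src: str              # zone name or "any"
    dst: str              # zone name or "any"
    port: Optional[int]   # None matches every port
    action: str           # "allow" or "deny"

# First match wins; traffic matching no rule falls to the implicit deny.
POLICY = [
    Rule("any", "dmz", 443, "allow"),                # public HTTPS to DMZ servers
    Rule("dmz", "vlan_billing", 5432, "allow"),      # DMZ app tier to billing database
    Rule("vpn_pool", "vlan_research", 22, "allow"),  # remote users arrive via VPN only
    Rule("vlan_research", "vlan_billing", None, "deny"),
]

def zone_of(addr: str) -> str:
    """Map an address to its zone; anything outside the plan is 'internet'."""
    ip = ipaddress.ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "internet"

def decide(src: str, dst: str, port: int) -> str:
    """Evaluate one flow against POLICY, defaulting to deny."""
    s, d = zone_of(src), zone_of(dst)
    for rule in POLICY:
        if rule.src in ("any", s) and rule.dst in ("any", d) and rule.port in (None, port):
            return rule.action
    return "deny"

def audit(policy):
    """Return allow rules that let any source reach something other than the DMZ."""
    return [r for r in policy if r.action == "allow" and r.src == "any" and r.dst != "dmz"]
```

Running `audit` on every proposed rule change catches a rule such as "any to the billing VLAN" before it punches through the segmentation.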
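The Network Security item above says a SIEM builds a correlated view from the logs of the deployed security devices. As an added example (not from the original article), the sketch below correlates firewall, VPN and IDS events by source address inside a time window; the log format, event names and sample lines are constructed for illustration and do not match any particular product.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: "<ISO time> <device> <source IP> <event ...>"
SAMPLE_LOGS = """\
2021-08-20T10:00:05 firewall 203.0.113.7 DENY tcp/22
2021-08-20T10:00:40 vpn 203.0.113.7 AUTH_FAIL user=alice
2021-08-20T10:01:10 ids 203.0.113.7 ALERT port-scan
2021-08-20T10:02:00 firewall 198.51.100.9 DENY tcp/3389
2021-08-20T10:30:00 vpn 198.51.100.9 AUTH_FAIL user=bob
2021-08-20T10:45:00 vpn 192.0.2.44 AUTH_OK user=carol
"""

# Event types (assumed names) that count toward a correlation.
SUSPICIOUS = {"DENY", "AUTH_FAIL", "ALERT"}

def parse(line):
    """Split one log line into (timestamp, device, source IP, event text)."""
    ts, device, src, event = line.split(maxsplit=3)
    return datetime.fromisoformat(ts), device, src, event

def correlate(log_text, window=timedelta(minutes=5), min_devices=2):
    """Return {source IP: sorted device types} for sources that raise
    suspicious events on at least `min_devices` device types within `window`."""
    by_src = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, device, src, event = parse(line)
        if event.split()[0] in SUSPICIOUS:
            by_src[src].append((ts, device))
    findings = {}
    for src, events in by_src.items():
        events.sort()
        # Slide a window that starts at each event and collect device types in it.
        for i, (start, _) in enumerate(events):
            devices = {d for t, d in events[i:] if t - start <= window}
            if len(devices) >= min_devices:
                findings[src] = sorted(devices)
                break
    return findings
```

A single firewall deny or one failed VPN login is routine noise; the same source tripping several device types within minutes is what the correlated view surfaces.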

For security considerations in cloud systems, please read Part II.
