Tips for Cloud Computing Security!

Ibrahim Bou Ncoula
Published in AstroLabs
Feb 6, 2017

This is not a typical, obscure, high-level article about cloud computing security. It dives directly into day-to-day tips and ideas to keep in mind while developing systems on the cloud. I will not go into why you need security nowadays; since you are reading this article, I am confident you are already aware of the topic at hand.

Securing your cloud environment is not a difficult thing to do if you apply basic concepts right from the start and implement a strict "re-visit" process to keep fine-tuning your configuration, infrastructure setup and processes as you go.

First things first, the basics:

  • From day 1, start with completely separate cloud accounts for prod and dev.
  • Root access keys: delete them right from the start. Allow root access only through direct console access to your cloud environment (a manual login from the web browser, not from the command-line SDK).
  • Any user access (incl. root) should have multi-factor authentication (MFA) enabled. Cloud providers usually point out their preferred app(s) for configuring MFA on the user's device.
  • Ideally the root user should have a very strong password, and the device on which MFA is enabled should be kept safe and not used publicly; you can consider purchasing a hardware MFA token for root access (kind of an extreme idea).
  • Ideally you should have very few people with administrator-level access; these are the senior ones. For the rest, customize user groups and grant them the minimum access required to do their job (this might need some trial and error, but you will get there).
  • Have very well-defined policies and groups for ease of configuration; build them and maintain them as you go. Also include this in your re-visit process.
  • Any access key you create, for use in your application, command line, etc., should be strictly defined so that it only permits the job intended. If you need to extend access, make sure you rotate these keys at least every 90 days.
  • Be very worried about what keys your developers are using in mobile/web apps, or even sharing by mistake on web forums while asking questions; even if you restrict these keys heavily, someone can still read them from your app's code. Look into different methods of keeping access out of plain sight (e.g. environment variables on servers, assuming roles, the Cognito service from AWS, etc.).
  • Avoid committing code to Git that contains access keys, usernames and passwords, etc. This should go without saying.
  • A user who can log in to the web portal of your cloud environment should NOT have access keys attached. Users usually end up being granted more permissions over time, and if such a key is somehow leaked, all of that access falls into the wrong hands.
  • Make sure NONE of your web apps or servers allow public FTP access, file listing, or any read/write access to configuration files. This exposes weaknesses that invite someone to attack you, or at least to start trying.
  • If you are using any cloud storage service (e.g. S3 in AWS), make sure everything is strictly private unless there is a good reason to make it public (public website images vs. configuration or private data files). One way is to grant temporary access by generating pre-signed URLs with a limited time of access (1 hour); cloud providers do provide these features in their SDK libraries. Also make sure you do not allow the public to edit files on your cloud storage [unless you have some logic to validate input before writing it].
  • Virtual private networks: this could be a bit beyond the basics (depending on how much time you have), but I prefer to consider it part of the basics. You will need a basic VPN environment where you can place critical things, like the DB, services that do background jobs, etc. You can open ports too, but make sure you know what ports you are opening, why, and for whom (IP range restrictions, etc.).
  • Make sure your security groups are well defined in terms of name, scope of access and reason, so that you can keep track of them. These groups tend to become too many to manage, and out of laziness you tend to add too much access under one security group (that's bad) and attach it to many parts of your app.
  • It goes without saying that setting up the above does not mean your developers can relax and simply focus on the business-logic parts of the apps they are building. Never ignore topics like SQL injection, cross-site scripting, strict input validation, DDoS attacks, and building security into the business logic itself (this is a big topic, and I will probably write some thoughts around it in a different article).
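
The "don't commit keys" and "don't ship keys in app code" points above are easiest to enforce with a check that runs before code leaves the developer's machine. The following is an added example (not the article's own code) of a small scanner suitable for a git pre-commit hook: it matches the documented AWS access key ID format, plus two broader heuristics for secret keys and hard-coded passwords. The sample configuration it scans is constructed, and both key values are made-up placeholders that only follow the format.

```python
"""Scan text, e.g. the staged diff in a git pre-commit hook, for credentials that
must never be committed.

Added example; not code from the original article. The AWS access key ID format
(literal prefix AKIA followed by 16 upper-case alphanumerics) is documented by
AWS; the other two patterns are heuristics chosen for this example.
"""
import re
from typing import List, Tuple

# (rule name, compiled pattern). The key-ID rule is precise; the other two are
# deliberately broad and will produce some false positives, which is the right
# trade-off for a gate that a developer can review before committing.
RULES: List[Tuple[str, "re.Pattern[str]"]] = [
    ("aws_access_key_id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("aws_secret_access_key",
     re.compile(r"(?i)aws[_-]?secret[_-]?access[_-]?key\s*[:=]\s*['\"]?[A-Za-z0-9/+=]{40}")),
    ("hardcoded_password",
     re.compile(r"(?i)(password|passwd|pwd)\s*[:=]\s*['\"][^'\"]{6,}['\"]")),
]

# A line carrying this marker is treated as an intentional placeholder.
ALLOW_MARKER = "# allow-secret"


def scan_text(text: str) -> List[Tuple[int, str, str]]:
    """Return (line_number, rule_name, offending_line) for every match."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if ALLOW_MARKER in line:
            continue
        for name, pattern in RULES:
            if pattern.search(line):
                findings.append((lineno, name, line.strip()))
    return findings


def is_clean(text: str) -> bool:
    """True when nothing matched; a pre-commit hook would exit non-zero otherwise."""
    return not scan_text(text)


# Constructed sample: a credentials file a developer might stage by mistake.
# Both key values are made-up placeholders that only follow the format.
SAMPLE_CONFIG = """\
[default]
aws_access_key_id = AKIAEXAMPLE000000001
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
db_password = "correct-horse-battery"
region = eu-west-1
"""

if __name__ == "__main__":
    for lineno, rule, line in scan_text(SAMPLE_CONFIG):
        print(f"line {lineno}: {rule}: {line}")
```

Wired into a pre-commit hook, `is_clean` would be run over `git diff --cached` and the commit refused on a hit; the `# allow-secret` marker exists so that documented placeholders can pass without weakening the rules.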

Now what’s next?

Now that you have the basics straight, let us add more diligence, visibility and process to them!

  • While shipping software to production, hiring more engineers and growing quickly, you will need to re-visit all the basics above and tighten them on a regular basis. Schedule a few hours per month that are never skipped for any excuse, and re-evaluate where your security stands. Never say later, next week, or not a priority :)
  • While developing more services, have a network isolation strategy between services, or at least group them in a way that minimizes the impact radius in case of a hack, so that an attacker who succeeds in compromising a specific network is still isolated from other services/databases. This might require a network engineer, or at least someone who is aware of the complexity of these setups.
  • Create signatures of the deployed files and automate a process that keeps validating the signatures of the files on the server against whatever was last deployed. If a signature has changed, someone has potentially changed something on your servers.
  • Monitor your cloud environment's access logs for suspicious activity (deleting machines, adjusting access rules, creating machines in different zones, etc.); cloud providers do provide ways to listen to such events and send alarms to your inbox or a dashboard. For example, if you detect any usage of the root user and you were not informed about it, this is critical and must be actioned immediately.
  • When you have time, navigate through the access logs yourself; also visit the different services in your cloud environment and make sure no alien machines or services are being used without you knowing, or that do not look related to your system.
  • Keep in mind that you have different data centers in different regions; check them all regularly, because someone might simply go and create machines in a different region without you knowing, and you will only find out when you get the bill :)
  • Have basic HTTP access log monitoring (or whatever protocol your app uses) to detect excessive or abnormal activity (there will always be some) on your public interfaces (API, web pages, etc.). Hook this to your firewall to block/throttle and alert you about the offending source. Also find some time to look at the logs manually every now and then.
  • Create a secret account, completely separate from your dev/prod cloud accounts, and store critical backups of everything there: your code, your daily data backups, your latest disk snapshots, VM images, etc.
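
The "signatures of the deployed files" item above is, in practice, a hash manifest recorded by the deploy pipeline, authenticated so it cannot be rewritten along with the files, and re-checked on the server. The following is an added example (not the article's own code) of that cycle: it builds a SHA-256 manifest of a tree, signs it with an HMAC key that stays off the server, and later reports modified, missing and added files. The directory, file contents and key are all constructed so the script runs offline.

```python
"""Record a SHA-256 manifest of a deployed tree, authenticate it with an HMAC,
and later detect modified, missing or added files.

Added example; not code from the original article. The directory, file contents
and the HMAC key are constructed here so the script runs offline.
"""
import hashlib
import hmac
import json
import os
import tempfile
from typing import Dict, List


def _sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: str) -> Dict[str, str]:
    """Map every file under root (relative, '/'-separated) to its SHA-256 digest."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = _sha256_file(full)
    return manifest


def sign_manifest(manifest: Dict[str, str], key: bytes) -> str:
    """HMAC-SHA256 over the canonical JSON form, so the manifest itself cannot be
    silently rewritten by whoever altered the files."""
    payload = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def manifest_is_authentic(manifest: Dict[str, str], key: bytes, tag: str) -> bool:
    return hmac.compare_digest(sign_manifest(manifest, key), tag)


def verify_tree(root: str, expected: Dict[str, str]) -> Dict[str, List[str]]:
    """Compare the tree on disk with the manifest recorded at deploy time."""
    current = build_manifest(root)
    return {
        "modified": sorted(p for p in expected if p in current and current[p] != expected[p]),
        "missing": sorted(p for p in expected if p not in current),
        "added": sorted(p for p in current if p not in expected),
    }


def demo() -> Dict[str, List[str]]:
    """Deploy a constructed tree, record and sign its manifest, simulate a change
    on the server, and report the drift."""
    key = b"constructed-demo-key-keep-off-the-server"
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "app"))
        with open(os.path.join(root, "app", "main.py"), "w") as f:
            f.write("print('hello')\n")
        with open(os.path.join(root, "config.ini"), "w") as f:
            f.write("[db]\nhost = db.internal\n")
        recorded = build_manifest(root)        # the deploy pipeline stores this off-box
        tag = sign_manifest(recorded, key)     # and its HMAC alongside it
        assert manifest_is_authentic(recorded, key, tag)

        # Simulated post-deploy drift: one file edited, one removed, one new.
        with open(os.path.join(root, "app", "main.py"), "a") as f:
            f.write("# unexpected edit\n")
        os.remove(os.path.join(root, "config.ini"))
        with open(os.path.join(root, "app", "extra.txt"), "w") as f:
            f.write("not part of the release\n")
        return verify_tree(root, recorded)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The point of the HMAC is that the check runs from somewhere the attacker does not control: the manifest and its tag are stored with the deploy pipeline, not on the server being checked, so an intruder who edits a file cannot simply update the recorded hash to match.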
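
The monitoring items above (root-user usage, changes to access rules, machines appearing in regions you do not use) reduce to a few rules run over the provider's audit log. The following is an added example (not the article's own code) of that triage. The event records are constructed and only loosely shaped after AWS CloudTrail fields (`eventName`, `awsRegion`, `userIdentity.type`); the region list and the sets of event names to watch are assumptions for this example and should be replaced with your own.

```python
"""Flag suspicious cloud audit events: root-user activity, changes to access
rules, destructive actions, and resources created outside the regions you use.

Added example; not code from the original article. The records below are
constructed and loosely shaped after AWS CloudTrail fields (eventName,
awsRegion, userIdentity.type); map them to your own provider's audit log.
The region list and event names to watch are assumptions for this example.
"""
from typing import Dict, List

# Regions this (hypothetical) system is deliberately deployed in.
EXPECTED_REGIONS = {"eu-west-1"}

# Calls that change who can reach what; each one deserves a second look.
ACCESS_RULE_EVENTS = {
    "AuthorizeSecurityGroupIngress", "RevokeSecurityGroupIngress",
    "PutBucketPolicy", "PutBucketAcl", "AttachUserPolicy", "CreateAccessKey",
}
CREATE_EVENTS = {"RunInstances", "CreateDBInstance", "CreateFunction"}
DESTRUCTIVE_EVENTS = {"TerminateInstances", "DeleteBucket", "DeleteDBInstance"}


def classify(event: Dict) -> List[str]:
    """Return the alert reasons for one event (empty when nothing stands out)."""
    reasons = []
    name = event.get("eventName", "")
    region = event.get("awsRegion", "")
    if event.get("userIdentity", {}).get("type") == "Root":
        reasons.append("root-user-activity")
    if name in ACCESS_RULE_EVENTS:
        reasons.append("access-rule-change")
    if name in DESTRUCTIVE_EVENTS:
        reasons.append("destructive-action")
    if name in CREATE_EVENTS and region not in EXPECTED_REGIONS:
        reasons.append("created-in-unexpected-region:" + region)
    return reasons


def triage(events: List[Dict]) -> List[Dict]:
    """Reduce a batch of events to the ones worth paging someone about."""
    alerts = []
    for e in events:
        reasons = classify(e)
        if reasons:
            identity = e["userIdentity"]
            alerts.append({
                "time": e["eventTime"],
                "event": e["eventName"],
                "region": e["awsRegion"],
                "actor": identity.get("userName", identity["type"]),
                "reasons": reasons,
            })
    return alerts


# Constructed sample batch (times, names and regions are made up).
SAMPLE_EVENTS = [
    {"eventTime": "2017-02-06T08:00:00Z", "eventName": "DescribeInstances",
     "awsRegion": "eu-west-1", "userIdentity": {"type": "IAMUser", "userName": "deploy-bot"}},
    {"eventTime": "2017-02-06T08:05:00Z", "eventName": "ConsoleLogin",
     "awsRegion": "us-east-1", "userIdentity": {"type": "Root"}},
    {"eventTime": "2017-02-06T08:07:00Z", "eventName": "AuthorizeSecurityGroupIngress",
     "awsRegion": "eu-west-1", "userIdentity": {"type": "IAMUser", "userName": "alice"}},
    {"eventTime": "2017-02-06T08:09:00Z", "eventName": "RunInstances",
     "awsRegion": "ap-southeast-1", "userIdentity": {"type": "IAMUser", "userName": "alice"}},
    {"eventTime": "2017-02-06T08:10:00Z", "eventName": "RunInstances",
     "awsRegion": "eu-west-1", "userIdentity": {"type": "IAMUser", "userName": "deploy-bot"}},
]

if __name__ == "__main__":
    for a in triage(SAMPLE_EVENTS):
        print(a["time"], a["actor"], a["event"], a["region"], ", ".join(a["reasons"]))
```

Of the five constructed events, three are flagged: the root console login, the security-group rule change, and the instance launched in a region the system does not use. The routine reads and the launch in the expected region pass silently, which is what keeps a rule set like this from becoming noise that people learn to ignore.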

I hope these tips inspired you and gave you a more focused view of what to think about when it comes to cloud computing security. Of course we all know it takes a big effort to get to a point where you have a very robust setup, but at least aiming and working towards it is always better than sitting and wondering where you will be hit next!

Ibrahim Bou Ncoula
