Best Practices to Establish Cloud Infrastructure Configuration Standards

July 22, 2021

Network

Like enterprise data centers, well-defined network security architectures are critical to understanding and managing risk by controlling what can communicate to what. However, traditional enterprise data center network security approaches don’t translate well into public cloud.

8 Network Security Best Practices

1. Start By Treating the Cloud as an Extension of the Enterprise Data Center

Most enterprises will start by connecting their enterprise network to the cloud and treating it like a remote data center, without initially having the cloud workloads communicate directly to the public internet. This allows the enterprise to gain experience with cloud security while still using on-premises network appliances for protection from attacks through the existing firewall and intrusion prevention services.

2. Tightly Control Network Communications to/from the Public Internet

Longer term, as expertise grows, public cloud-based workloads will communicate directly to the internet. Unless specific on-premises data is needed, these cloud applications should be isolated from enterprise data centers. The built-in security groups and network controls of the cloud providers provide sufficient isolation and control for this.

3. Encrypt all Network Communications by Default

All network communications — whether to and from the cloud, across regions within a cloud provider and, ideally, within a region itself — should be encrypted by default, using validated encryption methods and protocols such as Transport Layer Security (TLS). In addition, establish the use of mutual authentication for both sides of the communication.

4. Segment Lateral Traffic by Default

“Zero trust network segmentation” projects, also referred to as “microsegmentation” or “software-defined segmentation,” apply finer-grained isolation to workloads. The built-in, software-defined networking capabilities of cloud IaaS providers offer the ability to apply granular network isolation policies based on workload identities. Enterprises should avoid the “flat network” problem pervasive in enterprise data centers by segmenting by default.

5. Use Visualization Tools to Understand, Build and Optimize Network Policies

One of the challenges of any zero trust network segmentation strategy is how to map network flows and translate these into network policy. Third-party CSPM and network traffic analysis tools may be needed to gather flows, visualize them and map them to the native network security policies of the cloud provider. Excessive permissions can be trimmed by comparing what network connectivity is initially provisioned to what is actually used.
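As an added example (not code from the post or from Gartner), the following Python compares a security group's provisioned ingress rules with the flows actually observed and reports the rules nothing used; the rules and the flow records, laid out like the AWS VPC Flow Logs default format, are constructed.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    name: str
    protocol: str   # "tcp", "udp" or "all"
    port_from: int
    port_to: int
    source: str     # CIDR that may connect

# Constructed ingress rules for one security group (assumption: ingress only).
RULES = [
    Rule("web-https", "tcp", 443, 443, "0.0.0.0/0"),
    Rule("web-http", "tcp", 80, 80, "0.0.0.0/0"),
    Rule("ops-ssh", "tcp", 22, 22, "10.0.0.0/8"),
    Rule("legacy-mysql", "tcp", 3306, 3306, "0.0.0.0/0"),
]

# Constructed flow records laid out like the AWS VPC Flow Logs default format:
# version account-id interface-id srcaddr dstaddr srcport dstport protocol
# packets bytes start end action log-status (protocol is the IANA number).
FLOWS = """\
2 111111111111 eni-0a1b 203.0.113.7 10.0.1.20 51515 443 6 12 4000 1626900000 1626900060 ACCEPT OK
2 111111111111 eni-0a1b 10.0.5.9 10.0.1.20 40001 22 6 30 9000 1626900000 1626900060 ACCEPT OK
2 111111111111 eni-0a1b 198.51.100.4 10.0.1.20 55001 3389 6 3 180 1626900000 1626900060 REJECT OK
"""

PROTO = {"6": "tcp", "17": "udp"}

def rule_matches(rule, src, dport, proto):
    """True if this rule would admit a packet from src to dport over proto."""
    if rule.protocol not in ("all", proto):
        return False
    if not rule.port_from <= dport <= rule.port_to:
        return False
    return ipaddress.ip_address(src) in ipaddress.ip_network(rule.source)

def unused_rules(rules, flow_text):
    """Names of rules that no ACCEPTed flow exercised: candidates for removal."""
    used = set()
    for line in flow_text.splitlines():
        f = line.split()
        if len(f) < 14 or f[12] != "ACCEPT":
            continue  # skip malformed lines and rejected traffic
        src, dport, proto = f[3], int(f[6]), PROTO.get(f[7], "other")
        used.update(r.name for r in rules if rule_matches(r, src, dport, proto))
    return [r.name for r in rules if r.name not in used]
```

Run it over a representative window of flow logs before trimming anything, since a rule that is unused for an hour may still serve a weekly batch job.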

6. Avoid In-line Network Security Appliances for Traffic Inspection

VM-based network appliances create chokepoints and potential single points of failure, and are increasingly blind to encrypted traffic if payload inspection is required. Network security appliances placed at chokepoints are a cloud antipattern. In some cases, third-party cloud-native offerings may be needed, combined with a transit-network-type architecture to centralize common inspection requirements. Alternatively, the use of workload-based controls can distribute the in-line network inspection to each VM.

7. Where Third-party Network Security Controls Are Used, Favor Cloud-native Approaches

Vendors that simply port their on-premises physical appliance to a virtual appliance don’t provide a cloud-native experience. Cloud-native security offerings provide built-in automated resiliency, scale-out architectures, ease of insertion into the programmable network fabric of the cloud provider and support for transit virtual private cloud (VPC)-like constructs.

8. Replace Legacy Virtual Private Network (VPN) And Demilitarized Zone (DMZ) Architectures With Zero Trust Network Access (ZTNA)

Where named user access is needed to a cloud-based application or front-end service, don’t use legacy DMZ and VPN architectures. Use a ZTNA (Zero Trust Network Access) solution as a stand-alone offering or as part of a broader set of secure access service edge (SASE) capabilities.

Storage

Most of the publicly reported cloud security incidents are related to the misconfiguration of cloud storage services, exposing sensitive data to the public internet.

3 Storage Security Best Practices

1. Scan For Open File Shares

Open file shares and object storage represent the most common form of public cloud security exposure. However, open file shares and object storage are entirely avoidable and relatively easy to prevent.

2. Don’t Use IaaS Object Storage Repositories as a Substitute for Enterprise-caliber Content Collaboration Platforms

Developers may be tempted to share files using IaaS/PaaS object stores. While better than email, this is not as secure as commercial content collaboration platform services designed for this purpose, such as solutions from Box, Citrix, Dropbox, Google, Microsoft (OneDrive) and others.

3. Encrypt all Data at Rest Using Customer-controlled Keys

The principle of default deny should be applied to data access as well. Encryption of data at rest is not a panacea, but it does reduce the attack surface and raises the bar for attackers. The built-in encryption capabilities of cloud infrastructure make this straightforward and seamless; the strong recommendation is that the customer maintain control of the master keys, rooted in the strength of cloud-based or on-premises hardware. Encrypting data with customer-controlled keys has immense value when data needs to be deleted: for strong assurance that deleted data is no longer accessible, delete the master key (and any backup keys).

Compute

IaaS compute offerings are the building blocks for cloud workloads.

4 Compute Configuration Best Practices

1. Separate the Right to Create VMs From the Right to Delete Them

Separation of duties should extend to the rights to manage machine and storage images. No single account should be able to delete the entire set of enterprise assets in IaaS.

2. Use IAM roles for servers

Servers will have identities and permissions associated with them. The use of IAM roles provides a scalable way to assign permissions to compute-based workloads.

3. Use the Cloud Provider’s Metadata Service for Workload Secrets

Cloud workloads will need access to secrets (passwords, API keys, certificates and so on). These should not be hard-coded in system images. All of the leading cloud providers offer a metadata service that stores these outside the machine image and can be queried as needed. More advanced capabilities are offered in the cloud provider’s secrets management service. For multi-cloud capabilities, a third-party offering may be required.

4. Require All Workloads in Production to Use Tags

Many third-party security tools are able to directly query the attributes of a workload using the native APIs of the cloud provider. Labels and tags on machine images provide a simple way to map and consume policies from third-party security consoles (such as the cloud workload protection platforms discussed later in this document).

PaaS

Leading cloud providers have a substantial number of platform services available to developers. Each of these comes with settings for configurations and permissions, creating significant complexity and the potential for misconfiguration.

4 PaaS Security Best Practices

1. If the PaaS Service Stores Data, Encrypt it at Rest

As with storage services, the default security posture should be encryption of any cloud data at rest combined with the use of customer-controlled keys. There will be exceptions (such as data lakes where extensive analytics are performed).

2. Standardize Which PaaS Services will be Used

IaaS providers are continually introducing new services. As a best practice, enterprises should define the standard subset of services for their organization. This catalog will be reevaluated on a regular basis based on developer demand and service maturity.

3. Establish Best Practice Configurations for Each PaaS Offering the Enterprise Uses

The complexity of doing this for each service requires the use of a tool to automate the process. This is discussed in the next section.

4. Attach All PaaS Services to Logical Network Constructs

Leading IaaS/PaaS providers offer the capability to restrict access to their PaaS services to the enterprise’s logical network constructs, such as network security groups, virtual networks and VPC endpoints. Use this capability to restrict access to PaaS services wherever it is available. This way, access to and usage of PaaS can be restricted to specific applications and workloads, so that the services do not have to be reachable over more broadly exposed network segments.
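The following Python is an added example, not code from the post or from Gartner, serving both the storage practice “Scan for open file shares” and the PaaS practice above: it evaluates S3-style bucket records (policy document, ACL grants and public access block settings) and reports which exposure paths remain open, treating a policy that is conditioned on a VPC endpoint as not public. The bucket records, names, ARNs and the endpoint id are constructed placeholders; the group URIs and setting names are S3's own.

```python
import json

# S3's well-known global group URIs; either grantee makes an ACL public.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"

def _principal_is_public(principal):
    """Principal "*" or {"AWS": "*"} means anyone, anonymous callers included."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in ([aws] if isinstance(aws, str) else aws)
    return False

def policy_is_public(policy):
    """True if an Allow statement grants to everyone with no Condition narrowing it."""
    if isinstance(policy, str):
        policy = json.loads(policy)  # the policy API returns the document as text
    return any(st.get("Effect") == "Allow" and "Condition" not in st
               and _principal_is_public(st.get("Principal"))
               for st in policy.get("Statement", []))

def acl_is_public(grants):
    return any(g.get("Grantee", {}).get("URI") in (ALL_USERS, AUTH_USERS) for g in grants)

def exposures(bucket):
    """Exposure paths that the bucket's public access block settings do not close."""
    pab = bucket.get("PublicAccessBlock", {})
    found = []
    if policy_is_public(bucket.get("Policy", "{}")) and not pab.get("RestrictPublicBuckets"):
        found.append("policy")
    if acl_is_public(bucket.get("Grants", [])) and not pab.get("IgnorePublicAcls"):
        found.append("acl")
    return found

# Constructed bucket records; names, ARNs and the VPC endpoint id are placeholders.
PUBLIC_READ = json.dumps({"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
    "Principal": "*", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example/*"}]})
VPCE_ONLY = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Principal": {"AWS": "*"},
    "Action": "s3:GetObject", "Resource": "arn:aws:s3:::uploads/*",
    "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-PLACEHOLDER"}}}]}
BUCKETS = {
    "logs-archive": {"Policy": PUBLIC_READ, "Grants": [], "PublicAccessBlock": {}},
    "site-assets": {"Policy": PUBLIC_READ, "PublicAccessBlock": {"IgnorePublicAcls": True,
                    "RestrictPublicBuckets": True},
                    "Grants": [{"Grantee": {"URI": ALL_USERS}, "Permission": "READ"}]},
    "uploads": {"Policy": VPCE_ONLY, "PublicAccessBlock": {},
                "Grants": [{"Grantee": {"URI": AUTH_USERS}, "Permission": "READ"}]},
}
```

In a real scan the three records per bucket would come from the provider's policy, ACL and public-access-block APIs; the evaluation logic is unchanged.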

Conclusion

Architect for consistent visibility and control of all workloads regardless of location, size or architecture. Target the unique protection requirements of workloads in modern hybrid, multicloud data center architectures. Use a cloud workload protection platform (CWPP) to achieve this. CWPP offerings should start by scanning for known vulnerabilities in development. At runtime, CWPP offerings should protect the workload from attacks, typically using a combination of system integrity protection, application control, memory protection, behavioral monitoring, host-based intrusion prevention and optional anti-malware protection.

Gartner recommends engaging certified cloud partners early in your cloud planning process, so that loopholes are identified early and plugged before they turn into a disaster.
