Cloud is a hot topic at the moment and cloud vendors of all shapes and sizes are spending huge amounts of money in marketing, development and sales. Companies and individuals are starting to move their resources over to these cloud vendors to try and reduce overall costs and associated “issues” that go along with hosting your own hardware.
One of the advantages of keeping your infrastructure in the cloud is the added benefit of having highly resilient services as standard; you no longer have to design, build and manage resilience into your own infrastructure. Although I have seen and experienced massive outages in the last year, these are hopefully brief and outweighed by the cost of hosting all these services yourself.
However, one thing that I’ve seen over the last year is the increasing number of people who don’t think about securing their applications and infrastructure once they are based within the cloud. People seem to be lured into a false sense of security when working within the cloud; they come to the idea that once everything is in the cloud there’s a big steel gate which comes down and protects everything for you. Sadly this isn’t the case 90% of the time.
In this post I’m going to be talking about security in the cloud based upon my experiences in Microsoft Azure, although the information in this post will also be relevant to other cloud vendors and their technologies.
One thing you need to think about (especially within the UK) is the Data Protection Act and where your data is going to be hosted. Does your cloud vendor store the data within your country’s borders? Unfortunately, for some companies it normally isn’t a simple case of uploading your data and you’re done. If you don’t currently know how or where your data is stored within the cloud vendor’s infrastructure, you may be opening a can of worms, and it is definitely something you need to look into.
How to secure your cloud
Securing your cloud based systems doesn’t have to be difficult. There are a number of quick and easy ways to ensure that your applications and infrastructure are secured from prying eyes as much as possible. Some of these are as follows:
- Remove any unnecessary endpoints – Endpoints are the external doorway to your infrastructure and are one step away from allowing a malicious user access to your systems. If you are not using the endpoint, consider removing it. If you need to use the endpoint, for instance for SSH or RDP access, consider changing the default external port to something more random and higher up. For instance, for SSH, instead of using TCP port 22, use TCP port 64321.
- Implement anti-virus – I’m a big believer in using endpoint security, to the point where if the company doesn’t use it on their own systems I can’t take them seriously. Even though the systems are in the cloud they can still be infected with viruses and malware from internally connected machines. Protect all devices at all levels.
- Encrypt data if possible – Depending upon the data you are using and how you are storing your data, you may need to think about encrypting the communication between endpoints (HTTPS for example) or even encrypt the actual data being stored. For databases like MS SQL Server, SQL Server 2014 allows you to encrypt the database for additional protection.
- Utilise VPN – Probably one of the more secure solutions is to remove all possible endpoints from your cloud services and utilise a VPN so that all your traffic is secure and only goes between authorised networks.
- Monitoring / logging – This is where I see a big failing in a lot of companies. If you don’t keep and review your logs, how do you know if you have malicious people trying to gain access (or worse still, have gained access)? Log and monitor application event logs for trends. There are plenty of open source applications out there that can help you in this area.
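The monitoring point above, as an added example that is not code from the original post: a Python script that scans sshd authentication lines for bursts of failed logins per source address, and for a successful login that follows such a burst. The log lines are constructed, and the ISO timestamp format, the threshold and window values, and the names `analyse` and `SAMPLE_LOG` are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in sshd's message format (ISO timestamps assumed).
SAMPLE_LOG = """\
2024-03-03T10:15:01 web01 sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
2024-03-03T10:15:04 web01 sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51236 ssh2
2024-03-03T10:15:09 web01 sshd[1203]: Failed password for root from 203.0.113.7 port 51240 ssh2
2024-03-03T10:15:30 web01 sshd[1207]: Failed password for deploy from 203.0.113.7 port 51251 ssh2
2024-03-03T10:16:02 web01 sshd[1210]: Accepted password for deploy from 203.0.113.7 port 51260 ssh2
2024-03-03T11:02:10 web01 sshd[1302]: Failed password for alice from 198.51.100.20 port 40022 ssh2
2024-03-03T11:02:25 web01 sshd[1302]: Accepted password for alice from 198.51.100.20 port 40022 ssh2
2024-03-03T12:00:00 web01 sshd[1400]: Failed password for root from 192.0.2.55 port 33001 ssh2
2024-03-03T12:00:03 web01 sshd[1400]: Failed password for root from 192.0.2.55 port 33002 ssh2
2024-03-03T12:00:07 web01 sshd[1400]: Failed password for root from 192.0.2.55 port 33003 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ sshd\[\d+\]: (?P<result>Failed|Accepted) \S+ for "
    r"(?:invalid user )?\S+ from (?P<ip>\S+) port \d+"
)

def analyse(log_text, threshold=3, window=timedelta(minutes=5)):
    """Return {ip: verdict} for sources with `threshold` or more failed logins
    inside `window`. "login_after_burst" means a successful login followed
    such a burst; "brute_force_attempt" means failures only."""
    failures = defaultdict(list)  # ip -> timestamps of recent failures
    findings = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not an sshd authentication line
        ts, ip = datetime.fromisoformat(m["ts"]), m["ip"]
        # Keep only the failures still inside the sliding window.
        recent = [t for t in failures[ip] if ts - t <= window]
        if m["result"] == "Failed":
            recent.append(ts)
            if len(recent) >= threshold:
                findings.setdefault(ip, "brute_force_attempt")
        elif len(recent) >= threshold:
            findings[ip] = "login_after_burst"  # the case to investigate first
        failures[ip] = recent
    return findings

if __name__ == "__main__":
    for ip, verdict in analyse(SAMPLE_LOG).items():
        print(f"{ip}: {verdict}")
```

A single mistyped password followed by a successful login, as with 198.51.100.20 in the sample, stays below the threshold and is not reported.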
I hope this post has been of use to you and has made you think about the security within your own cloud environment.