Hybrid & Multi-Cloud Security Best Practices in Healthcare

In today's digital landscape, organizations are increasingly adopting hybrid and multi-cloud environments to leverage the benefits of both private and public clouds. However, these complex setups also introduce unique security challenges. Implementing robust security practices is essential to protect data, applications, and infrastructure across these environments.

This article primarily covers the following key areas:

  • Overall infra and networking landscape
  • Hub & Spoke Network Design
  • Inspection and control of NS (North-South) traffic
  • Inspection and control of ES (East-West) traffic
  • Segregation of internet and intranet traffic

Overall infra and networking landscape

Multi-Cloud Routers (MCR) play a pivotal role in modern networking by connecting various cloud providers, on-premises systems, and different hospital locations. MCRs dynamically exchange routing information between these diverse environments, ensuring seamless integration and optimal data flow.

This dynamic routing is primarily achieved using protocols like Border Gateway Protocol (BGP). BGP allows for automatic route updates and facilitates seamless communication between networks, thus eliminating the need for manual configuration. This capability ensures that data can be transmitted efficiently and securely across different cloud environments and on-premises networks.

The design of Multi-Cloud Routers focuses on providing high bandwidth and low latency, which are crucial for applications that require quick data exchange and real-time processing. The robust and reliable network infrastructure supported by MCRs is essential for maintaining the performance and connectivity of applications hosted in various locations.

Furthermore, MCRs facilitate seamless and efficient communication between multiple cloud environments and on-premises networks. This capability ensures that organizations can leverage the benefits of hybrid and multi-cloud setups while maintaining optimal performance and connectivity. Overall, MCRs are integral to achieving a unified and efficient networking landscape.

Securing BGP is crucial to ensure the integrity and reliability of your network communications.

Here is how you can fortify BGP:

  • Route Filtering: Use filters to control which routes you accept or advertise. This prevents incorrect or malicious routes from propagating.
  • Prefix Lists: Define specific IP prefixes that are allowed or denied. This ensures that only legitimate routes are accepted.
  • Route Authentication: Implement cryptographic authentication for BGP messages using mechanisms like BGP MD5 or TCP-AO (TCP Authentication Option). This verifies that route updates are from trusted sources.
  • Access Control Lists (ACLs): Configure ACLs to restrict which IP addresses can initiate BGP sessions with your routers. This helps block unauthorized access.
  • Route Monitoring: Continuously monitor BGP sessions and route updates to detect anomalies. Tools like BGPMon can help you stay alert to any suspicious activities.
  • RPKI (Resource Public Key Infrastructure): Deploy RPKI to validate the origin of IP prefixes. This ensures that only authorized ASes (Autonomous Systems) are advertising certain prefixes.
  • Regular Audits: Conduct regular security audits of your BGP configurations. This helps identify and rectify any potential vulnerabilities.
  • BGP Session Time Limits: Set time limits on BGP sessions to automatically tear down and re-establish connections, ensuring sessions don't remain active indefinitely.
  • Redundancy and Failover: Implement redundant BGP sessions with multiple ISPs or cloud providers. This provides failover options in case one session is compromised.
  • Community String Filtering: Use community string filtering to control route propagation based on community values.

Combining these measures creates a robust and secure BGP configuration, helping to protect your network from potential attacks and ensuring smooth operation.
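As an added illustration of the route-filtering, prefix-list, AS-path and RPKI items above (example code written for this article, not a vendor or project implementation), the Python below applies an inbound policy to constructed BGP updates. The route-origin validation follows the RFC 6811 algorithm; prefixes are RFC 5737 documentation ranges, ASNs are RFC 5398 documentation ASNs, and the ROA table is a stand-in for the validated cache a router would normally fetch from an RPKI validator.

```python
"""Inbound BGP update filtering for a multi-cloud router peering session (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Sequence, Tuple


@dataclass(frozen=True)
class Roa:
    """Route Origin Authorization: `asn` may originate `prefix` at lengths up to `max_length`."""
    prefix: str
    max_length: int
    asn: int


@dataclass(frozen=True)
class Update:
    """A received BGP UPDATE reduced to what the filters need."""
    prefix: str
    as_path: Tuple[int, ...]  # leftmost = neighbour that sent it, rightmost = origin AS

    @property
    def origin_asn(self) -> int:
        return self.as_path[-1]


def _net(prefix: str):
    return ipaddress.ip_network(prefix, strict=False)


def rov_state(update: Update, roas: Iterable[Roa]) -> str:
    """RFC 6811 route-origin validation: returns 'valid', 'invalid' or 'unknown'."""
    net = _net(update.prefix)
    covering = [r for r in roas
                if _net(r.prefix).version == net.version and net.subnet_of(_net(r.prefix))]
    if not covering:
        return "unknown"      # no ROA covers this prefix at all
    for roa in covering:
        if roa.asn == update.origin_asn and net.prefixlen <= roa.max_length:
            return "valid"
    return "invalid"          # covered, but origin AS or prefix length is not authorised


def filter_update(update: Update, *, local_asn: int, allowed_prefixes: Sequence[str],
                  roas: Iterable[Roa], max_v4_len: int = 24, max_v6_len: int = 48) -> Tuple[bool, str]:
    """Apply the inbound policy in order; default deny, so every check must pass."""
    net = _net(update.prefix)
    # 1. AS-path loop: a route that already carries our ASN must never be re-imported.
    if local_asn in update.as_path:
        return False, "as-path-loop"
    # 2. Prefix list: only the ranges agreed with this peer, and nothing more specific
    #    than the agreed maximum length (rejects leaked defaults and overly specific routes).
    if net.prefixlen > (max_v4_len if net.version == 4 else max_v6_len):
        return False, "too-specific"
    if not any(_net(p).version == net.version and net.subnet_of(_net(p)) for p in allowed_prefixes):
        return False, "not-in-prefix-list"
    # 3. RPKI: drop invalids outright; unknowns pass only because step 2 already vetted them.
    state = rov_state(update, roas)
    if state == "invalid":
        return False, "rpki-invalid"
    return True, f"accepted-rpki-{state}"


# Constructed peering policy: documentation ASNs (RFC 5398) and prefixes (RFC 5737).
LOCAL_ASN = 64512                                   # the MCR's own ASN (hypothetical)
ALLOWED_PREFIXES = ["203.0.113.0/24", "198.51.100.0/24"]
ROAS = [Roa("203.0.113.0/24", 24, 64496)]           # only AS64496 may originate 203.0.113.0/24

SAMPLE_UPDATES = [                                  # constructed updates, one per check
    Update("203.0.113.0/24", (64500, 64496)),         # legitimate announcement
    Update("203.0.113.0/24", (64500, 64499)),         # same prefix, unauthorised origin AS
    Update("203.0.113.0/25", (64500, 64496)),         # more specific than agreed
    Update("198.51.100.0/24", (64501, 64497)),        # partner prefix with no ROA
    Update("0.0.0.0/0", (64500, 64496)),              # default route leaked by a peer
    Update("198.51.100.0/24", (64500, 64512, 64497)), # our own ASN already in the path
]


def run_filters(updates: Iterable[Update] = SAMPLE_UPDATES) -> List[Tuple[str, bool, str]]:
    """Evaluate each update; returns (prefix, accepted, reason) for logging or alerting."""
    return [(u.prefix, *filter_update(u, local_asn=LOCAL_ASN, allowed_prefixes=ALLOWED_PREFIXES, roas=ROAS))
            for u in updates]


if __name__ == "__main__":
    for prefix, accepted, reason in run_filters():
        print(f"{'ACCEPT' if accepted else 'REJECT':6} {prefix:18} {reason}")
```

The order of the checks matters: the loop and prefix-list tests are cheap and catch most misconfiguration, and RPKI is applied last so that an "unknown" result (no ROA published yet, which is common for newly assigned space) is only tolerated for prefixes the peer was already contracted to send. Every rejection carries a reason string, which is what you would feed to the route-monitoring alerts mentioned above.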

Hub & Spoke Network Design

A hub-and-spoke network design is a network topology in which a central hub connects to multiple nodes (spokes).

Here is a breakdown of its key security benefits:

  1. Centralized Security Management: The hub acts as a central point for implementing and managing security measures, such as firewalls, intrusion detection and prevention systems (IDPS), and antivirus solutions. This simplifies the security management process and ensures consistent security policies across the network.
  2. Efficient Traffic Inspection: By centralizing traffic through the hub, it becomes easier to inspect and monitor network traffic for potential threats and anomalies. This centralized control helps in early detection and mitigation of security incidents.
  3. Simplified Access Control: The hub can enforce access control policies, ensuring that only authorized devices and users can communicate with the network. This reduces the risk of unauthorized access and potential security breaches.
  4. Scalability: The hub-and-spoke design allows for easy scalability, as new spokes can be added without significant changes to the existing network infrastructure. This flexibility is beneficial for growing organizations.
  5. Cost-Effective Security: Centralizing security measures at the hub can be more cost-effective than implementing individual security solutions at each spoke. It reduces redundancy and streamlines the management of security resources.
  6. Network Segmentation: The hub-and-spoke model facilitates network segmentation, where different spokes can be isolated from each other. This containment helps limit the spread of security threats within the network.
  7. Improved Monitoring and Auditing: With a centralized hub, it's easier to monitor network activity and perform audits. This centralized logging and monitoring enhance the overall security posture of the network.

By leveraging these security advantages, organizations can create a robust and secure network environment using the hub-and-spoke design.

Inspection and control of NS (North-South) traffic

North-South (NS) traffic refers to data entering the cloud from outside it: from other Cloud Service Providers (CSPs), on-premises systems, and hospital locations.

  • Incoming traffic to the cloud (where primary workloads are deployed) hits the Dynamic Routing Gateway (DRG).
  • The DRG routes this traffic to the hub firewall.
  • The hub firewall has Intrusion Detection and Prevention System (IDPS) features enabled for traffic inspection.
  • Whitelisting and block listing mechanisms are employed by the firewall.
  • Once verified as non-malicious and whitelisted, the traffic is allowed to proceed to the spoke Virtual Cloud Network (VCN).
  • Within the VCN, additional security controls such as security lists and Network Security Groups (NSGs) are in place.
  • These security controls ensure authorized access to the workloads.
  • Based on predefined rules and routing, return traffic is directed back to the initiator.

Inspection and control of ES (East-West) traffic

East-West (ES) traffic refers to data initiated within the cloud between spoke VCNs or any traffic within the cloud infrastructure.

  • When traffic is initiated from a workload in one spoke VCN, the egress traffic exits that spoke VCN to the DRG (Dynamic Routing Gateway) based on predefined security list (SL) and NSG rules and routing.
  • The DRG routes this traffic to the hub firewall.
  • The hub firewall has Intrusion Detection and Prevention System (IDPS) features enabled for traffic inspection.
  • Whitelisting and block listing mechanisms are employed by the firewall.
  • Once verified as non-malicious and whitelisted, the traffic is allowed to proceed to the other spoke Virtual Cloud Network (VCN) where target workloads are deployed.
  • Within the VCN, additional security controls such as security lists and Network Security Groups (NSGs) are in place.
  • Based on predefined rules and routing, return traffic is directed back to the initiator.

Segregation of Internet and Intranet Traffic

Internet Traffic

  • Initiated from external sources and follows a different route than intranet traffic.
  • Reaches the internet gateway attached to the public subnet.
  • Inspected by a separate firewall in the hub using IDPS, anti-virus, and whitelisting features.
  • Allowed to proceed to the spoke Virtual Cloud Network (VCN) where public subnets host the load balancer.
  • Typically passes through a public load balancer after firewall inspection.
  • Backend servers are located in private subnets.
  • Uses a Web Application Firewall (WAF) to inspect traffic and mitigate OWASP top 10 attacks.
  • May route internet-based applications to CDN before passing through public load balancer, WAF, security lists (SL), and Network Security Groups (NSG).
  • Outbound traffic follows defined rules and routing within the VCN and firewall.

Intranet Traffic

  • Routed via the Dynamic Routing Gateway (DRG).
  • DRG directs this traffic to the hub firewall.
  • The hub firewall uses IDPS features for traffic inspection.
  • Whitelisting and block listing mechanisms are employed at the firewall.
  • Once verified as non-malicious and whitelisted, traffic is allowed to proceed to the target spoke VCN.
  • Intranet traffic typically passes through a private load balancer for intranet-based applications.
  • Additional security controls such as security lists and Network Security Groups (NSGs) within the VCN are in place.
  • Return traffic follows predefined rules and routing back to the initiator.
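The three traffic classes above share one pattern: every flow crosses an inspection point in the hub before it reaches the target VCN, and a narrower NSG rule is then applied inside the VCN. The Python model below, an added example written for this article rather than code from the original, traces constructed flows through such a topology and reports where each is allowed or denied. It also serves the Hub & Spoke section by making the point concrete that there is no spoke-to-spoke or internet-to-backend path that bypasses the hub. Spoke names, CIDRs, the load balancer address and all rules are hypothetical.

```python
"""Hub-and-spoke traffic path model for NS, EW and internet flows (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Sequence, Tuple

# Constructed topology. Spoke VCNs sit behind the hub; hospital sites, the on-prem DC
# and the other CSP all arrive through the DRG; the only thing the internet gateway
# exposes is the public load balancer VIP (RFC 5737 documentation address).
SPOKES = {
    "spoke-clinical": ipaddress.ip_network("10.10.0.0/16"),
    "spoke-billing": ipaddress.ip_network("10.20.0.0/16"),
}
INTRANET = [ipaddress.ip_network("172.16.0.0/12"),   # hospital sites and on-prem DC
            ipaddress.ip_network("10.200.0.0/16")]   # workloads in the other CSP, via the MCR
PUBLIC_LB = ipaddress.ip_address("203.0.113.10")


@dataclass(frozen=True)
class Rule:
    src: str
    dst: str
    port: int

    def matches(self, src_ip, dst_ip, port) -> bool:
        return (src_ip in ipaddress.ip_network(self.src)
                and dst_ip in ipaddress.ip_network(self.dst) and port == self.port)


# Hub firewall allow-list for DRG-routed (north-south and east-west) traffic; default deny.
HUB_ALLOW = [
    Rule("172.16.0.0/12", "10.10.0.0/16", 443),   # hospital sites -> clinical app
    Rule("172.16.0.0/12", "10.10.0.0/16", 22),    # on-prem ops -> clinical (coarse, site-wide)
    Rule("10.10.0.0/16", "10.20.0.0/16", 8443),   # clinical -> billing API
]
# NSG ingress per spoke: narrower than the hub, so it is the last line of defence per workload.
NSG_ALLOW: Dict[str, List[Rule]] = {
    "spoke-clinical": [Rule("172.16.0.0/12", "10.10.0.0/16", 443)],
    "spoke-billing": [Rule("10.10.0.0/16", "10.20.0.0/16", 8443)],
}


def spoke_of(ip) -> Optional[str]:
    return next((name for name, cidr in SPOKES.items() if ip in cidr), None)


def classify(src: str, dst: str) -> str:
    """Label a flow the way the article does: east-west, north-south or internet."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if spoke_of(src_ip) and spoke_of(dst_ip):
        return "east-west"
    if any(src_ip in n for n in INTRANET):
        return "north-south"
    return "internet"   # anything not from a known internal range enters via the internet gateway


def _permitted(rules: Sequence[Rule], src_ip, dst_ip, port) -> bool:
    return any(r.matches(src_ip, dst_ip, port) for r in rules)


def trace(src: str, dst: str, port: int) -> Tuple[List[str], str]:
    """Walk a flow through the topology; returns (hops, verdict), verdict 'allowed' or 'denied:<where>'."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if classify(src, dst) == "internet":
        if dst_ip != PUBLIC_LB:   # backends live in private subnets with no route from the IGW
            return ["internet-gateway"], "denied:no-route-to-private-subnet"
        hops = ["internet-gateway", "internet-firewall(IDPS+AV)"]
        if port != 443:           # the separate internet firewall only admits HTTPS to the LB
            return hops, "denied:internet-firewall"
        return hops + ["public-lb", "WAF"], "allowed"
    target = spoke_of(dst_ip)
    if target is None:
        return ["DRG"], "denied:no-route"
    hops = ["DRG", "hub-firewall(IDPS)"]
    if not _permitted(HUB_ALLOW, src_ip, dst_ip, port):
        return hops, "denied:hub-firewall"
    hops += [target, f"{target}-NSG"]
    if not _permitted(NSG_ALLOW[target], src_ip, dst_ip, port):
        return hops, f"denied:{target}-NSG"
    return hops, "allowed"


# Constructed flows covering each traffic class discussed above.
SAMPLE_FLOWS = [
    ("172.16.5.5", "10.10.1.20", 443),      # hospital site -> clinical app (north-south)
    ("172.16.5.5", "10.10.1.20", 22),       # hospital site -> clinical SSH: hub allows, NSG does not
    ("10.20.3.4", "10.10.1.20", 5432),      # billing -> clinical DB (east-west, not allow-listed)
    ("10.10.1.20", "10.20.3.4", 8443),      # clinical -> billing API (east-west)
    ("198.51.100.7", "203.0.113.10", 443),  # internet -> public LB
    ("198.51.100.7", "10.10.1.20", 22),     # internet -> private backend directly
]


def audit(flows=SAMPLE_FLOWS) -> List[Tuple[str, str, List[str], str]]:
    """Return (kind, 'src->dst:port', hops, verdict) for each flow."""
    return [(classify(s, d), f"{s}->{d}:{p}", *trace(s, d, p)) for s, d, p in flows]


if __name__ == "__main__":
    for kind, flow, hops, verdict in audit():
        print(f"{kind:12} {flow:32} {' > '.join(hops):70} {verdict}")
```

The second sample flow is the instructive one: the hub allow-list is deliberately coarse (a whole site range to a whole spoke), so the per-workload NSG is what actually stops SSH reaching an application server. Reviewing a design against such a model, the question to ask of each flow is whether its hop list contains an inspection point; a flow that reaches a spoke without one indicates a route table or gateway attachment that bypasses the hub.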

In Summary

This article primarily delved into the critical aspects of managing and securing cloud environments. We explored the overall infrastructure and networking landscape, highlighting the importance of a well-structured foundation. The Hub & Spoke Network Design was discussed, showcasing its role in centralizing security management and ensuring efficient traffic flow.

We then focused on the inspection and control of North-South (NS) traffic, detailing how incoming traffic from various sources is scrutinized and managed through dynamic routing and firewall mechanisms. Similarly, the inspection and control of East-West (ES) traffic within the cloud were examined, emphasizing the importance of internal security measures.

Lastly, we addressed the segregation of internet and intranet traffic, illustrating how different routes and security protocols are implemented to maintain a secure and robust network environment.

By covering these key areas, the article provides a comprehensive understanding of how to achieve a secure and efficient cloud infrastructure.


Sunderraj Ramanujam

Oracle Senior Project Manager

4 months

Interesting
