The most common misconception about Cloud Security!

Over the past few months, in conversation with customers, I have realised that there is a general misconception that the native controls provided by the IaaS cloud vendors are secure on their own and provide security equivalent to what most organisations have on premise. This is an incorrect assumption, and it can lead to a breach of those deployments. The IaaS cloud provider secures only the underlying infrastructure, not customer data and applications, and it should be noted that data isolation via native cloud security controls does NOT protect against malware or other threats.

To start, let us look at the security that is deployed in most organisations with internet-facing services. As a baseline, you would expect them to have:

  • A firewall providing access control
  • An IPS (integrated with the firewall or inline) that protects against attacks on protocol and application vulnerabilities
  • Web filtering with HTTPS inspection to control access to websites per the corporate acceptable usage policy
  • Anti-virus scanning of traffic
  • Anti-bot protection that detects infected machines on the local network and drops traffic to C&C servers
  • Some kind of sandboxing technology that detects zero-day and modified malware (APTs)
  • A mechanism for reporting on and troubleshooting traffic that has been blocked

Now let us look at what the two main cloud vendors provide.

Starting with Amazon AWS, network security is provided by Security Groups. Amazon states in its description of VPC security capabilities that “security groups have capabilities similar to traditional network firewall appliances, such as stateful packet inspection, centralized configuration, and out-of-band rule administration independent from guest OS configuration”. They further advise users that to get “additional functionality such as deep packet inspection, IPS/IDS, or network threat protection” they should deploy either a third-party host-based firewall or an inline firewall appliance. In practice a Security Group rule matches on protocol, port and peer address only; it does not inspect the payload, which is why DPI and IPS have to be added separately. AWS does provide the capability to log the traffic passed by a Security Group (VPC Flow Logs), but logging on its own does not prevent malicious activity. AWS has always stated in its Shared Responsibility Model that customers are responsible for:

  • Network Traffic protection
  • OS, Network and Firewall configuration

This is well documented in the AWS Security Best Practices whitepaper, and the shared responsibility model is illustrated in the following diagram.
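To make concrete what “stateful packet inspection” does and does not cover, here is an added example, written for this article rather than taken from AWS or its documentation, that models Security Group evaluation in Python. The rule dictionaries follow the IpPermissions shape returned by aws ec2 describe-security-groups; the addresses, ports and HTTP payloads are constructed samples, and the empty outbound rule set is an assumption (a real default Security Group allows all egress). The decision functions never read the payload field, so the hostile request reaches the instance exactly as the benign one does; the separate payload_inspection stand-in is there to show the step a Security Group does not perform.

```python
"""Model of AWS Security Group evaluation: an allow-list over protocol, port
and peer CIDR with connection tracking. Illustrative code for this article,
not AWS's implementation; all rules, addresses and payloads are constructed."""
import ipaddress

# Inbound rules in the IpPermissions shape of `aws ec2 describe-security-groups`
# (constructed): web ports open to the world, SSH only from one office range.
INBOUND_RULES = [
    {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "203.0.113.0/24"}]},
]


def rule_matches(rule, peer_ip, proto, port):
    """One IpPermissions entry. Only protocol, port range and peer CIDR are
    consulted; "-1" means any protocol, in which case ports are ignored."""
    if rule["IpProtocol"] not in ("-1", proto):
        return False
    if rule["IpProtocol"] != "-1" and not rule["FromPort"] <= port <= rule["ToPort"]:
        return False
    peer = ipaddress.ip_address(peer_ip)
    return any(peer in ipaddress.ip_network(r["CidrIp"]) for r in rule["IpRanges"])


def any_rule_allows(rules, peer_ip, proto, port):
    """Security Groups have no deny rules: a packet passes if any rule matches."""
    return any(rule_matches(r, peer_ip, proto, port) for r in rules)


class StatefulSecurityGroup:
    """Tracks accepted inbound flows so that replies are allowed regardless of
    the outbound rules (the 'stateful' behaviour AWS describes)."""

    def __init__(self, inbound, outbound):
        self.inbound = inbound
        self.outbound = outbound      # empty here (assumption); AWS defaults to allow-all egress
        self.accepted_flows = set()   # (peer_ip, peer_port, instance_port, proto)

    def inbound_packet(self, pkt):
        if any_rule_allows(self.inbound, pkt["src"], pkt["proto"], pkt["dport"]):
            self.accepted_flows.add((pkt["src"], pkt["sport"], pkt["dport"], pkt["proto"]))
            return True
        return False

    def outbound_packet(self, pkt):
        if (pkt["dst"], pkt["dport"], pkt["sport"], pkt["proto"]) in self.accepted_flows:
            return True               # reply to an accepted flow: no rule lookup at all
        return any_rule_allows(self.outbound, pkt["dst"], pkt["proto"], pkt["dport"])


# Stand-in for the IPS/WAF layer a Security Group does not provide (constructed signatures).
SIGNATURES = ("' OR '1'='1", "../", "<script>")


def payload_inspection(pkt):
    """Return the signatures found in the payload. This is the step no
    Security Group performs: it never reads past the IP/TCP headers."""
    return [s for s in SIGNATURES if s in pkt.get("payload", "")]


def demo():
    sg = StatefulSecurityGroup(INBOUND_RULES, outbound=[])
    instance = "10.0.1.5"
    benign = {"src": "198.51.100.7", "sport": 51000, "dst": instance, "dport": 80,
              "proto": "tcp", "payload": "GET /index.html HTTP/1.1"}
    hostile = dict(benign, sport=51001,
                   payload="GET /login?user=admin' OR '1'='1 HTTP/1.1")
    ssh_probe = dict(benign, sport=51002, dport=22, payload="")
    reply = {"src": instance, "sport": 80, "dst": "198.51.100.7", "dport": 51001,
             "proto": "tcp", "payload": "HTTP/1.1 200 OK"}
    beacon = {"src": instance, "sport": 40000, "dst": "192.0.2.66", "dport": 443,
              "proto": "tcp", "payload": ""}
    return {
        "benign_passes_sg": sg.inbound_packet(benign),
        "hostile_passes_sg": sg.inbound_packet(hostile),    # same tuple class: allowed
        "ssh_probe_passes_sg": sg.inbound_packet(ssh_probe),
        "reply_allowed_statefully": sg.outbound_packet(reply),
        "beacon_allowed": sg.outbound_packet(beacon),       # False only because egress is empty
        "ips_flags_hostile": payload_inspection(hostile),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running it and reading the results dictionary: the Security Group accepts both HTTP requests and rejects the SSH probe purely on the 5-tuple, the reply is allowed because the flow was accepted inbound (the stateful part), and the new outbound connection to 192.0.2.66:443 is dropped only because this example has no egress rules. Nothing in the group tells you that the second request carried an injection attempt.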

Moving on to Microsoft Azure, Network Security Groups are used to firewall deployed servers. Microsoft states that “A network security group (NSG) contains a list of access control list (ACL) rules that allow or deny network traffic to your VM instances in a Virtual Network”. A sample chapter from the Microsoft Press book on Azure network security adds that you should “keep in mind that this is simple stateful packet filtering, not full packet inspection. There is no protocol validation or network level intrusion detection system (IDS) or intrusion prevention system (IPS) capability in a Network Security Group”. Unlike AWS Security Groups, NSG rules can be explicit Deny rules and are evaluated in priority order, so the first matching rule decides. At the time of writing it is not possible to log the traffic allowed by NSGs.
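As an added illustration, not Microsoft's code and not from the book chapter quoted above, the following Python models how an NSG decides on an inbound packet: custom rules and the platform default rules are sorted by priority number, and the first rule whose protocol, source, destination and destination port all match decides. The VNet address space, the VM address and the three custom rules are constructed. The service tags VirtualNetwork, Internet and AzureLoadBalancer are resolved under a deliberately simplified assumption (VirtualNetwork is this VNet's address space, Internet is everything outside it, AzureLoadBalancer is the 168.63.129.16 health-probe address), whereas the real tags cover more ranges. Like an AWS Security Group, nothing here looks at the payload; what the example shows instead is a priority mistake that is easy to make once explicit Deny rules are in play.

```python
"""Model of Azure Network Security Group evaluation: allow/deny rules ordered
by priority, first match wins, platform default rules last. Illustrative code
for this article, not Microsoft's implementation; all data is constructed."""
import ipaddress

# Constructed VNet address space; used to resolve the VirtualNetwork tag.
VNET = [ipaddress.ip_network("10.1.0.0/16")]


def prefix_contains(prefix, ip):
    """Resolve an address prefix or service tag. Simplifying assumptions:
    VirtualNetwork = this VNet's space, Internet = anything outside it,
    AzureLoadBalancer = the 168.63.129.16 health-probe address. Real tags
    cover more ranges, but the evaluation logic is the same."""
    addr = ipaddress.ip_address(ip)
    in_vnet = any(addr in net for net in VNET)
    if prefix == "*":
        return True
    if prefix == "VirtualNetwork":
        return in_vnet
    if prefix == "Internet":
        return not in_vnet
    if prefix == "AzureLoadBalancer":
        return addr == ipaddress.ip_address("168.63.129.16")
    return addr in ipaddress.ip_network(prefix)


def port_in_range(spec, port):
    """Port specs are "*", a single port, or "low-high"."""
    if spec == "*":
        return True
    low, _, high = spec.partition("-")
    return int(low) <= port <= int(high or low)


# The three inbound default rules every NSG carries; they cannot be removed.
DEFAULT_INBOUND = [
    {"name": "AllowVnetInBound", "priority": 65000, "access": "Allow", "protocol": "*",
     "source": "VirtualNetwork", "destination": "VirtualNetwork", "dest_port": "*"},
    {"name": "AllowAzureLoadBalancerInBound", "priority": 65001, "access": "Allow",
     "protocol": "*", "source": "AzureLoadBalancer", "destination": "*", "dest_port": "*"},
    {"name": "DenyAllInBound", "priority": 65500, "access": "Deny", "protocol": "*",
     "source": "*", "destination": "*", "dest_port": "*"},
]

# Constructed custom rules. The office SSH allow at 300 is shadowed by the
# broad deny at 200, because the Internet tag also covers 203.0.113.0/24.
CUSTOM_INBOUND = [
    {"name": "allow-https", "priority": 100, "access": "Allow", "protocol": "Tcp",
     "source": "Internet", "destination": "*", "dest_port": "443"},
    {"name": "deny-ssh-internet", "priority": 200, "access": "Deny", "protocol": "Tcp",
     "source": "Internet", "destination": "*", "dest_port": "22"},
    {"name": "allow-ssh-office", "priority": 300, "access": "Allow", "protocol": "Tcp",
     "source": "203.0.113.0/24", "destination": "*", "dest_port": "22"},
]


def nsg_decision(custom_rules, pkt):
    """Walk custom plus default rules in ascending priority; the first rule
    whose protocol, source, destination and port all match decides.
    Like a Security Group, nothing here reads the packet payload."""
    for rule in sorted(custom_rules + DEFAULT_INBOUND, key=lambda r: r["priority"]):
        if rule["protocol"] not in ("*", pkt["proto"]):
            continue
        if not prefix_contains(rule["source"], pkt["src"]):
            continue
        if not prefix_contains(rule["destination"], pkt["dst"]):
            continue
        if not port_in_range(rule["dest_port"], pkt["dport"]):
            continue
        return rule["access"], rule["name"]
    return "Deny", "implicit"  # never reached: DenyAllInBound matches everything


def demo():
    vm = "10.1.0.4"

    def pkt(src, dport, proto="Tcp"):
        return {"src": src, "dst": vm, "dport": dport, "proto": proto}

    before = {
        "https_from_internet": nsg_decision(CUSTOM_INBOUND, pkt("198.51.100.7", 443)),
        "ssh_from_office": nsg_decision(CUSTOM_INBOUND, pkt("203.0.113.9", 22)),
        "ssh_from_vnet_peer": nsg_decision(CUSTOM_INBOUND, pkt("10.1.2.8", 22)),
        "rdp_from_internet": nsg_decision(CUSTOM_INBOUND, pkt("198.51.100.7", 3389)),
    }
    # Fix: the specific allow needs a lower priority number than the broad deny.
    fixed = [dict(r, priority=150) if r["name"] == "allow-ssh-office" else r
             for r in CUSTOM_INBOUND]
    after = {"ssh_from_office": nsg_decision(fixed, pkt("203.0.113.9", 22))}
    return before, after


if __name__ == "__main__":
    before, after = demo()
    for name, decision in before.items():
        print(f"before  {name}: {decision}")
    print(f"after   ssh_from_office: {after['ssh_from_office']}")
```

The office SSH rule at priority 300 is unreachable because the broad deny at 200 also matches the office range; moving the specific allow to 150 fixes it, which demo() shows by returning the decisions before and after the change. The VNet peer is admitted by the AllowVnetInBound default rule, and the RDP probe falls through to DenyAllInBound.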

Microsoft Azure also operates a Shared Responsibilities for Cloud Computing model and, in a similar manner to AWS, advises that it is the customer's responsibility to ensure client and endpoint protection and access management. The following graphic, taken from that document, illustrates who is responsible for what within this environment.

For further information on how to secure your public cloud infrastructure, please see the following links:

There is also a link to a long video on YouTube that shows how Check Point vSEC can be used to secure AWS workloads.

Hugh McGauran is a Security Engineer for Check Point Software Technologies. Every day the temptation is to tell his customers what they want to hear. What he does instead is tell them what they need to hear.

Una Traynor

Community Development Officer at Breffni Integrated Ltd

7 years ago

Thanks Hugh! Good to hear from the experts!

Kellman Meghu

Infrastructure as Code

7 years ago

If you are using cloud services just like your traditional data center, sure. I'm not so sure conventional approaches make as much sense for an organization that is building up services in PaaS, Lambda, containers, etc.

Erez Berkner

CEO and Co-Founder at Lumigo | Gartner Cool Vendor | #Observability | #OpenTelemetry

7 years ago

To the point! Azure security best practices tend to agree: “While Network Security Groups and User Defined Routing can provide a certain measure of network security at the network and transport layers of the OSI model, there are going to be situations where you’ll want or need to enable security at high levels of the stack. In such situations, we recommend that you deploy virtual network security appliances provided by Azure partners.” https://docs.microsoft.com/en-us/azure/security/azure-security-network-security-best-practices @erezberkner

Arild Skillinghaug

Security Architect, IT department of the Norwegian Cyber Defence (Cyberforsvaret), DRIV

8 years ago

Something for you, Torgeir Hitland?

