Securing your Cloud: Layered Defence
Yogesh Gupta
Experienced Cloud Enablement & Security Professional | Risk Mitigation Strategist | Championing IT Transformation | Passionate about designing lean multi-cloud hybrid IT environments
Security is one of the top concerns when people think about moving to or adopting cloud technology, which remains the most disruptive innovation of the 21st century.
First let's look at the rationale behind the myth that the cloud is less secure; then we will compare the traditional approach to security with cloud adoption and see how adopting the cloud lets us go deeper into a layered defence approach.
The key reason we find it hard to accept the cloud as secure is that we have become so used to terms like "perimeter", "trusted and untrusted", "malicious intruder", "adversaries" and so on that we assume everything outside our perimeter is bad. We have been told again and again that the internet is a dangerous place, full of hackers, the dark web, sinister actors, robbers and what not...
No wonder we think that anything hosted outside our premises is not secure at all.
But things changed in 2006 when Amazon introduced its web services and laid the foundation of what cloud technology is today.
Today we will take a look at one of the key pillars of a secure infrastructure, the layered approach to defence, or defence in depth, and compare a traditional IT infrastructure with a cloud infrastructure. As they say, no two organisations are the same, and neither are cloud service providers, so one should be very careful when selecting a cloud service provider for cloud adoption.
I am going to take Amazon Web Services (AWS) security and compare it with the traditional defence in depth model.
Layered defence, in simple words, means implementing multiple layers of security controls to defend IT systems and data.
A traditional defence in depth model will look like this.
Security starts with physical access to the facility as the first layer of defence, then moves to the firewall and network access control, transitioning into host-based security such as IDS and antivirus. Then comes application security, such as a web application firewall, and lastly data protection mechanisms.
We have followed this for over 15 years now, and it strengthened our infrastructure, giving us a completely secured (or at least what most of us assumed to be secured) IT infrastructure.
But with the advent of cloud technology as an alternative way of managing IT, and the number of advantages it brings, from cost savings to auto-scaling, the landscape changed. Many companies adopted the technology, whereas a larger number of corporates did not, fearing for the security of sensitive data in the public domain and its ill effects. They may have been correct in their assumption in the early days of cloud services, but as of now we can see that cloud technology has become not only more advanced but more secure, and providers like Amazon offer a stronger defence in depth than many traditional models.
Let's look at the Amazon approach to security in the following figure.
As you will see in the figure, Amazon not only provides security at multiple levels of data entry but also provides additional layers of security within each data entry point.
For example, if you look at the network layer alone, you will see multiple layers, right from creating logical segmentation (VPC) to creating security groups (stateful access) and network ACLs, and then a web application firewall and encryption of data in transit.
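As an added example, not taken from the original post, the following Python model shows why the security-group and network-ACL layers listed above are not interchangeable: the NACL is stateless, so a web server's replies are dropped unless an outbound rule for the client's ephemeral ports exists, while the stateful security group passes them automatically. The addresses, ports and rule numbers are constructed assumptions.

```python
# Toy model of two network layers named above: a stateless network ACL (numbered
# rules, first match wins, no match = deny) in front of a stateful security group
# (allow rules only; replies to tracked flows pass implicitly). Semantics follow
# AWS documentation; addresses, ports and rule numbers are constructed examples.
# Packet: (src_ip, dst_ip, src_port, dst_port, direction) with direction "in"/"out"
# relative to the subnet. NACL rule: (number, direction, port_range, action).
EPHEMERAL = range(1024, 65536)  # return-traffic ports a stateless NACL must allow

def nacl_decision(rules, pkt):
    """Stateless: evaluate rules in numeric order; the first match decides."""
    _, _, _, dst_port, direction = pkt
    for _, rule_dir, ports, action in sorted(rules, key=lambda r: r[0]):
        if rule_dir == direction and dst_port in ports:
            return action == "allow"
    return False  # the implicit final "*" rule denies everything else

class SecurityGroup:
    def __init__(self, inbound_ports, outbound_ports):
        self.inbound_ports, self.outbound_ports = inbound_ports, outbound_ports
        self.flows = set()  # connection-tracking state

    def decision(self, pkt):
        """Stateful: a reply to a tracked inbound flow is allowed without a rule."""
        src_ip, dst_ip, src_port, dst_port, direction = pkt
        if direction == "out" and (src_port, dst_ip, dst_port) in self.flows:
            return True
        allowed = dst_port in (self.inbound_ports if direction == "in" else self.outbound_ports)
        if allowed and direction == "in":
            self.flows.add((dst_port, src_ip, src_port))  # remember the flow for its reply
        return allowed

def evaluate(nacl, sg, pkt):
    """Inbound: NACL at the subnet edge, then the SG at the instance; outbound: reverse."""
    layers = [("NACL", lambda p: nacl_decision(nacl, p)), ("security group", sg.decision)]
    for name, check in (layers if pkt[4] == "in" else reversed(layers)):
        if not check(pkt):
            return f"denied by {name}"
    return "allowed"

def https_round_trip(nacl):
    """Client 203.0.113.7 -> web server 10.0.1.10:443, then the server's reply."""
    sg = SecurityGroup(inbound_ports={443}, outbound_ports=set())  # no outbound rule on purpose
    request = ("203.0.113.7", "10.0.1.10", 50123, 443, "in")
    reply = ("10.0.1.10", "203.0.113.7", 443, 50123, "out")
    return evaluate(nacl, sg, request), evaluate(nacl, sg, reply)

WEAK_NACL = [(100, "in", range(443, 444), "allow")]  # the outbound reply rule is missing
FIXED_NACL = WEAK_NACL + [(100, "out", EPHEMERAL, "allow")]  # replies to ephemeral ports pass
```

Running `https_round_trip(WEAK_NACL)` shows the request allowed but the reply denied by the NACL; with `FIXED_NACL` both directions pass, which is why a real NACL always needs ephemeral-port rules alongside the service port.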
We find a similar layered approach in system security through Identity and Access Management (IAM) and hardened AMIs. Another salient feature I see in AWS is KMS, the Key Management Service.
On top of this, automation plays a big role in a cloud environment, whether it is auto-scaling or auditing. AWS Trusted Advisor is another automated tool which provides you with real-time guidance for optimising the performance of your infrastructure.
Therefore, I think it is the right time to adopt and migrate to cloud services, and we do not need to do it all at once. Start small and simple, and as you and your stakeholders build confidence and trust in cloud services, it will be easier to adopt the cloud at large.
And remember, trust is the basis of all security measures, and unless you trust the cloud, you will never feel secure enough!