
Critical Security Capabilities for Cloud Providers

2015-11-13 05:05

Between teaching classes and working with clients I spend a fair bit of time talking about particular cloud providers. The analyst in me never wants to be biased, but the reality is there are big differences in terms of capabilities, and some of these matter.

Throwing out any of the non-security differentiators, when I look at cloud providers for enterprises there are some critical security capabilities you need for security and compliance. Practically speaking, these will quickly narrow down your options.

My criteria are more IaaS-focused, but it should be obvious which ones also apply to PaaS and SaaS:

  • API/admin logging: This is the single most important compliance control, a critical security control, and the single biggest feature gap in even many major providers. If there isn’t a log of all management activity, ideally including that of the cloud provider themselves, you never really know what’s happening with your assets. Your only other options are to constantly snapshot your environment and look for changes, or run all activity through a portal and still figure out a way to watch for activity outside that portal (yes, that’s what people really do sometimes).
  • Elasticity and autoscaling: If it’s an IaaS provider and it doesn’t have autoscaling, run away. It isn’t cloud. If it’s a PaaS or SaaS provider that lacks elasticity (can’t scale cleanly up or down to what you need), keep looking. For IaaS, this is a critical capability since it enables immutable servers, which are one of the best security benefits of cloud. For IaaS and PaaS it’s more of a non-security advantage.
  • APIs for all security features: Everything in cloud should be programmatically manageable. Why? Cloud security can’t scale without automation, and you can’t automate without APIs.
  • Granular entitlements: An entitlement is an access right/grant. The provider should have more than just “admin”. Ideally down to each feature or API call, especially for IaaS and PaaS.
  • Good, easy, SAML support that maps to the granular entitlements: Federated identity is the only reasonable way to manage all your users in the cloud. Fortunately, we see this one nearly always available. Unfortunately, some cloud providers make it a pain in the ass to set up.
  • Multiple accounts and cross account access: One of the best ways to compartmentalize cloud deployments is to use entirely different accounts for different projects and environments, then connect them together (with granular entitlements) when needed. This limits the blast radius if someone gets into the account and does something bad. I frequently recommend multiple accounts for a single cloud project, and this is considered normal. It does, however, require security automation, which ties into my API requirement.
  • Software Defined Network: Most major IaaS providers give you near complete control over your virtual networks. But some legacy providers lack an SDN and you are stuck with VLANs or other technologies that don’t provide the customization you need to really make things work. Read my paper on cloud network security if you want to understand more.
  • Regions/locations in different countries: Unless the cloud provider only wants business in its country of origin, this is required for legal and jurisdictional reasons. Thanks to Brian Honan for catching my omission.
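The logging point above (watch for management activity outside your portal, and for activity by the provider itself) is easy to turn into a detection once you have an audit log. The following is an added example, not code from the post or from any provider: it assumes a constructed, provider-neutral JSON-lines record shape, a hypothetical `deploy-bot` automation identity that is allowed to make changes through the API, and treats everything else as a finding.

```python
import json

# Constructed sample of management-plane audit records. The field names and
# values are assumed for this example and are not a real provider's log format.
SAMPLE_LOG = """
{"time":"2015-11-12T09:00:01Z","actor":"alice@example.com","actor_type":"user","action":"CreateInstance","source":"portal","ip":"203.0.113.10"}
{"time":"2015-11-12T09:05:44Z","actor":"deploy-bot","actor_type":"role","action":"ModifySecurityGroup","source":"api","ip":"198.51.100.7"}
{"time":"2015-11-12T09:07:12Z","actor":"bob@example.com","actor_type":"user","action":"DeleteInstance","source":"api","ip":"192.0.2.55"}
{"time":"2015-11-12T09:09:30Z","actor":"cloud-provider-support","actor_type":"provider","action":"AttachVolume","source":"internal","ip":null}
{"time":"2015-11-12T09:12:00Z","actor":"alice@example.com","actor_type":"user","action":"DescribeInstances","source":"api","ip":"203.0.113.10"}
"""

# Only state-changing calls are policed; read-only calls such as Describe* pass.
MUTATING_PREFIXES = ("Create", "Delete", "Modify", "Attach", "Detach", "Put", "Update")

# Hypothetical identities allowed to change resources outside the portal
# (e.g. the deployment automation that the API requirement in the post enables).
APPROVED_API_ACTORS = {"deploy-bot"}


def is_mutating(action):
    """True for actions that change the environment rather than just read it."""
    return action.startswith(MUTATING_PREFIXES)


def find_findings(log_text):
    """Return (kind, actor, action) for each mutating event that needs review:
    changes made by the provider itself, and changes made outside the portal
    by anyone other than an approved automation identity."""
    findings = []
    for line in log_text.strip().splitlines():
        rec = json.loads(line)
        if not is_mutating(rec["action"]):
            continue
        if rec["actor_type"] == "provider":
            findings.append(("provider_activity", rec["actor"], rec["action"]))
        elif rec["source"] != "portal" and rec["actor"] not in APPROVED_API_ACTORS:
            findings.append(("out_of_band_change", rec["actor"], rec["action"]))
    return findings


if __name__ == "__main__":
    for kind, actor, action in find_findings(SAMPLE_LOG):
        print(f"{kind}: {actor} performed {action}")
```

Run against the constructed sample it flags Bob's API-driven DeleteInstance and the provider-initiated AttachVolume, while Alice's portal change, the approved automation, and the read-only call pass.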

This list probably looks a hell of a lot different than any of the other ones you’ve seen. That’s because these are the foundational building blocks you realize you need once you start working on real cloud projects.

I’m probably missing some, but if I break this out all I’m really talking about are:

  • Good audit logs.
  • Decent compartmentalization/segregation at different levels.
  • Granular rights to enforce least privilege.
  • A way to manage everything and integrate it into operations.

Please let me know in the comments or via Twitter if you think I’m missing anything. I’m trying to keep it relatively concise.

- Rich


Source: www.securosis.com/blog/critical-security-capabilities-for-cloud-providers
