Security has become increasingly important in IT as more exploits are attempted (and succeed), and more companies are looking to either full, or hybrid, cloud for their workloads.
Extreme care needs to be taken to secure the environment you’re moving to, in order to protect against any incursions into your network or data loss. Both of these are extremely damaging to companies, and some companies have closed their doors after significant data loss. Reputational loss is another aspect that some companies don’t always recover from.
So where do you start? While this article isn’t going to go in-depth into exactly how to accomplish this, it’s going to point you in the right direction to start discussions around this.
At the very start, make sure you have a secure connection to the cloud platform from your data center. Most cloud providers allow some form of secure connection via a VPN tunnel or a direct connection. A VPN tunnel lets you land your connection on a device (virtual, or physical in some cases) and make use of Internet bandwidth to connect between onsite and the cloud. Traffic is encrypted, meaning all data transfers are protected. A direct connection will cost more, as it means colocation costs to host a router (or two) in a “meet me” room of sorts in your cloud provider’s data center, plus a cable run from those devices to the cloud provider’s routers. This could allow a faster connection between the cloud and the router, which is located closer to the infrastructure, but at added cost and complexity, and with a possible lack of management control over the router if it is supplied by an ISP.
Both options allow higher levels of security and redundancy if you choose to access the cloud through multiple connections.
Locking down the cloud management platform (CMP) is also a definite requirement. The old saying that “too many cooks spoil the broth” is relevant here, and any users who do not need access to the CMP should not be given logins. Bear in mind that an administrator on a cloud platform can do what they want when it comes to firewalls, VMs and networks; you don’t want an inexperienced administrator poking around with settings they shouldn’t be touching. Consider, though, that most CMPs have very granular levels of security that can be applied, and it will be possible to give certain users access to very specific layers of the cloud, be it networking, VMs, etc. If you’re able to integrate the CMP with Active Directory, it allows Single Sign-On and easier management of authentication and credentials.
Close any ports on the firewall that are not needed on the cloud platform. You would do this in your on-site environment, and the same should be done in the cloud. Public cloud providers should allow you to access certain elements when configuring the firewall allocated to you, so do the necessary due diligence and lock the firewall down.
Some cloud providers allow you to use their Internet breakout, usually at a cost. If this isn’t needed, make sure you block it on your cloud firewall, or at the very least verify that opening Internet Explorer on a VM does not reach the Internet. Also, when deploying VMs, some providers insert their gateway by default as the default gateway in the VM’s networking settings, which could also allow the VM to access the Internet, so make sure this isn’t the case.
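As an added example (not part of the original article, and not tied to any provider’s API), the following Python script applies the two checks above to a constructed, assumed representation of cloud firewall rules and VM route tables: it flags inbound rules that expose ports to the whole Internet beyond an allow-list, and VMs whose default route still points at the provider’s Internet breakout.

```python
from ipaddress import ip_network

ANYWHERE = ip_network("0.0.0.0/0")

# Constructed sample rules (assumed shape: direction, action, source CIDR, port range).
# In this example only 443 is meant to be reachable from the Internet.
REQUIRED_INBOUND = {443}
SAMPLE_RULES = [
    {"name": "web", "direction": "inbound", "action": "allow", "source": "0.0.0.0/0", "ports": (443, 443)},
    {"name": "rdp-open", "direction": "inbound", "action": "allow", "source": "0.0.0.0/0", "ports": (3389, 3389)},
    {"name": "mgmt-vpn", "direction": "inbound", "action": "allow", "source": "10.20.0.0/16", "ports": (22, 22)},
    {"name": "legacy", "direction": "inbound", "action": "allow", "source": "0.0.0.0/0", "ports": (1, 1024)},
]
# Constructed sample VM route tables (assumed shape: destination CIDR, next-hop type).
SAMPLE_ROUTES = {
    "app-vm-01": [("0.0.0.0/0", "vpn-tunnel"), ("10.0.0.0/8", "local")],
    "app-vm-02": [("0.0.0.0/0", "provider-internet-gateway")],
}

def exposed_ports(rules, required=REQUIRED_INBOUND):
    """Rules that allow inbound traffic from any source on ports outside the allow-list.

    Returns (rule name, lowest extra port, highest extra port) per offending rule."""
    findings = []
    for rule in rules:
        if rule["direction"] != "inbound" or rule["action"] != "allow":
            continue
        if ip_network(rule["source"]) != ANYWHERE:
            continue  # restricted source (e.g. the VPN range): acceptable for this check
        low, high = rule["ports"]
        extra = sorted(set(range(low, high + 1)) - required)
        if extra:
            findings.append((rule["name"], extra[0], extra[-1]))
    return findings

def vms_with_internet_default_route(routes, igw="provider-internet-gateway"):
    """VMs whose default route (0.0.0.0/0) points at the provider's Internet breakout."""
    return sorted(vm for vm, table in routes.items()
                  if any(ip_network(dst) == ANYWHERE and hop == igw for dst, hop in table))

if __name__ == "__main__":
    for name, low, high in exposed_ports(SAMPLE_RULES):
        print(f"rule {name!r} exposes ports {low}-{high} to the Internet")
    for vm in vms_with_internet_default_route(SAMPLE_ROUTES):
        print(f"{vm}: default gateway is the provider Internet breakout")
```

On the sample data this reports the open RDP rule, the wide legacy range, and app-vm-02's default route, while the VPN-restricted management rule passes.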
The above are useful as a start to locking down your cloud platform. For any software or appliances required for this, don’t forget to check out the offerings that Symantec have.