In our recent Pulse video, we discussed the prescriptive approach iVision takes when developing a cloud security strategy. Throughout this blog series, we are breaking down this approach by covering each area individually: infrastructure, network, applications and data. In this blog, we’ll be highlighting securing your cloud network.
With the continual increase (and publicity) of data breaches and security compromises, it has become evident that the perimeter-focused, walled-castle approach to network security is no longer sufficient. Even knowing this, finding the opportunity to act on it and pivot an organization's security strategy can be a daunting challenge in itself. At iVision we have found that as organizations adopt the public cloud to augment or replace their existing environments, the flexibility of cloud network services presents an opportunity to redefine a network security strategy in a low-risk way: the new environment can be built to the new model from the start instead of retrofitting the old one. By coupling established security practices with modern strategies (such as Zero Trust), iVision partners with organizations to implement cloud network security in depth. Below are some key practices iVision leverages to help our customers secure their cloud network:
- We apply layers of segmentation and control lateral movement
- We enable rich visibility of your network
- We design for least privilege connectivity and resilient defense
We will take a quick dive into each of these principles, to shed some light and share some recommendations.
Apply Layers of Segmentation & Control Lateral Movement
It might sound wonderful to live in a world where network segmentation isn't a constant challenge when deploying new services and all of the security burden is shifted to the application. However, for many organizations this would require an unrealistic, herculean effort of application modernization and may not be the right path. Not only is network segmentation a requirement of various compliance standards, it is another opportunity, another layer, to introduce more security. By controlling and limiting lateral movement, network segmentation reduces the blast radius of an attack and can confine bad actors. This prevents vulnerabilities in less critical systems from acting as a front door for intruders to reach your Protect Surface (your most critical and sensitive applications and data) or even your entire environment. iVision recommends applying the following components to segment your cloud network:
- VPCs & VNets – iVision recommends using these constructs to isolate cloud resources from each other when the workload is independent. This approach can significantly simplify network security segmentation for cloud resources, but it can also add complexity (peering, transit routing, duplicated shared services) if that independence deteriorates. Though the use of this method is often case by case (depending on factors such as IT estate size), iVision recommends using this approach on any workloads that fall under regulatory compliance. This can reduce the audit scope and simplify the measures needed to meet compliance requirements.
- Subnets & Route Tables – iVision recommends that subnets be used to segment applications and workloads based on each component's function and security level (for example, web, application and database tiers in separate subnets). It's hard to reach something if it is not routable.
- Network Access Control Lists & Network Security Groups Applied to Subnets – iVision recommends using these to drive segmentation at the subnet level (for example, denying ranges of IPs and certain protocols/ports), while relying on the stateful cloud service firewalls (discussed below) to handle the granular rules.
Enable Rich Visibility of Your Network
Regardless of your cloud platform and past network monitoring practice, iVision recommends enabling network Flow Logs along with any logs generated by the native firewall services or virtual appliances in use. These logs should be aggregated and consumed by a SIEM or similar solution to provide visualization, reporting, and an audit trail. iVision has found these logs helpful for the following use cases:
- Confirming network segmentation is effective
- Monitoring of port scanning, data exfiltration, and other nefarious activities
- Utilizing the data as input for IDS or other existing security tools to gain a single pane of glass to your network security
- Implementing a slew of operational use cases that merit a dedicated focus in the future
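The first two use cases above can be turned into concrete checks. The following is an added example, not code from the post or from iVision: it parses the default AWS VPC Flow Log record format (version, account-id, interface-id, srcaddr, dstaddr, srcport, dstport, protocol, packets, bytes, start, end, action, log-status) and runs two detections over a handful of constructed log lines. The three-subnet layout, the allowed-flow policy and the sample traffic are assumptions chosen for the illustration; the port-scan threshold is arbitrary.

```python
import ipaddress
from collections import defaultdict

# Field order of the default AWS VPC Flow Log record (version 2).
FIELDS = ["version", "account_id", "interface_id", "srcaddr", "dstaddr",
          "srcport", "dstport", "protocol", "packets", "bytes",
          "start", "end", "action", "log_status"]
INT_FIELDS = {"srcport", "dstport", "protocol", "packets", "bytes", "start", "end"}

# Hypothetical segmentation design (assumption, not from the post): three
# subnets and the only cross-subnet flows that should ever be ACCEPTed.
SEGMENTS = {
    "web": ipaddress.ip_network("10.0.1.0/24"),
    "app": ipaddress.ip_network("10.0.2.0/24"),
    "db":  ipaddress.ip_network("10.0.3.0/24"),
}
ALLOWED_FLOWS = {("web", "app"): {8080}, ("app", "db"): {5432}}


def parse_record(line):
    """Parse one space-separated flow log line; '-' fields become None."""
    values = line.split()
    if len(values) != len(FIELDS):
        raise ValueError(f"unexpected field count: {line!r}")
    rec = dict(zip(FIELDS, values))
    for f in INT_FIELDS:
        rec[f] = None if rec[f] == "-" else int(rec[f])
    return rec


def segment_of(addr):
    """Map an address to its segment name, or 'external' if it is in none."""
    ip = ipaddress.ip_address(addr)
    for name, net in SEGMENTS.items():
        if ip in net:
            return name
    return "external"


def segmentation_violations(records):
    """ACCEPTed cross-segment flows the policy does not permit.

    Any hit means the NACL/security-group rules are not enforcing the design.
    """
    hits = []
    for r in records:
        if r["log_status"] != "OK" or r["action"] != "ACCEPT":
            continue
        src, dst = segment_of(r["srcaddr"]), segment_of(r["dstaddr"])
        if src == dst:
            continue  # intra-segment traffic is out of scope for this check
        if r["dstport"] not in ALLOWED_FLOWS.get((src, dst), set()):
            hits.append((r["srcaddr"], r["dstaddr"], r["dstport"]))
    return hits


def port_scanners(records, threshold=10):
    """Sources whose REJECTed flows touch at least `threshold` distinct ports."""
    ports = defaultdict(set)
    for r in records:
        if r["log_status"] == "OK" and r["action"] == "REJECT" and r["dstport"] is not None:
            ports[r["srcaddr"]].add(r["dstport"])
    return {src: len(p) for src, p in ports.items() if len(p) >= threshold}


# Constructed sample log lines (not real traffic): one allowed web->app flow,
# one allowed app->db flow, one web->db flow that should never be accepted,
# a NODATA record, and a source probing twelve ports that were all rejected.
SAMPLE_LINES = [
    "2 123456789012 eni-0a1b2c3d 10.0.1.10 10.0.2.20 43210 8080 6 10 840 1600000000 1600000060 ACCEPT OK",
    "2 123456789012 eni-0a1b2c3d 10.0.2.20 10.0.3.30 51000 5432 6 20 1600 1600000000 1600000060 ACCEPT OK",
    "2 123456789012 eni-0a1b2c3d 10.0.1.10 10.0.3.30 43211 5432 6 5 400 1600000000 1600000060 ACCEPT OK",
    "2 123456789012 eni-0a1b2c3d - - - - - - - 1600000000 1600000060 - NODATA",
] + [
    f"2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.1.10 {55000 + p} {p} 6 1 40 1600000000 1600000060 REJECT OK"
    for p in range(20, 32)
]
RECORDS = [parse_record(line) for line in SAMPLE_LINES]

if __name__ == "__main__":
    print("segmentation violations:", segmentation_violations(RECORDS))
    print("port scanners:", port_scanners(RECORDS))
```

In a SIEM the same two queries are typically expressed as saved searches over the ingested flow records; the point here is that an unexpected ACCEPT between segments is a stronger signal than any amount of REJECT noise, because it proves a control is missing rather than that one is working.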
iVision recommends leveraging flexible and highly durable native cloud object storage services to aggregate and store these logs. This avoids unneeded data egress costs in situations where it is decided to export only a subset of the data to an external solution. iVision also recommends enabling object versioning to guard against accidental or malicious deletion and to maintain past records for audit and forensic purposes. Access to this storage should follow a least privilege approach, and in particular the identities that write logs should not be the ones that can delete them. Lastly, to save cost, iVision recommends leveraging lifecycle management policies for archival or deletion, in line with retention requirements.
Design for Least Privilege Connectivity & Resilient Defense
At its core, this principle is as simple as constructing rules for the expected ingress traffic using stateful controls, with everything else denied by default. Pardon me, would you happen to have a mechanism to make this a reality, you may ask? But of course, and it's not a jar of mustard, but rather the wonderful cloud security group! The cloud service provider native firewall services, often referred to as security groups or network and application security groups, are an ideal means to put this principle into action. These native firewall services allow metadata (group membership, tags, service identities) to be used in defining firewall rule sources and targets, rather than only source and target IP addresses. A rule that says "anything in the web group may reach the app group on port 8080" keeps working when instances are replaced and their addresses change. This makes it far easier to stop the horrible habit of treating infrastructure as snowflakes and the IP addresses captured in firewall rules as holy commandments chiseled into stone.
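The difference between membership-based and address-based rules is easiest to see in a model. The following is an added example, not code from the post or from any provider's SDK: it evaluates a tiny security-group ruleset against a set of instances, then replaces one instance (as an immutable-infrastructure deployment would) and shows that the group-based rule still permits the intended flow while an equivalent address-based rule silently stops matching. Instance names, addresses, group names and ports are all assumptions made for the illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Instance:
    name: str
    ip: str
    groups: frozenset  # security groups the instance belongs to


@dataclass(frozen=True)
class GroupRule:
    """Allow src_group -> dst_group on one TCP port. Sources/targets are
    group memberships, not addresses (a simplified model of native
    security-group rules, assumed here for illustration)."""
    src_group: str
    dst_group: str
    port: int


def find_instance(instances, ip):
    return next((i for i in instances if i.ip == ip), None)


def allowed_by_groups(rules, instances, src_ip, dst_ip, port):
    """Default deny: a flow is allowed only if some rule matches both sides'
    group membership and the port."""
    src, dst = find_instance(instances, src_ip), find_instance(instances, dst_ip)
    if src is None or dst is None:
        return False
    return any(r.src_group in src.groups and r.dst_group in dst.groups and r.port == port
               for r in rules)


def allowed_by_addresses(ip_rules, src_ip, dst_ip, port):
    """The 'snowflake' alternative: a set of (src_ip, dst_ip, port) tuples."""
    return (src_ip, dst_ip, port) in ip_rules


def replace_instance(instances, name, new_ip):
    """Simulate redeploying an instance: same role and groups, new address."""
    return frozenset(
        Instance(i.name, new_ip, i.groups) if i.name == name else i
        for i in instances
    )


# Constructed environment (assumption): one web and one app instance.
INSTANCES = frozenset({
    Instance("web-1", "10.0.1.10", frozenset({"web"})),
    Instance("app-1", "10.0.2.20", frozenset({"app"})),
    Instance("db-1", "10.0.3.30", frozenset({"db"})),
})
GROUP_RULES = (GroupRule("web", "app", 8080), GroupRule("app", "db", 5432))
IP_RULES = {("10.0.1.10", "10.0.2.20", 8080), ("10.0.2.20", "10.0.3.30", 5432)}


def after_redeploy():
    """Redeploy web-1 with a fresh address and evaluate the same flow both ways.

    Returns (group_rule_result, ip_rule_result) for the new web-1 -> app-1:8080 flow.
    """
    redeployed = replace_instance(INSTANCES, "web-1", "10.0.1.57")
    return (
        allowed_by_groups(GROUP_RULES, redeployed, "10.0.1.57", "10.0.2.20", 8080),
        allowed_by_addresses(IP_RULES, "10.0.1.57", "10.0.2.20", 8080),
    )


if __name__ == "__main__":
    print("web->app 8080 before redeploy:",
          allowed_by_groups(GROUP_RULES, INSTANCES, "10.0.1.10", "10.0.2.20", 8080))
    print("web->db 5432 (should be denied):",
          allowed_by_groups(GROUP_RULES, INSTANCES, "10.0.1.10", "10.0.3.30", 5432))
    print("(group rule, ip rule) after redeploy:", after_redeploy())
```

The failure mode worth noticing is the second element of `after_redeploy()`: the address-based rule does not raise an error, it just stops matching, and the usual operational fix is to widen it to a whole range, which is how least privilege erodes over time. Membership-based rules remove the incentive to do that.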
In cases where an immutable infrastructure strategy cannot be leveraged for updates (so running instances must reach package repositories or other external endpoints) and a means of outbound connectivity is required, iVision recommends using the cloud native NAT services. These provide outbound-only connectivity, so they do not expose instances to unsolicited inbound traffic, and they are highly resilient and reduce the operational footprint and overhead compared with self-managed NAT instances, thus reducing the risk of introducing potential vulnerabilities and minimizing the attack surface. I have yet to dive into the vastness of Ingress Protection and Hybrid Connectivity, but I think that's best saved for its own independent discussion in the future.
Our Cloud Architects and Engineers at iVision help organizations secure their cloud network using the above practices and more. For further information, read more about our cloud and security offerings or contact us directly. Also, check back for the rest of this series in the coming weeks where we will cover new areas of focus and dive deeper into the topics we have already discussed!