Cloud : Agility vs Security
Networking devices on the edges have become smarter over time. So have the firewalls and switches used internally within the networks. Whether we like it or not, web applications over time have grown to depend on them.
Its impossible to build a flawless product because of which its standard practice to disable all unused services on a server. Most organizations today try to follow the n-tier approach to create different logical security zones with the core asset inside the most secure zone. The objective is to make it difficult for an attacker to get to the core asset without breaching multiple sets of firewalls.
Doing frequent system patches, auditing file system permissions and setting up intrusion detection (host or network based) are some of the other mundane ways of keeping web applications safe from attacks.
Though cloud has made deployment of on-demand infrastructure simpler, its hard to build a walled garden around customers cluster of servers on the cloud in an efficient way anymore. And the absence of such walled gardens and logical security zones means there are more points of entry into the infrastructure which could be exploited. If you replace 10 powerful internal servers with 100 small servers on the cloud, all of a sudden you might have to worry about protecting 100 individual servers instead of protecting a couple of edge devices. In a worst case scenario, one week server in the cluster could expose the entire cluster to an attacker. Here are a few other things to think about...
- Host based firewalls should allow only traffic which are required/expected
- Non-essential services should be shut off on the server
- Some kind of Intrusion detection might be important to have
- Keys/passwords should be changed periodically
- System patches (update OS image) need to be applied periodically
- Authenticate/Authorize all inter-server communication
- Maintain audit trail for all changes to images/servers if possible
An organization which is completely on the cloud may not have an IT department in its current form, but it might still have an operations team which makes the security policies, updates OS images, manages billing, monitors system health (and IDS) and trains developers to do the things in the right way.
If your infrastructure is on the cloud, do write back with a note about what you do to protect your applications.
Image source: AMagill