Deperimeterized with Security in mind - Part 3
In part 3 of my moving-to-the-cloud recommendations, I address a new taxonomy for securing your cloud-based network, or service-oriented architecture (SOA).
As companies embrace the cloud and BYOD, they are also embarking on a journey where traditional IT security and compliance measures will not work as effectively. Security and compliance require effective people, process and technology solutions. A cloud-based architecture requires a new set of security processes and technologies.
The new strategy starts with your network design architecture, which outlines how you identify your hosts and perimeter points. Network and port scanners are no longer enough to enumerate your network devices. Traditional network diagrams do not provide enough detail to outline the boundaries of your network. More detailed data flow diagrams (DFDs) that focus on application-layer design are needed in a cloud-only service model.
The design can be complex but is worth the effort. I'd recommend looking at this great tutorial on how to create a DFD design. I'd also recommend reading my good friend Dan Griffin's blog on the topic, Cloud Security: Safely Sharing IT Solutions.
Next is to find new technical risk mitigations that are service-oriented. Traditional technology such as firewalls, intrusion detection, and other perimeter protection solutions are not as effective. In this security model, newer methodologies such as Software Defined Perimeter (SDP) need to be considered. SDP provides a solution that "mitigates the most common network-based attacks, including: server scanning, denial of service, SQL injection, OS & application vulnerability exploits, man-in-the-middle, cross-site scripting (XSS), cross-site request forgery (CSRF), pass-the-hash, pass-the-ticket, and other attacks by unauthorized users", as outlined by the Cloud Security Alliance's SDP initiative. In an SDP model, "application owners have the ability to deploy perimeters that retain the traditional model's value of invisibility and inaccessibility to outsiders".
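To make the "invisibility and inaccessibility to outsiders" property concrete, here is a toy model I've added (not code from the Cloud Security Alliance or any SDP product): a default-deny gateway that silently drops every packet until a controller, having checked both the user's policy and the device, grants that source access to that service. The class names, IP addresses and user/device identifiers are constructed for the example.

```python
import time

DROP, ACCEPT = "drop", "accept"   # DROP is silent: no RST, no ICMP, nothing to fingerprint


class SdpGateway:
    """Fronts a protected service. Every packet is dropped unless the controller
    has already granted that source address access to that service."""

    def __init__(self):
        self._grants = {}             # (src_ip, service) -> expiry (epoch seconds)

    def permit(self, src_ip, service, ttl, now=None):
        now = time.time() if now is None else now
        self._grants[(src_ip, service)] = now + ttl

    def handle(self, src_ip, service, now=None):
        now = time.time() if now is None else now
        expiry = self._grants.get((src_ip, service))
        if expiry is None or now > expiry:
            self._grants.pop((src_ip, service), None)   # expired grants are purged
            return DROP               # an outsider cannot tell the host exists
        return ACCEPT


class SdpController:
    """Authenticates the user and checks the device before opening any path."""

    def __init__(self, gateway, policy, trusted_devices):
        self.gateway = gateway
        self.policy = policy          # user -> set of services that user may reach
        self.trusted = trusted_devices

    def connect(self, user, device_id, src_ip, service, ttl=300, now=None):
        # Identity AND device posture must both pass; only then is the gateway told.
        if device_id not in self.trusted or service not in self.policy.get(user, set()):
            return False
        self.gateway.permit(src_ip, service, ttl, now)
        return True


def demo(now=1_000_000):
    """Constructed scenario: a scanner, an authorised user, a lapsed grant, a rogue device."""
    gw = SdpGateway()
    ctrl = SdpController(gw, {"alice": {"crm"}}, {"laptop-42"})
    scanner = gw.handle("203.0.113.9", "crm", now)                 # unknown source
    ctrl.connect("alice", "laptop-42", "198.51.100.7", "crm", 300, now)
    alice = gw.handle("198.51.100.7", "crm", now + 10)
    stale = gw.handle("198.51.100.7", "crm", now + 600)            # grant has lapsed
    bad_dev = ctrl.connect("alice", "unknown-phone", "198.51.100.8", "crm", 300, now)
    return {"scanner": scanner, "alice": alice, "stale": stale, "untrusted_device": bad_dev}
```

The point to notice is that the scanner and the user with a lapsed grant get the same silent DROP, so the service cannot be discovered or fingerprinted before authentication.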
Besides using SDP, I would include looking at security solutions that can help manage your virtual cloud security perimeter. These include the use of cloud-based proxies or cloud access security brokers (CASB).
Cloud proxies are exactly what they sound like: they provide a proxy solution that routes and encrypts traffic from clients to cloud hosts. Providers in this category include Vaultive, Centrify, Blue Coat, and many more.
A new, emerging set of cloud-based security as a service (SecaaS) solutions worth a look is the cloud access security broker (CASB) space. This category of security solutions provides security policy enforcement points placed between your users and cloud service providers, much like proxy providers, and they also provide enforceable security policies. Some of these solutions provide MDM-style services as well in their product lines. Products in the CASB market include Netskope, Perspecsys, Skyhigh, and Elastica, for instance. All of these service providers provide a means to manage, secure and log transactions to corporately managed cloud-based services, reducing risk and enhancing security posture.
And that's it … for now! Three simple steps: classify your data, protect your BYOD environment, and create a cloud-based (service-based) perimeter of security solutions.
With these tips I think it's possible to move over to a cloud-only service model and trust that you have a level of control and security for your company as good as an on-premise offering.
Your thoughts and opinions are important; if you think this design is sound or has flaws, please let me know…
Next blog -
In the future I'll look closer at the compliance implications of this new model, as well as how 'personal cloud' and tools such as TOR make cloud security remarkably difficult and more complex.