Securing the cloud using PaaS services

    I've been asked several times as to what are the building blocks to build a secure cloud solution. In my last 2017 blog I revisit the paper I wrote a while back called "13 Effective Security Controls for ISO 27001 Compliance" and reconsider the 13 security measure that help meet compliance controls.


    One important update for this blog over the paper, is that I will not look at IaaS services a whole lot. Protecting a OS or VM has been done to death.   IMHO organizations need to get out of the business of managing the health of OS's/VM's and WebServices.  Moving to Containers with an orchestration engines such as Kubernetes, or Platform such as provided by Azure, or AWS is one of the best long term security investments. No more AV, Patching, or Host services maintenance…  The process is to get most companies away from the IT business, and into their core competency with a High tech offering that provide a capability on demand. Moving away from VM's however does not eliminate the need for a security minded approach. This blog will look at the essentials that span all cloud solutions in any model.

    Here's the list of security essentials for all cloud solutions:


    1. Design with security in mind. As you start to build a new cloud solution remember that it's not enough to have a refence architecture for your design, but also consider building  a threat model. Get the threat modeling tool here, and the sample PaaS Threat Model from the 'Azure Blueprint Automation: Financial Services Blueprint for Regulated Workloads'  solution.
    2. Have a simple data classification model ready as you design your solution, it will influence your authorization, and encryption methods.
    3. From your design it's also essential you maintain an inventory of your services you enable. Know what you have and why. Delete any resources or services you don't need. This is both a security risk, and it will save you money.
    4. Set up a strategy to manage your god account. Azure subscription's 'global admin', and  AWS 'admin account' (sometimes called a root) is provided god access to the services when you start your subscriptions. Correctly protecting the account, setting up users with roles that are limited should be the first step you consider. The AZsdk provides guidance to provision your subscription in azure correctly. And here you will find some good guidance on protecting your AWS subscription.
    5. Address correct authorization - A strong password is needed at a minimum but these multi factor auth. is recommended. MFA can be implemented as a token, or call back used by most MSP's today. Azure MFA and AWS MFA setup.
    6. Authorize the correct users to have access to resource they need.  Setting up correct authorization requires attention to what you build, and who has access to what capabilities within it.  RBAC is essential for all solutions, For instance if you enable a web service - ensure the right users have access it to create, change, and delete information. Azure provides Azure Active Directory based RBAC, while AWS provides group based RBAC in their Cognito groups…  A key difference between Azure, and AWS is that  Azure  AADS  provides multiple capabilities in its domain control capabilities.
    7. When using a IaaS based solution some additional security capabilities are required. I won't dive into these issues for this blog, but outline items you need to address.
      1. AV/AM solution
      2. Patch management
      3. Service management (EG Web service, PHP service, SQL, Active Directory (or other directory service)… and the list goes on…. Best reduce this list of expertise using PaaS!)
    8. Have a token or certificate model that allows you to implement encryption both a rest, and in transit. Using a key and token solution such as Azure Key Vault and AWS KMS service makes your design a bit more complex, but the result is that tokens will ensure all services are secured correctly.
    9. Encrypt at rest but use a token. Remember the data is what needs to be protected this will require a understanding of the storage solution, this includes integration of the keying solution.
    10. Encrypt in transit, enable encryption from client to service, and to the stores. No link should be in clear.
    11. Log the hell out of your solution. Like with encryption you should be able to know who did what to what. Keep in mind that the solution you build should not violate your legitimate users rights. Make sure you keep inside of GDPR (eg don't collect sensitive data unless you need it)… if you implemented steps 5-6-7-8-9-10 your set!.
    12. Test your solution for vulns. Testing is essential, and best bet is to address the risks outlined by the  OWASP top 10 risks. https://www.owasp.org/index.php/OWASP_Top_Ten_Cheat_Sheet
    13. Review and validate your design to see if you have addressed your security risks you outlined in your threat model. This is the time to validate your security testing results, check your vnet configurations, ingress and egress points, port access, and review your logs to ensure that the testing you did in step 12 was detected!.

    That's it - 13 smart security essentials anyone should be able to implement.














Comments

Post a Comment

Popular posts from this blog

Protecting sensitive data

Image
Last month I wrote an article on key things to consider when protecting high valued assets or sensitive data. The article called Security Tip of the Month: Protecting Highly Sensitive Information addressed some of the key items that organizations should consider when protecting data that has the possible impact on an organization that is irreparable. As my article stated the cost of protecting this data tends to be higher than most data. Fact is that this data is not traditionally just sensitive such as credit card data, or HR data. Key indicators of what is High Value Data can be summed up like this. Assets that are considered to be of high value will frequently have the potential to cause the following conditions if they are lost or divulged: •        Loss of life - such as an informant list •        Regulatory fines - such as financial performance data •        Significant damage to the business - such as code signing and encryption keys (private) or trade secrets
Read more

Secure workstation - Root of trust to manage the cloud

Image
Two months ago I introduced the Azure secure workstation, and I’ve had the privilege to present the ideal to some great audiences. From the discussions, a common question I’ve been asked is a pattern that would provide the Secured PAW model lock down scenario to exclusively manage an Azure Portal (EG how to I assure only secured workstation, and users assigned to the program can manage my cloud services)? In this article I’ll provide the NEXT step to accomplish exactly that outcome. This includes additional configurations that I only lightly covered, or net new technology to apply since the publishing of the doc. Proposed outcome “ How do I” Use a Secured workstation (that I can trust) to manage my Azure cloud. Here’s how I would deploy the solution. First I will start by deploying the Secured Workstation model this using the secured profile. New technology, and capabilities to add: Hardware root of trust – in our solution we post the idea that you can
Read more

Why is privileged access important?

Image
Last year about this time I had published updates to the Azure Secure Workstation that was originally released two years ago. And This month the solution has been considerably rewritten and revised to provide a better more complete management for privileged access!  Collaborating with two great security experts James Noyce, and Mark Simos The content got a massive overhaul, and a broad perspective on what it takes to build and manage a comprehensive privileged access solution, including account management, device management, intermediaries such as VPN's and interfaces such as Web and Cloud services. Additionally, the solution was uniformly designed with three distinct security levels that anyone reading the article can deploy from a more flexible Enterprise security, to a comprehensive isolated PAW or privileged Access Management. Over the past two years I've been working to explain and illustrate how you can use a cloud-based solution to build an effective Zero tr
Read more