Even though the public cloud has become a commonplace concept in today’s tech world, many companies in a variety of industries remain slow to leverage its advantages. One commonly cited reason for this is that even for experienced IT experts, the transition to and adoption of cloud technologies can be daunting. While the main building blocks of the public cloud (network, storage and compute) are similar to those required by on-premises services, the way these building blocks are used in cloud-native software development is quite different.
In the public cloud, the way the security responsibility is split between the customer and the provider is often not obvious to first-time users. In a nutshell, the security of the infrastructure (data centers, hardware, network, and facilities) is the responsibility of the cloud provider, while the security of the services that the customer is running on top of the cloud provider is the customer’s responsibility. However, the line becomes a bit blurry when it comes to the managed services offered by the cloud provider (e.g., database-as-a-service or storage-as-a-service). In these cases, the customer’s responsibility while using those services is to make sure they are properly configured and used according to best practices and recommendations.
To enable transparency and build trust, cloud providers have participated in multiple well-known global compliance programs such as ISO 27001, FIPS, PCI DSS and HIPAA. While this doesn’t mean you automatically comply with those programs by simply using the cloud provider’s product, it does mean the provider can help you meet those requirements with less effort.
Networks in the public cloud follow the same principles as networks in a traditional data center. However, one significant difference is that public cloud networks are fully software-defined networks (SDNs), which is to say that all network components, including subnets and routers, can be created, managed, and deleted via an API call.
A VPC (Virtual Private Cloud) is the network component of the public cloud that is best described as a network namespace for your resources. A VPC lets you define a perimeter that isolates, at the network level, a set of resources from other resources and from the outside world. Within a VPC you define one or more subnets (public or private) for your resources to use; in AWS, a subnet is public when its route table sends internet-bound traffic to an internet gateway, and private otherwise.
It is important to understand the specifications and limitations of the public cloud provider when doing network planning. In AWS, a VPC can only be associated with a specific region. And, a given subnet created inside that VPC needs to be associated with one Availability Zone within the VPC Region.
What about firewalls? In AWS, the firewall concept exists in two complementary forms: network ACLs and security groups.
A network ACL (NACL) is attached to a subnet and filters all traffic entering or leaving it. NACLs are stateless: a reply packet is evaluated against the rules for its own direction, so an outbound rule that allows port 443 does not by itself let the responses to an inbound HTTPS connection leave the subnet; the ephemeral port range used by clients must be allowed as well. NACL rules are numbered, evaluated from the lowest number up, and the first match wins; they can explicitly allow or deny, and every NACL ends with an implicit deny. Security groups are attached to an instance's network interface, are stateful (a reply to a permitted connection is always allowed) and contain allow rules only, so they cannot express a block list. In practice the NACL carries a coarse, subnet-wide policy, including any explicit denies, and the security group carries the per-instance allow list.
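The difference between a stateless NACL and a stateful security group is easiest to see by pushing the same packets through both. The following is an added example, not code from the original article or from AWS: it models the two evaluation algorithms in plain Python (first-match-by-rule-number with an implicit deny for the NACL; connection tracking plus allow-only rules for the security group). The server 10.0.1.10, the client 203.0.113.5 and the blocked range 198.51.100.0/24 are constructed addresses for the scenario, and the rules are the ones a web server subnet would typically get.

```python
"""Stateless NACL vs stateful security group, modelled as rule evaluators (added example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


@dataclass(frozen=True)
class Rule:
    cidr: str
    port_from: int
    port_to: int
    action: str = "allow"   # NACL rules may be "deny"; security group rules are allow-only
    number: int = 100       # NACL rule number: evaluated lowest first, first match wins
    proto: str = "tcp"      # "all" matches any protocol

    def matches(self, addr: str, port: int, proto: str) -> bool:
        return (self.proto in ("all", proto)
                and ip_address(addr) in ip_network(self.cidr)
                and self.port_from <= port <= self.port_to)


class NetworkAcl:
    """Subnet-level and stateless: every packet, replies included, is judged on its own."""

    def __init__(self, inbound, outbound):
        self.inbound = sorted(inbound, key=lambda r: r.number)
        self.outbound = sorted(outbound, key=lambda r: r.number)

    @staticmethod
    def _evaluate(rules, addr, port, proto) -> bool:
        for rule in rules:                      # ascending rule number, first match decides
            if rule.matches(addr, port, proto):
                return rule.action == "allow"
        return False                            # the implicit '*' deny at the end of every NACL

    def allows_inbound(self, p: Packet) -> bool:   # inbound rules: source CIDR, destination port
        return self._evaluate(self.inbound, p.src, p.dport, p.proto)

    def allows_outbound(self, p: Packet) -> bool:  # outbound rules: destination CIDR and port
        return self._evaluate(self.outbound, p.dst, p.dport, p.proto)


class SecurityGroup:
    """Instance-level, stateful and allow-only: a reply to a permitted flow always passes."""

    def __init__(self, inbound, outbound):
        self.inbound, self.outbound = list(inbound), list(outbound)
        self._flows = set()     # tracked connections: (local_ip, local_port, remote_ip, remote_port, proto)

    def allows_inbound(self, p: Packet) -> bool:
        flow = (p.dst, p.dport, p.src, p.sport, p.proto)
        if flow in self._flows or any(r.matches(p.src, p.dport, p.proto) for r in self.inbound):
            self._flows.add(flow)
            return True
        return False

    def allows_outbound(self, p: Packet) -> bool:
        flow = (p.src, p.sport, p.dst, p.dport, p.proto)
        if flow in self._flows or any(r.matches(p.dst, p.dport, p.proto) for r in self.outbound):
            self._flows.add(flow)
            return True
        return False


def demo() -> dict:
    """Constructed scenario (hypothetical addresses): a web server 10.0.1.10 behind both controls."""
    request = Packet("203.0.113.5", 51000, "10.0.1.10", 443)    # client -> server
    reply = Packet("10.0.1.10", 443, "203.0.113.5", 51000)      # server -> client, ephemeral dport
    blocked = Packet("198.51.100.7", 40000, "10.0.1.10", 443)   # source we want to keep out

    # No outbound rules at all: the reply still passes because the group tracks the connection.
    sg = SecurityGroup(inbound=[Rule("0.0.0.0/0", 443, 443)], outbound=[])

    # Common mistake: only 443 allowed out, so replies to the client's ephemeral port are dropped.
    nacl_bad = NetworkAcl(inbound=[Rule("0.0.0.0/0", 443, 443, number=100)],
                          outbound=[Rule("0.0.0.0/0", 443, 443, number=100)])
    # Fix: allow the ephemeral range outbound; a low-numbered deny blocks one CIDR ahead of the allow.
    nacl_good = NetworkAcl(
        inbound=[Rule("198.51.100.0/24", 0, 65535, action="deny", number=90),
                 Rule("0.0.0.0/0", 443, 443, number=100)],
        outbound=[Rule("0.0.0.0/0", 443, 443, number=100),
                  Rule("0.0.0.0/0", 1024, 65535, number=110)])

    return {
        "sg_request": sg.allows_inbound(request),               # True
        "sg_reply": sg.allows_outbound(reply),                  # True: stateful
        "sg_blocked": sg.allows_inbound(blocked),               # True: a security group cannot deny
        "nacl_bad_request": nacl_bad.allows_inbound(request),   # True
        "nacl_bad_reply": nacl_bad.allows_outbound(reply),      # False: stateless, port 51000 not allowed
        "nacl_good_reply": nacl_good.allows_outbound(reply),    # True
        "nacl_good_blocked": nacl_good.allows_inbound(blocked), # False: rule 90 deny wins over rule 100
    }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name:18} {'ALLOW' if allowed else 'DENY'}")
```

Two things to take from the run: the security group with no outbound rules still lets the server answer, because it is stateful, while the NACL with only port 443 outbound silently drops every reply (the 1024-65535 range is what AWS recommends opening for ephemeral return traffic); and the explicit deny for 198.51.100.0/24 only works in the NACL, and only because it is numbered below the allow rule.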
When hosting web applications or internet-facing APIs, you may face a Distributed Denial of Service (DDoS) attack, in which your service is overwhelmed by attacker-generated traffic and becomes unavailable to legitimate users. Each cloud provider has a service for this: Microsoft Azure has DDoS Protection and Google Cloud has Cloud Armor. In AWS, beyond the NACLs and security groups described above, the relevant services are AWS WAF and AWS Shield.
AWS WAF (web application firewall) inspects HTTP(S) requests in front of services such as CloudFront, an Application Load Balancer or API Gateway. You define web ACLs whose rules block requests by pattern (for example SQL injection or cross-site scripting signatures), by client IP reputation, or by request rate per client IP, which covers the application-layer side of DDoS as well as common web attacks. AWS Shield provides DDoS protection at the network and transport layers. Shield Standard is enabled automatically, at no additional charge, for every AWS customer.
For high-profile organizations or web services with high volumes of traffic, AWS Shield Advanced is recommended. For an additional cost, it offers enhanced detection and mitigation, cost protection against the scaling charges an attack can cause, and access to the AWS DDoS Response Team (DRT).
Having an audit log and being able to trace past events are important parts of any security strategy. In AWS, the network side of this is covered by VPC Flow Logs. Flow logs are not on by default: you enable them on a VPC, a subnet or an individual network interface, and they record metadata about each IP flow (source and destination addresses and ports, protocol, packet and byte counts, and whether the traffic was accepted or rejected by the NACL and security group rules) to CloudWatch Logs or an S3 bucket. They do not capture packet contents. The API side is covered by AWS CloudTrail, which records the AWS API calls made in an account: who called what, from where, and when. VPC Flow Logs and CloudTrail together provide the audit trail and are the raw material for monitoring network activity and spotting suspicious behaviour.
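To show what the flow log records described above look like and how they are turned into detections, here is an added example (not code from the original article or from AWS) that parses records in the default flow log format and applies two simple rules: an SSH or RDP connection accepted from outside the VPC, and a source that had connections to many distinct ports on one host rejected, which is what a port scan looks like in flow logs. The records are constructed, the account ID and interface ID are placeholders, and the VPC range 10.0.0.0/16 and the scan threshold are assumptions for the example.

```python
"""Parse VPC Flow Log records (default format) and flag two suspicious patterns (added example)."""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Field order of the default (version 2) flow log record.
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()
ADMIN_PORTS = {22: "ssh", 3389: "rdp"}
VPC_CIDR = ip_network("10.0.0.0/16")     # assumption: address range of the monitored VPC


@dataclass(frozen=True)
class FlowRecord:
    srcaddr: str
    dstaddr: str
    srcport: int
    dstport: int
    protocol: int      # IANA number: 6 = TCP, 17 = UDP
    action: str        # ACCEPT or REJECT, as decided by the NACL and security group rules


def parse_record(line: str) -> Optional[FlowRecord]:
    """Return a FlowRecord, or None for NODATA/SKIPDATA records (their traffic fields are '-')."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError(f"unexpected field count {len(parts)}: {line!r}")
    rec = dict(zip(FIELDS, parts))
    if rec["log_status"] != "OK":
        return None
    return FlowRecord(rec["srcaddr"], rec["dstaddr"], int(rec["srcport"]),
                      int(rec["dstport"]), int(rec["protocol"]), rec["action"])


def analyze(lines, scan_threshold: int = 5) -> list:
    """Run the two detections over an iterable of raw flow log lines and return findings."""
    findings = []
    rejected = defaultdict(set)   # (src, dst) -> distinct destination ports that were REJECTed
    for line in lines:
        rec = parse_record(line)
        if rec is None:
            continue
        src, dst = ip_address(rec.srcaddr), ip_address(rec.dstaddr)
        # 1. An admin port accepted a TCP connection from outside the VPC: SSH/RDP is internet-exposed.
        if (rec.action == "ACCEPT" and rec.protocol == 6 and rec.dstport in ADMIN_PORTS
                and dst in VPC_CIDR and src not in VPC_CIDR):
            findings.append({"type": "admin-port-accepted-from-internet", "src": rec.srcaddr,
                             "dst": rec.dstaddr, "service": ADMIN_PORTS[rec.dstport]})
        # 2. Collect rejected flows; one source probing many ports on one host looks like a scan.
        if rec.action == "REJECT" and dst in VPC_CIDR:
            rejected[(rec.srcaddr, rec.dstaddr)].add(rec.dstport)
    for (src, dst), ports in rejected.items():
        if len(ports) >= scan_threshold:
            findings.append({"type": "possible-port-scan", "src": src, "dst": dst,
                             "ports": sorted(ports)})
    return findings


# Constructed sample records (not real traffic). Column order as in FIELDS above.
SAMPLE_LINES = [
    "2 123456789012 eni-0a1b2c3d4e5f6a7b8 203.0.113.50 10.0.1.10 53122 443 6 12 3104 1700000000 1700000059 ACCEPT OK",
    "2 123456789012 eni-0a1b2c3d4e5f6a7b8 10.0.2.15 10.0.1.10 49210 22 6 20 4249 1700000000 1700000059 ACCEPT OK",
    "2 123456789012 eni-0a1b2c3d4e5f6a7b8 203.0.113.9 10.0.1.10 41002 22 6 18 3871 1700000000 1700000059 ACCEPT OK",
    "2 123456789012 eni-0a1b2c3d4e5f6a7b8 - - - - - - - 1700000000 1700000059 - NODATA",
] + [
    f"2 123456789012 eni-0a1b2c3d4e5f6a7b8 198.51.100.23 10.0.1.10 {40000 + i} {port} 6 1 44 "
    f"1700000000 1700000059 REJECT OK"
    for i, port in enumerate((21, 22, 23, 25, 80, 443, 3306))
]


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LINES):
        print(finding)
```

The internal SSH session from 10.0.2.15 produces no finding, while the one from 203.0.113.9 does, and the seven rejected probes from 198.51.100.23 collapse into a single port-scan finding. In a real deployment the same logic would read the S3 objects or CloudWatch log group the flow logs are delivered to; the NODATA record is included because such records appear in every capture window and will break a parser that does not expect the dash placeholders.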
Identity and Access Management (IAM)
Understanding identity and access management (IAM) is crucial for anyone developing cloud-native applications. Security-wise, IAM is one of the most important building blocks in the cloud because it allows you to define what any given component (a resource or a human) can or cannot do. This concept exists in all of the major public cloud providers (e.g., AWS IAM, Google Cloud IAM, and Azure Active Directory).
Leveraging the capabilities of your IAM service is vital to implementing a good cloud security strategy. From a human perspective, it is the service responsible for authenticating and authorizing users when they access their public cloud accounts and resources. Equally important is the ability to use IAM to define what a resource (e.g., a machine) is allowed to do. With IAM’s features, a cloud-native application can be easily developed following the principle of least privilege.
In AWS, the IAM service has three kinds of identity: users, groups and roles. Users, and the groups used to manage them in bulk, represent humans or systems outside AWS; they authenticate with long-lived credentials such as a password or an access key pair. Roles have no long-lived credentials. A role is assumed by an AWS resource (for example an EC2 instance or a Lambda function) or by a federated identity, and assuming it yields short-lived temporary credentials, which is why roles are the preferred way to let a resource reach another AWS service such as an S3 bucket instead of embedding access keys in the instance.
To any of these identities you attach policies, AWS-managed, customer-managed or inline, that describe what access is granted. A role additionally has a trust policy that states which principals (for example the EC2 service) are allowed to assume it.
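Least privilege in IAM comes down to what the policy documents say, so a practitioner wants to see a tight policy next to a loose one and a way to tell them apart mechanically. The following is an added example, not code from the original article or from AWS: it holds a least-privilege policy for an EC2 instance role that only reads one bucket, the role's trust policy, and the all-access policy that is too often attached "to make it work", and it lints a policy document for the usual over-permissions. The bucket name example-app-data is assumed, and the escalation action set is a short well-known subset, not a complete list.

```python
"""Lint IAM policy documents for common over-permissions (added example, stdlib only)."""
import json

# Least-privilege policy for an EC2 instance role that only needs to read one bucket (assumed name).
READ_ONE_BUCKET = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:ListBucket",
         "Resource": "arn:aws:s3:::example-app-data"},
        {"Effect": "Allow", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::example-app-data/*"},
    ],
}

# Trust policy for that role: only the EC2 service may assume it (this is what ties a role to an instance).
EC2_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": {"Service": "ec2.amazonaws.com"},
                   "Action": "sts:AssumeRole"}],
}

# What not to do: full access to every API on every resource.
ALL_ACCESS = {"Version": "2012-10-17",
              "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}

# Actions that let their holder reach other roles or rewrite policies when granted on Resource "*".
# A short, well-known subset; not exhaustive.
ESCALATION_ACTIONS = {"iam:PassRole", "iam:CreatePolicyVersion", "iam:SetDefaultPolicyVersion",
                      "iam:AttachRolePolicy", "iam:PutRolePolicy", "iam:UpdateAssumeRolePolicy",
                      "iam:AttachUserPolicy", "iam:CreateAccessKey"}


def _as_list(value):
    """IAM accepts a single string wherever a list is allowed; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def lint_policy(policy: dict) -> list:
    """Return human-readable findings; an empty list means no obvious over-permission."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue                                   # Deny statements only narrow access
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        if "NotAction" in stmt:
            findings.append(f"statement {i}: NotAction allows every action except those listed")
        if "NotResource" in stmt:
            findings.append(f"statement {i}: NotResource allows every resource except those listed")
        for action in actions:
            if action == "*":
                findings.append(f"statement {i}: Action '*' grants every API in every service")
            elif action.endswith(":*"):
                findings.append(f"statement {i}: Action '{action}' grants every API of that service")
        if "*" in resources and not stmt.get("Condition"):
            findings.append(f"statement {i}: Resource '*' without a Condition applies to every resource")
        for action in actions:
            if action in ESCALATION_ACTIONS and "*" in resources:
                findings.append(f"statement {i}: '{action}' on Resource '*' is a privilege-escalation path")
    return findings


def lint_policy_json(text: str) -> list:
    """Same check on a policy document as stored in IAM or in source control (JSON text)."""
    return lint_policy(json.loads(text))


if __name__ == "__main__":
    for name, policy in (("READ_ONE_BUCKET", READ_ONE_BUCKET),
                         ("EC2_TRUST_POLICY", EC2_TRUST_POLICY),
                         ("ALL_ACCESS", ALL_ACCESS)):
        print(name, lint_policy(policy) or "ok")
```

The two-statement shape of READ_ONE_BUCKET is deliberate: s3:ListBucket is evaluated against the bucket ARN and s3:GetObject against the object ARNs, so each needs its own Resource. A check like this belongs in the pipeline that deploys your policies, where a Resource "*" or an iam:PassRole on "*" should fail the build rather than be discovered during an incident.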
Holistic Security Services
There are several services within each cloud provider that offer more holistic and comprehensive views of the security of your account and services. These are out-of-the-box services that you can start leveraging right away. Often, these services provide features and functionalities that are tailored to the cloud provider you choose and complement the provider’s existing core services. As a result, we won’t be comparing them in depth here.
However, there are services offered by each cloud provider that are worth highlighting: Amazon GuardDuty, Azure Security Center and Google Cloud Security Scanner.
Amazon GuardDuty
GuardDuty is an AWS service that provides threat detection and continuous monitoring for malicious or anomalous activity in your AWS account. It analyses data AWS already collects, namely CloudTrail events, VPC Flow Logs (both mentioned above) and DNS query logs, and combines them with threat intelligence feeds from AWS and its security partners. It consumes these sources directly, so it works even if you have not enabled VPC Flow Logs yourself.
Azure Security Center
Within an Azure subscription, the security center from Microsoft Azure offers a one stop shop for monitoring and implementing different security controls (physical, infrastructural, and operational). In addition, it enables you to extend those threat protection capabilities beyond Azure to your own data center workloads.
Google Cloud Security Scanner
As the name suggests, the security scanner service in Google Cloud enables you to perform automated vulnerability scanning on workloads running on Google Cloud services such as App Engine, Compute Engine and Google Kubernetes Engine. This service can be easily integrated into your development practices (e.g., continuous integration and continuous deployment) and can detect key vulnerabilities before a production release.
This article explored some of the security issues worth considering when using the public cloud, regardless of which cloud provider you choose—AWS, Microsoft Azure or Google Cloud. It is important to understand the different aspects of networking and IAM discussed in this article in order to plan and implement an effective cloud security strategy. In addition, as you move forward in your cloud journey, make sure to explore and leverage the existing security services available in your cloud provider’s platform. Using these managed services can save you time and money in the long run. If you want to learn more about cloud security check out our Cloud Operations Security Blueprint.