When we think about networking, we tend to associate it automatically with the good old fashioned on-premises switches, routers, firewalls and endless RJ45 cables. Those are not going away in a Cloud world, but they become the CSP's responsibility to manage, while we consume the network as SDN (Software Defined Network).
So although we are now excused from guarding and managing the physical network, the focus shifts to how we protect communications in all directions.
The guiding Principle is:
Network traffic and connections to/from/within Cloud platforms must be secured to allow a continuous flow of information, enabling its availability
Here are a few high-level key points to help us improve the security of networking & connectivity, in the spirit of the Principle:
Public & Private Gateways:
Secure public gateway traffic via a proxy (white-list basis) and Deep Packet Inspection (or a separate IDS/IPS, based on the use-case)
Utilise intra-cloud routing primitives to steer ingress/egress traffic from/to a gateway through a dedicated DPI/IDS/IPS/FW instance
Route only approved infrastructure to the gateways
Enable a malware protection solution for ingress traffic
Map out all active private and public connections (VPN, dedicated link, peering, etc.), identifying end-to-end routes and protocols in use, while ensuring only those required are active, with appropriate access control over changes to routing configuration
For specific use-cases, consider using a CDN (with signed URLs and cookies) to serve content, protecting the origin and potentially eliminating the need for direct access into the environment
Subnets:
Ensure subnets are categorised and separated for each purpose, based on the different infrastructure stacks
Place everything in private subnets by default, with only designated services (e.g. load balancers) in public subnets, fronting internal stacks
Network ACLs (Stateless):
Enable nACLs on subnets and configure them in accordance with the minimal operational requirements and risk level
Understand the CSP's default configuration. It will usually be set to 'any-any'
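The two nACL points above, as an added example that is not the post's own code: a small stateless evaluator (first matching rule wins, no match is an implicit deny) applied to a constructed web-tier ACL. It shows the classic stateless mistake, an inbound 443 rule without an outbound rule for the client's ephemeral port range, and a check that flags the 'any-any' default. Rule numbers, CIDRs and the client address are constructed for the demo.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Tuple


@dataclass(frozen=True)
class AclRule:
    number: int        # lowest number is evaluated first
    direction: str     # "inbound" or "outbound"
    protocol: str      # "tcp", "udp" or "any"
    port_from: int
    port_to: int
    cidr: str          # remote address range the rule matches
    action: str        # "allow" or "deny"


@dataclass(frozen=True)
class Packet:
    direction: str
    protocol: str
    remote_ip: str     # source for inbound, destination for outbound
    dst_port: int      # destination port of this packet


def evaluate(rules: List[AclRule], pkt: Packet) -> str:
    """Stateless evaluation: first matching rule wins, no match is an implicit deny."""
    for r in sorted(rules, key=lambda r: r.number):
        if r.direction != pkt.direction or r.protocol not in ("any", pkt.protocol):
            continue
        if not (r.port_from <= pkt.dst_port <= r.port_to):
            continue
        if ip_address(pkt.remote_ip) not in ip_network(r.cidr, strict=False):
            continue
        return r.action
    return "deny"


# Constructed ACL for a web-tier subnet. It allows HTTPS in, but the author forgot
# that the reply leaves on the client's ephemeral port, not on 443.
WEB_ACL_NO_EPHEMERAL = [
    AclRule(100, "inbound",  "tcp", 443, 443, "0.0.0.0/0", "allow"),
    AclRule(100, "outbound", "tcp", 443, 443, "0.0.0.0/0", "allow"),
]

# Corrected: an explicit outbound rule for the ephemeral port range lets replies out.
WEB_ACL = WEB_ACL_NO_EPHEMERAL + [
    AclRule(110, "outbound", "tcp", 1024, 65535, "0.0.0.0/0", "allow"),
]

# The 'any-any' default many CSPs ship with a new subnet.
DEFAULT_ANY_ANY = [
    AclRule(100, "inbound",  "any", 0, 65535, "0.0.0.0/0", "allow"),
    AclRule(100, "outbound", "any", 0, 65535, "0.0.0.0/0", "allow"),
]


def check_https_session(rules: List[AclRule], client_ip: str = "203.0.113.10",
                        client_port: int = 51515) -> Tuple[str, str]:
    """Verdicts for a client's request (inbound to 443) and the server's reply (outbound to the ephemeral port)."""
    request = Packet("inbound", "tcp", client_ip, 443)
    reply = Packet("outbound", "tcp", client_ip, client_port)
    return evaluate(rules, request), evaluate(rules, reply)


def is_any_any(rules: List[AclRule]) -> bool:
    """True when the first rule in each direction allows all protocols, ports and addresses."""
    for direction in ("inbound", "outbound"):
        first = next((r for r in sorted(rules, key=lambda r: r.number)
                      if r.direction == direction), None)
        if first is None or first.action != "allow" or first.protocol != "any":
            return False
        if (first.port_from, first.port_to, first.cidr) != (0, 65535, "0.0.0.0/0"):
            return False
    return True


if __name__ == "__main__":
    print("no ephemeral rule:", check_https_session(WEB_ACL_NO_EPHEMERAL))
    print("with ephemeral rule:", check_https_session(WEB_ACL))
    print("CSP default is any-any:", is_any_any(DEFAULT_ANY_ANY))
```

The request is allowed in both ACLs, but the reply is dropped by the first one: a stateless ACL has no notion of an established session, so return traffic must be permitted explicitly, which is why nACLs tend to be coarser than security groups.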
Security Groups/Firewalls (Stateful):
To be implemented at both the instance/VM and load-balancer levels
The default policy should follow the “Drop all, allow some” model, minimising machine-to-machine or resource-to-resource comms where possible, which reduces the number of open firewall rules
Ensure Security Groups and Firewalls are categorised and separated for each purpose, based on the different infrastructure stacks
Fast changes in sensitive environments must be tracked and alerted on
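An added example for the security-group points above (not code from the original post): an audit that flags ingress rules open to the whole internet beyond an allowed set of ports, plus a snapshot diff that raises an alert when a rule is added or widened. The three groups, their CIDRs and the allowed-port set are constructed for the demo; in practice the snapshots would come from the CSP's API export.

```python
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class SgRule:
    protocol: str      # "tcp", "udp" or "-1" (all protocols)
    port_from: int
    port_to: int
    cidr: str


# Assumption for the demo: only these ports may face the internet on any group.
INTERNET_OK_PORTS = {80, 443}
ANYWHERE = {"0.0.0.0/0", "::/0"}


def audit_group(name: str, ingress: List[SgRule]) -> List[str]:
    """Findings for rules that violate 'drop all, allow some' towards the internet."""
    findings = []
    for r in ingress:
        if r.cidr not in ANYWHERE:
            continue                                   # internal source, outside this check
        if r.protocol == "-1" or (r.port_from == 0 and r.port_to == 65535):
            findings.append(f"{name}: any-any ingress from {r.cidr}")
            continue
        exposed = set(range(r.port_from, r.port_to + 1)) - INTERNET_OK_PORTS
        if exposed:
            findings.append(f"{name}: {r.protocol} port(s) {min(exposed)}-{max(exposed)} open to {r.cidr}")
    return findings


def audit_all(snapshot: Dict[str, List[SgRule]]) -> List[str]:
    return sorted(f for name, rules in snapshot.items() for f in audit_group(name, rules))


def diff_snapshots(before: Dict[str, List[SgRule]], after: Dict[str, List[SgRule]]) -> List[str]:
    """Rules added since the previous snapshot; anything opened to the internet is HIGH."""
    alerts = []
    for name, rules in after.items():
        for r in set(rules) - set(before.get(name, [])):
            sev = "HIGH" if r.cidr in ANYWHERE else "INFO"
            alerts.append(f"{sev} {name}: new ingress {r.protocol} {r.port_from}-{r.port_to} from {r.cidr}")
    for name in before.keys() - after.keys():
        alerts.append(f"INFO {name}: group removed")
    return sorted(alerts)


# Constructed snapshots of a three-tier stack: LB -> app -> db.
SNAPSHOT_T0 = {
    "web-lb": [SgRule("tcp", 443, 443, "0.0.0.0/0")],
    "app":    [SgRule("tcp", 8080, 8080, "10.0.1.0/24")],   # only from the LB subnet
    "db":     [SgRule("tcp", 5432, 5432, "10.0.2.0/24")],   # only from the app subnet
}
# Later snapshot: someone opened SSH on app and everything on db to the world.
SNAPSHOT_T1 = {
    "web-lb": [SgRule("tcp", 443, 443, "0.0.0.0/0")],
    "app":    [SgRule("tcp", 8080, 8080, "10.0.1.0/24"), SgRule("tcp", 22, 22, "0.0.0.0/0")],
    "db":     [SgRule("tcp", 5432, 5432, "10.0.2.0/24"), SgRule("-1", 0, 65535, "0.0.0.0/0")],
}

if __name__ == "__main__":
    for line in audit_all(SNAPSHOT_T1) + diff_snapshots(SNAPSHOT_T0, SNAPSHOT_T1):
        print(line)
```

Run on a schedule (or from change events), the diff is what turns the "fast changes must be tracked/alerted" requirement into something concrete: the audit says where you stand, the diff says what just moved.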
3rd Parties Access/API connectivity/Sockets/CSP services connectivity:
Frequently map out all active connections and methods in use (e.g. peering, API connections, VPNs, cross-account connections, public IPs, etc.) across all environments
For API connectivity:
Perform API discovery and clean-up exercises: which APIs are public and which are private, are they encrypted, alert on and remove unused or non-authorised APIs
Use only approved technology for signing API requests, and check for potential issues around certificates
Use approved API types only (e.g. REST), and consult the ‘OWASP Top 10 for API Security’
Use an API gateway for enhanced control/security (based on the use-case)
Classify APIs based on their risk level and protect accordingly
Consider 3rd-party tools able to identify anomalies/spoofing and to provide decoying/honeypotting, as a preventive measure
Enable Deep Packet Inspection (or a separate IDS/IPS, based on the use-case) with WAF capabilities
Allow 3rd party access via temporary/short-lived credentials only. Exceptions must be subject to a defined process with a periodic review.
Utilise private CSP endpoints where possible to access services over the provider's internal network rather than over a public network. When a public network must be used, ensure data in transit is protected properly (e.g. IPsec)
Ensure strong authentication/authorisation/admission controls on APIs
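The API discovery, clean-up and risk-classification exercise above, as an added example that is not part of the original post: a rule ladder run over a constructed inventory (the kind of export a discovery tool or gateway would give you) that assigns a risk level and a list of actions per API. The record fields, the 90-day unused threshold and the four sample APIs are assumptions for the demo.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class ApiRecord:
    name: str
    exposure: str              # "public" or "private"
    tls: bool                  # encrypted in transit
    auth: str                  # "signed", "token" or "none"
    approved: bool             # present on the approved inventory
    days_since_last_call: int  # from gateway / access logs
    behind_gateway: bool       # fronted by an API gateway


UNUSED_AFTER_DAYS = 90                     # assumed clean-up threshold
LEVEL = {"low": 0, "medium": 1, "high": 2}


def classify(api: ApiRecord) -> Tuple[str, List[str]]:
    """Return (risk level, actions) for one API according to a simple rule ladder."""
    actions: List[str] = []
    risk = "low"

    def raise_to(level: str) -> None:
        nonlocal risk
        if LEVEL[level] > LEVEL[risk]:
            risk = level

    if not api.approved:
        actions.append("alert: not on approved inventory")
        raise_to("high")
    if api.days_since_last_call > UNUSED_AFTER_DAYS:
        actions.append("remove: unused")
    if not api.tls:
        actions.append("fix: enforce TLS")
        raise_to("high")
    if api.auth == "none":
        actions.append("fix: require authentication")
        raise_to("high" if api.exposure == "public" else "medium")
    if api.exposure == "public":
        raise_to("medium")                 # internet-reachable is never 'low'
        if not api.behind_gateway:
            actions.append("review: public API not behind gateway")
    return risk, actions


# Constructed inventory, as a discovery tool or gateway export might produce it.
INVENTORY = [
    ApiRecord("orders",           "public",  True,  "token", True,  1,   True),
    ApiRecord("legacy-export",    "public",  False, "none",  True,  400, False),
    ApiRecord("internal-metrics", "private", True,  "none",  True,  2,   False),
    ApiRecord("shadow-debug",     "private", True,  "token", False, 5,   False),
]


def run_cleanup(inventory: List[ApiRecord]) -> Dict[str, Tuple[str, List[str]]]:
    return {api.name: classify(api) for api in inventory}


if __name__ == "__main__":
    for name, (risk, actions) in run_cleanup(INVENTORY).items():
        print(f"{name:18} {risk:7} {'; '.join(actions) or '-'}")
```

The point of separating risk from actions is that the protection level follows the classification (a public API never sits at "low"), while the actions are the concrete clean-up tickets: remove what is unused, alert on what was never approved, and fix transport and authentication gaps.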