No matter which service model is in use (IaaS, PaaS, SaaS, etc.), we need to ensure we have the right segregation controls in place, backed by a process, across Networks, Data, Services and Users. Some organisations avoid the public cloud because of its multi-tenant nature and data security concerns, so as security professionals we have the opportunity to restore our stakeholders' confidence by ensuring an appropriate adoption of segregation techniques and maximising their value, while leaning on the 'Shared Responsibility Model' for the CSP's adherence to segregation best practices (both physical and logical).
The guiding Principle is:
Hosted environments, services and data within the Cloud must be segregated from others in an appropriate manner, to support the necessary service and data requirements of the business.
Here are a few high-level key points to help us improve data protection, in the spirit of the Principle:
Define Security Trust Zones to separate systems, tiers and users along logical lines, for greater security and access control; each zone can have its own security controls and monitoring, based on its specific needs and risk level
Consider enabling a proxy capability between the layers of the application stack (e.g. AWS RDS Proxy) to manage connections securely
Ensure the design/environment has a clear account structure and tagging design for segregating resources of different purposes, types, characteristics, etc. at the logical account level (e.g. Landing Zones)
Adopt a 'swim-lane isolation' methodology where possible, to differentiate access
'Dedicated' vs. 'Shared' tenancy: this must be assessed per use-case (based on the environment's sensitivity, the classification of the data and the business's appetite for risk). The main driver will be reducing the risk of data theft and of guest-tenancy access/attack types in general (e.g. guest-to-host breakout, HW exhaustion, etc.). To date, there are no major security benefits of 'Dedicated' over 'Shared', and it needs to be reviewed with the CSP when relevant. (Note: AWS is moving away from 'Xen' to 'Nitro' type hosts, which is intended to enhance HW security)
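The trust-zone and tagging points above are easiest to enforce when they are written down as a policy that can be checked mechanically. The following is an added example (not code from the original post): it audits a constructed inventory of tagged resources and security-group style inbound rules against an assumed set of allowed zone-to-zone flows, flagging resources that lack the required tags and rules that cross zones outside the allowed list; the tag names, zone names, ports and resource ids are all assumptions.

```python
from collections import namedtuple

# Tags every resource must carry (assumed policy for this example).
REQUIRED_TAGS = ("zone", "owner", "data_classification")
# Allowed flows between trust zones: (source_zone, destination_zone, port).
ALLOWED_FLOWS = {
    ("web", "app", 8443),
    ("app", "db-proxy", 5432),   # app tier talks to the proxy layer, never the DB
    ("db-proxy", "db", 5432),
}

Resource = namedtuple("Resource", "rid tags")
Rule = namedtuple("Rule", "dst_rid src_rid port")  # inbound rule on dst, from src
# Constructed inventory: one resource per tier plus an untagged batch function.
INVENTORY = [
    Resource("i-web1", {"zone": "web", "owner": "team-a", "data_classification": "public"}),
    Resource("i-app1", {"zone": "app", "owner": "team-a", "data_classification": "internal"}),
    Resource("proxy1", {"zone": "db-proxy", "owner": "team-a", "data_classification": "internal"}),
    Resource("db1", {"zone": "db", "owner": "team-a", "data_classification": "restricted"}),
    Resource("fn-batch", {"owner": "team-b"}),  # missing zone and classification tags
]

# Constructed security-group style inbound rules.
RULES = [
    Rule("i-app1", "i-web1", 8443),
    Rule("proxy1", "i-app1", 5432),
    Rule("db1", "proxy1", 5432),
    Rule("db1", "i-web1", 5432),    # web tier reaching the DB directly: violation
    Rule("db1", "fn-batch", 5432),  # source has no zone tag: cannot be trusted
]

def missing_tags(inventory):
    """Map resource id -> list of required tags it lacks (offenders only)."""
    return {r.rid: [t for t in REQUIRED_TAGS if t not in r.tags]
            for r in inventory if any(t not in r.tags for t in REQUIRED_TAGS)}

def cross_zone_violations(inventory, rules):
    """Return rules whose (src zone, dst zone, port) is not an allowed flow.
    A rule touching an un-zoned resource is a violation too: an endpoint with
    no zone tag cannot be shown to sit inside any permitted zone."""
    zone = {r.rid: r.tags.get("zone") for r in inventory}
    bad = []
    for rule in rules:
        src, dst = zone.get(rule.src_rid), zone.get(rule.dst_rid)
        if src is not None and src == dst:  # intra-zone: governed by the zone's own controls
            continue
        if (src, dst, rule.port) not in ALLOWED_FLOWS:
            bad.append(rule)
    return bad
```

Running the two checks over a real inventory export is the detection side of the principle: every hit is either a tagging gap to close or a flow that must be justified and added to the allow-list or removed.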