Updated: Jul 24, 2019
Today, in this series, we are going to look at network security in cloud infrastructure. As we all know, the infrastructure is the foundation of a cloud environment, and everything else is built on it.
But to begin with, let us list the 10 steps to cloud security as defined by the Cloud Standards Customer Council.
Ensure effective governance, risk and compliance processes exist
Audit operational and business processes
Manage people, roles and identities
Ensure proper protection of data and information
Enforce privacy policies
Assess the security provisions for cloud applications
Ensure cloud networks and connections are secure
Evaluate security controls on physical infrastructure and facilities
Manage security terms in the cloud service agreement
Understand the security requirements of the exit process
We will discuss step 7, which is to ensure cloud networks and connections are secure.
Networking is one of the three main elements that make up cloud infrastructure, the other two being compute and storage.
Before we dive in, we first need to understand the two macro layers within cloud infrastructure and how they affect security responsibilities.
The first layer is the actual physical and logical compute (processors, RAM, etc.), networking and storage used to create the resource pools. These are the physical devices in the cloud service provider's datacentre, and they form the underlying infrastructure. The second layer is the virtual infrastructure that is built by the cloud customer. So, in a nutshell, all compute, networking and storage is abstracted and orchestrated from the physical pools to create resource pools that are consumed by the cloud customer.
Once you understand these two layers, you will be able to understand the shared responsibility model. One layer is managed by the cloud service provider, and the second, the virtual infrastructure, is managed by the customer. That is how security responsibility is shared between the cloud service provider and the cloud customer: the provider secures the physical pools and the virtualization layer, and the customer secures what is built on top of them.
Now, coming back to the networking element, we will look at how the network is virtualized, how this affects security, and lastly the security controls that the cloud service provider and the customer should have in place.
Cloud Network Virtualization
It is the process by which the physical network is abstracted and orchestrated to create resource pools. There are different forms of virtual networking for doing the resource pooling. However, at the cloud provider level, physical segregation of networks is also important from both an operational and a security point of view. Cloud service providers (and private clouds) often make this physical segregation into three networks:
Service network: This network carries traffic between virtual machines and to outside networks. The service network is what the cloud customer consumes as a network resource pool.
Management network: This network carries management and API traffic and is used for communication with the management plane. It is kept separate so that customer workload traffic cannot reach the management plane.
Storage network: This network carries traffic between the storage devices and the virtual machines.
As far as network virtualization is concerned, there are two prominent ways to achieve it and they are:
Virtual Local Area Networks (VLANs): We all know what a VLAN is; they have always been part of traditional networking. They were designed to segment a single-tenant (enterprise) network into separate business units or functions, not for cloud-scale virtualization or for security. The 12-bit 802.1Q VLAN tag gives only 4094 usable IDs, and a VLAN is a layer-2 broadcast domain rather than a tenant boundary, so do not consider VLANs an effective security control for isolating tenants from one another.
Software Defined Networking (SDN): As the name suggests, it acts as a complete abstraction layer on top of the networking hardware. SDN decouples the network control plane from the data plane, and cloud implementations typically build virtual networks as overlays (for example, VXLAN encapsulation) on top of the physical network. There are multiple types of implementation, including both standards-based and proprietary options. Depending on the implementation, SDN can offer greater flexibility and stronger isolation than VLANs.
Network Security Controls
In any traditional IT infrastructure, network security is about allowing legitimate traffic and blocking malicious traffic. Nothing is different in the cloud, and the cloud service provider is expected to do the same. But there is one important difference: the cloud service provider does not know what kind of traffic its customers legitimately send, so it cannot make all of the filtering decisions on their behalf. Therefore, we will divide the controls into two categories, external and internal.
External network security controls
External security controls are the ones implemented by the cloud service provider, and the customer must evaluate them. The customer may not get full details of the controls from the provider, but they can check the compliance and assurance reports from audits performed on the provider. Some of the important external controls are:
Traffic screening: The cloud provider should have a screening mechanism in place. Some traffic should never be allowed, such as ports used only by known malware. Normally a firewall does this job, but the CSP may use software-based filtering as well. The customer should check whether the provider publishes its block lists and whether those lists align with the terms of service. You can also check whether there are controls for IPv6 traffic, as more and more solutions have started using IPv6; a filter that covers IPv4 only leaves a second, unfiltered path. Another consideration is geographic restrictions. With regulations like the GDPR in place, local laws may restrict certain data transfers from one geographic region to another.
Denial-of-service protection: As we all know, DDoS attacks are becoming more and more common, so the cloud provider and its Internet service provider should have the capability to withstand and adapt to high-volume attacks. If the solution hosted in the cloud is accessed by the customer's own customers, then a DDoS attack results in a direct loss of business to the customer.
Intrusion detection & prevention: Remember, this is different from traffic screening. Some traffic may look legitimate to a firewall but carry malicious payloads such as spam, viruses and known attack patterns. Therefore, the cloud provider should have IDS/IPS installed for deep inspection of packets. These systems look at traffic patterns and at the actual contents of the messages. An intrusion detection system can only detect and notify on malicious traffic, whereas an intrusion prevention system can block it. However, the customer should check whether the cloud provider has an exception process for allowing legitimate traffic that has been blocked by the IDS/IPS as a false positive. A false positive is legitimate traffic that has been blocked because its pattern resembles malware or a DDoS attack.
Logging and notification: Logging is a very important control for visibility into the network health of the whole infrastructure. Please note that there may be legal requirements for logging if personally identifiable information (PII) is involved. The CSP may not share all logging information because of the multi-tenant nature of the infrastructure, but the customer can ask questions so that the process is clear: What is the network logging and retention policy? What are the notification policies? Are historical statistics available on the number of attacks detected and blocked?
Internal network security controls
The internal network infrastructure consists of the access routers and switches that connect cloud virtual machines to the provider's backbone. Some of the internal security controls include:
Provide tools for customers to protect themselves from one another: The cloud service provider must provide tools that let customers isolate their networks, and most providers offer several today. The virtual private cloud (VPC) is one of them: it plays the role that a VLAN plays in a traditional network, but is implemented on the provider's SDN rather than as a layer-2 VLAN. Others are VPNs for secure transmission of data, firewalls (known as network ACLs and security groups) and hypervisor-based filters (such as ebtables on Linux).
Provide tools to allow customers to implement network segmentation: When a customer creates its virtual infrastructure, it should be able to create multiple network zones to separate incoming traffic, for example a public zone for Internet-facing services and a private zone for databases. This is usually provided in the form of subnets within a virtual private cloud (VPC), with network ACLs at the subnet boundary and security groups at the instance boundary.
Protection of the provider's network: The provider's internal network must be secured, otherwise all the other controls are worthless. Cloud providers rarely share internal network security control details with customers, but again, the customer should review compliance and assurance reports such as ISO 27001 and SOC reports to understand how the provider secures its internal network.
In conclusion, network security is a very important piece, as it sets the foundation on which the whole cloud infrastructure is built.
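As an added illustration of the two customer-side filtering tools named in the first two internal controls above (security groups and network ACLs) and of the zoning they are used for, here is a small Python model. This is example code written for this article, not code from any cloud provider's SDK. It assumes AWS-style semantics: a security group is stateful and holds only allow rules, while a network ACL is stateless, evaluated in rule-number order with the first match winning and an implicit final deny. The subnets, addresses, ports and rules are constructed for the example.

```python
"""Added example for this article (not provider code): a model of AWS-style
security groups (stateful, allow-only) and network ACLs (stateless, numbered,
first match wins, implicit final deny). Addresses and rules are constructed."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

WEB_ZONE = "10.0.1.0/24"  # constructed public web subnet; the DB tier lives in 10.0.2.0/24


@dataclass(frozen=True)
class Flow:
    src: str            # source IP address
    dst: str            # destination IP address
    dport: int          # destination TCP port
    sport: int = 50000  # source port; ephemeral unless given


@dataclass
class SecurityGroup:
    """Stateful allow-list of (destination port, allowed source CIDR) pairs."""
    name: str
    allow: list = field(default_factory=list)

    def permits(self, flow: Flow) -> bool:
        src = ip_address(flow.src)
        return any(flow.dport == port and src in ip_network(cidr)
                   for port, cidr in self.allow)


@dataclass
class NetworkAcl:
    """Stateless rules (number, CIDR, port_lo, port_hi, action), lowest number first."""
    name: str
    rules: list = field(default_factory=list)

    def permits(self, flow: Flow) -> bool:
        src = ip_address(flow.src)
        for _number, cidr, lo, hi, action in sorted(self.rules):
            if src in ip_network(cidr) and lo <= flow.dport <= hi:
                return action == "allow"   # first match wins
        return False                       # implicit final deny, as on a real NACL


@dataclass
class Zone:
    """A subnet: NACL at the subnet boundary, security group on its instances."""
    name: str
    nacl: NetworkAcl
    sg: SecurityGroup
    initiated: set = field(default_factory=set)  # the security group's connection table

    def initiate(self, flow: Flow) -> None:
        """Record an outbound connection (assumes the SG's default allow-all outbound)."""
        self.initiated.add((flow.dst, flow.dport, flow.src, flow.sport))

    def admit(self, flow: Flow) -> tuple:
        """Evaluate an inbound packet and return (admitted?, which filter decided)."""
        if not self.nacl.permits(flow):
            return (False, f"dropped by NACL {self.nacl.name}")
        if (flow.src, flow.sport, flow.dst, flow.dport) in self.initiated:
            return (True, "allowed (stateful return traffic)")
        if self.sg.permits(flow):
            return (True, f"allowed by SG {self.sg.name}")
        return (False, f"dropped by SG {self.sg.name}")


def build_zones(nacl_return_rule: bool = True) -> dict:
    """Two-tier layout; nacl_return_rule=False omits the ephemeral-port NACL rule."""
    web_rules = [(100, "0.0.0.0/0", 443, 443, "allow")]
    if nacl_return_rule:
        web_rules.append((110, "0.0.0.0/0", 1024, 65535, "allow"))
    web = Zone("web", NetworkAcl("web-in", web_rules),
               SecurityGroup("web-sg", [(443, "0.0.0.0/0")]))
    db = Zone("db", NetworkAcl("db-in", [(100, WEB_ZONE, 5432, 5432, "allow")]),
              SecurityGroup("db-sg", [(5432, WEB_ZONE)]))  # only the web tier may connect
    return {"web": web, "db": db}


def run_scenarios(nacl_return_rule: bool = True) -> dict:
    z = build_zones(nacl_return_rule)
    results = {}
    # 1. An Internet client reaches the public web tier over HTTPS.
    results["client->web:443"] = z["web"].admit(Flow("198.51.100.7", "10.0.1.10", 443))
    # 2. The same client tries the database directly: stopped at the subnet boundary.
    results["client->db:5432"] = z["db"].admit(Flow("198.51.100.7", "10.0.2.10", 5432))
    # 3. The web tier opens a connection to the database.
    query = Flow("10.0.1.10", "10.0.2.10", 5432, sport=50000)
    z["web"].initiate(query)
    results["web->db:5432"] = z["db"].admit(query)
    # 4. The database replies to the web tier's ephemeral port.
    reply = Flow(query.dst, query.src, query.sport, sport=query.dport)
    results["db->web:reply"] = z["web"].admit(reply)
    return results


if __name__ == "__main__":
    for label, (ok, why) in run_scenarios().items():
        print(f"{label:18} {'PASS' if ok else 'DROP'}  {why}")
    ok, why = run_scenarios(nacl_return_rule=False)["db->web:reply"]
    print(f"{'db->web:reply':18} {'PASS' if ok else 'DROP'}  {why}  (NACL return rule removed)")
```

Running the script shows the Internet client reaching the web tier on 443, the same client being dropped at the database subnet's NACL before the security group is even consulted, and the web tier reaching the database because both its NACL rule and its security group rule are scoped to the web subnet. The last line shows the classic stateless-filter mistake: with the ephemeral-port rule removed from the web subnet's NACL, the database's reply is dropped at the subnet boundary even though the stateful security group would have accepted it as return traffic.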