We begin part two of our cloud security series by discussing layered security. To safeguard new cloud services from outside dangers in today’s market, cloud design often includes multiple layers or networks to ensure that secured resources are protected.
The most secure architecture would simply block all traffic between the internet and the local area network (LAN), which is where the protected resources reside. When working with cloud services, however, the security architecture has to adapt to allow access to and from specific services. This adapted architecture lets cloud resources be reached securely over the internet while still having network access to other locations. A few examples of these services include email, web traffic and file transfer protocol (FTP) services.
When we look at Infrastructure-as-a-Service (IaaS), one of our first steps toward securing the architecture is establishing a demilitarized zone (DMZ), an additional network layered in between two other networks. If an intruder gets into the DMZ, they still cannot reach the secured resources on the LAN, because the DMZ is a separate network zone from the LAN. The most typical way to create this DMZ is to place a firewall between the outside network and your DMZ. The new firewall uses access lists to control access to particular network resources. Access lists explicitly permit or deny traffic to particular network addresses and specific network ports, and are a simple way to allow only authorized traffic to reach network resources.
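As an added illustration of the access-list model just described (example code written for this post, not a vendor's firewall configuration), the following Python evaluates a small top-down, first-match access list for a DMZ. The topology, the address ranges (192.0.2.0/24 for the DMZ, 10.0.0.0/8 for the LAN), the hosts and the rule set are all constructed for the example; what it shows is how an ordered permit/deny list lets internet traffic reach only the published DMZ services, lets the DMZ web server reach only one LAN port, and drops everything else through the implicit deny at the end.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str                  # "permit" or "deny"
    src: ipaddress.IPv4Network   # matching source addresses
    dst: ipaddress.IPv4Network   # matching destination addresses
    proto: str                   # "tcp", "udp", "icmp" or "any"
    dport: Optional[int]         # destination port; None matches any port


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: Optional[int] = None


def rule(action: str, src: str, dst: str, proto: str = "any",
         dport: Optional[int] = None) -> Rule:
    """Build a Rule from CIDR strings."""
    return Rule(action, ipaddress.ip_network(src), ipaddress.ip_network(dst), proto, dport)


# Constructed example topology (documentation and private ranges, not real hosts):
#   internet -> firewall -> DMZ 192.0.2.0/24 (web server 192.0.2.10, mail relay 192.0.2.20)
#   LAN 10.0.0.0/8 holds the protected resources (database 10.0.5.5)
DMZ_ACL: List[Rule] = [
    rule("permit", "0.0.0.0/0",     "192.0.2.10/32", "tcp", 443),   # public HTTPS to the web server
    rule("permit", "0.0.0.0/0",     "192.0.2.20/32", "tcp", 25),    # SMTP to the mail relay
    rule("permit", "192.0.2.10/32", "10.0.5.5/32",   "tcp", 5432),  # only the web server may reach the DB
    rule("deny",   "0.0.0.0/0",     "10.0.0.0/8"),                  # nothing else reaches the LAN
    # implicit deny for everything not listed above
]


def matches(r: Rule, p: Packet) -> bool:
    """True when the packet's addresses, protocol and port all fall inside the rule."""
    if ipaddress.ip_address(p.src) not in r.src:
        return False
    if ipaddress.ip_address(p.dst) not in r.dst:
        return False
    if r.proto != "any" and r.proto != p.proto:
        return False
    if r.dport is not None and r.dport != p.dport:
        return False
    return True


def evaluate(acl: List[Rule], p: Packet) -> Tuple[str, int]:
    """Top-down, first-match evaluation.

    Returns (action, index of the matching rule); index -1 means the packet fell
    through to the implicit deny at the end of the list.
    """
    for i, r in enumerate(acl):
        if matches(r, p):
            return r.action, i
    return "deny", -1


if __name__ == "__main__":
    samples = [
        Packet("203.0.113.7", "192.0.2.10", "tcp", 443),   # visitor -> web server
        Packet("203.0.113.7", "192.0.2.10", "tcp", 22),    # visitor -> SSH on web server
        Packet("203.0.113.7", "10.0.5.5", "tcp", 5432),    # visitor -> database directly
        Packet("192.0.2.10", "10.0.5.5", "tcp", 5432),     # web server -> database
        Packet("192.0.2.20", "10.0.5.5", "tcp", 5432),     # mail relay -> database
    ]
    for s in samples:
        action, idx = evaluate(DMZ_ACL, s)
        print(f"{s.src} -> {s.dst}:{s.dport}/{s.proto}: {action} (rule {idx})")
```

Rule order matters: the narrow permit for the web server's database connection has to sit above the broad deny for the LAN, otherwise the deny matches first and the application breaks. The `-1` index returned for the implicit deny is also the thing to log, since traffic that reaches it is, by definition, traffic nobody wrote a rule for.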
Another best practice to consider after implementing your firewall is adding an intrusion detection system, which detects malicious packets and alerts system administrators when a security action is needed. Go a step further and implement an intrusion prevention system, which actively shuts down malicious traffic without waiting for manual intervention from an administrator. This is similar to hiring security personnel for nightclubs, concerts and special events.
Since your service is on the internet you should also be aware of some common attacks:
Distributed Denial of Service (DDoS) attacks target one system concurrently from multiple compromised systems. The distributed nature of these assaults makes it hard for system administrators to block the malicious traffic at its point of origin. It also makes it difficult to determine which traffic is legitimate and which is part of the attack.
Ping of Death (PoD) attacks send malformed packets to your cloud infrastructure with the intention of crashing your cloud system. However, most modern firewalls can detect these packets and discard them before they can cause any damage.
Ping Flood attacks, which are similar to DDoS attacks, attempt to overwhelm a system with more traffic than it can manage. However, in this type of attack the traffic generally comes from a single system, which makes it easier to recognize and block.
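To show how the three attack patterns above look from the defender's side, here is an added Python example (written for this post, not taken from it) that runs simple detection logic over a constructed set of ICMP packet records. The addresses, the rate thresholds and the 65,535-byte check for the classic oversized-ping form of PoD are assumptions chosen for the example. The point it makes is the one in the text: a ping flood surfaces as one source far above the per-source rate, so a single block rule stops it, while a distributed flood exceeds the aggregate rate with no single source standing out to block.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Pkt:
    ts: float       # arrival time in seconds
    src: str
    dst: str
    proto: str
    length: int     # total IP datagram length after reassembly


MAX_IP_DATAGRAM = 65535   # RFC 791 limit; a reassembled ping above this is the classic PoD pattern


def find_oversized_pings(pkts: List[Pkt]) -> List[Pkt]:
    """Ping of Death check: ICMP datagrams that reassemble to more than the IP maximum."""
    return [p for p in pkts if p.proto == "icmp" and p.length > MAX_IP_DATAGRAM]


def analyse_icmp_rate(pkts: List[Pkt], window: float = 1.0, per_source_threshold: int = 100,
                      total_threshold: int = 200, min_sources: int = 10
                      ) -> Dict[int, Tuple[str, Optional[str]]]:
    """Bucket ICMP packets into time windows and flag floods.

    A window is reported as ("ping_flood", source) when one source alone exceeds the
    per-source threshold, or as ("distributed_flood", None) when the aggregate exceeds
    the total threshold while spread across many sources with no dominant origin.
    Thresholds are example values, not tuned numbers.
    """
    per_window: Dict[int, Counter] = defaultdict(Counter)
    for p in pkts:
        if p.proto == "icmp":
            per_window[int(p.ts // window)][p.src] += 1

    findings: Dict[int, Tuple[str, Optional[str]]] = {}
    for w in sorted(per_window):
        counts = per_window[w]
        total = sum(counts.values())
        top_src, top_count = counts.most_common(1)[0]
        if top_count >= per_source_threshold:
            findings[w] = ("ping_flood", top_src)          # one origin: block that address
        elif total >= total_threshold and len(counts) >= min_sources:
            findings[w] = ("distributed_flood", None)      # many origins: no single address to block
    return findings


def make_sample() -> List[Pkt]:
    """Constructed traffic toward a DMZ web server (192.0.2.10); not captured data."""
    target = "192.0.2.10"
    pkts: List[Pkt] = []
    # baseline: three monitoring hosts send two echo requests per second for 8 seconds
    for sec in range(8):
        for i, host in enumerate(("203.0.113.1", "203.0.113.2", "203.0.113.3")):
            for k in range(2):
                pkts.append(Pkt(sec + 0.1 * i + 0.01 * k, host, target, "icmp", 84))
    # second 2: ping flood, 300 echo requests from a single source
    for k in range(300):
        pkts.append(Pkt(2 + k / 300, "198.51.100.9", target, "icmp", 84))
    # second 3: one oversized (PoD-style) ping
    pkts.append(Pkt(3.5, "198.51.100.77", target, "icmp", 65600))
    # second 5: distributed flood, 50 sources sending 6 echo requests each
    for n in range(50):
        for k in range(6):
            pkts.append(Pkt(5 + k / 6, f"198.51.100.{100 + n}", target, "icmp", 84))
    return pkts


if __name__ == "__main__":
    sample = make_sample()
    for p in find_oversized_pings(sample):
        print(f"oversized ICMP from {p.src}: {p.length} bytes")
    for w, (kind, src) in analyse_icmp_rate(sample).items():
        where = f" from {src}" if src else " (no single origin to block)"
        print(f"window {w}s: {kind}{where}")
```

The oversized-ping check is the kind of rule a firewall or IDS applies per packet, which is why the text can say modern firewalls discard PoD packets before they do harm; the rate analysis needs state across a time window, which is where an IDS/IPS earns its place behind the firewall.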
That’s all for today. In part three, we’ll discuss hardening your new cloud solution—stay tuned!