White Paper
October 2014
Copyright Cohesive Networks
Cloud Security Best Practices
Part II: Layers of Control with VNS3
Introduction
Public cloud offers elastic, scalable, highly available and accessible infrastructure for enterprises of all sizes. The 2014 Gartner Magic Quadrant notes that Amazon's cloud (AWS) has more than five times the IaaS compute capacity of the next 14 providers listed, combined. No business can match that capacity for the price of on-demand IaaS offerings, but is it safe?
The undisputed largest barrier to business cloud migration is security. According to the 2013 ODCA membership study, 40 percent of respondents cited security as the number one inhibitor to using cloud services. Yet 79 percent of ODCA member companies said they run about 20 percent of operations using external cloud services.
Cloud IaaS offers an affordable data center extension, yet application-layer security is very different in the cloud: it is largely up to the user. Gartner analyst Lydia Leong writes, “IT managers purchasing cloud IaaS should remain aware that many aspects of security operations remain their responsibility, not the cloud provider's. Critically, the customer often retains security responsibility for everything above the hypervisor.”
Essentially, providers manage Layers 0 - 3 while end users must secure everything from the hypervisor up through the application. Concerns and pain points such as network encryption in third-party environments, role-based access control, and intrusion detection must be fully controlled by the enterprise.
Security, customization and control were the conceptual backdrop to the creation of Cohesive's overlay networking product, VNS3. As Cohesive began to put its own computing systems into the cloud, we were uncomfortable with the loss of control over our network infrastructure. Our cloud migration project allowed us to begin assessing what critical capabilities network virtualization needed to provide to our enterprise customers.
VNS3 Solution Cases
VNS3 is the only application-centric networking product that offers highly available overlay network connectivity with end-to-end encryption. VNS3 combined with Docker container-based network features allows users to build network functions into a single, secure network. The resulting “security lattice” is a similar if not better security strategy than in the traditional enterprise data center. Data-in-motion encryption ensures application owners maintain highly segmented and secure overlay networks.

European mobile application provider improves quality, speed and scale by running dev/test environments in the cloud.
The mobile app provider needed to connect multiple cloud-based dev/test topologies to their existing data center assets while guaranteeing encryption for all data in motion.
The firm uses VNS3 to launch a potentially unlimited number of identical dev/test topologies and connect those topologies to their existing data centers for integration between internal and cloud version control.

European clothing designer scales and controls capacity expansion to the cloud.
A global fashion retailer, designer, and wholesaler created a fashion social networking site with the ability to scale up and down with demand while ensuring secure, encrypted data in motion between the application and the data center.
The VNS3 solution provides controls to accommodate internal corporate security requirements that are normally not available with public cloud infrastructure.

Sports association scales up to public cloud during championship series.
During international events the sports league needed extra capacity, stability and security for increased website traffic, event applications and nimble data analytics, but did not want to manage infrastructure.
VNS3 gives the association the ability to scale in a variety of cloud regions while providing end-to-end encrypted access to their database servers running in their corporate data center.

Large ERP vendor shifts data center complexities away from clients to reinvent their subscription SaaS business model.
The ERP vendor wanted to turn a traditional software solution into a cloud-based, subscription SaaS offering. They needed security, connectivity and flexibility when migrating from customer on-premises installations to public cloud.
VNS3 allows the ERP vendor to gain multi-tenancy without re-architecting their application. The vendor guarantees secure customer data and maintains control with integrated NOC services across clouds.
Security Layers
Part of the “secret sauce” cloud providers and vendors supply is wrapped up in layers of ownership and control in the form of firewalls, isolation, and the cloud edge. Most enterprise application owners assume there are no gaps between the hypervisor layer and the application layer. The National Institute of Standards and Technology paper The NIST Definition of Cloud Computing acknowledges:
“The consumer does not manage or control the underlying cloud infrastructure but has control over operating systems, storage, and deployed applications; and possibly limited control of select networking components (e.g., host firewalls).”
Security needs to be a combined effort, where providers and users work together to offer a security and control profile that matches a particular business application's needs.
Gartner analyst Thomas Bittman writes, “a key to cloud computing is an opaque boundary between the customer and the provider.” This opaque boundary is a result of the needs and concerns of the cloud service provider being distinctly different from the needs and concerns of the enterprise cloud user/application owner. This boundary between what cloud users can control and what the cloud provider controls is the root source of enterprises' concerns with public cloud.
Provider-Owned/Provider-Controlled Security
Most public cloud data centers arguably have significantly better protections in place than the average enterprise. It is important for enterprise IT teams to be familiar with each public cloud provider's capabilities. The major players have all published extensive white papers detailing their certifications, security practices and principles. As a result, the provider-owned, provider-controlled features (such as the cloud edge and cloud isolation) provide a strong foundation for a powerful security lattice strategy.

Provider-Owned/User-Controlled Security
One of the first techniques to emerge in virtualized infrastructure was port filtering in the hypervisor host's own operating system (e.g. AWS Security Groups, IBM parameters.xml, Google Compute Engine Firewalls). Port filtering allows connections or packets that have reached the host machine where instances run to be blocked at the hardware/host OS level, so they never reach a virtual adapter. This security feature occurs “inside the LAN” but before reaching an instance. Public cloud providers allow users to control this hypervisor firewall through network mechanisms such as security groups or configuration files. Recommended best practice is to allow only the ports needed for each application use-case (and when used with an application SDN, only one port, the overlay tunnel port, needs to be allowed at this level).

VNS3 User-Owned/User-Controlled Security
VNS3 network virtualization allows application owners to control addressing, protocol, topology and security. Encrypted network virtualization solves the problem of data in motion being visible on the wire, a problem that a public cloud provider's VLAN protection does not address: VLANs segment traffic but do not encrypt it. VNS3 provides unique cryptographic keys for each host on the network, and an additional network firewall on the virtual network adapter. Recommended best practice is to use the VNS3 encrypted virtual network and to allow only the ports needed for the application use-case on the VNS3 network firewall.

User-Owned/User-Controlled Security
Assuming a “rogue” packet has made it through the network edge, through the hypervisor filtering, into the isolated VNS3 virtual network, through the VNS3 firewall, and to a host's primary interface, the host's own port filtering is the last defense. Ideally, when a host uses a virtual network, port filtering on the primary interface is only the second-to-last defense. On a virtual network, such a packet will only be responded to if it arrives on the tunnel port of the virtual network AND carries the unique signature for its stated address AND presents the virtual network switch's certificate. The final line of defense, in the event the cryptographic credentials were stolen or forged, is the host's virtual interface. Recommended best practice is to configure the virtual interface to accept only the specific ports from the specific hosts or network masks needed for the application use-case.
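The chain of checks described in this section (hypervisor port filter, tunnel port, per-host signature for the stated address, switch certificate, then the host's own filter on its virtual interface), as an added example that is not part of the original paper and is not Cohesive Networks or VNS3 code: a small Python model that evaluates constructed packets against each layer in turn and reports which layer drops them. The tunnel port, addresses, CIDRs, per-host keys and certificate fingerprint are assumed fixtures, the per-host signature is a plain HMAC standing in for whatever VNS3 actually uses, and encryption of the tunnel payload is left out.

```python
"""Model of the layered ("security lattice") packet checks the paper describes.
Added example for this page: not Cohesive Networks code, not VNS3's wire format.
The tunnel port, addresses, CIDRs, keys and fingerprint below are made-up fixtures.
"""
import hashlib
import hmac
import ipaddress
from dataclasses import dataclass

# Fixtures (assumed values, chosen for this example only).
TUNNEL_PORT = 1194                        # assumed overlay tunnel UDP port
SWITCH_CERT_FP = "sha256:7f3a...example"  # fingerprint of the virtual switch's certificate
HOST_KEYS = {                             # one secret per overlay host (paper: unique key per host)
    "172.31.1.10": b"key-for-app-server",
    "172.31.1.20": b"key-for-worker",
}
# Provider-owned / user-controlled layer: the hypervisor port filter (security group).
# With an overlay in place only the tunnel port from known peers is opened here.
SECURITY_GROUP = [("udp", TUNNEL_PORT, "203.0.113.0/24"),   # corporate data center
                  ("udp", TUNNEL_PORT, "10.0.0.0/16")]      # cloud subnet
# User-owned / user-controlled layer: this host's own filter on its overlay interface.
HOST_ALLOW = [("tcp", 5432, "172.31.1.0/24")]               # only the app tier reaches the DB


@dataclass
class OverlayFrame:
    stated_src: str    # overlay address the sender claims
    proto: str
    dst_port: int
    switch_fp: str     # certificate fingerprint presented for the virtual switch
    sig: bytes         # per-host signature over the claimed header and data
    data: bytes


@dataclass
class UnderlayPacket:
    src: str               # source address as the provider's network sees it
    proto: str
    dst_port: int
    payload: OverlayFrame  # opaque to the provider (encrypted on the wire in practice)


def sign(key, stated_src, proto, dst_port, data):
    """HMAC binding the claimed overlay source to the frame it carries."""
    msg = f"{stated_src}|{proto}|{dst_port}|".encode() + data
    return hmac.new(key, msg, hashlib.sha256).digest()


def encapsulate(underlay_src, stated_src, proto, dst_port, data, key, switch_fp=SWITCH_CERT_FP):
    """Wrap an overlay frame in a tunnel datagram, as an overlay client would."""
    frame = OverlayFrame(stated_src, proto, dst_port, switch_fp,
                         sign(key, stated_src, proto, dst_port, data), data)
    return UnderlayPacket(underlay_src, "udp", TUNNEL_PORT, frame)


def _allowed(rules, proto, port, addr):
    ip = ipaddress.ip_address(addr)
    return any(p == proto and pt == port and ip in ipaddress.ip_network(cidr)
               for p, pt, cidr in rules)


def overlay_check(frame):
    """Overlay conditions after the tunnel port: per-host signature, then switch cert."""
    key = HOST_KEYS.get(frame.stated_src)
    if key is None:
        return "overlay-signature"            # claims an address we never issued a key for
    expected = sign(key, frame.stated_src, frame.proto, frame.dst_port, frame.data)
    if not hmac.compare_digest(expected, frame.sig):
        return "overlay-signature"            # forged, or signed with another host's key
    if not hmac.compare_digest(frame.switch_fp.encode(), SWITCH_CERT_FP.encode()):
        return "overlay-certificate"          # not our virtual switch
    return None


def deliver(pkt):
    """Run the layers in order; return 'accepted' or the layer that dropped the packet."""
    if not _allowed(SECURITY_GROUP, pkt.proto, pkt.dst_port, pkt.src):
        return "hypervisor"
    if pkt.dst_port != TUNNEL_PORT:           # matters if the security group opens more ports
        return "overlay-port"
    reason = overlay_check(pkt.payload)
    if reason:
        return reason
    f = pkt.payload
    if not _allowed(HOST_ALLOW, f.proto, f.dst_port, f.stated_src):
        return "host"                         # last line of defense, even with stolen credentials
    return "accepted"


def sample_results():
    """Constructed packets covering each layer's drop case."""
    app_key = HOST_KEYS["172.31.1.10"]
    q = b"SELECT 1"
    cases = {
        "legit":      encapsulate("203.0.113.10", "172.31.1.10", "tcp", 5432, q, app_key),
        "outsider":   encapsulate("198.51.100.7", "172.31.1.10", "tcp", 5432, q, app_key),
        "ssh_direct": UnderlayPacket("203.0.113.10", "tcp", 22, None),
        "forged_src": encapsulate("203.0.113.10", "172.31.1.20", "tcp", 5432, q, app_key),
        "bad_switch": encapsulate("203.0.113.10", "172.31.1.10", "tcp", 5432, q, app_key, "sha256:rogue"),
        "stolen_key": encapsulate("203.0.113.10", "172.31.1.10", "tcp", 22, b"SSH-2.0", app_key),
    }
    return {name: deliver(p) for name, p in cases.items()}


if __name__ == "__main__":
    for name, verdict in sample_results().items():
        print(f"{name:11s} -> {verdict}")
```

Run stand-alone it prints one verdict per packet. The "stolen_key" case is the one the text calls the final line of defense: the frame carries a valid per-host signature and the right switch certificate, so the overlay accepts it, and only the host's own allow list on the virtual interface (port 5432 from the app tier, nothing else) stops it.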

Cloud Security with VNS3
Leveraging a layered approach requires cloud application owners to orchestrate cloud provider features, application and software requirements, and security features. Tim Phillips describes this as “virtual application networking”: a feature of the network that allows the application owner to define the requirements of each server and application. In other words, application-focused networking. Application-focused networks, such as overlay networks, can span the cloud stack and offer application-layer control over the underlying infrastructure, which translates into increased security for applications deployed to the cloud.
Cloud networking conversations can similarly be split into two categories: cloud service provider and cloud application. Cloud service provider networking products and projects such as OpenFlow focus on the forwarding plane of network hardware like switches and routers, below the application. Cloud service provider software-defined networking (SDN) initiatives will play an increasingly important role as multi-tenancy models mature and as it becomes clear how they will interact with the application/user layer. Until then, they offer the cloud user little in the way of security.
Cloud Security Use Case
Cloud application-focused networking products like VNS3 allow application users to control addressing, topology, protocols, and encrypted communications in a third-party-controlled public cloud. VNS3 overlay networking users can use hybrid cloud resources across vendors or geographic locations and create a “federated network.” The network is defined in software, which allows them to customize an addressing scheme and control their own topology. IPsec concentrators and SSL encryption add security that is fully owned, controlled, visible and governed by the business application.
VNS3 is an overlay networking device that creates a virtual network that the customer controls and can lay out topologically as they see fit. OpenFlow, the well-known SDN enabler from the Open Networking Foundation, focuses below the application at Layer 2. VNS3 runs at the top of the cloud stack, where the application user interacts. The application user can run VNS3 as an application on top of any existing layers outside of their control and visibility. VNS3 creates a network defined in software that gives the user back control of IP addressing and topology at Layer 3: the user creates a Layer 3 network of their choice, which is “overlaid” on top of the existing stack.
Recommended best practice is to maintain control of integration, governance and security from the application layer.
Learn More
Cloud Security Best Practices Part I: Using VNS3 Overlay Network with Private, Public, and Hybrid Clouds
Part I of the Cloud Security Best Practices White Paper covers using the VNS3 overlay network with private, public and hybrid clouds; this paper, Part II, explores the layers of control in public, private and hybrid clouds and how users can create an effective “security lattice” strategy.
Contact for Additional Information or Demo - contactme@cohesive.net
Our solution architects are available to provide additional information about VNS3 or schedule a demo of the features, functions, and common solution cases.
Contact for Overview of Services - services@cohesive.net
Enterprises looking to leverage the potential benefits of cloud computing are faced with a wide range of hurdles during their migration. Cohesive Networks is an award-winning market leader in cloud networking. Through our delivered cloud migration engagements we have designed many overlay network architectures of varying complexity. Cohesive provides a range of cloud and virtualization specific professional services to help enterprises achieve their cloud-based goals.
View our VNS3 Use Cases Webinar series - www.cohesive.net/webinars
CFT Senior Solution Architect Sam Mitchell is presenting a three-part webinar series on VNS3. Recordings of all webinars will be made available after the original air date.

• VNS3 Best Practices - Part 1 of 3
The VNS3 webinar series will begin by introducing VNS3. Sam walks through the history of VNS3, working with VNS3, compatibility with public clouds, and a preview of the next two webinars' use cases.

• VNS3 Solution Cases - Part 2 of 3
This webinar will begin by reviewing some of the topics covered in the VNS3 Best Practices webinar. Sam will then walk through VNS3 technical features and use cases, diagram how we use overlay networks to solve cloud security issues, and preview the next webinar's specific use cases.

• VNS3 Life in the Cloud - Part 3 of 3
VNS3 has helped businesses migrate to the cloud, connect securely to data centers or across clouds, and ensure secure connectivity. With specific case studies, Sam will explore the real-life uses of VNS3 in enterprise IT cloud scenarios. We will wrap up the three-part series and preview the next series, “VNS3 Everywhere.”
About the Authors
Patrick Kerpan, CEO
Mr. Kerpan is responsible for directing product, technology and sales strategy. Mr. Kerpan brings more than 20 years of software experience to the role and was one of Cohesive Networks' founders in 2006. Previously he was the CTO of Borland Software Corp, which he joined in 2000 through the acquisition of Bedouin, Inc., a company that he founded. Mr. Kerpan was also the vice president and general manager of the Developer Services Platform group at Borland, where he was instrumental in leading the Borland acquisition of StarBase in 2003. Before founding Bedouin, Inc., Mr. Kerpan was a managing director responsible for derivatives technology at multiple global investment banks.
Chris Swan, CTO
Chris Swan is CTO at Cohesive Networks, where he focuses on product development and product delivery. Chris was previously at UBS, where he was CTO for Client Experience, working on strategy and architecture for web and mobile offerings across all regions and business divisions. At UBS Chris was also co-head of Security CTO, focusing on identity management, access control and data security. Chris represented UBS as a Director on the Steering Committee of the Open Data Center Alliance (ODCA), an industry association focused on enterprise cloud adoption. Before joining UBS he was CTO at a London-based technology investment banking boutique. Chris previously held various senior R&D, architecture and engineering positions at Credit Suisse, which included networks, security, data centre automation and the introduction of new application platforms. Before moving to the world of financial services Chris was a Combat Systems Engineering Officer in the Royal Navy. He has an MBA from OUBS and a BEng from the University of York.
Sam Mitchell, Senior Cloud Solutions Architect
As Senior Cloud Solutions Architect, Sam Mitchell leads all technical elements of the global sales cycle. Mitchell runs demos, technical qualification, technical account management, proofs of concept, technical and competitive positioning, RFI/RFP responses and proposals. Before Cohesive Networks, Mitchell was a Cloud Solution Architect at Platform Computing, which was recently acquired by IBM. He was also a Lead Architect at SITA, where he headed up OSS/BSS architecture, design and deployment activities on SITA's cloud offerings.
Referenced Works

Open Data Center Alliance (ODCA). 2013 Annual ODCA Membership Survey. 18 March 2014. http://www.opendatacenteralliance.org/docs/ODCA_2013MemberSurvey_FINAL.pdf

Leong, Lydia; Toombs, Douglas; Gill, Bob; Petri, Gregor; Haynes, Tiny. Magic Quadrant for Cloud Infrastructure as a Service. Gartner, 28 May 2014. http://www.gartner.com/technology/reprints.do?id=1-1UKQQA6&ct=140528&st=sb

Leong, Lydia. Research Roundup for Cloud Infrastructure as a Service, 2012. Gartner Research - Gartner for Business Leaders, 19 July 2012. http://my.gartner.com/portal/server.pt?open=512&objID=256&mode=2&PageID=2350940&resId=2086515&ref=QuickSearch&sthkw=hybrid+cloud+security

Mell, Peter and Grance, Timothy. The NIST Definition of Cloud Computing (SP 800-145). Computer Security Division, Information Technology Laboratory, National Institute of Standards and Technology, September 2011. http://csrc.nist.gov/publications/nistpubs/800-145/SP800-145.pdf

Bittman, Tom. Clarifying Private Cloud Computing. Gartner Research - Gartner Analyst Blogs, 18 May 2010. http://blogs.gartner.com/thomas_bittman/2010/05/18/clarifying-private-cloud-computing

Phillips, Tim. Let software take the strain off your data centre: Provisioning made easy. The Register, 28 February 2013. http://www.theregister.co.uk/2013/02/28/datacentre_sdn/

Open Networking Foundation. https://www.opennetworking.org/

More Related Content

What's hot (20)

PDF
Scaling Mobile Network Security for LTE: A Multi-Layer Approach
F5 Networks
 
PDF
Cloud Computing Security
Dhaval Dave
 
PPT
Cloud Computing Security Issues
Discover Cloud Computing
 
PPT
Security in Cloud Computing
Ashish Patel
 
PPTX
Cloud security (domain6 10)
Maganathin Veeraragaloo
 
PPT
Security issue in cloud by himanshu tiwari
bhanu krishna
 
PPTX
Cloud security and services
Jas Preet
 
PPTX
Cloud security and security architecture
Vladimir Jirasek
 
PPTX
Cloud computing security issues and challenges
Dheeraj Negi
 
PDF
F5 Networks: The Right Way to Protect Against DDoS Attacks (Business White Pa...
F5 Networks
 
PPT
htcia-5-2015
Tony Godfrey
 
PPT
Security Issues of Cloud Computing
Falgun Rathod
 
PPTX
Cloud Security (Domain1- 5)
Maganathin Veeraragaloo
 
PPTX
Security Issues in Cloud Computing
Jyotika Pandey
 
PDF
Rp059 Icect2012 E694
Sandeep Saxena
 
PDF
Security of the Cloud
Epoch Universal, Inc.
 
PDF
Whitepaper: Security of the Cloud
CloudSmartz
 
PPT
On technical security issues in cloud computing
sashi799
 
PPTX
Cloud computing and its security issues
Jyoti Srivastava
 
PPTX
Cloud security (domain11 14)
Maganathin Veeraragaloo
 
Scaling Mobile Network Security for LTE: A Multi-Layer Approach
F5 Networks
 
Cloud Computing Security
Dhaval Dave
 
Cloud Computing Security Issues
Discover Cloud Computing
 
Security in Cloud Computing
Ashish Patel
 
Cloud security (domain6 10)
Maganathin Veeraragaloo
 
Security issue in cloud by himanshu tiwari
bhanu krishna
 
Cloud security and services
Jas Preet
 
Cloud security and security architecture
Vladimir Jirasek
 
Cloud computing security issues and challenges
Dheeraj Negi
 
F5 Networks: The Right Way to Protect Against DDoS Attacks (Business White Pa...
F5 Networks
 
htcia-5-2015
Tony Godfrey
 
Security Issues of Cloud Computing
Falgun Rathod
 
Cloud Security (Domain1- 5)
Maganathin Veeraragaloo
 
Security Issues in Cloud Computing
Jyotika Pandey
 
Rp059 Icect2012 E694
Sandeep Saxena
 
Security of the Cloud
Epoch Universal, Inc.
 
Whitepaper: Security of the Cloud
CloudSmartz
 
On technical security issues in cloud computing
sashi799
 
Cloud computing and its security issues
Jyoti Srivastava
 
Cloud security (domain11 14)
Maganathin Veeraragaloo
 

Viewers also liked (20)

PDF
Marian Marinov, 1H Ltd.
Ontico
 
PDF
Amazon Military Talent Program
brianraymonddolan
 
PDF
Yodlee Customer Presentation
Splunk
 
PPT
Progressive tenses
Emily Kissner
 
PPTX
Service Orchestrierung mit Apache Mesos
Ralf Ernst
 
PPT
Finding HMAS Sydney Chapter 5 - Kormoran Database & the Mathematics of Reliab...
Elk Software Group
 
PPTX
Finland powerpoint
nagadez
 
PDF
IT Infrastructure Monitoring Strategies in Healthcare
CA Technologies
 
PDF
Open Development
Paolo Mottadelli
 
PPTX
Crow
Gert Laaso
 
PDF
Tech Chat – What's New in Sumo Logic
Sumo Logic
 
PPTX
Introduction to ICS/SCADA security
Cysinfo Cyber Security Community
 
PPTX
EMC World 2015 - The Devops Toolkit
Jonas Rosland
 
PPTX
Hadoop / Spark on Malware Expression
MapR Technologies
 
PPT
concepto de colección local
guestf488db7
 
PDF
Bbc jan13 ftth_households
Bailey White
 
PPTX
George Park Workshop 1 - Cosumnes CSD
Cosumnes CSD
 
PPTX
Game Over - HTML5 Games
Guido Garcia
 
PDF
Free - Chris Anderson
schooldialoog
 
PPTX
Rez gateway (RezOS) innovate the future
indikaMaligaspe
 
Marian Marinov, 1H Ltd.
Ontico
 
Amazon Military Talent Program
brianraymonddolan
 
Yodlee Customer Presentation
Splunk
 
Progressive tenses
Emily Kissner
 
Service Orchestrierung mit Apache Mesos
Ralf Ernst
 
Finding HMAS Sydney Chapter 5 - Kormoran Database & the Mathematics of Reliab...
Elk Software Group
 
Finland powerpoint
nagadez
 
IT Infrastructure Monitoring Strategies in Healthcare
CA Technologies
 
Open Development
Paolo Mottadelli
 
Tech Chat – What's New in Sumo Logic
Sumo Logic
 
Introduction to ICS/SCADA security
Cysinfo Cyber Security Community
 
EMC World 2015 - The Devops Toolkit
Jonas Rosland
 
Hadoop / Spark on Malware Expression
MapR Technologies
 
concepto de colección local
guestf488db7
 
Bbc jan13 ftth_households
Bailey White
 
George Park Workshop 1 - Cosumnes CSD
Cosumnes CSD
 
Game Over - HTML5 Games
Guido Garcia
 
Free - Chris Anderson
schooldialoog
 
Rez gateway (RezOS) innovate the future
indikaMaligaspe
 
Ad

Similar to Cloud Security Best Practices - Part 2 (20)

PDF
CohesiveFT and IBM joint EMEA Webinar - 20Jun13
Cohesive Networks
 
PDF
Chris Purrington's talk from CLOUDSEC 2016 "Defense in depth: practical steps...
Cohesive Networks
 
PDF
Microsoft Infopedia webinar "Secure Your Azure Cloud Deployments with VNS3 Ov...
Cohesive Networks
 
PDF
Enterprise Architecture Networking
Cohesive Networks
 
PDF
Cloud networking use cases with VNS3
Cohesive Networks
 
PDF
Chris Swan's Cloud World Forum 2015 Presentation: Reperimiterisation in the C...
Cohesive Networks
 
PDF
App to Cloud: Patrick Kerpan's DataCenter Dynamics Converged Keynote
Cohesive Networks
 
PPT
Cloud Computing
John Gillson
 
PDF
Cloud Security Solution Overview
Cisco Service Provider
 
PDF
"How overlay networks can make public clouds your global WAN" by Ryan Koop o...
Cohesive Networks
 
PPTX
18CSE442 Cloud Security Introduction SRM.pptx
191013607gouthamsric
 
PDF
Defending Applications In the Cloud: Architecting Layered Security Solutions ...
EC-Council
 
PDF
International journal of computer science and innovation vol 2015-n2-paper4
sophiabelthome
 
PDF
"How overlay networks can make public clouds your global WAN" from LASCON 2013
Ryan Koop
 
DOCX
Research ArticleSecuring Cloud Hypervisors A Survey of the .docx
audeleypearl
 
PDF
The 3 Recommendations for Cloud Security
VAST
 
PDF
Chris Swan's presentation from the London Tech Entrepreneurs' Meetup
Cohesive Networks
 
PDF
Cloud computing security and privacy
Adeel Javaid
 
PDF
Docker meetup talk - chicago March 2014
Ryan Koop
 
PDF
Secure Clouds are Happy Clouds
2nd Watch
 
CohesiveFT and IBM joint EMEA Webinar - 20Jun13
Cohesive Networks
 
Chris Purrington's talk from CLOUDSEC 2016 "Defense in depth: practical steps...
Cohesive Networks
 
Microsoft Infopedia webinar "Secure Your Azure Cloud Deployments with VNS3 Ov...
Cohesive Networks
 
Enterprise Architecture Networking
Cohesive Networks
 
Cloud networking use cases with VNS3
Cohesive Networks
 
Chris Swan's Cloud World Forum 2015 Presentation: Reperimiterisation in the C...
Cohesive Networks
 
App to Cloud: Patrick Kerpan's DataCenter Dynamics Converged Keynote
Cohesive Networks
 
Cloud Computing
John Gillson
 
Cloud Security Solution Overview
Cisco Service Provider
 
"How overlay networks can make public clouds your global WAN" by Ryan Koop o...
Cohesive Networks
 
18CSE442 Cloud Security Introduction SRM.pptx
191013607gouthamsric
 
Defending Applications In the Cloud: Architecting Layered Security Solutions ...
EC-Council
 
International journal of computer science and innovation vol 2015-n2-paper4
sophiabelthome
 
"How overlay networks can make public clouds your global WAN" from LASCON 2013
Ryan Koop
 
Research ArticleSecuring Cloud Hypervisors A Survey of the .docx
audeleypearl
 
The 3 Recommendations for Cloud Security
VAST
 
Chris Swan's presentation from the London Tech Entrepreneurs' Meetup
Cohesive Networks
 
Cloud computing security and privacy
Adeel Javaid
 
Docker meetup talk - chicago March 2014
Ryan Koop
 
Secure Clouds are Happy Clouds
2nd Watch
 
Ad

More from Cohesive Networks (20)

PDF
CircleCity Con 2017 - Dwight Koop's talk Cybersecurity for real life: Using t...
Cohesive Networks
 
PDF
Protecting Vital Data With NIST Framework - Patrick Kerpan's Secure260 presen...
Cohesive Networks
 
PDF
Let’s rethink cloud application security in 2016 - Patrick Kerpan's Secure360...
Cohesive Networks
 
PPTX
Lessons Learned in Deploying the ELK Stack (Elasticsearch, Logstash, and Kibana)
Cohesive Networks
 
PDF
The Chicago School of Cybersecurity: A Pragmatic Look at the NIST Cybersecuri...
Cohesive Networks
 
PDF
Comparison: VNS3 vs Vyatta
Cohesive Networks
 
PDF
Comparison: VNS3 and Openswan
Cohesive Networks
 
PDF
Cohesive Networks Support Docs: VNS3 Administration
Cohesive Networks
 
PDF
Cohesive Networks Support Docs: VNS3 Configuration Guide
Cohesive Networks
 
PDF
Cohesive Networks Support Docs: VNS3 Configuration for AWS EC2 Classic
Cohesive Networks
 
PDF
Cohesive Networks Support Docs: VNS3 Configuration for Amazon VPC
Cohesive Networks
 
PDF
Cohesive Networks Support Docs: VNS3 Configuration in Azure
Cohesive Networks
 
PDF
Cohesive Networks Support Docs: VNS3 Configuration for CenturyLink Cloud
Cohesive Networks
 
PDF
Cohesive Networks Support Docs: VNS3 Configuration for IBM Softlayer
Cohesive Networks
 
PDF
Cohesive Networks Support Docs: VNS3 Configuration for ElasticHosts
Cohesive Networks
 
PDF
Cohesive Networks Support Docs: VNS3 Configuration for GCE
Cohesive Networks
 
PDF
Cohesive Networks Support Docs: Welcome to VNS3 3.5
Cohesive Networks
 
PDF
Cohesive Networks Support Docs: VNS3 Side by Side IPsec Tunnel Guide
Cohesive Networks
 
PDF
Cohesive networks Support Docs: VNS3 3.5 Upgrade Guide
Cohesive Networks
 
PDF
Cohesive Networks Support Docs: VNS3 3.5 Container System Add-Ons
Cohesive Networks
 
CircleCity Con 2017 - Dwight Koop's talk Cybersecurity for real life: Using t...
Cohesive Networks
 
Protecting Vital Data With NIST Framework - Patrick Kerpan's Secure260 presen...
Cohesive Networks
 
Let’s rethink cloud application security in 2016 - Patrick Kerpan's Secure360...
Cohesive Networks
 
Lessons Learned in Deploying the ELK Stack (Elasticsearch, Logstash, and Kibana)
Cohesive Networks
 
The Chicago School of Cybersecurity: A Pragmatic Look at the NIST Cybersecuri...
Cohesive Networks
 
Comparison: VNS3 vs Vyatta
Cohesive Networks
 
Comparison: VNS3 and Openswan
Cohesive Networks
 
Cohesive Networks Support Docs: VNS3 Administration
Cohesive Networks
 
Cohesive Networks Support Docs: VNS3 Configuration Guide
Cohesive Networks
 
Cohesive Networks Support Docs: VNS3 Configuration for AWS EC2 Classic
Cohesive Networks
 
Cohesive Networks Support Docs: VNS3 Configuration for Amazon VPC
Cohesive Networks
 
Cohesive Networks Support Docs: VNS3 Configuration in Azure
Cohesive Networks
 
Cohesive Networks Support Docs: VNS3 Configuration for CenturyLink Cloud
Cohesive Networks
 
Cohesive Networks Support Docs: VNS3 Configuration for IBM Softlayer
Cohesive Networks
 
Cohesive Networks Support Docs: VNS3 Configuration for ElasticHosts
Cohesive Networks
 
Cohesive Networks Support Docs: VNS3 Configuration for GCE
Cohesive Networks
 
Cohesive Networks Support Docs: Welcome to VNS3 3.5
Cohesive Networks
 
Cohesive Networks Support Docs: VNS3 Side by Side IPsec Tunnel Guide
Cohesive Networks
 
Cohesive networks Support Docs: VNS3 3.5 Upgrade Guide
Cohesive Networks
 
Cohesive Networks Support Docs: VNS3 3.5 Container System Add-Ons
Cohesive Networks
 

Recently uploaded (20)

PPTX
COMPARISON OF RASTER ANALYSIS TOOLS OF QGIS AND ARCGIS
Sharanya Sarkar
 
PPTX
Building Search Using OpenSearch: Limitations and Workarounds
Sease
 
PPTX
Webinar: Introduction to LF Energy EVerest
DanBrown980551
 
PDF
[Newgen] NewgenONE Marvin Brochure 1.pdf
darshakparmar
 
PPTX
AI Penetration Testing Essentials: A Cybersecurity Guide for 2025
defencerabbit Team
 
PDF
Using FME to Develop Self-Service CAD Applications for a Major UK Police Force
Safe Software
 
PDF
Cloud Security Best Practices - Part 2

• 3. VNS3 Solution Cases

VNS3 is the only application-centric networking product that offers highly available overlay network connectivity with end-to-end encryption. VNS3 combined with Docker container-based network features allows users to build network functions into a single, secure network. The resulting “security lattice” is a similar, if not better, security strategy than in the traditional enterprise data center. Data-in-motion encryption ensures application owners maintain highly segmented and secure overlay networks.

European mobile application provider improves quality, speed and scale by running dev/test environments in the cloud. The mobile app provider needed to connect multiple cloud-based dev/test topologies to their existing data center assets while guaranteeing encryption for all data in motion. The firm uses VNS3 to launch potentially unlimited identical dev/test topologies and connect those topologies to their existing data centers for integration between internal and cloud version control.

European clothing designer scales and controls capacity expansion to the cloud. A global fashion retailer, designer, and wholesaler created a fashion social networking site with the ability to scale up and down with demand while ensuring secure, encrypted data in motion between the application and the data center. The VNS3 solution provides controls to accommodate internal corporate security requirements normally not available with public cloud infrastructure.

Sports association scales up to public cloud during championship series. During international events the sports league needed extra capacity, stability and security for increased website traffic, event applications and nimble data analytics, but did not want to manage infrastructure. VNS3 gives the association the ability to scale in a variety of cloud regions while providing end-to-end encrypted access to their database servers running in their corporate data center.

Large ERP vendor shifts data center complexities away from clients to reinvent its subscription SaaS business model. The ERP vendor wanted to turn a traditional software solution into a cloud-based, subscription SaaS offering. They needed security, connectivity and flexibility when migrating from customer on-premise installations to public cloud. VNS3 allows the ERP vendor to gain multi-tenancy without re-architecting their application. The vendor guarantees secure customer data and maintains control with integrated NOC services across clouds.
• 4. Security Layers

Part of the “secret sauce” cloud providers and vendors supply is wrapped up in layers of ownership and control in the form of firewalls, isolation, and the cloud edge. Most enterprise application owners assume there are no gaps between the hypervisor layer and the application layer. The National Institute of Standards and Technology paper The NIST Definition of Cloud Computing acknowledges: “The consumer does not manage or control the underlying cloud infrastructure but has control over operating systems, storage, and deployed applications; and possibly limited control of select networking components (e.g., host firewalls).”

Security needs to be a combined effort, where providers and users work together to offer a security and control profile that matches a particular business application’s needs. Gartner analyst Thomas Bittman writes, “a key to cloud computing is an opaque boundary between the customer and the provider.” This opaque boundary is a result of the needs and concerns of the cloud service provider being distinctly different from the needs and concerns of the enterprise cloud user/application owner. The known boundary between what cloud users can control and what the cloud provider controls is the root source of enterprises’ concerns with public cloud.
• 5. Layers of Control

Provider-Owned/Provider-Controlled Security. Most public cloud data centers arguably have significantly better protections in place than the average enterprise. It is important for enterprise IT teams to be familiar with each public cloud provider’s capabilities. The major players have all published extensive white papers detailing their certifications, security practices and principles. As a result, the provider-owned, provider-controlled features (such as the cloud edge and cloud isolation) provide a strong foundation for a powerful security lattice strategy.

Provider-Owned/User-Controlled Security. One of the first techniques to emerge in virtualized infrastructure was port filtering on the hypervisor host’s operating system (e.g. AWS Security Groups, IBM parameters.xml, Google Compute Engine Firewalls, etc.). Port filtering allows connections or packets that have made it to the host machine where instances run to be blocked at the hardware/host OS level, so they never reach a virtual adapter. This security feature occurs “inside the LAN” but before reaching an instance. Public cloud providers allow users to control this hypervisor firewall through network mechanisms such as security groups or configuration files. Recommended best practice is to open only the ports needed for each application use case (and when used with an application SDN, only one port needs to be allowed at this level!).

VNS3 User-Owned/User-Controlled Security. VNS3 network virtualization allows application owners to control addressing, protocol, topology and security. Network virtualization solves the problem of data in motion being visible on the wire, even if a public cloud provider offers VLAN protection. VNS3 provides unique cryptographic keys for each host on the network, and an additional network firewall on the virtual network adapter. Recommended best practice is to use the VNS3 encrypted virtual network and open only the ports needed for the application use case on the VNS3 network firewall.

User-Owned/User-Controlled Security. Assuming a “rogue” packet has made it through the network edge, through the hypervisor filtering, into the isolated VNS3 virtual network, through the VNS3 firewall, and to a host’s primary interface, the host’s own port filtering is the last defense. Ideally, host port filtering is the second-to-last defense when a host uses a virtual network. When using a virtual network, this packet will only be responded to if it arrives on the tunnel port of the virtual network AND carries the unique signature for its stated address AND carries the virtual network switch’s certificate. The final line of defense, in the event the cryptographic credentials were stolen or forged, is your host’s virtual interface. Recommended best practice is to configure the virtual interface to accept only the specific ports from the specific hosts or network masks needed for the application use case.
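The layered checks on this slide, as an added example that is not Cohesive's or VNS3's code: a small Python model walks a constructed packet through the hypervisor port filter, the overlay's tunnel-port, per-host signature and switch-certificate checks, and finally the host's virtual-interface rules, reporting which layer stops it. All ports, addresses, key strings and the certificate name are constructed placeholders.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass
class Packet:
    outer_port: int      # port hit on the host's primary (cloud) interface
    overlay_src: str     # overlay address the sender claims
    app_port: int        # port the decapsulated packet targets on the virtual interface
    signature: str = ""  # per-host credential presented for overlay_src
    cert: str = ""       # overlay switch certificate presented

class Lattice:
    """Walk a packet through each layer, outermost first, and report the verdict."""

    def __init__(self, sg_ports, tunnel_port, host_keys, switch_cert, iface_rules):
        self.sg_ports = set(sg_ports)      # provider-owned/user-controlled hypervisor filter
        self.tunnel_port = tunnel_port     # the single port the overlay needs opened there
        self.host_keys = dict(host_keys)   # overlay address -> expected per-host signature
        self.switch_cert = switch_cert     # certificate of the overlay switch
        # host-owned virtual-interface allow list: (source network, permitted app port)
        self.iface_rules = [(ip_network(n), p) for n, p in iface_rules]

    def evaluate(self, pkt):
        if pkt.outer_port not in self.sg_ports:      # never reaches a virtual adapter
            return "dropped:hypervisor-filter"
        if pkt.outer_port != self.tunnel_port:       # reached the host, but is not overlay traffic
            return "dropped:overlay-tunnel-port"
        if self.host_keys.get(pkt.overlay_src) != pkt.signature:  # key must match stated address
            return "dropped:overlay-signature"
        if pkt.cert != self.switch_cert:             # must carry the switch's certificate
            return "dropped:overlay-certificate"
        src = ip_address(pkt.overlay_src)            # last line: the host's own virtual interface
        if any(src in net and pkt.app_port == port for net, port in self.iface_rules):
            return "accepted"
        return "dropped:host-interface"

def build_example_lattice():
    """Constructed configuration that follows the slide's best practices."""
    return Lattice(
        sg_ports={1194},                        # only the tunnel port is open at the hypervisor
        tunnel_port=1194,
        host_keys={"172.31.1.10": "sig-web-1", "172.31.1.11": "sig-web-2", "172.31.2.20": "sig-db-1"},
        switch_cert="vns3-switch-cert-A",       # constructed stand-in for the switch certificate
        iface_rules=[("172.31.1.0/24", 5432)],  # DB host takes 5432 only from the web subnet
    )

def run_scenarios(lattice):
    """Constructed packets aimed at the DB host; returns scenario name -> verdict."""
    cert = "vns3-switch-cert-A"
    scenarios = {
        # port probe against the primary interface from outside the cloud
        "plain_port_scan": Packet(5432, "203.0.113.5", 5432),
        # tunnel traffic claiming web-1's address but presenting web-2's key
        "forged_address": Packet(1194, "172.31.1.10", 5432, "sig-web-2", cert),
        # correct per-host key, but not the overlay switch's certificate
        "no_switch_cert": Packet(1194, "172.31.1.10", 5432, "sig-web-1", "other-cert"),
        # valid (stolen) credentials of web-1, aimed at a port the DB interface never opened
        "stolen_keys_wrong_port": Packet(1194, "172.31.1.10", 22, "sig-web-1", cert),
        # valid credentials of the DB host itself, but its subnet is not an allowed source
        "stolen_keys_wrong_subnet": Packet(1194, "172.31.2.20", 5432, "sig-db-1", cert),
        # the legitimate web-1 -> DB connection
        "web_to_db": Packet(1194, "172.31.1.10", 5432, "sig-web-1", cert),
    }
    return {name: lattice.evaluate(pkt) for name, pkt in scenarios.items()}
```

The verdict strings make it easy to see that a hypervisor filter opened only to the tunnel port stops plain probes before the overlay is involved, while the interface allow list still catches traffic carrying otherwise valid credentials.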
• 6. Cloud Security with VNS3

Leveraging a layered approach requires cloud application owners to orchestrate cloud provider features, application and software requirements, and security features. Tim Phillips describes it as “virtual application networking”, a feature of the network that allows the application owner to define the requirements of each server and application. In other words, application-focused networking. Application-focused networks, such as overlay networks, can span the cloud stack and offer application-layer control over the underlying infrastructure, which translates into increased security for applications deployed to the cloud.

Cloud networking conversations can similarly be split into two categories: cloud service provider and cloud application. Cloud service provider networking products/projects like OpenFlow are Layer 2 communications protocols that focus on the forwarding plane of network hardware like switches and routers. Cloud service provider software-defined networking (SDN) initiatives will play an increasingly important role as the multi-tenancy models mature and it becomes clear how they will interact with the application/user layer. Until then, there is little offered to the cloud user in the way of security.
• 7. Cloud Security Use Case

Cloud application-focused networking products like VNS3 allow the application users to control addressing, topology, protocols, and encrypted communications in a third-party-controlled public cloud. VNS3 overlay networking users can use hybrid cloud resources across vendors or geographic locations and create a “federated network.” The network is defined in software, which allows them to customize an addressing scheme and provides the ability to control their own topology. IPsec concentrators and SSL encryption add security that is fully owned, controlled, visible and governed by the business application.

VNS3 is an overlay networking device that creates a virtual network that the customer controls and can lay out topologically in ways they see fit. OpenFlow, the well-known SDN enabler from the Open Networking Foundation, focuses below the application at Layer 2. VNS3 runs at the top of the cloud stack, where the application user interacts. The application user can run VNS3 as an application on top of any existing layers outside of their control and visibility. VNS3 creates a network defined in software that gives the user back control of IP addressing and topology at Layer 3: a Layer 3 network of their choice is “overlaid” on top of the existing stack. Recommended best practice is to maintain control of integration, governance and security from the application layer.
• 8. Learn More

Cloud Security Best Practices Part I: Using VNS3 Overlay Network with Private, Public, and Hybrid Clouds. Part II of the Cloud Security Best Practices White Paper will explore the layers of control in public, private and hybrid clouds and how users can create an effective “security lattice” strategy. Download the PDF here.

Contact for Additional Information or Demo - [email protected]. Our solution architects are available to provide additional information about VNS3 or schedule a demo of the features, functions, and common solution cases.

Contact for Overview of Services - [email protected]. Enterprises looking to leverage the potential benefits of Cloud Computing are faced with a wide range of hurdles during their migration. Cohesive Networks is an award-winning market leader in cloud networking. Through our delivered cloud migration engagements we have designed many overlay network architectures ranging in complexity. Cohesive provides a range of cloud and virtualization specific professional services to help enterprises achieve their cloud-based goals.

View our VNS3 Use Cases Webinar series - www.cohesive.net/webinars. CFT Senior Solution Architect Sam Mitchell is presenting a three-part webinar series on VNS3. Recordings of all webinars will be made available after the original air date.

• VNS3 Best Practices - Part 1 of 3. The VNS3 Webinar series will begin by introducing VNS3. Sam walks through the history of VNS3, working with VNS3, the compatibility with public clouds, and a preview of the next 2 webinar use cases.

• VNS3 Solution Cases - Part 2 of 3. This webinar will begin by reviewing some of the topics covered in the VNS3 Best Practices webinar. Sam will then walk through VNS3 technical features and use cases, diagram how we use overlay networks to solve cloud security issues, and preview the next webinar's specific use cases.

• VNS3 Life in the Cloud - Part 3 of 3. VNS3 has helped businesses migrate to the cloud, connect securely to data centers or across clouds and ensure secure connectivity. With specific case studies, Sam will explore the real-life uses of VNS3 in enterprise IT cloud scenarios. We will wrap up the 3-part series and preview the next series, “VNS3 Everywhere.”
• 9. About the Authors

Patrick Kerpan, CEO. Mr. Kerpan is responsible for directing product, technology and sales strategy. Mr. Kerpan brings more than 20 years of software experience to the role of CTO and was one of Cohesive Networks' founders in 2006. Previously he was the CTO of Borland Software Corp, which he joined in 2000 through the acquisition of Bedouin, Inc., a company that he founded. Mr. Kerpan was also the vice president and general manager of the Developer Services Platform group at Borland, where he was instrumental in leading the Borland acquisition of StarBase in 2003. Before founding Bedouin, Inc., Mr. Kerpan was a managing director responsible for derivatives technology at multiple global investment banks.

Chris Swan, CTO. Chris Swan is CTO at Cohesive Networks, where he focuses on product development and product delivery. Chris was previously at UBS, where he was CTO for Client Experience working on strategy and architecture for web and mobile offerings across all regions and business divisions. At UBS Chris was co-head of Security CTO, focussing on identity management, access control and data security. Chris represented UBS as Director on the Steering Committee of the Open Data Center Alliance (ODCA), an industry association focussed on enterprise cloud adoption. Before joining UBS he was CTO at a London-based technology investment banking boutique. Chris previously held various senior R&D, architecture and engineering positions at Credit Suisse, which included networks, security, data centre automation and introduction of new application platforms. Before moving to the world of financial services Chris was a Combat Systems Engineering Officer in the Royal Navy. He has an MBA from OUBS and a BEng from the University of York.

Sam Mitchell, Senior Cloud Solutions Architect. As Senior Cloud Solutions Architect, Sam Mitchell leads all technical elements of the global sales cycle. Mitchell runs demos, technical qualification, technical account management, proofs of concept, technical and competitive positioning, RFI/RFP responses and proposals. Before Cohesive Networks, Mitchell was a Cloud Solution Architect at Platform Computing, which was recently acquired by IBM. He was also a Lead Architect at SITA, where he headed up OSS/BSS Architecture, Design and Deployment activities on SITA's cloud offerings.
• 10. Referenced Works

Open Data Center Alliance (ODCA). 2013 Annual ODCA Membership Survey. 18 March 2014. http://www.opendatacenteralliance.org/docs/ODCA_2013MemberSurvey_FINAL.pdf

Leong, Lydia; Toombs, Douglas; Gill, Bob; Petri, Gregor; Haynes, Tiny. Magic Quadrant for Cloud Infrastructure as a Service. 28 May 2014. http://www.gartner.com/technology/reprints.do?id=1-1UKQQA6&ct=140528&st=sb

Leong, Lydia. Gartner Research - Gartner for Business Leaders. Research Roundup for Cloud Infrastructure as a Service, 2012. 19 July 2012. http://my.gartner.com/portal/server.pt?open=512&objID=256&mode=2&PageID=2350940&resId=2086515&ref=QuickSearch&sthkw=hybrid+cloud+security

Mell, Peter and Grance, Timothy. Computer Security Division, Information Technology Laboratory, National Institute of Standards and Technology. The NIST Definition of Cloud Computing. Sep. 2011. http://csrc.nist.gov/publications/nistpubs/800-145/SP800-145.pdf

Bittman, Tom. Gartner Research - Gartner Analyst Blogs. Clarifying Private Cloud Computing. 18 May 2010. http://blogs.gartner.com/thomas_bittman/2010/05/18/clarifying-private-cloud-computing

Phillips, Tim. The Register. Let software take the strain off your data centre: Provisioning made easy. 28 Feb 2013. http://www.theregister.co.uk/2013/02/28/datacentre_sdn/

Open Networking Foundation. https://www.opennetworking.org/