In this, the final post in my series on considerations for managing your security with cloud services, we will be looking at Infrastructure as a Service (IaaS). If you haven’t yet read the previous blog entries about SaaS and PaaS, it’s worth going back to read these first, as much of the thinking associated with these services is also true for IaaS.
Infrastructure as a Service
IaaS is (or can be, depending on exactly which services you choose to purchase) the closest thing to traditional on-site IT infrastructure. IaaS provides you with cloud-hosted servers/network infrastructure upon which you run your own software and configurations. The most common examples that people consider when they think about IaaS are AWS EC2 and Azure's server infrastructure, but it could equally be backup/storage or virtualised networking infrastructure.
Due to the similarity with on-premises infrastructure, many of your existing security processes may still be appropriate. A traditional antivirus or patch management tool, for example, may support deployment in the cloud, but that doesn't necessarily mean the security processes built around it can be applied unchanged.
IaaS Specific Challenges
One of IaaS’s most significant differences is elasticity, which gives the ability to create new devices ‘on-the-fly’. There are significant advantages to be had by being able to spin up new virtual servers with a predefined configuration and then dynamically remove them when you’re done. Most people associate this elasticity with scaling up cloud infrastructure to support web front ends, but it’s just as likely to be powering up a virtual desktop infrastructure (VDI) where clients may access their data/applications when needed. This non-persistence, however, could prove to be a significant challenge to your existing security tools.
The first key thing to identify is whether your tooling supports an elastic model of machine creation. For example, if your antivirus runs out of licenses when too many clients log in at one time, you may run into an issue very quickly. Equally, if your tooling has no process for automatically returning licenses to the pool when a machine is deleted, keeping on top of persistent and non-persistent devices could prove to be a significant management challenge.
But licensing is just one aspect of the challenge. Consider audit and forensic logs for machines that can be dynamically deleted. Your logging must now handle newly provisioned machines that might be “shared” by a great many users over time but are in fact unique instances. Making sure that you retain the information needed to trace a data leak back to a specific instance and user becomes far more important with these dynamic assets.
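As an added illustration of the point above (example code, not from the original post), the snippet below resolves access-log lines that only carry a hostname back to the unique instance that owned that hostname at the time. The lifecycle records, hostnames, users and file names are all constructed sample data; a line that no instance can claim is surfaced as `None`, which is itself worth investigating (a missing lifecycle event or clock skew).

```python
from datetime import datetime

# Constructed sample data, not from the original post. Two instances reused the
# hostname "vdi-07" one after the other; the access log only records the hostname.
LIFECYCLE = [  # (instance_id, hostname, launched, terminated-or-None)
    ("i-0aaa", "vdi-07", "2024-03-01T08:00", "2024-03-01T09:00"),
    ("i-0bbb", "vdi-07", "2024-03-01T09:05", None),
]
ACCESS_LOG = [
    "2024-03-01T08:30 vdi-07 user=alice action=download file=payroll.xlsx",
    "2024-03-01T09:10 vdi-07 user=bob action=download file=payroll.xlsx",
    "2024-03-01T09:02 vdi-07 user=carol action=login",  # falls in the gap between instances
]

def _t(s):
    return datetime.fromisoformat(s)

def resolve_instance(hostname, ts, lifecycle):
    """Return the instance id that owned `hostname` at time `ts`, or None if none was alive."""
    for inst, host, launched, terminated in lifecycle:
        if host != hostname:
            continue
        if _t(launched) <= ts and (terminated is None or ts < _t(terminated)):
            return inst
    return None

def attribute(log_lines, lifecycle):
    """Map each log line to (instance_id, user, action).

    Keyed on hostname alone, alice's and bob's downloads would look like the
    same machine; keyed on instance id they are two distinct hosts.
    """
    out = []
    for line in log_lines:
        ts_s, host, *kv = line.split()
        fields = dict(p.split("=", 1) for p in kv)
        out.append((resolve_instance(host, _t(ts_s), lifecycle),
                    fields["user"], fields["action"]))
    return out

def unattributed(log_lines, lifecycle):
    """Log lines that no instance can claim: gaps in lifecycle logging to chase up."""
    return [line for line, (inst, _, _) in zip(log_lines, attribute(log_lines, lifecycle))
            if inst is None]

if __name__ == "__main__":
    for row in attribute(ACCESS_LOG, LIFECYCLE):
        print(row)
    print("unattributed:", unattributed(ACCESS_LOG, LIFECYCLE))
```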
Scoring with elasticity in mind
Taking the above challenge of elasticity one step further, there are also implications for reporting. If assets are dynamically removed, what does it mean to report on a vulnerability that existed only for a period of time, and how can you best score risk at any given moment? If your on-premises tools have no awareness of your approach to dynamic machine provisioning, there’s a risk that your high-level scoring will be skewed significantly by under- or overstated risks. If scores are calculated at report time based on an application existing on a machine that only ran for an hour or so before the vulnerability’s risk level was raised, you might end up with skews that don’t accurately represent the “true” risk. Understanding how vulnerability scoring is calculated, therefore, is very important.
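As an added worked example (not from the original post) of the skew described above, the code below scores one vulnerability three ways over a constructed inventory of three instances, one long-lived and two short-lived: a snapshot of hosts running at report time (understates, because the short-lived hosts were exposed but are gone), a count of every instance ever seen (overstates, because a 30-minute host weighs the same as a permanent one), and an exposure-weighted score that scales by how long each instance was alive while the vulnerability was known. The instance ids, score, timestamps and 24-hour window are all assumptions for the example.

```python
from datetime import datetime, timedelta

# Constructed sample data, not from the original post: (launched, terminated-or-None)
# for three instances, and one vulnerability whose severity was raised mid-day.
INSTANCES = {
    "i-web-01": ("2024-03-01T00:00", None),                  # long-lived, still running
    "i-web-02": ("2024-03-01T08:00", "2024-03-01T09:00"),    # ran for one hour
    "i-web-03": ("2024-03-01T08:15", "2024-03-01T08:45"),    # ran for 30 minutes
}
VULN = {"id": "VULN-EXAMPLE", "score": 9.8,
        "affected": {"i-web-01", "i-web-02", "i-web-03"},
        "raised_at": "2024-03-01T08:30"}
REPORT_AT = "2024-03-02T00:00"

def _t(s):
    return datetime.fromisoformat(s)

def snapshot_score(vuln, instances, report_at):
    """Only hosts still running at report time count: the short-lived hosts vanish (understates)."""
    running = [i for i in vuln["affected"]
               if instances[i][1] is None or _t(instances[i][1]) > _t(report_at)]
    return vuln["score"] * len(running)

def ever_seen_score(vuln, instances, report_at):
    """Every instance ever seen counts at full weight, however briefly it ran (overstates)."""
    return vuln["score"] * len(vuln["affected"])

def exposure_hours(vuln, instances, report_at, window_hours=24):
    """Hours each instance was alive AND the vulnerability was known, within the reporting window."""
    end = _t(report_at)
    start = end - timedelta(hours=window_hours)
    raised = _t(vuln["raised_at"])
    hours = {}
    for inst in sorted(vuln["affected"]):
        launched, terminated = instances[inst]
        lo = max(_t(launched), raised, start)
        hi = min(_t(terminated) if terminated else end, end)
        hours[inst] = max((hi - lo).total_seconds(), 0) / 3600
    return hours

def exposure_weighted_score(vuln, instances, report_at, window_hours=24):
    """Score scaled by the fraction of the window each instance was actually exposed."""
    hours = exposure_hours(vuln, instances, report_at, window_hours)
    return round(vuln["score"] * sum(hours.values()) / window_hours, 2)

if __name__ == "__main__":
    print("snapshot  :", snapshot_score(VULN, INSTANCES, REPORT_AT))
    print("ever seen :", ever_seen_score(VULN, INSTANCES, REPORT_AT))
    print("exposure  :", exposure_hours(VULN, INSTANCES, REPORT_AT))
    print("weighted  :", exposure_weighted_score(VULN, INSTANCES, REPORT_AT))
```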
The hidden benefits
You might now be thinking that elasticity is more of a risk than a benefit for security, but the opposite can be true. IaaS elasticity could mean that “bad” machines can be rotated out quickly, newly patched hosts rolled in and entire desktop infrastructures seamlessly updated for clients without the traditional pain (and therefore without the associated resistance from end-users). This approach also encourages faster and easier testing, which is key for both forensic data gathering and vulnerability assessment. A bad machine might be “frozen” for offline assessment whilst a new machine is provisioned to maintain current business operations, and scanning clones of live servers to reduce the risk of impacting live services is gaining popularity in a number of organisations, greatly increasing application and server owners’ comfort with more intensive vulnerability assessments.
I hope this series has helped with your planning to expand your security monitoring in an increasingly hybrid world of traditional on-premises infrastructure and online infrastructure, software and platform as a service offerings. There are many challenges facing security teams looking to adapt to this world, but it also provides many opportunities to tighten security and further reduce organisational risk. Exploring these in detail may really help you to master the expanded world of security tooling and better your practices.
FURTHER READING ON CLOUD SERVICE MODELS:
- Secure Configuration in Cloud – IaaS, PaaS and SaaS
- Security for Cloud Services: SaaS Deep Dive
- Security for Cloud Services: PaaS Deep Dive