Committing to the Cloud: how far should you go?

Blog by: Mark Wainwright, Enterprise Security Solutions, Adept4 - 11-May-2017

Security and control have always been the stumbling blocks when it comes to cloud adoption, but security services and tools are now available that eradicate many of these concerns. Cloud Service Providers have embraced the security challenges by deploying isolation, encryption, filtering and mitigation solutions, and confidence has grown as a result. According to a recent study by the Cloud Security Alliance (CSA), 65 percent of IT personnel trust the Cloud as much as, if not more than, their on-premises solutions.

The same study also found that demand is ramping up, with IT departments receiving more than ten requests a month for cloud-based applications. Failing to keep up with this demand poses a threat in itself: some audits have revealed thousands of unsanctioned cloud services active on the network, showing that Shadow IT is a real issue. It’s therefore imperative that the enterprise adopts a proactive rather than reticent stance towards cloud migration. Committing to the Cloud cuts CAPEX and provides flexibility, agility and that all-important scalability, but how far should you go?

Cloud migration very much depends on the appetite of the business, but it’s certainly no longer true that on-premises hosting confers greater security. Provided adequate precautions are taken to protect sensitive data, there’s no longer any reason to assume data in the Cloud is less secure. Key management is a good example of how things have progressed. HSM-protected keys let you retain control of the encryption keys and the cryptographic operations performed with them. You can securely generate, store and manage the cryptographic keys in Microsoft Azure’s Key Vault, or hold them on-premises, for example, in an approach dubbed Bring Your Own Key (BYOK).

However, many organisations aren’t yet at the stage where they can migrate fully to the Cloud. Regulatory, financial or logistical constraints simply make it unviable to commit completely. For these businesses, the hybrid approach promises the best of both worlds, allowing the organisation to capitalise on existing on-premises investment while integrating applications, data and processes by building what Microsoft terms the “API-enabled and -connected enterprise”. Application and networking services such as optimisation, acceleration, access control, DNS services and SAML federation operate exactly the same way in the cloud as they do on-premises. As a result, there’s no need to build unique policies and configurations specifically to support applications hosted in the cloud.

Microsoft Azure is leading the way with secure hybrid Cloud through its virtualised environment. Because tenant workloads run as standalone virtual machines that go via the Azure Hypervisor without interacting with the physical host server, risks are minimised. The Hypervisor acts as a filter between the user and the resource, passing requests via the VMBus interface and preventing direct access to physical resources.

When it comes to Cloud security, the same questions tend to crop up time and time again. Cloud providers have worked hard to allay these concerns and Azure is no exception. It addresses the following prime security issues:

Is remote access secure? Passing your data into the Cloud can feel like surrendering control. However, in a hybrid scenario, encryption ensures that data held in the cloud is transmitted in accordance with the organisation’s own identity and access management mechanisms. Site-to-site VPN or point-to-site VPN can be used to extend the on-premises datacenter to the cloud. In addition, ExpressRoute permits the creation of private connections that do not go over the public Internet, conferring even greater security, higher speed and lower latency than Internet connectivity.

How do I control authentication off-premises? Giving users access to the Cloud wherever they are and from any device has led some organisations to limit access to certain user groups. But integration with on-premises Active Directory, directory sync and single sign-on now extend the reach of on-premises identity management, removing barriers without compromising security. Federated applications can provision user access and generate and store passwords in a password vault, improving password management. It’s also possible to subscribe to Identity as a Service (IDaaS) to replicate on-premises directories, while additional security measures include two-factor authentication via a mobile app, SMS or phone call.

Will my data be transmitted securely? Data at rest is easier to store securely; for the Cloud, the issue has always been how to ensure data in transit is protected. In Azure, transmitted data can be encrypted before it is sent into the Cloud using 128-bit public/private key pairs. Azure Storage uses primary and secondary key encryption to ensure data at rest is secured, and these keys can be stored in the on-premises datacenter.

Could other users access my data? Previously, multi-tenant architectures ran the risk of an attacker gaining access to your data by compromising another client on the same infrastructure. However, Microsoft Azure provides network access control and segregation that restricts traffic inbound to your virtual machines. Network filtering blocks the spoofed traffic an attacker would use to find an entry point, while Network Address Translation keeps internal and external traffic separate. Internal IP addresses are only routable within Azure, while external traffic is firewalled. Additional filtering on the host OS adds yet further security.
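To make the inbound restriction and anti-spoofing points concrete, here is an added example (not from the Adept4 post and not Azure's configuration format) that models priority-ordered inbound filtering of the kind a network security group applies to a virtual machine, with a weak rule set beside a hardened one, plus the source-address check that drops forged packets. The rule fields, address ranges and sample packets are constructed for illustration.

```python
"""Added example (not from the Adept4 post): a simplified model of
priority-ordered inbound filtering for a VM and an anti-spoofing check.
Rule syntax, prefixes and packets are constructed, not Azure's own format."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Rule:
    priority: int             # lower number is evaluated first; first match wins
    name: str
    source: str               # CIDR prefix, or "*" for any source
    dest_port: Optional[int]  # None matches any destination port
    action: str               # "allow" or "deny"


@dataclass
class Packet:
    src_ip: str
    dst_port: int


def evaluate(rules: List[Rule], packet: Packet) -> str:
    """Return the action of the first matching rule in ascending priority.
    If nothing matches, deny: the safe default for traffic from the Internet."""
    src = ipaddress.ip_address(packet.src_ip)
    for rule in sorted(rules, key=lambda r: r.priority):
        src_ok = rule.source == "*" or src in ipaddress.ip_network(rule.source)
        port_ok = rule.dest_port is None or rule.dest_port == packet.dst_port
        if src_ok and port_ok:
            return rule.action
    return "deny"


def is_spoofed(packet: Packet, vm_subnet: str) -> bool:
    """Anti-spoofing check on traffic leaving a VM: a packet whose source
    address is not in the VM's own subnet carries a forged source."""
    return ipaddress.ip_address(packet.src_ip) not in ipaddress.ip_network(vm_subnet)


# Weak: the management port is reachable from anywhere on the Internet.
WEAK_RULES = [Rule(100, "allow-rdp-any", "*", 3389, "allow")]

# Hardened: management only from the on-premises range reached over the
# site-to-site VPN (constructed prefix 10.20.0.0/16), HTTPS from anywhere,
# and an explicit catch-all deny at the lowest priority.
HARDENED_RULES = [
    Rule(100, "allow-rdp-from-onprem", "10.20.0.0/16", 3389, "allow"),
    Rule(110, "allow-https", "*", 443, "allow"),
    Rule(4096, "deny-all-inbound", "*", None, "deny"),
]


if __name__ == "__main__":
    internet_rdp = Packet("203.0.113.7", 3389)
    print("weak:", evaluate(WEAK_RULES, internet_rdp))          # allow
    print("hardened:", evaluate(HARDENED_RULES, internet_rdp))  # deny
    print("spoofed:", is_spoofed(Packet("198.51.100.1", 80), "10.0.1.0/24"))
```

The weak and hardened sets differ only in the source prefix on the management rule and the presence of a catch-all deny; evaluating the same packet against both shows why the default should be deny with narrow, high-priority allows.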

What happens in the event of an incident? Attacks will happen, but rather than adopting a passive mode of defence, security monitoring agents can be used to proactively search for suspect activity. These are deployed on native and virtual nodes to continuously police the system and look for changes in server IP addresses, attempts to gain unauthorised access, changes to system settings or user privileges, or driver installations, for example. Such events are flagged, collected and logged for the attention of the administrator, and the logs are kept for as long as required to comply with the company’s auditing requirements.

Threats are always evolving, so how are these mitigated in the Cloud? Continuous monitoring is used to detect threats and prevent exploits, with alerts triggered by anomalous actions. Antimalware is enabled by default on servers, and third-party tools can be used to mitigate attacks ranging from Distributed Denial of Service (DDoS) to privilege abuse, with dedicated incident response provided by a Security Incident Management team. Penetration testing services can also be used to identify any vulnerabilities in the hybrid infrastructure. In addition, patch management ensures security patches are applied as soon as they are issued.
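The incident-handling and continuous-monitoring paragraphs above both describe agents that watch for IP address changes, unauthorised access attempts, privilege or setting changes and driver installations, then flag and log them for the administrator. The following is an added example, not the post's or any vendor's agent code, of that detection logic run over a constructed batch of host events. The event schema, baseline addresses and the failed-logon threshold are assumptions.

```python
"""Added example (not from the Adept4 post): host-monitoring checks of the
kind the article's security monitoring agents perform, run over constructed
sample events. Event format, baseline and threshold are assumptions."""
import logging
from collections import Counter
from typing import Dict, List, Tuple

logging.basicConfig(level=logging.INFO, format="%(levelname)s %(message)s")
LOG = logging.getLogger("monitor")

# Baseline recorded when the agent was deployed: expected server addresses.
BASELINE_IPS: Dict[str, str] = {"web01": "10.0.1.4", "db01": "10.0.2.8"}
FAILED_LOGON_THRESHOLD = 5  # assumption: 5 failures from one source is suspect

# Constructed sample events (not real logs). The five identical logon
# failures model a credential-guessing attempt against web01.
SAMPLE_EVENTS: List[dict] = (
    [
        {"host": "web01", "type": "ip_observed", "value": "10.0.1.4"},
        {"host": "db01", "type": "ip_observed", "value": "10.0.2.99"},
    ]
    + [{"host": "web01", "type": "logon_failed", "user": "admin", "src": "203.0.113.5"}] * 5
    + [
        {"host": "db01", "type": "privilege_change", "user": "svc_backup", "value": "Administrators"},
        {"host": "web01", "type": "driver_installed", "value": "unsigned_filter.sys"},
        {"host": "web01", "type": "setting_changed", "value": "firewall_enabled=false"},
    ]
)

Alert = Tuple[str, str, str]  # (kind, host, detail)


def detect(events: List[dict], baseline: Dict[str, str] = BASELINE_IPS,
           threshold: int = FAILED_LOGON_THRESHOLD) -> List[Alert]:
    """Walk the event batch and return the alerts an administrator should see.
    Each alert is also written to the log so it can be retained per audit policy."""
    alerts: List[Alert] = []
    failures: Counter = Counter()
    for e in events:
        kind = e["type"]
        if kind == "ip_observed":
            expected = baseline.get(e["host"])
            if expected is not None and expected != e["value"]:
                alerts.append(("ip_change", e["host"], f"{expected} -> {e['value']}"))
        elif kind == "logon_failed":
            key = (e["host"], e["src"])
            failures[key] += 1
            if failures[key] == threshold:  # alert once, when the threshold is hit
                alerts.append(("brute_force", e["host"],
                               f"{threshold} failed logons for {e['user']} from {e['src']}"))
        elif kind == "privilege_change":
            alerts.append(("privilege_change", e["host"], f"{e['user']} added to {e['value']}"))
        elif kind == "driver_installed":
            alerts.append(("driver_install", e["host"], e["value"]))
        elif kind == "setting_changed":
            alerts.append(("setting_change", e["host"], e["value"]))
    for kind, host, detail in alerts:
        LOG.warning("%s on %s: %s", kind, host, detail)
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

The checks are deliberately stateless beyond the batch: a real agent would persist the baseline and failure counters between runs and forward the log records to a central store so retention matches the auditing requirement rather than the lifetime of the host.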

In summary, a hybrid Cloud lets you deliver and manage applications consistently across your IT environment. Existing trusted applications and networking services can be taken directly into the Cloud and remain easy to provision, manage and control. Combining the on-premises datacenter with an in-Cloud offering allows the business to leverage existing investment and exploit new virtual technology, reduces the threat of shadow IT, and confers not just better performance, access and availability, but also more robust security.

Topics: Security, Cloud, Cloud Migration