Companies migrate to Infrastructure as a Service (IaaS) for its flexibility and speed. Gartner says that "by 2020, businesses that do not use the cloud will be as rare as those that do not use the Internet today."
However, IaaS brings new security challenges, as the Cloud Security Alliance (CSA) has established. The most important is the shared responsibility model:
- Your provider is responsible for the security *of* the cloud (the global infrastructure: compute, storage, databases, networking, etc.)
- You are responsible for security *in* the cloud (your data, platforms, applications, operating systems, firewall rules, identities and access management, etc.), and we can manage that with and for you!
Once the consequences of this model are understood, you have to trust your IaaS provider to respect its share of the responsibility, and you have to take care of yours. To make your life easier, we help organizations secure their migration to IaaS platforms such as Amazon Web Services (AWS) and Microsoft Azure.
Top 3 Cloud Security Risks in IaaS: Configuration Errors, Vulnerabilities and Shadow IT.
1- Avoid bad configurations. Apply cloud security best practices
As a cloud customer, you have many security settings to configure, and they are often cumbersome and complicated, especially for a company that has just migrated to IaaS. Following the model of a DevOps continuous-delivery pipeline, we developed an automated process that uses the cloud provider's APIs to check these settings. It assesses your configuration without touching your production or network servers.
a. Discover your infrastructure and your initial security configuration.
The discovery process is fast and non-intrusive. Unlike on a traditional network, we do not need to rely on network scanning: we simply query the IaaS APIs, which already know every asset in the account.
Benefits: assets are discovered without any impact on network traffic (no added latency or congestion). Because no packets are sent to the assets, there is no risk of fingerprinting false positives or of a probe causing a shutdown or hang. Asset discovery is also very fast. One caveat: the inventory is only as complete as the read-only credentials used for discovery, so every region and every account has to be covered.
b. Correct security configuration errors and reduce the time it takes to comply with cloud standards, certifications, and security benchmarks.
IaaS is not managed like traditional IT: it is driven by code and APIs. So instead of testing for a faulty configuration by probing it, with all the noise and side effects that entails, we read the configuration of the deployment through the APIs and compare it to reference profiles. These profiles are built from certifications and security benchmarks such as the CIS Benchmarks (we are CIS partners).
For example, in AWS we query your account and compare it to a set of 52 security rules. We then advise you on how to fill the gaps, reach the required level of compliance, obtain a 5-star security rating and reduce the threats.
CIS-AWS – 1.1 Avoid the use of the "root" account – Risk Level: High
Description: The "root" account has unrestricted access to every resource in the account, so using it is dangerous and should be avoided wherever possible. Users should practice least privilege: create specific IAM user accounts (or roles) and grant them only the minimum permissions needed to do their work. Privileges can be added to their scope later, but no day-to-day identity should ever carry the power of the root entity. We test your account to determine that a non-root entity exists, i.e. that you have at least one IAM user configured to perform daily work functions. The benchmark's audit procedure also reads the IAM credential report to see when the root password and root access keys were last used.
Resolution: Create an IAM user and grant it only the permissions needed for daily functions; keep the root credentials, protected by MFA, for the few tasks that genuinely require them.
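The following is an added example of this kind of API-driven benchmark check, written for this page and not the vendor's own tooling. It evaluates the IAM credential report (the CSV that the real `iam:GetCredentialReport` API returns) entirely offline, so the report text below is constructed sample data; the 30-day window for "recent" root activity is an assumption, not a CIS-specified value. It goes slightly beyond the prose by also flagging active root access keys and a missing root MFA device, since both come from the same report.

```python
"""Offline check for CIS AWS 1.1 (avoid use of the root account) over an IAM credential report."""
import csv
import io
from datetime import datetime, timedelta, timezone

ROOT_USE_WINDOW_DAYS = 30  # assumption: root activity within this window is flagged

# Constructed sample report; the column layout follows the real credential report.
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service,cert_1_active,cert_1_last_rotated,cert_2_active,cert_2_last_rotated
<root_account>,arn:aws:iam::123456789012:root,2019-01-10T09:00:00+00:00,not_supported,2024-05-28T14:02:11+00:00,not_supported,not_supported,true,true,2019-01-10T09:05:00+00:00,2024-05-20T08:00:00+00:00,us-east-1,s3,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
alice,arn:aws:iam::123456789012:user/alice,2022-03-01T10:00:00+00:00,true,2024-05-30T07:45:00+00:00,2024-03-01T10:00:00+00:00,2024-06-01T10:00:00+00:00,true,true,2024-03-01T10:00:00+00:00,2024-05-30T07:50:00+00:00,eu-west-1,ec2,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
"""


def _parse_ts(value):
    """Return an aware datetime, or None for the report's non-date markers."""
    if value in ("N/A", "no_information", "not_supported", ""):
        return None
    return datetime.fromisoformat(value)


def check_root_usage(report_csv, now=None, window_days=ROOT_USE_WINDOW_DAYS):
    """Evaluate the rules behind CIS AWS 1.1 on a credential report.

    Returns {"non_root_users": [...], "failures": [...]}; an empty failures
    list means the check passes.
    """
    now = now or datetime.now(timezone.utc)
    rows = list(csv.DictReader(io.StringIO(report_csv)))
    root = next((r for r in rows if r["user"] == "<root_account>"), None)
    if root is None:
        raise ValueError("credential report has no <root_account> row")
    cutoff = now - timedelta(days=window_days)
    failures = []

    # 1. Daily work must be done with IAM identities, not with root.
    non_root = [r["user"] for r in rows if r is not root]
    if not non_root:
        failures.append("no IAM user exists; all work would be done as root")

    # 2. Recent root sign-ins (password) or root access-key use are flagged.
    for field in ("password_last_used", "access_key_1_last_used_date",
                  "access_key_2_last_used_date"):
        last = _parse_ts(root[field])
        if last is not None and last >= cutoff:
            failures.append(f"root {field} = {root[field]} (within {window_days} days)")

    # 3. Root should have no access keys at all (no programmatic root access).
    for key in ("access_key_1_active", "access_key_2_active"):
        if root[key] == "true":
            failures.append(f"root {key} is true; delete the root access key")

    # 4. Root should be protected by MFA (a separate CIS control, but it comes
    #    from the same report, so it is cheap to report here).
    if root["mfa_active"] != "true":
        failures.append("root account has no MFA device")

    return {"non_root_users": non_root, "failures": failures}


def fetch_credential_report():
    """Fetch the live report with boto3 (real IAM API calls; needs AWS credentials).

    Not called by the offline demo below.
    """
    import time
    import boto3
    iam = boto3.client("iam")
    while iam.generate_credential_report()["State"] != "COMPLETE":
        time.sleep(2)
    return iam.get_credential_report()["Content"].decode()


if __name__ == "__main__":
    result = check_root_usage(SAMPLE_REPORT,
                              now=datetime(2024, 6, 1, tzinfo=timezone.utc))
    print("non-root users:", result["non_root_users"])
    for failure in result["failures"]:
        print("FAIL:", failure)
```

In a real assessment, `fetch_credential_report()` replaces `SAMPLE_REPORT`; the evaluation logic stays the same, which is exactly the point of reading configuration through the API rather than probing the deployment.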
By checking the configuration with more than a hundred tests, we analyze the complete configuration of your cloud estate and report the settings that are incorrect or insufficient.
c. Monitor your infrastructure continuously and raise alerts when changes or new security vulnerabilities are detected.
Test environments, new infrastructure configurations, new application deployments: changes occur every day, and their pace keeps accelerating. Any of them can open a major security hole, so the checks must be re-run on every change, in near real time, rather than once at audit time.
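As an added example of such change monitoring (written for this page, not the vendor's own engine), the script below compares two security-group snapshots and raises an alert for each newly added ingress rule, graded by how exposed it is. The snapshots are constructed and shaped like `ec2:DescribeSecurityGroups` output; in practice the "latest" snapshot would be pulled on a schedule or on a CloudTrail `AuthorizeSecurityGroupIngress` event and compared with the stored baseline. The list of sensitive ports and the severity grading are assumptions.

```python
"""Drift detection over security-group snapshots: alert on newly opened ingress."""

# Assumptions: which ports count as sensitive, and what "world-reachable" means.
SENSITIVE_PORTS = {22: "ssh", 3389: "rdp", 3306: "mysql", 5432: "postgres"}
WORLD = {"0.0.0.0/0", "::/0"}
SEVERITY_RANK = {"high": 0, "medium": 1, "low": 2}

# Constructed baseline snapshot (shape of DescribeSecurityGroups, trimmed).
BASELINE = [
    {"GroupId": "sg-0a1b2c3d", "GroupName": "web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []},
    ]},
]

# Constructed later snapshot: SSH opened to the world, and a new "db" group
# whose MySQL port is exposed to the world as well as to an internal subnet.
LATEST = [
    {"GroupId": "sg-0a1b2c3d", "GroupName": "web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}, {"CidrIp": "0.0.0.0/0"}],
         "Ipv6Ranges": []},
    ]},
    {"GroupId": "sg-0f9e8d7c", "GroupName": "db", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}, {"CidrIp": "10.0.1.0/24"}],
         "Ipv6Ranges": []},
    ]},
]


def _ports(perm):
    """Port range of a permission; protocol -1 (all traffic) has no port keys."""
    if perm["IpProtocol"] == "-1":
        return 0, 65535
    return perm.get("FromPort", 0), perm.get("ToPort", 65535)


def flatten(snapshot):
    """Turn a DescribeSecurityGroups-shaped list into a set of atomic ingress rules.

    Each rule is (group_id, protocol, from_port, to_port, cidr), so that adding
    one CIDR to an existing permission shows up as exactly one new rule.
    """
    rules = set()
    for sg in snapshot:
        for perm in sg["IpPermissions"]:
            lo, hi = _ports(perm)
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            for cidr in cidrs:
                rules.add((sg["GroupId"], perm["IpProtocol"], lo, hi, cidr))
    return rules


def classify(rule):
    """Grade a single ingress rule: (severity, reason)."""
    _group, proto, lo, hi, cidr = rule
    if cidr not in WORLD:
        return "low", "internal source " + cidr
    exposed = [name for port, name in SENSITIVE_PORTS.items() if lo <= port <= hi]
    if exposed or proto == "-1":
        return "high", "world-reachable " + (",".join(exposed) or "all traffic")
    return "medium", "world-reachable port range"


def evaluate_drift(before, after):
    """Compare two snapshots; return (alerts for added rules, list of removed rules)."""
    old, new = flatten(before), flatten(after)
    alerts = []
    for rule in new - old:
        severity, reason = classify(rule)
        alerts.append({"severity": severity, "reason": reason, "group": rule[0],
                       "rule": f"{rule[1]} {rule[2]}-{rule[3]} from {rule[4]}"})
    alerts.sort(key=lambda a: (SEVERITY_RANK[a["severity"]], a["group"], a["rule"]))
    return alerts, sorted(old - new)


if __name__ == "__main__":
    added, removed = evaluate_drift(BASELINE, LATEST)
    for alert in added:
        print(f"[{alert['severity'].upper()}] {alert['group']}: {alert['rule']} ({alert['reason']})")
    for rule in removed:
        print("[INFO] removed:", rule)
```

Removed rules are reported separately rather than as alerts: tightening a group is usually intended, but it can also break a workload, so it belongs in the change log. Running the comparison after every deployment (or on each relevant CloudTrail event) is what turns a one-off audit into the continuous monitoring described above.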