5 cloud server security tips for 2013
Here are your 5 cloud security tips for 2013 (in no particular order):
Tip #1: Lock down the server firewall
Big surprise – a firewall management service provider telling you to lockdown the firewall, but putting aside the brand of our soap box, the firewall is the front-line defence for all security.
In fact, 73% of IT professionals agree, according to the Ponemon Research study on cloud security. But while there’s a general consensus to use the firewall, few know how to do it properly.
So here’s one little tip from the experts: Make sure you only open admin and other service ports when, for whom/what, and for as long as you need.
Don’t, for example, leave SSH open to 0.0.0.0/0 or every bad guy out there will be brute force attack your servers. The same is true for RDP (which is often vulnerable to zero-day attacks (see Morto worm) and other protocols.
Tip #2: Log, log, log, log, log
It’s really hard to defend against attacks that you don’t see and/or record. And it’s impossible to demonstrate compliance with regulations if you don’t log.
The cloud is especially difficult to log because: a) it operates outside your traditional infrastructure, where many of your monitoring solutions/services don’t operate, and b) logs stored on your cloud server are vaporised when you tear down machines.
So make sure you’re using a third party logging service, either built within your security tool and/or as an additive service, to log who’s accessing your servers, when, from where, for what, and for how long, as well as applications, attacks, and anything and everything else possible so that you can audit and report on policies, activities, compliance, and events.
Tip #3: Encrypt your data
And by encrypt the data, we mean before it’s written to your cloud server. Use an encryption gateway (e.g., CiperCloud, Porticor, etc.).
Most folks forget that many of our common transport layers are already encrypted (e.g., SSL, SSH, etc.). So VPN isn’t critical to cloud infrastructure, especially if you’re using Dome9 (see our post on VPN Clients are Dead in the Cloud).
But it’s critical (and required, by law in some cases) to encrypt your data, so do it.
Tip #4: Use strong authentication
Strong passwords are not enough. Too many of today’s major breaches and security events are the result of –at least in part – vulnerable and/or stolen passwords. Make sure you use 2-factor / strong authentication to remove (at least in part) the all-too-fallible human quotient from the authentication layer.
There are several ways to do this; explicitly, with a 2-factor authentication solution/service, and implicitly with a methodology or process-driven technology like Dome9, which closes the login service altogether unless the user authenticates independently first with another source. We recommend both, naturally.
Tip #5: Take responsibility
The Ponemon Research study found that most people don’t know who’s responsible for their cloud security. When asked, responsibility was almost evenly assigned to the customer, provider, or both. But this ambiguity leads to big gaps. In the same study, 42% said they wouldn’t know if their cloud was hacked, and 39% thought their provider would tell them (wishful thinkers).
The net is, take responsibility. Because if you think someone else is responsible, you’re setting yourself up.
You may not be the “security guy” – that may be someone else’s “job.” But you can schedule a meeting, set up a committee, instigate a discussion – whatever – to build a plan, drive action, and make security a priority.
Think we’ve missed something? Feel free to comment or reply to let us know!