Protecting your publicly accessible workload matters for every organization, whether the concern is customer data or your own intellectual property, because an exposed workload can leak a lot of important information to the world or to your competitors. "Publicly accessible" usually means a web server listening on the HTTP or HTTPS port, or some other back-end application listening on an arbitrary port.
Most of the time your web services are exposed as HTTP/HTTPS REST API endpoints, and that is a valid use case, but other sensitive ports such as Windows RDP and Linux SSH are often left open to the public for no known reason, or because the teams concerned are unaware of the security consequences.
As long as you are aware of the need to protect your workload, you will take the required actions; they are not very complex, you don't need to invest much in third-party security products, and these basic actions are sufficient to protect you from all major security incidents.
I have worked in many companies and experienced that a heavy IDS/IPS or other scanning feature within the workload is not always mandatory, and even without it you can survive. I am not saying that you should not have those features, but even without them you can achieve a good amount of protection, so in this blog I am going to talk about how you can protect your cloud workload by following some important actions. I will relate it to AWS Cloud security features, but you can easily relate it to other cloud providers like GCP and Azure, as the following topics are generic networking concepts that these cloud vendors provide you as flexible self-service.
The discussion is broadly categorized in two areas:
- Security tuning inside your instances, and
- Security configuration outside of your instances.
Protecting the workload while your employees access the company network from a public network, e.g. while working from home or at a conference:
- Set up a VPN server, create the right roles for each individual and assign them to the correct group. You can use OpenVPN, which is freely available.
- Block public RDP and SSH access, i.e. remove 0.0.0.0/0 rules for those ports from your AWS security groups, and allow them only from your secured subnets reachable through the VPN.
Separate your workload traffic using the following techniques:
- Customize your Virtual Private Cloud (AWS VPC).
- Separate your dev/load/stage/UAT/prod traffic by creating separate VPCs for each.
- Create the VPC with public and private subnets, with the private network reachable through the VPN or the hardware VPN option offered when creating a VPC in the AWS console.
- Customize and control your AWS NACL (Network Access Control List) for each subnet in your VPC so that you control traffic between your subnets; for example, a private subnet receives traffic through a NAT gateway and talks to public load balancers only through these AWS-managed NAT gateways. AWS provides managed NAT gateways, whereas previously you had to deploy your own virtual firewalls such as VyOS.
- Write your AWS security group rules properly, following the same concept you applied during NACL customization.
- Public traffic (load balancers, directly exposed web servers or REST endpoints).
- Private traffic, such as communication from a web server to a DB server or from one internal microservice to another. Create separate AWS subnets for each workload accordingly.
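As an added example (not code from the original post), the following Python script audits security group ingress rules for the mistake described above: SSH (22) or RDP (3389) reachable from 0.0.0.0/0 or ::/0, or from any source outside the VPN subnet. The rules are constructed sample data in the shape of the IpPermissions list the AWS API returns; the VPN subnet 10.8.0.0/24 and the rule contents are assumptions. The same check can run in a pipeline against rules defined in Terraform before they are applied, which is the standardization point made later in this post.

```python
import ipaddress

# Constructed sample: ingress rules in the shape of the IpPermissions list the
# AWS API returns for a security group. Addresses are documentation ranges,
# not taken from a real account.
SAMPLE_INGRESS_RULES = [
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
    {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
     "IpRanges": [{"CidrIp": "10.8.0.0/24"}], "Ipv6Ranges": []},
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": []},
    {"IpProtocol": "-1", "FromPort": -1, "ToPort": -1,
     "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
]

# Administrative ports that must only be reachable over the VPN.
ADMIN_PORTS = {22: "SSH", 3389: "RDP"}
# Assumed VPN client subnet (hypothetical value for this example).
VPN_SUBNETS = [ipaddress.ip_network("10.8.0.0/24")]


def iter_sources(rule):
    """Yield every source CIDR (IPv4 and IPv6) of one ingress rule."""
    for entry in rule.get("IpRanges", []):
        yield entry["CidrIp"]
    for entry in rule.get("Ipv6Ranges", []):
        yield entry["CidrIpv6"]


def rule_covers_port(rule, port):
    """True if the rule admits TCP traffic to `port` ("-1" means all traffic)."""
    if rule["IpProtocol"] == "-1":
        return True
    if rule["IpProtocol"] not in ("tcp", "6"):
        return False
    return rule["FromPort"] <= port <= rule["ToPort"]


def classify_source(cidr, allowed_subnets=VPN_SUBNETS):
    """Return a finding for a bad source, or None if it lies inside a VPN subnet."""
    net = ipaddress.ip_network(cidr, strict=False)
    if net.prefixlen == 0:  # 0.0.0.0/0 or ::/0
        return "open to the whole internet"
    for allowed in allowed_subnets:
        if net.version == allowed.version and net.subnet_of(allowed):
            return None
    return "source is outside the VPN subnets"


def audit_admin_ports(rules, allowed_subnets=VPN_SUBNETS):
    """Return (service, cidr, reason) for every admin-port source that is not VPN-only."""
    findings = []
    for rule in rules:
        for port, service in ADMIN_PORTS.items():
            if not rule_covers_port(rule, port):
                continue
            for cidr in iter_sources(rule):
                reason = classify_source(cidr, allowed_subnets)
                if reason is not None:
                    findings.append((service, cidr, reason))
    return findings


if __name__ == "__main__":
    for service, cidr, reason in audit_admin_ports(SAMPLE_INGRESS_RULES):
        print(f"{service:4} from {cidr:16} -> {reason}")
```

Note that a rule with IpProtocol "-1" (all traffic) is treated as covering both admin ports, which is why the IPv6 "::/0" rule in the sample produces two findings; the HTTPS rule open to 0.0.0.0/0 is deliberately not flagged, since public web traffic is the valid use case described above.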
Golden image and container image customization:
- When you are running your own show:
Download the OS only from authorized web sites if you are still in a traditional managed DC. Many customers still prefer to run their show internally for security reasons. Kubernetes and OpenShift give such organizations a good option, as both solutions provide a cloud-like service for workload deployment and management, with availability and scalability built in.
- When your show is managed by a third-party cloud vendor:
Use vendor-provided images only; if you choose a marketplace image, choose it carefully and scan it properly with the free tools available on the internet for the various security-related checks. I know I am saying "scanning" here, but you will not be building golden images daily; it is at most a monthly task, and even that can be avoided, as cloud vendors offer many options according to your workload, such as images with web packages installed, SQL installed, or AI and ML tooling installed.
Download Docker container images only from authorized vendors. If you download an image you are not confident in, free tools are available that let you scan it for malware or vulnerabilities, and again this is an infrequent task, since you can push such images to your own internal Docker registry such as AWS ECR or a self-managed private repository.
How to protect your publicly exposed web endpoints:
- Do-it-yourself web application firewall:
You can install the freely available open-source web application firewall (3.0) on a self-managed load balancer such as Nginx or Apache; it gives you around 635 checks that are fully maintained by the WAF community. These 635 checks protect you against different threat categories: SQL injection, XSS (cross-site scripting) attacks, and malicious requests such as DoS or DDoS generated by self-made tools like curl, Python scripts or other notorious automation agents.
It can easily be customized and installed as per your requirements; you only need minor tweaks to the scoring according to your tolerance level, so go and read about the WAF and the CRS rule set to understand it better.
- Cloud vendor managed web application firewall:
The AWS WAF service provides a similar WAF service to the one just mentioned, so it is entirely up to you how you implement this solution, as it helps protect you from many security issues.
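To make the "tweak the scoring" point concrete, here is an added Python example (not the CRS itself, and not code from the original post) of the anomaly-scoring model that rule sets like the CRS use: each matching rule adds its score, and the request is blocked only when the total reaches a threshold. The three rules, their ids, and their scores are toy values constructed for this example, as are the sample requests.

```python
import re
from urllib.parse import unquote_plus

# Toy rule set in the CRS style: (rule id, description, target, pattern, score).
# Ids and scores are illustrative and are not real CRS rule ids or weights.
RULES = [
    ("T-942", "SQL injection: UNION SELECT or quoted tautology", "args",
     re.compile(r"union\s+select|'\s*or\s+'?\d+'?\s*=\s*'?\d+", re.I), 5),
    ("T-941", "Cross-site scripting: script tag or event handler", "args",
     re.compile(r"<\s*script|\bon\w+\s*=", re.I), 5),
    ("T-913", "Scripted client user agent (curl, python-requests)", "ua",
     re.compile(r"^(curl|python-requests|python-urllib)/", re.I), 3),
]
DEFAULT_THRESHOLD = 5  # total inbound score at which a request is blocked


def evaluate_request(request, threshold=DEFAULT_THRESHOLD):
    """Score a request against RULES.

    Returns (total score, list of matched rule ids, blocked). Argument values
    are URL-decoded before matching so percent-encoding does not hide a payload.
    """
    args = [unquote_plus(v) for v in request.get("args", {}).values()]
    targets = {
        "args": [request.get("path", "")] + args,
        "ua": [request.get("headers", {}).get("User-Agent", "")],
    }
    total, matched = 0, []
    for rule_id, _desc, target, pattern, score in RULES:
        if any(pattern.search(value) for value in targets[target]):
            total += score
            matched.append(rule_id)
    return total, matched, total >= threshold


# Constructed sample requests (not captured traffic).
BENIGN = {"path": "/search", "args": {"q": "security dashboards"},
          "headers": {"User-Agent": "Mozilla/5.0"}}
SQLI = {"path": "/item", "args": {"id": "1' or '1'='1"},
        "headers": {"User-Agent": "Mozilla/5.0"}}
XSS_ENCODED = {"path": "/comment",
               "args": {"text": "%3Cscript%3Ealert(1)%3C%2Fscript%3E"},
               "headers": {"User-Agent": "Mozilla/5.0"}}
CURL_ONLY = {"path": "/", "args": {}, "headers": {"User-Agent": "curl/8.4.0"}}
CURL_SQLI = {"path": "/item", "args": {"id": "1' or '1'='1"},
             "headers": {"User-Agent": "curl/8.4.0"}}

if __name__ == "__main__":
    samples = [("benign", BENIGN), ("sqli", SQLI), ("xss", XSS_ENCODED),
               ("curl", CURL_ONLY), ("curl+sqli", CURL_SQLI)]
    for name, req in samples:
        print(f"{name:10} -> {evaluate_request(req)}")
```

The scripted-client rule alone scores below the default threshold, so a plain curl request is allowed; lowering the threshold to 3 blocks it. That is the trade-off the scoring tweak controls: a lower threshold catches more automation but also more legitimate API clients, so tune it against your own traffic rather than copying a value.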
Try to implement SELinux on all your Linux workloads, as it gives you application isolation: if one of your processes or services is malicious, or someone (or some process) somehow gains unauthorized access to your instance, SELinux can help prevent unauthorized access to other files and processes, and you don't need any third-party protection software for it.
I agree that a third-party solution for application isolation helps you manage a multi-cloud environment, but as far as I know organizations don't run N different workloads; companies at least stick to specific OSes and applications, those can be customized once, and you will be using the same managed golden images across multi-cloud environments, so centrally managed policy functionality versus SELinux-based managed images is your call, keeping the cost factor in mind.
I can debate the N-number-of-OSes-or-applications point, and you can comment on it below. I know this point relates more to small companies or startups that don't have big funding for these third-party security product features, and I am not denying the challenges for big organizations with separate organizations and departments under independent control, where adherence to the same process is another challenge, so a third-party product is still a valid option for such big organizations; I have already covered such tools in my other blog, "What is happening in Cloud Security", which covers multi-cloud challenges and how security vendors handle them.
Importance of a security dashboard:
You can build security dashboards from audit log files or by parsing your VPC Flow Logs and extracting useful information from them. Kibana, from the ELK stack, can help you build such dashboards, and if you already use other third-party logging tools like Splunk or Logentries, you can use them to create such dashboards. Splunk and Kibana already have good dashboards, but Splunk is richer in such plugins, so check within your organization for the availability of such tools.
You can build dashboards like:
- DDoS identification dashboards,
- Login failure dashboards,
- Reconnaissance detection dashboards,
- Non-standardized OS or container image identification dashboards,
- Unusual traffic identification dashboards,
- Source of web traffic dashboards.
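As an added example (not from the original post), the following Python script parses VPC Flow Log records in the default version 2 format and derives three of the dashboard feeds listed above from them: rejected connections per source (unusual traffic), sources touching many distinct ports (reconnaissance), and accepted connections to the web ports per source (source of web traffic). The log excerpt is constructed; the account id, interface id and addresses are placeholders. Login failures are not visible in flow logs and would come from the instance's auth logs instead.

```python
from collections import Counter, defaultdict

# Constructed VPC Flow Log excerpt in the default (version 2) record format.
# Account id, interface id and addresses are placeholders / documentation ranges.
SAMPLE_FLOW_LOG = """\
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.1.10 51012 21 6 1 40 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.1.10 51013 22 6 1 40 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.1.10 51014 23 6 1 40 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.1.10 51015 25 6 1 40 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.1.10 51016 80 6 1 40 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.1.10 51017 443 6 1 40 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.1.10 51018 3389 6 1 40 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d 203.0.113.5 10.0.1.10 40211 443 6 12 4820 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 203.0.113.5 10.0.1.10 40212 443 6 9 3100 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 203.0.113.5 10.0.1.10 40213 443 6 15 7210 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 203.0.113.9 10.0.1.10 53190 443 6 11 4400 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.8.0.12 10.0.1.10 55020 22 6 30 6100 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 192.0.2.44 10.0.1.10 60666 22 6 1 40 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d - - - - - - - 1700000000 1700000060 - NODATA
"""

# Field order of the default flow log record format.
FIELDS = ["version", "account_id", "interface_id", "srcaddr", "dstaddr",
          "srcport", "dstport", "protocol", "packets", "bytes",
          "start", "end", "action", "log_status"]


def parse_flow_log(text):
    """Parse default-format records; skips malformed rows and NODATA/SKIPDATA rows."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS) or parts[0] != "2":
            continue
        rec = dict(zip(FIELDS, parts))
        if rec["log_status"] != "OK":
            continue  # no traffic fields to interpret
        for key in ("srcport", "dstport", "protocol", "packets", "bytes"):
            rec[key] = int(rec[key])
        records.append(rec)
    return records


def rejects_by_source(records):
    """Unusual traffic feed: number of REJECTed flows per source address."""
    return Counter(r["srcaddr"] for r in records if r["action"] == "REJECT")


def recon_suspects(records, min_ports=5):
    """Reconnaissance feed: sources that touched at least `min_ports` distinct ports."""
    ports = defaultdict(set)
    for r in records:
        ports[r["srcaddr"]].add(r["dstport"])
    return sorted(src for src, seen in ports.items() if len(seen) >= min_ports)


def web_traffic_sources(records, web_ports=(80, 443)):
    """Source-of-web-traffic feed: accepted flows to the web ports per source."""
    return Counter(r["srcaddr"] for r in records
                   if r["action"] == "ACCEPT" and r["dstport"] in web_ports)


def build_dashboard(text):
    """Return the three feeds in one dict, ready to be shipped to a dashboard tool."""
    records = parse_flow_log(text)
    return {
        "rejects_by_source": dict(rejects_by_source(records)),
        "recon_suspects": recon_suspects(records),
        "web_traffic_sources": dict(web_traffic_sources(records)),
    }


if __name__ == "__main__":
    for name, feed in build_dashboard(SAMPLE_FLOW_LOG).items():
        print(f"{name}: {feed}")
```

In practice the same three aggregations are what you would express as Kibana or Splunk visualizations over the ingested flow log index; the point of the script is to show which fields each dashboard needs and which rows (NODATA, SKIPDATA) must be excluded before counting.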
AWS IAM and AWS Advisor service:
There are multiple aspects of protection when you work in the cloud model: protecting the workload internally (inside the OS) and protecting it externally (who can access your instance, or who can perform certain actions in your cloud). There is already much information available on the internet about AWS IAM roles and policies, i.e. who can access, terminate, grant access, block things and so on, so go ahead and read it; implementation doesn't require any third-party help, and no third-party vendor provides ready-made configurations either.
AWS Advisor is another important service that helps on the security recommendation front; it is freely available on AWS and gives recommendations on multiple fronts such as cost and security, so go and use it.
Data at rest and data in transit can both come under threat, so encryption options such as AWS KMS ($1 yearly for each key) and AWS Certificate Manager (free SSL certificates) are already available; you can read about those options on the internet, and I will not say much about that part to keep this blog short.
Importance of Infrastructure as Code (IaC):
I know people can raise questions about inconsistency in image (AMI) building, deployment, and modification of instances after deployment, but I would say we use build and deployment automation tools that mitigate such problems: Packer can help you build standardized images where you streamline the image configuration, and you can keep your infrastructure in Terraform as code so that you can automatically detect and fix it if anyone breaches or modifies your networking behind the scenes. Your SRE/DevOps team can mature the process around this so that you gain security functionality similar to what you would get by buying third-party products.
Terraform plays a very important role in central infrastructure management, where you can have approved, predefined security (AWS SG, NACL) and networking rule sets defined in Terraform configurations to maintain standardization in your environment. Ansible, Puppet, Chef, Packer, CloudFormation and Terraform are the related tools you can have a look at.
Everything mentioned in this blog is based on my personal experience, and there is a possibility that I am unaware of security issues with the setups mentioned, but believe me, you can achieve a good amount of security with these simple best practices.
Finally, if you would like to go deeper into how to customize images, please go through my other blog on the related topic, "Security Benchmark Implementation in AWS", and you can read more about container security in "Top 10 Docker container security tools". For big organizations where the workload is scattered around the world and hard to keep an eye on, read my other blog about a related solution, "What is happening in cloud security".
Let me know your feedback so that we can keep track of all related things here; that will be helpful for other engineers or architects when designing and providing solutions to your customers/clients.