Advertisement

Follow Us

Basic & Fundamentals

Advertisement

Recent Posts

Advertisement
Advertisement

Most Read

Security Basics and Fundamentals

HomeCloud ComputingSecurity Basics and Fundamentals

Security is the important strategy which is to be planned and implemented across all infrastructure layers to secure the IT infrastructure and the information stored in both traditional datacenter and cloud datacenters. Efficient security methods and processes have to be implemented to prevent unauthorized access to company assets and also to maintain the integrity and confidentiality of sensitive information from unknown users.

Advertisement

In the previous posts, we learned the basics and fundamentals of Virtualization and Compute, Network and Storage. In this post we will learn the security fundamentals and various security technologies and techniques that can be used to secure the Compute, network and storage components of a data center.

Introduction to Security

Security is the technique and process  to ensure only authorized personnel is allowed to access the physical and logical assets of an Organization such as servers, storage, network and the data in transit and at rest. As Cloud technologies continue to evolve, the need for more stringent security techniques and processes to protect the digital information is increasing. Security can be categorized into two different types

  • Information Security – It is the process to protect sensitive business data and information from unauthorized personnel’s.
  • IT Security – It is the techniques used to secure the data which is stored in servers, storage and network.

IT security can be achieved by implementing security best practices and techniques across the Compute, storage and network layers of the datacenter. However, Information security can be achieved only if proper process & policies are followed by all the employees of the company. Often, employees ignores the importance of following such security process and policies which may result in compromising the access to IT infrastructure and as well as compromise the access to the sensitive data.

Security Vulnerabilities and Threats

A security vulnerability is often the result of weak architecture design, implementation, operation or internal control of the IT systems. Hackers regularly try to gain access to the sensitive information by targeting these vulnerabilities with the help of automated tools & customized scripts. It is very critical for an organization to understand the attacks that can be made against these vulnerabilities and take adequate measures. The security threats caused by these vulnerabilities can be classified into one of these categories below:

  • Phishing – This threat is common in emails and website logins, attackers tries to gain the sensitive information such as user ids, passwords and bank login details from the users by deceiving the users with disguised official emails and links.
  • Eavesdropping – It is the process of listening to a conversation between the computers in a network. Eavesdropping is a common threat while sending the data over public internet. This is the threat to the information that is send over a internal network or public network.
  • Spoofing – Spoofing can be of many types such as email spoofing, IP address spoofing, MAC spoofing and Biometric spoofing. attackers disguise as a valid entity by falsifying the data such as username and password in order to gain access to the critical business data.
  • Backdoor – A hacker can gain access to the system or information by bypassing normal authentication process or security controls. This can be done by running an automated script or an algorithm to gain the access. This can happen for various reasons such as due to weak authentications processes, employees not following password best practices, existing employee may adds the other user to allow some legitimate access, regardless of the motives for their existence, this backdoor create a threat to the company’s systems and data.
  • Denial of Service – This threat will deny or prevent the services to be accessed by the legitimate users. Attackers can run automated scripts to overload the compute and network power to bring the application down and block the users. These attacks can originate from single source or from multiple sources by using zombie computers of a botnets. 
  • Multi-vector or polymorphic Threats – Attackers can combine several types of attacks into a single form of attack to avoid security controls as they spread through the systems to gain access to the sensitive data.
  • Privilege escalation – An existing employee with limited access can gain full access to the sensitive information by exploiting the vulnerability and loop holes in the security.
  • Social Engineering – It is the process or techniques attackers follow to trick and deceive the users to disclose their secrets and login information such as passwords, secret codes etc. 
  • Tampering – Attackers use this technique to alter the true functionality or usage of the system or data by malicious modifications.

 

Security Considerations and Countermeasures

The cloud provider or an organization which maintains their own datacenter should follow some sort of countermeasures such as creating an action, a device, a procedure or a technique to reduce or minimize the security threats caused by the vulnerabilities. This can be achieved by eliminating or preventing it. Corrective and preventive actions should be implemented to minimize the harm caused by the attack. Below are some of the key security considerations or countermeasures that can be implemented in datacenter to secure the IT systems and the information stored in the systems.

Security Basics and Fundamentals
                                                                                  Security Basics and Fundamentals

 

Security by Design

  • Principle of least privilege – Only grant access to system that is needed for its function.
  • Perform code reviews in regular intervals
  • Unit Testing
  • Plan for Defense in Depth
  • Design infrastructure to fail secure 
  • Record audit trails and store the logs securely
  • Disclosure of vulnerabilities to security & operations team so that they can take appropriate actions.

 

Security Architecture

Security architecture is the design artifacts which describes how the security controls or countermeasure are related and incorporated with the IT architecture. These security controls will maintain the systems integrity, availability, confidentiality, accountability and assurance services. Some of the important security controls are NIST controls and CIS hardening controls.

 

Security Measures

Adequate security measures and processes such as threat prevention, detection and response processes has to be implemented to obtain the required security levels. Some of the security measure are

  • User account access controls
  • Firewalls 
  • Access Control Lists (ACLs)
  • Intrusion Detection System (IDS)

 

Vulnerability Management

  • It is the process of identifying and mitigating the vulnerabilities that are found in networks, software’s and firmware’s.
  • Tools are available to regularly scan the vulnerabilities which analyzes a system with known vulnerabilities in the public internet.
  • Third party security organizations can also run regular penetration tests against the systems to identify the vulnerabilities.
  • Identified vulnerabilities has to be remediated or mitigated by implementing additional security policies or processes based on the critical of the vulnerabilities.

Hardware Protection Mechanisms

Hardware in the datacenter or in office locations has to be secured, hardware based or assisted computer security also provides an additional security on top of software security. Below are some of hardware security measures that can be implemented

  • Disabling the usage of USB dongles or pendrives
  • Firmware upgrades and patches
  • Using Trusted Platform modules (TPMs)
  • Implementing computer case intrusion Detection system to generate alerts
  • Drive Locks to prevent unauthorized physical access to the drives
  • Disabling peripheral devices like security cameras, GPS, removable storage etc which are not in use.
  • Enabling bio-metric validation and multi factor authentication on mobile phones to connect access control systems etc

See: Hardware Components in the Datacenter

Regular Security Training for Employees

  • Employees are widely considered as the weakest link from the security perspective and it is estimated that more than 90% of security incidents and breaches are caused due to human error.
  • Some common human errors are poor password management, the inability to recognize misleading URLs and to identify fake websites, dangerous email attachments and saving user id and passwords of bank websites.
  • These threats pose high risk for the company and as well as to the employees personally and these threats can be mitigated by the Multi factor authentications.

Organizations need to conduct security awareness training’s in regular intervals to prevent these potential security threats as well as be in compliance with regulatory and industry mandates.

 

Compute Servers (VMs) Security Overview

Securing the server operating systems in the cloud based datacenters and on-prem datacenters is very critical to prevent unauthorized access. Servers can be secured by shutting down any applications or services that are not being used to prevent the attacker from gaining access through a port that is not used and should be disabled.

Disabling any idle user accounts on the system that are not needed, installing firewall and antivirus software at the host level and also regular patches and service packs are updated. As new threats, bugs, and techniques continue to evolve, OS hardening techniques must be implemented to prevent breach. 

Disabling Unused Ports and Services

  • Disabling the unused ports is the important task to be performed if the ports are no longer used. Right ports and services must be determined that are running on the machine and investigate whether they are required for the server’s purpose.
  • Attackers generally use a network scanning or mapping utility to determine which TCP ports are open and base attacks on the data obtained from network scans. 
  • In addition to implementing firewalls at the network level, it is best to harden the operating system based on the checklist provided by Operating system vendors. 

User Passwords rotation

  • Any default account credentials should be disabled or  their passwords must be changed as they can become a massive security exposure and it allows hackers to penetrate system.
  • Investigate the rights and permissions of these default accounts and remove them if they are not necessary.
  • Choose strong passwords that are different from the original default passwords. Passwords policies such as specifying the number of times a password can be reused, the length, and the types of characters etc should be implemented.

Firewalls

  • Hardware based perimeter firewalls are important for security implementation and provide a first line of defense for any threats.
  • In addition to the hardware firewalls, software based firewalls should also be implemented at the server level.
  • Many operating systems types have firewalls preinstalled as part of the release and they can be configured with custom rules or policies that allow only connections to the applications it is hosting and also from known source networks.

Antivirus Software

  • It is critical to install any antivirus software on the operating system if the system is compatible.
  • Antivirus is an application that runs on a computer that can identify and remove viruses or malicious software from a system. 
  • These antivirus softwares must be up-todate to protect any latest threats

Patching

  • Vendors often release patches and fixes for operating systems, applications, and system firmware to address bugs and vulnerabilities.
  • The security administrator must follow, validate, and install critical security patches in a timely manner to prevent an attacker from exploiting the system.
  • Patches can be allowed to automatically installed but it is generally preferable to investigate patches for stability and install them during a maintenance window. 

Deactivating Default Accounts

  • Some applications  require default accounts for the initial configuration and the user manual will often publish the default username and password are to be used to access the system and configure it.
  • This may be an initial requirement, but it can be a huge security threat. These default accounts must be deleted after the initial configuration or change the username and password to prevent a breach. 

 

Network Security Overview

Network security is one of the important security feature that every organization has to consider thoroughly across all the areas of the network and implement controls to protect the usability and integrity of network and data. These controls should be able to control both hardware and software technologies, should be able to detect and prevent variety of threats and stops the threads from entering and spreading across networks. 

Below are some of the security considerations which can be implemented to secure the network across all the layers

Implement Access Control Lists (ACLs)

  • Access control list (ACL) is the important network security technique which provides the ability to create traffic rules and filter the traffic at granular level by either allowing or denying traffic selectively within the network.
  • This ability provides an additional layer of security on top of the other security techniques such as authentication methods, firewalls, intrusion detection and intrusion prevention systems.
  • ACLs are applied to a server or a network device endpoints. By default, networks do not have ACLs configured which means all traffic is allowed by default from source to the endpoint. 
  • ACLs are an ordered list of allow and deny rules based on the traffic coming from an IP address or from an IP CIDR block range. 
  • When the ACL is defined and applied, all the traffic through the network will be investigated based on the allow/deny rules. Once the rule is matched no other action will be taken by ACLs.


Using Virtual Private Networks (VPNs)

  • Virtual private network is the encrypted connection from the source network to destination network. This is generally created to connect two different networks over public internet. It uses SSL or IPsec protocols to securely communicate between the two networks.
  • VPNs are common in Cloud deployments to connect on-prem datacenter network with the cloud networks.  This will allow encrypted access to cloud services from a remote network.
  • VPNs can be installed as a software on a client server to connect to the VPN services on a firewall or router, to standalone dedicated VPN.

Implement Intrusion Detection & Intrusion Prevention Systems

  • Intrusion Detection Systems (IDS) monitors the network traffic for suspicious activity in real time across the network.
  • It can only alert a management system or can be configured to send emails notifications if any attack is identified but cannot take any action to remediate the attack.
  • Whereas Intrusion Prevention Systems (IPS) scans the network traffic to block malicious activity and also tracs the progression of suspect files to prevent the outbreak and reinfection of attacks across the network.
  • Both the intrusion systems passively monitors the network traffic based on the predefined rules that are maintained by the IDS & IPS vendors.
  • These systems communicates with network devices such to apply rules to block the effects of the attack.

 

Configure Network Firewalls

  • Firewalls are set of predefined rules to either allow or deny the traffic across and between the networks.
  • Firewalls are installed at the network perimeter as the first layer of defense so that all traffic must go through it as it transits from one network to another.
  • Firewalls can also monitor each packet individually along with the sessions for additional capabilities and security.
  • Firewalls are both hardware based and software based. Most commonly used firewalls are network firewalls which are hardware based. There are also virtual firewalls that run as a VM on a hypervisor and firewall software that can be installed on the server  to protect each individual server from attack. 


Create Demilitarized Zone (DMZ) Networks

  • This is the logical or physical section or a layer of the network where the servers and applications are deployed that need to be accessed by the public internet as well as internally.
  • DMZ layer is a special network security zone that exposes the servers and applications to the Internet. It is often created behind the network perimeter firewall to host applications such as mail, DNS, FTP, or web servers that should not be placed on the internal network but also should not be exposed directly to the Internet without security protection.
  • In cloud this is commonly referred as Public subnets where Servers hosted in the DMZ layer and they will have specific firewall rules to protect the internal network from access if the servers on the DMZ are compromised. 


Review Network Logs

  • All the logs from the network devices is generally monitored and managed by a central logging server or an application to consolidate, review and audit for any performance and baseline analysis.
  • These Log files will collect network, security, server, storage, and application events to a syslog for example. These logs are also used for monitoring security issues such as investigating a breach or attempted breach and to view any suspicious activity.
  • Various 3rd party applications are available to extract and analyze logging data. Big data applications can also be used to analyze trends and extract useful information about systems, applications, and customers.
  • Logging is also a important requirement is for regulatory compliance in finance and healthcare. Since it is the important capability & responsibility to comply with these regulations, collecting, analyzing, and storing logging information is critical to the cloud deployments.

 

Overview of Network Attacks

There are many different types of network attacks and effective countermeasures has to be taken for preventing or mitigating these attacks and this should be the critical part of network security strategy.

Generally the cloud datacenter’s core network offers the first line of defense firewalls and router filtering which are designed to detect and prevent or reduce the severity of an attack.

And within the cloud network, firewalls and NACLS should be configured to block the attacks. Below are some of the commonly seen network attacks

  • Ping Flood – sends a large number of ping requests to a host in an effort to block legitimate access and disable network access to your site. 
  • Distributed Denial of Service (DDoS) – This type of attack is launched over the internet from multiple endpoints all targeting a single application or single server to deny the services it is offering. These types of attacks can be highly destructive and hard to protect against. Due to the high volume of traffic, the network bandwidth will be saturated, which can block access to the network for legitimate users.
  • Ping of Death – This this type of attack, the attacker sends the server-malformed ICP packets causing a denial of service A ping of death can be directed to a valid destination port such as 80 or 443 for web services or 25 for email and may not be detected by a firewall. 

To protect from these attacks, once common solution is to block ICMP ping packets from entering network with a rule in the perimeter firewall to deny ping packets.

 

Storage Security Overview

All the Data and information that is critical and non-critical to business is stored in some form of storage systems in the Datacenters. These storage systems are connected to multiple infrastructure devices and the data is shared and access across the devices. Hence securing storage systems and the data stored in the systems is very critical to prevent unauthorized access and to maintain the integrity of the data. Below are some the techniques that can be used to secure the data stored in the storage systems.

See: Information Security and Security Controls

Obfuscation

  • It is defined as a way to complicate & confuse the information in the data stored in cloud.
  • This strategy helps to improve data security, making it very difficult for hackers to access and/or protect the stored data as it is so that it is hard to determine the difference between real  & duplicate information.
  • Scrambling is the another technique which is similar to Obfuscation which prevents the hackers form disassembling the data. The data is intentionally scrambled, making it unreadable until the obfuscation method has modified.

 

Access Control Lists

  • Access control lists (ACL) in storage domain is a security mechanism which consists of an list of explicit permit and deny statements to secure access to the data stored in the cloud storage.
  • Controlling access to the data in cloud storage through ACLs is similar to the ACLs in networking. ACLs can be applied at the individual storage object level to configure explicit allow and deny permissions.
  • ACLs can also be applied to the users and user groups to allow read and/or write or full control to storage system objects.

 

Zoning

  • It is a storage network security process that limits storage access between initiators and targets. For example, limiting storage volume access to one or few selected servers.
  • Zoning is performed in the Fibre Channel switch of the SAN network and not on the endpoint devices. For example allowing only windows servers to access Windows block storage LUNs and for Linux to only be allowed to access Linux logical units to prevent filesystem corruption. Therefore by implementing zoning, each VM will be able to mounts its correct storage volumes.
  • In cloud datacenters, storage is usually centralized in large storage arrays and accessed by a large number of virtual machines over a SAN. Zoning allows to configure limitation on the storage volumes so that it can be accessed one or more eligible VMs.

 

LUN Masking

  • This technique is similar to zoning, but the only difference is that LUN masking is configured at the storage controller level instead of SAN switch level, therefore a much more granular configuration can be achieved.
  • LUN masking specifies the access rights between the LUNs and and the servers or VMs or bare metal servers.
  • In the cloud datacenter, with LUN masking, storage resources can be restricted to the specific VMs that require access to them. However, these are automatically done by the cloud services in the backend and user will be able to see notice this configurations.

 

User and Host Authentication

  • User authentication strategies should be implemented to verify the identity of the user and to authorize or grant permissions to the data in cloud storage by either allowing or denying access to specific resources.
  • Examples of user authentication are username/password, biometric access method, single sign on etc.
  • Other form of user authentications which are common in cloud deployments is using APIs, which is a standard programmable interfaces such as XML and JSON.

 

Review/Audit Logs

  • Similar to networking audit logs, storage audit logs are critical for evaluating performance and detecting problems and for regulatory compliance.
  • Storage controllers and Fibre Channel SAN networks generate lots of logging information on storage events which can be transferred to a syslog server to gather valuable data. 

 

Identity and Access (IAM) Security Overview

Appropriate identity and access mechanisms has to be planned and implemented across different layers of infrastructure such as compute, network and storage to allow access to authorized personnel only. This will help to maintain the integrity and confidentiality of the business critical information. Following IAM techniques can be implemented to achieve the desired security while configuring IAM policies.

 Role Based  Access Administration

  • Role based access control (RBAC) is a method in which access rights are granted  to users based on the roles they perform in an organization.
  • The roles are typically defined based on the task and the users are then assigned to these roles. Based on the permissions defined in the roles, the users will inherit the rights. 
  • Roles can be defined for applications, operating systems, storage and networking related tasks. 
  • This is also referred as least privilege roles so that the user can only do what he is allowed to do.  

 

Mandatory Access Controls

  • The mandatory access control (MAC) method is often implemented in highly secure environments where access to sensitive data needs to be highly controlled.
  • In this approach, a user will authenticate to the system based on the user’s identity and security levels and then access rights will be determined by comparing  against the security properties of the system being accessed.
  • This method is commonly configured in secure environments such as defense or financial systems to allow fairly open access at the lower levels of data sensitivity and with tighter controls over the more sensitive data.
  • MAC systems are centrally controlled using a defined security policy to grant access to a system or data. Users do not have the ability to change or overwrite this policy and grant access to other users.

 

Discretionary Access Controls

  • Unlike mandatory access controls, this method is configured by giving users the ability to grant or assign rights to objects and make decisions for themselves as compared to the centrally controlled method used by mandatory access controls.
  • Users can use their discretionary access control rights to give other users or systems rights  if they have control over a system.
  • This approach allows users with the correct permissions to manage their own rights as they own the objects and are allowed to make decisions on rights such as security, read/only, read/write, and execute on those objects.

 

Multifactor Authentication (MFA)

  • Multifactor authentication is an access control technique that requires several layers of authentication to gain the access.
  • MFA implementations usually require to put username/password combination, and then use a device or an app to authenticate via token or passcode.
  • Because there are more than one requirement for authentication to access a system, MFA systems are inherently more secure than single factor authentication systems such as a username/password.

 

Single Sign On (SSO)

  • It is an approach that reduces the need to sign in multiple times to access multiple systems. SSO allows a user to log in just one time and be granted access rights to multiple systems.
  • SSO allows centralized authentication of multiple systems that are configured in a same network.
  • Active Directory servers using LDAP is the best example of SSO systems. Users log into the network once and based on users rights, they are allowed to access various systems in the network.
  • This approach eliminates the need to remember multiple username and password combinations and it is also effective when terminating a session. The directory services will log out the user from the multiple systems when user is signs out.

 

Federation

  • This method allows multiple organizations to use the same data for identification & authentication when accessing any application or resources.
  • Users who share  common set of policies and access rights across multiple organizations can use this approach.
  • The difference in  SSO and federation is that  SSO can be implemented within one organization, whereas Federation can be implemented between multiple organization.
  • The federation approach can be used for machine to machine or application to application communications between organizations. Good example of federation is the users can use gmail credentials to login to various social networking sites like Facebook and twitter without signing up separately.

 

Introduction to Encryption 

Encryption is the process of encoding the information so that only authorized personnel are allowed to access and read the information. Some common technologies and techniques used to secure the cloud applications are PKI, IPsec, SSL/TLS, and ciphers.

PKI A public key infrastructure (PKI)

  • PKI is a standard framework which provides authorization and enforces security policies by creating set of roles, policies, and procedures to manage, distribute, use, store, and revoke digital certificates and manage public/private key encryption.
  • PKI is an encryption framework which uses a public and private cryptographic keys to encrypt and decrypt the data. Only the private key performs the decryption operation.
  • PKIs are commonly used to control access and encrypt data across VPN connections, perform secure authentication,  protects website traffic with Secure Socket Layer (SSL) technology., data filesystems encryption; IPsec network,  protect (LDAP) based directory services and meet security compliance & regulatory laws.
  • In Cloud deployments, PKI framework is also used to provide identity, authorization, and encryption services for email, databases and other applications.
  • With the cloud advancements,  there are services which offer PKI as a Service (PKIaaS) and Cryptography as a Service (CaaS) which offers hardware and software tokens, authentication services, and encryption offerings as a software as a service offering to vendors.

 

IPsec IP Security (IPsec)

  • IPsec is a security framework that uses many different protocols to provide integrity, confidentiality and authentication of data on a TCP/IP network.
  • IPsec implementations are commonly used for VPN connections, application security, and network security which is implemented in routers and firewalls.
  • IPsec can be configured in two different modes which is transport mode and tunnel mode. The main difference between these two modes is based on where the IPsec functions take place.
  • In transport mode, the source and destination hosts both will perform the cryptographic functions and the encrypted data is sent through an encrypted session to the remote host. This allows for end-to-end security.
  • In tunnel mode, either router or a firewall will perform all IPsec functions, and all traffic passing over the IPsec connection is encrypted and decrypted by the network or security device.  This offloads the security processing from the servers and enables a central point of control. 

 

Secure Sockets Layer (SSL) & Transport Layer Security (TLS)

  • These protocols operates on top of TCP connection to provide an encrypted session between the client and the server, commonly seen on websites as the Hypertext Transport Protocol Secure (HTTPS) protocol.
  • SSL/TLS is used to secure both web services and TCP based communications. When a browser connects to a secure website and a TCP connection is made, an SSL handshake takes place and is initiated by the client’s web browser.
  • The browser then transmits to the server the SSL/TLS version, encryption and compressions methods to be used. When the basic handshake is completed, the server will send a certificate using PKI services to the client.

 

Ciphers

  • Ciphers encrypts the data by changing its readability and meaning so that attacker can have hard time to read. Ciphers range from the basic level to the highly complex.
  • A simple cypher replaces the data in the stream to hide its meaning by replacing the characters. De-encrypt the data is only done if the remote host is aware of the cipher.
  • With the cloud datacenters, more complex methods are employed for creating the ciphers and there are two basic types of ciphers and they are the block cipher and the stream cypher. 
  • The main difference between the two types of ciphers is how the encryption is applied. With a block cipher, the data is broken into blocks, and then the encryption process runs on each block.
  • Whereas the stream cipher applies the encryption to each byte and they are common in symmetrical encryption.

Below are some of the most commonly used ciphers 

Advanced Encryption Standard (AES) – It is a symmetrical block cipher  which can encrypt 128, 192, and 256 bits. AES 256 is a very secure encryption technique and it would take lots of time and processing pwoer to breaking the code. 

Triple Data Encryption Standard (3DES) –  This is the old technique and it is now replaced by AES. It is also a symmetrical cipher and it was an extension of the DES standard. It is call triple because three encryption keys of various lengths are used. 

RSA – It is an asymmetrical encryption technique that uses a private and public key framework that uses protocols such as RSA for encryption. 

Digital Signature Algorithm (DSA) –  It operates similar to RSA but it is slower than RSA for encryption but faster for decryption. Although DSA and RSA serve the same function and operate in much the same way, RSA is more commonly found in cloud implementations.

Rivest Cipher 4 – RC4 uses a shared key to encrypt and decrypt a stream of data and it was commonly used to secure wireless connections and web transactions as an encryption protocol used in SSL. Currently browsers and security implementations no longer support RC4 as it found that it is susceptible to compromise by hackers.

Rivest Cipher 5 – RC5 is the replacement for RC4 and it is also a symmetrical block cipher algorithm that uses a variable length key. Encryption is applied at both transit and at rest.

Sponsored Links

You might also like to read

Anil K Y Ommi
Anil K Y Ommihttps://mycloudwiki.com
Cloud Solutions Architect with more than 15 years of experience in designing & deploying application in multiple cloud platforms.

Leave a Reply

AWS Certified Solutions Architect Professional – Free Practice Tests

This AWS practice test helps you to pass the following AWS exams and can also helps you to revise the AWS concepts if you...