Cloud Cyber Security
Best Practice Cloud Cyber Security
You cannot outsource accountability.
Deployment Model | Service Model | Service Model | Service Model |
Private | IaaS | PaaS (Cloud OS) | SaaS |
Public | IaaS | PaaS (Cloud OS) | SaaS |
Community | IaaS | PaaS (Cloud OS) | SaaS |
Hybrid | IaaS | PaaS (Cloud OS) | SaaS |
Regardless of who is responsible, a secure baseline should be established, and all deployments and updates should be made from a change- and version-controlled master image. Conduct automated and ad-hoc vulnerability scanning and monitoring activities on the underlying infrastructure to validate compliance with all baseline requirements.
The management network should be isolated physically and virtually.
OS hardening via Application Baseline
A baseline configuration should be established for each operating system and the virtualization platform in use. By establishing a baseline and continuously monitoring for compliance, the provider can detect any deviation from the baseline.
Capturing a Baseline.
- A clean installation of the target OS must be performed (physical or virtual).
- All non-essential services should be stopped and set to disabled in order to ensure that they do not run.
- All non-essential software should be removed from the system.
- All required security patches should be downloaded and installed from the appropriate vendor repository.
- All required configuration of the host OS should be accomplished per the requirements of the baseline being created.
- The OS baseline should be audited to ensure that all required items have been configured properly.
- Full documentation should be created, captured, and stored for the baseline being created.
- An image of the OS baseline should be captured and stored for future deployment. This image should be placed under change management control and have appropriate access controls applied.
- The baseline OS image should also be placed under the Configuration Management system and cataloged as a Configuration Item (CI).
- The baseline OS image should be updated on a documented schedule for security patches and any additional configuration and updates as required.
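The audit and continuous-monitoring steps above can be automated by comparing a snapshot of a deployed host against the documented baseline. The following is an added example, not part of the original notes: the baseline contents, package versions and host snapshot are constructed for illustration, and versions are assumed to be dotted numeric strings.

```python
import hashlib
import json

# Constructed baseline for illustration; in practice this is the documented,
# change-controlled Configuration Item produced by the capture steps above.
BASELINE = {
    "enabled_services": ["auditd", "chronyd", "sshd"],
    "packages": {"openssh-server": "8.7.1", "openssl": "3.0.7", "audit": "3.0.7"},
}

# Constructed snapshot of a deployed host that has drifted from the baseline.
SNAPSHOT = {
    "enabled_services": ["auditd", "sshd", "telnet"],
    "packages": {"openssh-server": "8.7.1", "openssl": "3.0.1", "audit": "3.0.7", "nmap": "7.92"},
}


def baseline_digest(baseline):
    """SHA-256 over canonical JSON, recorded with the CI to detect silent edits."""
    canonical = json.dumps(baseline, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()


def version_key(version):
    """Turn '3.0.7' into (3, 0, 7) so versions compare numerically, not as text."""
    return tuple(int(part) for part in version.split("."))


def audit(baseline, snapshot):
    """Return sorted (kind, item) deviations of a host snapshot from the baseline."""
    findings = []
    want_svc, have_svc = set(baseline["enabled_services"]), set(snapshot["enabled_services"])
    findings += [("unexpected_service", s) for s in have_svc - want_svc]
    findings += [("missing_service", s) for s in want_svc - have_svc]
    for name, have in snapshot["packages"].items():
        want = baseline["packages"].get(name)
        if want is None:
            findings.append(("unapproved_package", name))
        elif version_key(have) < version_key(want):
            findings.append(("below_patch_level", name))
    findings += [("missing_package", p) for p in baseline["packages"] if p not in snapshot["packages"]]
    return sorted(findings)


if __name__ == "__main__":
    print("baseline digest:", baseline_digest(BASELINE))
    for kind, item in audit(BASELINE, SNAPSHOT):
        print(f"{kind}: {item}")
```

Storing the digest alongside the CI record lets an auditor confirm that the baseline used for a compliance run is the approved one.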
Windows
- The use of a toolset such as Windows Server Update Services (WSUS) makes it possible to perform patch management on a Windows host and monitor for compliance with a pre-configured baseline.
- The Microsoft Deployment Toolkit (MDT), either as a stand-alone toolset or integrated into the System Center Configuration Manager (SCCM) product, will allow you to create, manage, and deploy one or more Microsoft Windows Server OS baseline images.
- One or more of the Best Practice Analyzers (BPAs) that Microsoft makes available should also be considered.
Linux
- The actual Linux distribution in use will play a large part in helping to determine what the baseline deployment will look like. The security features of each Linux distribution should be considered, and the one that best meets the organization’s security requirements should be used. However, you should still be familiar with the CIS Benchmark recommended best practices for Linux baseline security.
VMware
- VMware vSphere has built-in tools that allow the user to build custom baselines for their specific VMware deployments. These tools range from:
- Host and Storage Profiles, which force configuration of an ESXi host to mirror a set of pre-configured baseline options.
- The VMware Update Manager (VUM) tool, which allows for the updating of one or more ESXi hosts with the latest VMware security patches and for updates to the virtual machines running on the host. VUM can be used to monitor compliance with a pre-configured baseline.
Patch Management
All organizations must perform patch management, which is a crucial task. Regularly patch operating systems, middleware, and applications to guard against newly found vulnerabilities or to provide additional functionality.
A patch management process should address the following items:
- Vulnerability detection and evaluation by the vendor
- Subscription mechanism to vendor patch notifications
- Severity assessment of the patch by the receiving enterprise using that software.
- Applicability assessment of the patch on target systems
- Opening of tracking records in case of patch applicability
- Customer notification of applicable patches, if required
- Change management
- Successful patch application verification
- Issue and risk management in case of unexpected trouble or conflicting action
- Closure of tracking records with all auditable artifacts.
Configuration Management Process
- The development and implementation of new configurations; they should apply to the hardware and software configuration of the cloud environment.
- Quality evaluation of configuration changes and compliance with established security baselines.
- Changing systems, including testing and deployment procedures; they should include adequate oversight of all configuration changes.
- The prevention of any unauthorized changes in system configurations
Configuration Management and Change Management
Change Management has to approve any changes to all production systems PRIOR to them taking place. In other words, there should NEVER be a change that is allowed to take place to a Configuration Item (CI) in a production system unless Change Management has approved the change first.
Backup and Restoration of Guest OS Configuration:
- The appropriate backup and restore capabilities for hosts, as well as for the guest OSs running on top of them, are set up and maintained within the enterprise cloud infrastructure. The choices available with regard to built-in tools will vary by the vendor platform being supported, but all vendors will provide some form of built-in toolset for backup and restore of the configuration and the guest OSs as well.
The common list of best practice includes:
- Host hardening: Achieve this by removing all non-essential services and software from the host.
- Host patching: To achieve this, install all required patches provided by the vendor(s) whose hardware and software are being used to create the host server. These may include BIOS/firmware updates, driver updates for specific hardware components, as well as OS security patches.
Securing ongoing configuration maintenance:
- Patch management of hosts, guest operating systems, and application workloads running on them.
- Vulnerability scanning: Periodic vulnerability assessment scanning of hosts, guest operating systems, and application workloads running on hosts.
- Penetration testing: Periodic penetration testing of hosts and the guest operating systems running on them.
Storage Controllers
Storage controllers may be in use for iSCSI, Fibre Channel (FC), or Fibre Channel over Ethernet (FCoE). Regardless of the storage protocols being used, the storage controller should be secured in accordance with vendor guidance plus any required additional measures. For example, some storage controllers offer a built-in encryption capability that may be used to ensure confidentiality of the data transiting the controller. In addition, close attention to the configuration settings and options for the controller is important, as unnecessary services should be disabled and insecure settings should be addressed.
Initiators and Targets:
A storage network consists of two types of equipment: initiators and targets.
- Initiators, such as hosts, are data consumers. iSCSI initiators must manage multiple parallel communication links to multiple targets.
- Targets, such as disk arrays or tape libraries, are data providers. iSCSI targets must manage multiple parallel communication links to multiple initiators.
iSCSI: iSCSI is a protocol that uses TCP/IP to transport SCSI commands, enabling the use of existing TCP/IP networking infrastructure as a SAN. iSCSI presents SCSI targets and devices to iSCSI initiators (requesters).
iSCSI should be considered a local-area technology, not a wide-area technology, because of m issue and security concerns. You should also segregate iSCSI traffic from general traffic. Layer-2 VLANs are a particularly good way to implement this segregation.
Best practice is:
- To have a dedicated LAN for iSCSI traffic
- Not to share the network with other network traffic
- Not to oversubscribe the dedicated LAN.