In spite of the persistent questioning of cloud security by physical infrastructure partisans, in truth, the cloud is as secure as any other infrastructure platform — which is to say, it’s as secure as cloud vendors and cloud users make it.
If managed properly, the cloud and the virtual machines that run on it, and by extension the data they hold, are secure.
In this article, we’re going to take a look at six security practices that contribute to a secure cloud environment.
1. Virtual Machine Inventories
It’s incredibly easy to deploy cloud servers. That’s great from a user perspective, but it can lead to what’s been called virtual sprawl. Virtual machines are deployed for a specific purpose, but never spun down again. The VM your business activated three years ago to carry out a vital part of your business workflow is likely still doing its job flawlessly, even if no one remembers exactly what it’s doing or even that it exists.
VMs like this are a risk because if no one is managing them, updating them, and monitoring them, they are likely to become a source of vulnerability. Security requires knowledge — your business needs to know which infrastructure it has deployed and ensure that someone is responsible for managing and maintaining it.
Cloud integration layers like ComputeNext make this task much easier: infrastructure from multiple vendors can be viewed and managed within a single interface.
2. Encryption
The best way to make sure that data doesn’t fall into the wrong hands is to encrypt it using modern cryptographic technologies. Encryption of this sort is necessary for security, but not sufficient. It’s possible to encrypt data at rest, and, provided the cryptographic protocols are selected intelligently and key management is handled properly, it will be secure.
However, encrypting data at rest is only part of the problem. To be used or moved, data has to be decrypted, at which point it’s at risk without the strategies we’ll discuss in the next section.
3. Virtual Private Networks And HTTPS
VPNs and HTTPS help protect data in motion: data that is traveling over networks. Virtual private networks ensure that data is kept secure as it travels between servers within a network or to servers outside of the network.
HTTPS using TLS certificates — the same technology that protects website data as it travels across the internet — can be used to protect data as it’s used in web applications. Data locked up in cloud vaults is fine for storage, but not much use in ongoing business processes. Using TLS encryption on data moving between the cloud and users’ browsers is crucial for mitigating the potential impact of man-in-the-middle attacks.
Your cloud provider’s API and web control interface should be similarly protected — there’s little point encrypting data at rest and in motion if malefactors can sniff your cloud account credentials and gain access that way.
4. Secure Password Policies
Much digital ink has been used lamenting the poor state of password education. The simple fact is that most users — even technical users who should know better — aren’t very good at managing passwords. They tend to choose simple passwords and reuse the same passwords across different services.
The best solution is to implement strict password policies that force users and employees to choose long, random passwords that are changed regularly.
5. Two-Factor Authentication
Given that passwords are often poorly managed and lead to potential vulnerabilities, enforcing an extra layer of identity verification can significantly reduce risk. Passwords are often described as “something the user knows.” A second factor — something the user has or is — makes the job of data snoops significantly more difficult.
TFA is frequently implemented in the form of one-time codes delivered to the user with a mobile device, either a smartphone or a dedicated TFA dongle. Users enter the traditional username-password combination, but are also required to enter a string delivered to them by the verified device. TFA can make virtual machines and cloud management interfaces orders of magnitude more secure than passwords alone.
6. Firewalls
Firewalls are no less essential for guarding virtual machines than they are for guarding physical infrastructure. Implementing firewalls that strictly limit incoming and outgoing traffic from private cloud networks limits the opportunities attackers have to force entry.
In reality, the process for securing virtual machines is much the same as securing any IT infrastructure: know your network and make sure someone is responsible for managing every VM your business uses, protect data at rest and data in transit, limit the risk caused by the poor security practices of users, and put up a strong barrier between your cloud network and the rest of the web.