Infrastructure Security Design (Public Clouds)
As we discussed in my previous post, transparency or more control is need of the hour with regards to security on the cloud. Let examine how this is done by the popular cloud providers and understand the method and the technologies. We need to secure the infrastructure, network, endpoints, applications, processes, data, and information and overall have a governance to mitigate the risk and meet the compliance. Let us take the infrastructure to begin with.
The key areas for a security team to design for with regards to infrastructure security are
- Managing datacenter identities
- Securing virtual machines
- Patching default images
- Monitoring logs on all resources – VMs and hypervisors
- Ensuring network isolation
Let us start looking at the public cloud implementations to understand how they are managing these aspects.
Almost all the vendors – IBM, Amazon, Microsoft, Salesforce provide a means to do SSH with keys to the Guest OS. The protocol runs over SSL and is authenticated with a certificate and private key which could be generated by the customer.
IBM SmartCloud is designed with enterprise security as a top priority. Access to the infrastructure self-service portal and application programming interface (API) is restricted to users with an IBM Web Identity. The infrastructure complies with IBM security policies, including regular security scans and controlled administrative actions and operations. Within our delivery centres, customer data and virtual machines are kept in the data centre where provisioned, and the physical security is the same as that for IBM’s own internal data centres. With virtual private network (VPN) option, customers can isolate their servers in the IBM SmartCloud on a virtual local area network (VLAN) that can act as an extension of their internal network. This VPN capability can also be used to create security zones in an Internet-facing configuration to better protect their servers against attacks.
IBM LotusLive employs a security approach based on three three-pillars that includes ensuring security rich infrastructure.
- Human-centered security: Making personnel roles across LotusLive and their access authorizations are recorded in a Separation of Duty matrix.
- A security-rich infrastructure: Security configuration reviews and periodic vulnerability scanning of all systems and infrastructure.
- Policy enforcement points providing application security: multi-layered compliance with periodic programs that address all elements of the service environment.
And if you these posts interesting dont forget to rate the post (click on the stars) and if you got an extra minute do put in a comment on what apsects you find interesting or need discussion.