Posted on

Cloud Security

Data breaches occur all too often. Tighter controls are imminent and will help protect Personally Identifiable Information. However, every person or business that posts or stores anything on a Cloud Platform MUST take full responsibility for that data. This includes understanding the security of the Cloud Service.

This blog is NOT a full and complete list of all security measures that could be implemented but I would like to highlight some of the measures that should be considered.

Risk Awareness

We all have data that is pretty much of very little value to anyone else. That picture of your new born baby might have massive sentimental value to you but is probably not going to be worth much in the hands of a criminal. We also have data that we intend to be publicly available: Your CV, for example, or a company’s marketing brochure.

Some data that will be stored in the Cloud could cripple or destroy  a business if it were to be compromised. Every  piece of data has a value to you and a value to others. The costs of securing data should be carefully weighed against those values.

Your CSP

Whilst a very large company investing millions in a Cloud Service might well want to spend money determining how secure a CSP’s datacentres are, for the most of us that is overkill. Cloud Service Provider’s (CSP’s) base their business case on providing a secure solution. For the most part, we can safely assume that data stored with a major player in the Cloud will be significantly more secure than storing it ourselves. (Yes, even if you keep it under your pillow … or your dog’s pillow)

dog-pillow

They will however expect you to do your part!

ENCRYPTION

Hopefully an obvious one but if you don’t intend your data to be publicly available then you should definitely encrypt it! However you have a number of options.

  1. Encrypt on premise and manage your own keys.
  2. Encrypt in transit using your own or a CSP managed key.
  3. Encrypt at rest using your own or a CSP managed key.

For the vast majority of us, trusting the keys provided by the CSP will be sufficient. If you are storing government secrets you may wish to manage your own keys.

Account Security

From when your account is first set up you should be sure that your access to your account cannot be compromised. If you allow someone else access to your account everything else becomes irrelevant. In many companies though access needs to be shared. There are a number of tools we can use such as   Multi-Factor Authentication that we can utilize to help us implement Least Privilege Access.

Least Privilege Access

It is essential that any Cloud Strategy simplifies the process for devolving access and responsibility for data. Practices that have been important in traditional computing environments for many years are even more crucial as we move to the Cloud. This includes appointing a data owner for every bit of data and managing the full life cycle of that data. Least privilege, as the name suggests, means that we only give the minimum amount of access to data that a person needs to accomplish the specific task in hand. Some CSPs allow a person (an identity) to assume a number of roles which allow differing levels of access.

Firewall Controls

All major CSPs offer a competent firewall service that can be trusted. This should be utilized to implement Least Privileged Access to the public. This would indicate that where a service has a public front end, the data behind that service is held in a place that is fire-walled off from the front end.

CI / CD

The perfect security solution lies in making security part of your release process. The most forward thinking companies have a process of Continual Improvement and Continuous Deployment. One of my favourite lines is that Etsy ask their new programmers to deploy to live on day one. It is possible to completely automate the processes that secure our data and our infrastructure in the Cloud. This is complex but will be valuable when done well. One day all code will be released this way (I hope 😉 )

Posted on

Rules for your 1st Cloud Steps

Your  might be considering Cloud for any of the following reasons:

 

You Need  Cheap Secure Offsite Backup. The Cloud can be an effective way to achieve this.

 

Your Server Hardware is Old. You have some applications running on a server that is aging and ought to be replaced. If “Cash is King” then saving the capital expense might be useful.

cash is king

You’d Like to Reduce Your IT Costs. Sometimes a service that is currently provided in house such as email can be delivered more effectively (and possibly cheaper) by a Cloud Service Provider (CSP).

Whatever your drivers are, it is essential that you resolve the following important issues!

 

Choosing the CSP. There are a number of providers. Which one(s) are a good fit for your business?

Account set up. The last thing you need is to set up the account in a way that will leave you frustrated later.

Cost Management. You need to be certain that costs cannot escalate horribly because of a poor design.

Security is essential. How can you be 100% sure that your data (and your customer’s) data is secure?

 

This blog expands on the topics above. I would be delighted to assist you with investigating and providing solutions for any of these. Insperitas is also able to provide support for Cloud solutions.

Choosing The CSP.

maze

The three largest providers are also the most flexible

Amazon Web Services (AWS) is the largest CSP on the planet and offers a very wide range of services. The tools are relatively well known and can be adapted easily. For many this is the go-to place when beginning a Cloud Journey. https://aws.amazon.com/choosing-a-cloud-platform/

 

Microsoft are good at providing a Cloud version of services that they would traditionally provide by selling applications. Email is a classic example. For larger companies MS also offer a mature Identity and Access Management Solution based on Active Directory. Microsoft have a large network of partners and are “Enterprise Ready” in the sense that they are the oldest and most mature of the Big 3 CSPs.

 

Google are slightly newer to providing Cloud Services when compared to AWS. Google Cloud Platform (GCP) provides a much smaller array of services than AWS. However the services which they do provide are very well executed. They have a stated aim to be the largest CSP in the world in the next few years. https://cloud.google.com/why-google/

Setting up the account

The important things to ensure when it comes to setting up your account in either AWS or in GCP are:

  • Dont get locked out! You need MFA but who will have ultimate control?
  • For AWS choose a good Phone number.
  • For Google, will you get an enterprise account or a Gmail account?
  • How can you give access to another account for support?
  • Can you make use of free services?

https://aws-tutorials.blogspot.co.uk/2017/04/setting-up-your-new-aws-account.html

Setting up the account

The important things to ensure when it comes to setting up your account in either AWS or in GCP are:

 

  • Dont get locked out! You need MFA but who will have ultimate control?
  • For AWS choose a good Phone number.
  • For Google, will you get an enterprise account or a Gmail account?
  • How can you give access to another account for support?
  • Can you make use of free services?

 

https://aws-tutorials.blogspot.co.uk/2017/04/setting-up-your-new-aws-account.html

 

Managing Costs

money
money

If you have teenagers in your house you will well understand the difference in attitude to electricity use between bill-payers and non-bill-payers (also known as freeloaders). When you are using your own hosted infrastructure you only have to make sure that you don’t fill up the hard drive or place too many demands on memory and processor. However when you use Cloud Services you need to be sure from day one that you will be warned if your monthly costs are going above your anticipated levels.

 

In addition you need to be sure that your costs are allocated correctly. This isn’t difficult but demands that you follow good Cloud practices right from the start.

Security

padlock

When I setup one of my first Cloud servers I was a little surprised to find out a week later that a virus had been installed on the server. I had left open a port to the server that could have been disastrous. These days whenever I build any service online I start with ensuring that it is secure. This isn’t complicated but it is necessary.

 

For a FREE assessment type code 1709FREE into the “Message” bar on our Contact page

Posted on

Principle 7: Prepare for failure

Design your services and components to cope with failure. Any single component failure should not impact the overall service.

When designing Cloud Solutions ensure that the load is spread in a way that will cater for failure. The extent of the spread will depend on the criticality of the service as more spread equates to higher cost.

Use Load Balancers effectively to separate stateless micro-services from each other.

 

 

Posted on

Principle 6: Create Scalable Microservices

Don’t build monolithic applications

Instead of a monolithic approach,  build a number of smaller applications that can call each other as necessary via APIs. Automated scaling allows you to keep costs down whilst ensuring demand is met.

Cloud technologies depend on good elasticity to be competitive. It’s easier to see which parts of your application are the most resource hungry (or the most utilized) and improves troubleshooting.

Building with micro-services is good practice is generally thought to be good practice. It allows improvement of individual services which adds agility.

Go Serverless where possible as this puts the onus on the CSP to  provide the automated scalability.

With fully Automated scaling, horizontal scaling occurs in response to your Alerts.

NB. Applications divided into micro-services need to be stateless!

Posted on

Principle 5: Measure Everything

Every Cloud Service should be measured and logged

In order to ensure that costs are kept to a minimum it should be possible at all times to know all there is to know about each service. Its important to realize that  when using elastic virtual servers, the logs could be deleted when the server is deleted. Therefore servers should log all data centrally in a way that can be readily interrogated.

  • Log everything. Modern Cloud Services provide detailed logs. Collect them ALL. These include Application Logs, Infrastructure Logs and Security Logs!
  • Good elasticity depends on having accurate usage data.
  • Failing to measure is a sure fire way to waste money.
  • Set alerts on services based on the metrics expected and your design.
  • Use Tags properly. Your 1st tag for each item should be Cost_Centre. Tagging Taxonomy is important to save future headaches.
  • A good logging tool is essential for intelligent interpretation.
Posted on

Principle 4: Security Everywhere

Seriously – Every interaction with Cloud Services should be handled in a secure fashion

  • Data should be encrypted in transit and at rest.
  • All Cloud connections should be secure.
  • Work on the principle of Least Privilege Access.
  • Consider Security as part of your CI / CD Pipeline.
  • Don’t leave security to be the responsibility of a specialized team.
  • Consider each of the Cloud Security Alliance “Treacherous 12” threats

For more detail check out this blog.

 

Posted on

Principle 3: Infrastructure as Code

Build everything as Code

Why?

All Cloud services worthy of the name can be used or accessed using their API.  By calling this API via code we can benefit from:

  • Faster Deployments. Deploying both the application and the infrastructure using code can dramatically speed up deployment and lead to Continuous Deployment
  • Reduce Error. Version controlled, repeatable scripts remove opportunities for human error. Auditing, which is essential to many companies success, is also made much easier.
  • Automatic Configuration. We can use script based tools such as Ansible to control and configure our whole Cloud environment.
Posted on

Principle 2: Automate Everything

Everything you build should be both automated and repeatable

Why?

What if your infrastructure breaks? What if there is a disaster? Rebuilding can take considerable time. If your solution is built from repeatable code then recovery can also be automated.

Chunks of well crafted repeatable code can be pieced together to form more complex solutions, saving time in the long run.

Continuous Deployment which is a pillar of agile entities can only be achieved with automation.

A complete and well defined automated solution creates a perfect staging environment, protecting your production environment without the need for human change control.

Posted on

Principle 1: Cloud 1st

Consider a Cloud Solution BEFORE you consider the alternative

Why?

  • Following the 10 Cloud Guiding Principles drives behaviour that will increase efficiency.
  • Cloud Solutions encourage change and enhance agility.
  • Cloud Solutions allow you to focus on what you do best rather than on the infrastructure.
  • The worlds latest technology can be yours –  without capital investment.
Posted on

10 Principles of a Sound Cloud Strategy

These are principles rather than laws. They apply in every situation, but how they are applied will differ depending on circumstances. If you would like to know more about how they will apply to YOUR organization, just send me a message from the contact page.

(In no particular order)

PrincipleBrief Description
1. Cloud FirstConsider using a Cloud Solution before you look at other options.
Why Cloud 1st?
2. Automate EverythingEverything you build should be both automated and repeatable
Read why here
3. Build Everything using CodeMouse Clicks on portals aren't automated. 🙂
Benefits of IaC
4. Security is ParamountSecurity shouldn't be an after-thought but should be built into everything.
Stay Safe
5. Measure EverythingTag everything. Log everything centrally.
Save money and future headaches
6. Create Scalable MicroservicesScale horizontally
No monoliths
7. Prepare for FailureAssume things will break. Build self-healing solutions.
here's how
8. Optimize for CostNever over-provide!
9. Consider PortabilityWill you need to use another Cloud Service Provider?
10. Follow Cloud Native Best PracticesAll applications should be designed in line with best practices