Infrastructure as a service (IaaS) is one of the most popular cloud computing service models. It is safe when used properly, but IaaS security needs to be kept front and center at all times. With that in mind, here is a quick guide to the main IaaS security concerns and some best practices for addressing them.
Most IaaS security concerns relate to the need for access management and user verification. Here are five of the most common IaaS security issues businesses need to consider and address.
In the early days of the public cloud, there was a lot of concern that cloud service providers (CSPs) might accidentally allow data to leak between clients (tenants). Time has shown these concerns to be largely unfounded. In reality, the main cause of data leaks is human error, such as misconfigured storage or over-permissive access.
Staff training can help with this. Realistically, however, even with the best training, human error is a fact of life. You therefore need automated checks in place to catch mistakes before they become breaches.
The steps for protecting against data breaches in an IaaS security environment are exactly the same as the steps for protecting against data breaches in any other environment.
Firstly, ensure that all data is stored encrypted. At a minimum, all sensitive data must be encrypted at rest. This limits the impact of a breach, since stolen data cannot be read without the keys, which should be managed separately from the data they protect.
Secondly, you must have a robust backup strategy. This includes being sure that you can recover from your backups. Again, the rules for backups are essentially the same as they are in other environments. You need a local backup and an offsite backup. It is fine if the offsite backup is in a different cloud.
There are two key steps all businesses need to take to prevent account compromise. Firstly, your IT team should be on top of all user access rights. They should ensure that each user has only the access needed to perform their role (the principle of least privilege). These rights should be reviewed periodically regardless of whether or not there are any known changes.
They should also be reviewed automatically and immediately whenever there is a known change, such as a change of role. This is particularly important when the change is that the employee leaves the company. There is a reason companies fear disgruntled ex-employees, and even an employee who leaves on good terms no longer has any responsibility to protect their credentials, so their access should be revoked at once.
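The two reviews described above (periodic checks against a role's allowed permissions, plus immediate revocation for leavers) can be automated. The following is an added example, not code from the original article: it compares each user's granted permissions with a constructed role-to-permission matrix and reports excess rights, overdue reviews and accounts of departed staff. The role names, permission strings and user records are all constructed sample data.

```python
from dataclasses import dataclass
from datetime import date

# Constructed sample role matrix: the permissions each role is allowed to hold.
ROLE_PERMISSIONS = {
    "developer": {"compute:read", "compute:deploy", "logs:read"},
    "analyst": {"storage:read", "logs:read"},
    "admin": {"compute:read", "compute:deploy", "compute:delete",
              "storage:read", "storage:write", "iam:manage", "logs:read"},
}


@dataclass
class UserAccess:
    """One user's current access state as exported from the IaaS IAM system."""
    user: str
    role: str
    granted: set          # permissions actually assigned to the account
    last_reviewed: date   # date of the last completed access review
    left_company: bool = False


def review_access(users, today, max_days=90):
    """Return (user, finding) pairs for every account that needs action.

    - Departed users are flagged for full revocation regardless of anything else.
    - Permissions not allowed for the user's role are listed as excess.
    - Accounts not reviewed within max_days are flagged as overdue.
    """
    findings = []
    for u in users:
        if u.left_company:
            findings.append((u.user, "revoke-all: user has left the company"))
            continue
        allowed = ROLE_PERMISSIONS.get(u.role, set())
        excess = sorted(u.granted - allowed)
        if excess:
            findings.append((u.user, "excess permissions: " + ", ".join(excess)))
        if (today - u.last_reviewed).days > max_days:
            findings.append((u.user, "review overdue"))
    return findings


# Constructed sample users: one compliant, one over-privileged and stale, one leaver.
SAMPLE_USERS = [
    UserAccess("alice", "developer", {"compute:read", "compute:deploy", "logs:read"}, date(2024, 5, 1)),
    UserAccess("bob", "analyst", {"storage:read", "logs:read", "storage:write"}, date(2024, 1, 10)),
    UserAccess("carol", "developer", {"compute:read"}, date(2024, 5, 20), left_company=True),
]
```

Running `review_access(SAMPLE_USERS, date(2024, 6, 1))` reports bob's extra `storage:write` right and overdue review, and carol's account for revocation, while alice produces no findings.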
Secondly, your IT team should be enforcing robust user verification. These days a password on its own is only sufficient for the most basic level of user access, and it is highly unlikely to be appropriate in any business environment. Two-factor or, better, multi-factor authentication is the only way to go.
It is advisable to implement the second factor via an authenticator app rather than a text message. Firstly, this is more secure, as there is a vastly lower risk of interception (e.g. SIM swapping). Secondly, it avoids issues with the delivery of text messages, which can be unreliable at the best of times; if you send a lot of messages, you may also be flagged as a spammer.
Very much the same comments apply to account misuse. It is, however, worth noting that account misuse is far more likely to be caused by ignorance than malice. In fact, in the real world, the likeliest cause of all is probably people trying to take shortcuts because they are in a hurry.
This has three implications. Firstly, you need to make sure that all staff members are clear on what the rules are. Even with training, your staff members are unlikely to be able to remember all of them all of the time. This means that the rules need to be documented and the documentation needs to be easily accessible.
Secondly, you need to ensure that people have the time they need to do their work properly. Thirdly, you need automated checks in place to detect inappropriate user behavior, such as access outside normal hours or from unexpected locations.
In the context of IaaS security, the main cyberattacks are currently attacks on management interfaces, attacks on APIs, and DDoS attacks. The best defense against these is to build security into everything you do. In particular, you need to build in protection against them in your web servers, databases, and applications.
Taking the time to do this properly will probably add to the time and hence the cost of any project. You should, however, look upon this extra time and cost as an investment. This is particularly relevant with IaaS security as security attacks, especially DDoS attacks, can lead to significant extra charges.
It is also worth noting that failing to bake security into applications before they are placed on the CSP’s secure infrastructure can lead to serious bottlenecks later. When that happens, resolving the issue can turn into a case of “unscrambling eggs”. It is therefore clearly better to avoid it happening in the first place.