Best Practices for Service Providers: 2nd in a series of 3 Cloud Security Blogs
Welcome back to our cloud security week! Today our cloud security series has a focus on how CenturyLink Cloud manages its cloud environment, per the shared responsibility model described in this week’s earlier post and our recently released Cloud Security Overview.
With security as the top IT concern for many years, it’s no surprise the industry worked hard to alleviate enterprise customer security concerns. Today many organizations actually feel more comfortable with security in the cloud than they do with that of their on-premises data center. One customer noted, “when we were running our own datacenters, it was a full time job just to evaluate and install all the required security patches. We just didn’t have the ability to get to them all. That was creating risk.”
Let’s look at some best practices in critical areas under the cloud security domain, including APIs, user management, logging, and identity and access management.
Securing API Calls
Application Programming Interfaces (APIs) allow you to integrate your cloud-based application with myriad other systems regardless of their locations or platforms. They’re great for business agility, but they introduce an additional attack surface that must be properly protected. CenturyLink Cloud offers API authentication mechanisms that are resistant to replay and man-in-the middle attacks. These measures can be used to provide cryptographic validation of the API messages being sent. The authentication mechanism ensures that API commands can only be issued by properly authenticated endpoints and that each message is authentic and hasn’t been tampered with using cryptographically sound techniques.
Multi-Tier User Management and Billing
The security controls on the cloud side need to map to the roles and responsibilities of your organization. The cloud management platform should ideally offer a flexible account structure that enables you to roll up billing and usage information at the top level while enforcing complete segregation of networks and hosts at the sub-account level. This practice gives you control over which sub-accounts can be isolated, even from the parent account, and which sub-accounts are allowed to exchange data freely. For instance, you might want to isolate production from development/QA, perhaps meeting a regulatory “segregation of duties” requirement that people in operations roles cannot access development environments while developer cannot access production systems.
Logging and Reporting
Cloud security practices call for extensive logging. CenturyLink Cloud offers a tight integration with our partner Alert Logic, one of the most popular cloud logging services available. These capabilities give you detailed logging of management actions performed through whatever control interface the platform offers or through API calls. You should be able to access log data in the platform user interface as a reporting function and in a real-time publish/subscribe method so your existing log management system can consume the data. If you don’t already have a well-developed log management and alerting mechanism, it is a recommended practice to find a knowledgeable cloud security consultant to help you devise one, perhaps integrating with third party tools.
A Versatile Tool for Securing Your Data
A cloud IaaS platform can be a highly versatile tool for securing your data and applications. Virtual servers should be deployable on fully-redundant hardware connected through private high-speed virtual LANs at data centers audited by third party security experts. CenturyLink Cloud is designed with multiple layers of security, including redundant firewalls, intrusion protection, DDOS, certificate-based VPNs, role-based access controls, the potential for two-factor authentication, and integration with existing identify and access management systems.
The Network: Firewall Wall/VPN/Connectivity Options
The best practice is to protect your cloud environment with a series of redundant firewalls that employ Unified Thread Management (UTM) technology. You should also be able to use secure connections such as Persistent\User VPN, Direct Connection, or MPLS. CenturyLink offers all of these combinations, plus a physical private network among your CenturyLink environments. A recommended practice is to set up your cloud security so access to your servers can only be done via a certificate-based VPN connection, unless you have explicitly opened specific public ports. Ideally, you’ll also have the ability to extend two-factor authentication, perhaps via a standard such as LDAP (Microsoft Active Directory or OpenLDAP on Linux) for additional security where needed.
Identity and Access Management
Identity and Access Management options from CenturyLink Cloud includes granular Role-Based Access Controls (RBAC), as mentioned in the first post. For integrated identity, which has become a key enabler to quickly provision and de-provision access to company resources and data, it is best to integrate with your existing processes through Security Assertion Markup Language (SAML) 2.0. SAML lets you leverage your existing identify management processes and tools and mechanisms. CenturyLink Cloud supports SAML enabling single-sign-on (SSO). For example, the platform could enable SSO against Microsoft Active Directory Federation Services (ADFS), Oracle Identity Manager, Microsoft Forefront Identity Manager, and others.
Cloud security has become a well-established discipline within CenturyLink, as it’s been for managed hosting and the network. You need a partner who can help you prepare for and respond to diverse threats with a holistic approach to security, protecting your assets anywhere they live, monitoring threats and responding quickly to incidents. CenturyLink can enable this wherever you need it – in the cloud, at your location, or in one of our 60+ global data centers.
In our final post, we will cover cloud security tools and services offered by CenturyLink that allow you to secure your users, data and applications in the cloud and hybrid environments. Stay tuned.