The rise of cloud computing and cloud services has brought about tremendous changes to how organizations handle their day-to-day operations and services. However, since utilizing the cloud means that more information is being sent to and stored in an Internet-hosted service, there is a much higher probability of a data breach occurring. In this blog, we here at Harbor Technology Group want to discuss the basic architecture of how organizations connect to cloud environments and where in this architecture cyber and information security measures are taken.
In most cloud computing architectures, there is a network (or networks) with its associated devices connected via the Internet to a Cloud Service Provider (CSP). An excellent example of a CSP is Amazon Web Services, one of the largest cloud providers. Within a cloud environment there can be multiple instances of virtual networks, storage spaces, and databases. The entirety of a cloud environment’s elements can be very complex; however, this should provide you with a general sense of what a cloud environment looks like. In this architecture, there are a couple of places where security becomes a concern. The first is the Internet connection between the users’ network(s) and the cloud environment. Without proper security measures in place, there is a high chance of a data breach occurring in this space. The second is the cloud environment itself, since the entire domain is hosted on the Internet. The security of the instances inside the environment is handled by the user, while the CSP secures the cloud itself. What can be done to ensure that a safe cloud environment is maintained from the users’ network to the CSP’s cloud environment?
Let us look at the first area of concern: the Internet connection between the users’ network and the CSP’s cloud environment. A secure connection can be made by using either a Virtual Private Network (VPN) or an Encrypted Secure Connection (ESP). A VPN is essentially a tunnel in which a user’s data is encrypted and sent through a series of secure networks to reach its destination. An ESP, on the other hand, is a connection made over the open Internet, but the data itself is encrypted using an encryption method known as Public Key Infrastructure and trusted website certificates. Which of the two options to use depends on the instance the user is attempting to connect to. If the user is trying to access an instance in the cloud meant for a development project where only the members of that development team are intended to have access, the best option is a VPN. On the other hand, if the user is accessing an external-facing instance in the cloud environment, such as an organization-wide file system, an ESP is an excellent way to create a secure connection.
Now, when it comes to the cloud environment itself, where there can be multiple instances, each with its own level of privacy and importance, security measures can be put in place to ensure users can only access the instances they are allowed to access. One of the most common steps is using what are known as virtual private clouds (VPCs). Essentially, a VPC is a separate network within a single cloud account that can have its own subnets to separate instances. Each subnet in a VPC can be configured with permissions that allow access to users who are authorized to reach the appropriate instances and deny those who are not. Suppose an organization uses multiple VPCs within its cloud account. In that case, each VPC is by default not connected to the others, which means that if an attacker gains access to one VPC, they cannot use that access to infiltrate the other VPCs. An excellent way to look at it is like this: say there is a house with three locked doors inside it, each leading to a separate room. If someone gets into the house and also obtains the key to one of the doors, they cannot use that key to unlock the other doors. Nor can they enter the room they have access to and find a door inside it leading to the other rooms, because there are no other doors in that room.
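As an added illustration of the VPC and subnet permissions described above (example configuration written for this post, not Harbor Technology Group’s own or any customer’s), the Terraform fragment below declares a development VPC whose private subnet has no route to the Internet, and places a weak security group beside the corrected one. The VPN address range `var.vpn_cidr` and the `10.10.0.0/16` network are assumed values.

```hcl
# Address range the organization's VPN hands to connected staff (assumed value).
variable "vpn_cidr" {
  description = "CIDR of addresses assigned to VPN-connected users"
  default     = "10.200.0.0/24"
}

# One VPC for the development project. A second VPC in the same account
# would have no connectivity to this one unless peering is explicitly added.
resource "aws_vpc" "dev" {
  cidr_block = "10.10.0.0/16"
  tags       = { Name = "dev-vpc" }
}

# Private subnet: no internet gateway route and no public IPs, so instances
# here are only reachable from inside the VPC (for example, via the VPN).
resource "aws_subnet" "dev_private" {
  vpc_id                  = aws_vpc.dev.id
  cidr_block              = "10.10.1.0/24"
  map_public_ip_on_launch = false
}

# Weak setting: SSH accepted from any address on the Internet.
resource "aws_security_group" "dev_ssh_open" {
  name   = "dev-ssh-open"
  vpc_id = aws_vpc.dev.id
  ingress {
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

# Corrected setting: SSH accepted only from the VPN range; every other
# inbound connection is denied because security groups default to deny.
resource "aws_security_group" "dev_ssh_vpn_only" {
  name   = "dev-ssh-vpn-only"
  vpc_id = aws_vpc.dev.id
  ingress {
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = [var.vpn_cidr]
  }
  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}
```

Only the `dev_ssh_vpn_only` group should be attached to development instances; the `dev_ssh_open` group is shown solely to make the contrast visible.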
Along with these cloud-specific security measures, there are also the typical username/password login portals in the appropriate places (such as when connecting to a VPN service or entering the cloud environment). The cloud environment is an exciting service that allows for much innovation for many organizations. These cloud environments must be secured to ensure that any sensitive data and projects do not land in the wrong people’s hands.