Abandon the Perimeter

We’ve grown dependent on a perimeter.  Vendors build tools that have no security at all without a robust perimeter.  This term colors the way we as an industry think about security.  The assumption of a perimeter makes decisions for us, we tend to assume that an internal system is better protected than one in the DMZ and give it a lower priority for security.  This mindset is difficult to shed, and dangerous to keep, when you move operations to the public cloud.

In the public cloud there is no perimeter.  The update server that the vendor wants “behind” a proxy is as much on the public internet as any proxy you would put in place.  In the public cloud, you don’t control the network, and you don’t control the hardware.  You do control the software.

How do we secure this environment without the same level of control that exists in the old model? We need to change the thought process.  Instead of looking at the network from the outside in, and from the network layer up, focus on the host and the software.

1. Deploy hardened server builds
   1. Work with your Ops team to automate the creation and configuration with tools like Puppet and Chef.
   2. Pre-define custom hardened build scripts for your general server types.
   3. Allow your Ops team the leeway to add and remove instances as needed.
   4. Work with Ops to design the best security possible while allowing the necessary work to get done.
2. Configure your security controls
   1. Create Firewall rules to define, in software, the allowed communication between server instances.
   2. Restrict communication to management interfaces based on incoming IP.
   3. Build alerts to notify you if sensitive files are modified.
   4. Configure alerts for changes to your servers, new users and other events.
3. Learn what is normal.  Doing this will allow you to quickly see what isn’t
   1. Know your environment. Most cloud implementations are elastic. You need tools to tell you what IPs are yours today.
   2. Monitor the logs, central logging and alerting helps.
   3. Monitor the servers.
   4. Pay attention to the alerts.
4. Detect and respond to anomalies
   1. Tune alerts to remove known unimportant items.
   2. Build intrusion detection rules to capture and alert on known bad events.
   3. Continuously tune email alerts to ensure that no alert making it to your inbox is routine.

The keys to successful public cloud security are: control of the software, a flexible security posture, focus on secure defaults, and anomaly detection.  At this stage of the game, if you’re relying on a perimeter for your security, you haven’t build a hardened environment, you’ve built a brittle one.