Infrastructure as a service (IaaS) configuration management is an important aspect of cloud security, but not all industry best practices align perfectly. Security configurations from the Center for Internet Security (CIS), Microsoft, and other operating system and application providers are just a few of the approaches available for securely configuring these environments.
In this tip, let's examine the different baselines and ways to apply server configuration hardening practices within IaaS clouds.
Amazon Machine Images
The good news for most enterprises is that major IaaS providers have a variety of options available for getting servers properly secured within their cloud infrastructure. The simplest way for smaller organizations to get started is to build on an image supplied by the cloud provider. In Amazon, users can start with a variety of Amazon Machine Images (AMIs) that come directly from Amazon, from the AWS community or from the AWS Marketplace. Any image from an external source should be carefully assessed before building on top of it: inspect what accounts, keys, services and software it ships with rather than trusting the listing. For most organizations, it's better to start with internal hardening policies and controls, and then apply them to the AMI or VM template. Amazon has a site dedicated to AMI security practices for AMI developers.
Locking down IaaS VM instances
Aside from foundational security practices from DISA, the Center for Internet Security, Microsoft and others, there are some best practices for ensuring IaaS VM instances are locked down as much as possible, given their increased exposure level. Among those best practices:
- Ensure no local accounts or weak credentials are built into deployed templates: no default or shared passwords, no leftover build accounts, and no SSH keys or cloud API keys left on the image. This is one of the most common ways systems are compromised. All IaaS VMs should use multifactor authentication and domain or directory accounts where possible.
- Implement a more rigorous patching schedule than normal. IaaS systems are more exposed: they are reachable from the internet by default in many deployments, and they sit in multi-tenant environments alongside systems the organization does not control. Keeping patches as up to date as possible is a smart idea for all types of systems deployed to IaaS environments.
- Severely limit services running on the systems in the cloud. Many organizations neglect to purposefully turn off all unrequired services, even if they're running only locally. This can have disastrous consequences, especially if network access to the IaaS systems isn't restricted.
- Enable rigorous logging and monitoring on the IaaS systems. All user access -- successful and failed -- and certain object/file access should be monitored. All logs should be sent to a central log store or service, either in the cloud or within the core data center.
- Perform vulnerability scans and penetration tests against VM template builds to ensure nothing was missed. Ideally, this would happen both before and after deployment to the cloud.
- Add configuration items that prevent interaction with the underlying hypervisor within the IaaS provider environment. Many hypervisors facilitate data interaction -- copy and paste, drag and drop, etc. -- with VMs through the guest tools, and these should be explicitly disabled. While most IaaS providers will disable this functionality at the hypervisor level when possible, it's prudent to also configure these settings for all VMs running in the cloud. In a private or VMware-based cloud these are per-VM configuration settings (the isolation.tools.* keys in the .vmx file); where the tenant has no access to VM-level hypervisor settings, the equivalent is to leave the guest tools' clipboard and drag-and-drop features disabled or uninstalled inside the guest.
- Consider using a host-based IDS or IPS on the cloud instances. There are traditional agents from antivirus, whitelisting and file integrity monitoring companies, as well as lightweight agents from cloud-based monitoring and configuration services like CloudPassage and Dome9.
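The checklist above is easiest to enforce if it runs as an automated gate against the template before deployment. The following is an added example, not the author's tooling: a small Python audit that applies the account, SSH, service, logging, hypervisor-isolation and baked-in-credential checks to artifacts pulled off a Linux template. The inputs (an /etc/shadow excerpt, an sshd_config, `ss -ltn` output, an rsyslog.conf, a VMware .vmx and a shell history) are constructed samples embedded as strings; the hash values and key in them are placeholders. On a real template, read the files from the mounted image instead.

```python
"""Pre-deployment audit of a VM template (added example, constructed inputs)."""
import re

# --- constructed stand-ins for files read off the template -----------------
SHADOW = """root:!:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
builder::19000:0:99999:7:::
admin:$6$saltsalt$placeholderhashvalue:19000:0:99999:7:::
"""
SSHD_CONFIG = """Port 22
PermitRootLogin yes
PasswordAuthentication yes
"""
SS_OUTPUT = """State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:22        0.0.0.0:*
LISTEN 0      128    127.0.0.1:25      0.0.0.0:*
LISTEN 0      50     0.0.0.0:3306      0.0.0.0:*
"""
RSYSLOG_CONF = "*.* /var/log/syslog\n"
VMX = """isolation.tools.copy.disable = "TRUE"
isolation.tools.paste.disable = "FALSE"
"""
BASH_HISTORY = "aws configure set aws_access_key_id AKIAIOSFODNN7EXAMPLE\n"


def shadow_findings(shadow_text):
    """Accounts that can log in locally: an empty hash field means a
    password-less login; a hash not locked with '!' or '*' is a credential
    baked into the template."""
    out = []
    for line in filter(None, shadow_text.splitlines()):
        name, pw = line.split(":")[:2]
        if pw == "":
            out.append(f"{name}: empty password field")
        elif not pw.startswith(("!", "*")):
            out.append(f"{name}: active local password hash")
    return out


def sshd_findings(config_text):
    """sshd honours the first occurrence of a keyword, so keep the first value.
    Missing keywords fall back to OpenSSH defaults (PermitRootLogin
    prohibit-password since 7.0, PasswordAuthentication yes)."""
    seen = {}
    for line in config_text.splitlines():
        parts = line.split("#", 1)[0].split(None, 1)
        if len(parts) == 2:
            seen.setdefault(parts[0].lower(), parts[1].strip().lower())
    out = []
    if seen.get("permitrootlogin", "prohibit-password") not in (
            "no", "prohibit-password", "without-password"):
        out.append("PermitRootLogin allows password login as root")
    if seen.get("passwordauthentication", "yes") != "no":
        out.append("PasswordAuthentication is enabled")
    return out


def listener_findings(ss_text, allowed_ports=(22,)):
    """Listening sockets outside the allow-list. Loopback-only listeners are
    reported too: unneeded services should be off, not merely hidden."""
    out = []
    for line in ss_text.splitlines()[1:]:          # skip the ss header row
        cols = line.split()
        if len(cols) < 5 or cols[0] != "LISTEN":
            continue
        addr, port = cols[3].rsplit(":", 1)         # rsplit copes with [::]:22
        if int(port) not in allowed_ports:
            scope = "loopback only" if addr.startswith("127.") else "externally reachable"
            out.append(f"port {port} on {addr} ({scope})")
    return out


def logging_findings(rsyslog_text):
    """rsyslog forwards to a collector with an @host or @@host action;
    without one, every log stays on the instance."""
    forwards = [l for l in rsyslog_text.splitlines() if re.search(r"\s@@?[\w.:\[\]-]+", l)]
    return [] if forwards else ["no remote log destination configured"]


VMX_REQUIRED_TRUE = ("isolation.tools.copy.disable",
                     "isolation.tools.paste.disable",
                     "isolation.tools.dnd.disable")


def vmx_findings(vmx_text):
    """VMware guest-isolation keys that block clipboard and drag-and-drop."""
    values = {}
    for line in vmx_text.splitlines():
        key, _, val = line.partition("=")
        values[key.strip()] = val.strip().strip('"').upper()
    return [f"{k} is {values.get(k, 'unset')}, expected TRUE"
            for k in VMX_REQUIRED_TRUE if values.get(k) != "TRUE"]


AWS_KEY_RE = re.compile(r"\bAKIA[0-9A-Z]{16}\b")   # AWS access key id format


def credential_findings(text, source="bash_history"):
    """Cloud API keys left in history or config files are baked-in credentials."""
    return [f"{source}: AWS access key id {m.group()[:8]}..." for m in AWS_KEY_RE.finditer(text)]


def audit():
    """Run every check; an empty dict means the template passes the gate."""
    report = {"accounts": shadow_findings(SHADOW),
              "sshd": sshd_findings(SSHD_CONFIG),
              "services": listener_findings(SS_OUTPUT),
              "logging": logging_findings(RSYSLOG_CONF),
              "hypervisor": vmx_findings(VMX),
              "credentials": credential_findings(BASH_HISTORY)}
    return {area: items for area, items in report.items() if items}


if __name__ == "__main__":
    for area, items in audit().items():
        print(area)
        for item in items:
            print("  -", item)
```

Against the constructed samples every area reports something: a password-less build account and an active admin hash, root and password SSH logins permitted, an externally reachable database port plus a loopback-only mail listener, no remote syslog destination, paste and drag-and-drop not disabled, and an access key in shell history. Wire `audit()` into the image build pipeline so a non-empty result fails the build, and extend the allow-lists per template role.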
IaaS configuration management will echo the approach used for internal, on-premises server configurations today in many ways. However, organizations should be stricter in applying controls to cloud systems. For example, the CIS benchmarks for Windows, Linux and other platforms are divided into profiles: Level 1 is the baseline set of controls that most environments can accommodate with little operational impact, and Level 2 goes beyond it to truly lock down the system, at the cost of some functionality. For IaaS VMs, Level 2 is the more appropriate goal if it can be attained without breaking key capabilities needed for normal operation.
By applying well-known security configuration and patching controls, more strictly than might be expected on the internal network, IaaS systems can be properly secured for most organizations.
About the author:
Dave Shackleford is the owner and principal consultant of Voodoo Security LLC; lead faculty at IANS; and a SANS analyst, senior instructor and course author. He has consulted with hundreds of organizations in the areas of security, regulatory compliance, and network architecture and engineering, and is a VMware vExpert with extensive experience designing and configuring secure virtualized infrastructures. He has previously worked as CSO at Configuresoft; as CTO at the Center for Internet Security; and as a security architect, analyst and manager for several Fortune 500 companies. Dave is the author of the Sybex book Virtualization Security: Protecting Virtualized Environments, as well as the co-author of Hands-On Information Security from Course Technology. Recently, he co-authored the first published course on virtualization security for the SANS Institute. He currently serves on the board of directors at the SANS Technology Institute and helps lead the Atlanta chapter of the Cloud Security Alliance.