How to secure IaaS
IaaS customers are responsible for securing their data, user access, applications, operating systems, and virtual network traffic. Organizations often make the following mistakes when using IaaS:
Unencrypted data. In hybrid and multi-cloud environments, data moves between on-premises and cloud-based resources, and between different cloud applications. Encryption is essential to protect the data from theft or unauthorized access. An organization can encrypt data on-premises, before it goes to the cloud, or in the cloud. They may use their own encryption keys or IaaS-provider encryption. An IT department may also want to encrypt data in transit. Many government and industry regulations require sensitive data to be encrypted at all times, both at rest and in motion.
Configuration mistakes. A common cause of cloud security incidents is misconfiguration of cloud resources. According to the McAfee Cloud Adoption and Risk Report, the average organization has at least 14 misconfigured IaaS instances running at any given time. This results in an average of 2,269 misconfiguration incidents per month. As an example: 5.5% of Amazon Web Services (AWS) S3 buckets in use are misconfigured to be publicly readable, which could result in significant loss of data.
The cloud provider may offer tools for securing their resources, but the IT professional is responsible for correct use of the tools. Examples of common errors include:
- Improperly configured inbound or outbound ports
- Multi-factor authentication not activated
- Data encryption turned off
- Storage access open to the internet
Shadow services. Shadow or rogue cloud accounts are most common in software-as-a-service (SaaS) solutions but can also occur in IaaS. When employees need to provision an application or resource, they may use a cloud provider without informing their IT department. To secure the data in these services, IT needs to first identify the services and users through an audit. To do this, IT can use a cloud access security broker (CASB).
User role-based permissions. It is a best practice to protect access to cloud infrastructure by ensuring that developers and other users have only the permissions they need to do their jobs—and no more. Lock root account credentials that can provide an attacker access to all resources, and deprovision inactive accounts.
Solutions for IaaS security
Many organizations use multi-cloud environments, with IaaS, PaaS, and SaaS services from different vendors. Multi-cloud environments are becoming more common but can also cause security challenges. Traditional enterprise security solutions aren't built for cloud services, which are outside the organization's firewall. Virtual infrastructure services (like virtual machines, virtual storage, and virtual networks) require security solutions specifically designed for a cloud environment.
Four important solutions for IaaS security are: cloud access security brokers, cloud workload protection platforms, virtual network security platforms, and cloud security posture management.
Cloud access security broker (CASB), aka cloud security gateway (CSG). CASBs provide visibility and control over cloud resources, including user activity monitoring, IaaS monitoring, cloud malware detection, data loss prevention, and encryption. They may integrate with firewalls and cloud platform APIs, as well as monitor IaaS for misconfigurations and unprotected data in cloud storage. CASBs provide auditing and monitoring of security settings and configurations, file access permissions, and compromised accounts. A CASB may also include workload monitoring and security.
Cloud workload protection platforms (CWPP). CWPPs discover workloads and containers, apply malware protection, and manage workload instances and containers that if left unmanaged, can provide a cybercriminal with a path into the IaaS environment.
Virtual network security platforms (VNSP). VNSP solutions scan network traffic moving both north-south and east-west between virtual instances within IaaS environments. They include network intrusion detection and prevention to protect virtual resources.
Cloud security posture management (CSPM). A cloud security posture manager audits IaaS cloud environments for security and compliance issues, as well as providing manual or automated remediation. Increasingly, CASBs are adding CSPM functionality.
IaaS provider considerations
IaaS providers are responsible for the controls that protect their underlying servers and data. IT managers can evaluate IaaS providers based on the following characteristics:
- Physical access permissions. An IaaS provider is responsible for implementing secure access controls to the physical facilities, IT systems, and cloud services.
- Compliance audits. IT managers can request proof of compliance (audits and certifications) with relevant regulations, such as healthcare information security laws or privacy requirements for consumer financial data.
- Monitoring and logging tools. An IaaS provider may offer tools for monitoring, logging, and managing cloud resources.
- Hardware specifications and maintenance. The hardware that underpins cloud infrastructure services impacts performance of those services. An IT organization can request the provider's hardware specifications, particularly the security devices such as firewalls, intrusion detection, and content filtering.
According to Gartner, IaaS will be the fastest-growing segment of the public cloud services market, forecasted to grow by 27.6% in 2019 to reach $39.5 billion, up from $31 billion in 2018. Moreover, Gartner projects that by 2025, 80% of enterprises will have shuttered their physical data centers in favor of cloud infrastructure services, compared to just 10% today.
As data centers move into the cloud, IT managers need to create IaaS security strategies and implement cloud security technologies to protect their essential infrastructure. Cloud security from McAfee enables organizations to accelerate their business by giving them total visibility and control over their data in the cloud. Learn more about McAfee cloud security technology.