Many organizations are choosing to adopt cloud and hybrid cloud architectures to integrate with infrastructure-as-a-service (IaaS) solutions. It’s easy to see why, given the many benefits and advantages. These include:

  • Flexibility to pay for only what is used and provisioned;
  • Economy of scale, which enables sharing of the investments across branches;
  • Vendor-provided, cost-effective and efficient IT maintenance and operation; and
  • Increased speed for faster innovation.

An effective cloud transformation requires engagement from all stakeholders across the organization. It is important to consider the company’s overall culture and security posture during the implementation process.

IaaS Security

Regarding security, expectations vary depending on the type of cloud the organization adopts. If it chooses to focus on IaaS, its main objective is to cut IT expenses and complexity without sacrificing security in the infrastructure or access processes. With a platform-as-a-service (PaaS) solution, however, the focus shifts to securing applications and data, as well as being in compliance with regulations.

Security should always be on the table whenever an organization decides to transform its infrastructure or adopt a new service, from the design phase to the final implementation. Cloud solutions introduce many advantages, but with these advantages come more complex security concerns.

When building a service, it’s important to consider all security controls to reduce the risk and increase the efficiency of each element. This means securing infrastructure and applications, managing identities and access, and securing all elements involved in the execution of a transaction. This also applies to services that have elements stored in the cloud. If a cloud service provider supplies the infrastructure, for example, it’s important to ensure the vendor will also provide the security controls.

Of course, this type of infrastructure can impact the service-level agreement and cause customers to demand transparency. If the infrastructure supplied by the cloud service provider comes under attack, for example, it’s important to alert the customer’s security information and event management (SIEM) provider.

About the Security Controls

Just because the application or database installed on the IaaS is secure doesn’t mean the overall service is secure. It’s usually ideal to have a single database protection capability with visibility and control over the database, cloud and on-premises tools.

The security controls in an effective IaaS program should include the ability to:

  • Manage data center identities and access.
  • Authenticate, authorize and manage users.
  • Secure and isolate virtual machines (VM).
  • Patch default images for compliance.
  • Monitor logs on all resources.
  • Isolate networks.

Failing to check any one of the above boxes means compromising the security of workloads moved onto the IaaS system. An effective IaaS provides customers with a multilayer security strategy.

Managing Data Center Identities and Access

IBM SoftLayer, for example, employs security staff to monitor its access sites 24/7. Access to the data center requires an ID badge and biometric authentication. Then each level of the data center requires its own set of credentials, and only staff members whose roles require access will be permitted to enter a given level. All access is logged and monitored by closed-circuit television.

Authentication and Authorization

An effective IaaS solution includes policies that enable clients to create and manage user accounts and assign privileges. It should be able to check source IP addresses, prevent users from accessing the portal, and monitor activity to implement and effectively manage an access policy.

IaaS provides user management and granular access/permissions capabilities for elements provided by the platform, including servers, storage and networks. Many solutions rely on the client to create and delete portal users. If the client is managing the servers, the service provider would defer to the client for this process. If the provider is managing the servers, it should work with the client’s team to ensure the proper user accounts and privileges are available to the correct personnel.

VM Isolation

What are the risks associated with insecure VM isolation? What are the consequences of isolation failure?

In short, they are multiple and serious: Cybercriminals can leverage weak VM isolation to manipulate assets inside the cloud IaaS. In a VM hopping attack, for example, bad actors compromise one VM to gain access to the other VMs located on the same hypervisor. The attackers use this access to switch off the system, compromise data and replicate multiple VMs to jack up the cost to the customer.

Patch Management

Patch management involves patching shared devices, such as switches and routers, within a period consistent with security best practices. A highly automated cloud environment can accomplish patching by the time a new compliant server or workload migration starts up.

Log Monitoring

An IaaS solution should provide monitoring and incident management services. It should also establish explicit policies and processes for logging security events. Logging capabilities must include:

  • Ongoing monitoring and management;
  • Monitoring of network traffic using various techniques; and
  • Analysis of security logs generated from the platform component related to irregular, suspicious activities.

Logged alerts should be handled in a timely manner and, if applicable, communicated to clients. The support and incident response teams should notify clients of any activity related to the infrastructure.

Network Isolation

IaaS solutions often use firewalls to control internet access to VMs. These capabilities enable clients to build secure, internet-facing environments, support shared and dedicated firewalls, and supply additional network controls.

More from Cloud Security

Is Your Critical SaaS Data Secure?

4 min read - Increasingly sophisticated adversaries create a significant challenge as organizations increasingly use Software-as-a-Service (SaaS), Platform-as-a-Service (PaaS) and Infrastructure-as-a-Service (IaaS) to deliver applications and services. This mesh of cloud-based applications and services creates new complexities for security teams. But attackers need only one success, while defenders need to succeed 100% of the time. Organizations are contending with an exponential rise in advanced threats that are not only increasing in volume but also sophistication. The IBM Cost of Data Breach Report 2022 found…

4 min read

Rationalizing Your Hybrid Cloud Security Tools

3 min read - As cyber incidents rise and threat landscapes widen, more security tools have emerged to protect the hybrid cloud ecosystem. As a result, security leaders must rapidly assess their hybrid security tools to move toward a centralized toolset and optimize cost without compromising their security posture. Unfortunately, those same leaders face a variety of challenges. One of these challenges is that many security solutions create confusion and provide a false sense of security. Another is that multiple tools provide duplication coverage…

3 min read

New Generation of Phishing Hides Behind Trusted Services

4 min read - The days when email was the main vector for phishing attacks are long gone. Now, phishing attacks occur on SMS, voice, social media and messaging apps. They also hide behind trusted services like Azure and AWS. And with the expansion of cloud computing, even more Software-as-a-Service (SaaS) based phishing schemes are possible. Phishing tactics have evolved faster than ever, and the variety of attacks continues to grow. Security pros need to be aware. SaaS to SaaS Phishing Instead of building…

4 min read

The Importance of Modern-Day Data Security Platforms

4 min read - Data is the backbone of businesses and companies everywhere. Data can range from intellectual property to critical business plans to personal health information or even money itself. At the end of the day, businesses are looking to grow revenue, innovate, and operationalize but to do that, they must ensure that they leverage their data first because of how important and valuable it is to their organization. No matter the industry, the need to protect sensitive and personal data should be…

4 min read