06/17/2020 | News release | Distributed by Public on 06/17/2020 12:16
Before I bought a house a few years ago, my understanding of mortgages was pretty shaky at best. I only kind of knew what a mortgage was, but because everyone else around me seemed to have totally grasped the concept, I didn't want to ask questions and come off as stupid.
In the many conversations I've had with security professionals, I've found the same to be true of the cloud. There's still a gap in understanding, even at a very basic level, but most don't know where to turn and are certainly not asking their peers for fear of feeling behind or uninformed.
In this blog post, I'm going to provide an introductory primer on the cloud and cloud security for security professionals who want to fill in the blanks and stay up to speed with the security community. Let's get started!
In short, the cloud is software or hardware you access over the internet.
A common question we get asked is about the difference between cloud infrastructure and cloud software. It's an important difference to understand. We often hear customers say they're migrating to the cloud by moving from Microsoft Office to Office 365. While this is a cloud migration, it's generally not the cloud migration that many organizations are undertaking or thinking about starting.
Cloud-based software (also called 'software-as-a-service' or SaaS) includes software like Google Docs, Salesforce, and Netflix. It's software you access using a web browser, as opposed to software that you install on your computer. So, the move from Microsoft Office to Office 365 is an example of a migration from legacy software to a SaaS solution.
Cloud-based infrastructure (also called 'infrastructure-as-a-service' or IaaS), on the other hand, is computer hardware that you access via the internet. Moving workloads from on-premises servers and mainframes to cloud infrastructure is usually the migration organizations are referring to when they talk about moving to the cloud. Most organizations use public cloud infrastructure from a service provider like Amazon Web Services (AWS), Microsoft Azure, or the Google Cloud Platform (GCP). In the public cloud, customers effectively rent infrastructure capacity from the cloud provider.
When it comes to cloud providers, the good news is you don't have to choose just one. About 60% of companies use more than one to take advantage of the strengths of each or to avoid getting locked in with one vendor. Some companies also make use of private cloud infrastructure, which is hardware exclusively used by one organization.
For the remainder of this conversation, we will be discussing IaaS provided by public cloud service providers like AWS, Azure, and GCP.
Many of the cloud infrastructure components are the same as on-premises but without many of the drawbacks. The two key benefits of the cloud are speed and ease of deployment. Whereas adding a new server in an on-premises environment would require you to order a new server, wait a few weeks for it to arrive, and spend a few hours installing it (and a few more configuring it), the cloud lets you do all of this in a mere 30 seconds. This easy access to infrastructure allows for rapid development and innovation.
The challenge with this as a security professional is finding a way to secure the cloud without slowing down developers. The moment you step in as a roadblock for development, they'll simply go around you. It's your goal to enable them to develop and deploy quickly, but securely.
This is a huge mindset shift for security. In earlier days, security was seen as the 'bad cop' saying no to innovation and change because it meant lack of security. Today, it's about finding ways to put guardrails up to guide developers down a secure path instead of stopping them.
You've probably heard the word 'instances' thrown around by your developers, so let's explain what they are and why you need to know about them from a security standpoint. An instance is essentially a server. It's the same thing as a virtual machine that you'd have in an on-premises network but without needing to manage any hardware.
If your company is running on AWS, instances are called EC2 (Elastic Compute Cloud). In Azure, they're called Virtual Machines, and in GCP, they're called Compute Engines. Regardless of what they're called, these are the core components of most cloud environments.
As a quick security aside, EC2 instances come with something called security groups. These are essentially mini-firewalls around each EC2 instance, rather than one firewall located at the network level. See this overview and this rules reference guide for more information.
Instances have different types and sizes. This is important to know as a security professional so that if a developer is using this terminology, you can decode it, and if you are securing an instance, you'll know what kind it is. The instance type denotes what it's designed for. AWS uses the following letters:
In essence, the letters tell you what kind of hardware is being used for the instance type. You can read more about this here.
Then there are instance sizes. These refer to the number of CPUs and the amount of memory the instance has. Let's say you choose an AWS M5 instance. You then need to determine how much memory and how many CPUs you need, so you can choose large or extra-large (again, see this chart).
Each instance type has a different hourly rate, which is why it's important to choose the right instance type that's the most cost-effective for what you're trying to do. Knowing how to decipher these names can help clear up a big language barrier between you and your developers and help you understand what it is you're securing.
What is auto scaling?
One more thing you'll probably hear in relation to instances is auto scaling. In an auto scaling group of instances, the number of instances will automatically increase or decrease based on the current demand. For example, if you have instances hosting a website, you can increase the number of instances when there's a lot of traffic and reduce the number of instances when there's less traffic. With auto scaling, not only are you able to support highly variable demand, but you only pay for what you use.
To run software on an EC2 instance, you load an Amazon Machine Image (AMI) onto it. AMI is just AWS' term for a virtual appliance. A virtual appliance is essentially a software bundle that contains the operating system plus any additional software you want to run on your EC2 instance. AMIs are what allow an EC2 instance to be ready to run as soon as it's created. In Azure, AMIs are called VM images, and in GCP, they're called boot discs.
It's important as a security professional to have visibility into these, since they're the building blocks of your instances. If someone within your organization is using an AMI with an outdated operating system that contains vulnerabilities, then every EC2 instance that's spun up using that AMI will have the same vulnerabilities on it.
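One way to get that visibility, shown as an added example rather than code from the original post: map each instance to the AMI it was built from and flag images that are old or no longer listed. The 90-day threshold, the use of image age as a stand-in for patch level, and all IDs and names in the sample data are assumptions made for this example.

```python
"""Map instances to the AMI they were built from and flag stale images."""
from datetime import datetime, timezone

MAX_AGE_DAYS = 90  # assumed patching window for this example

# Constructed sample, shaped like entries of `aws ec2 describe-images` output.
SAMPLE_IMAGES = [
    {"ImageId": "ami-00000000000000001", "Name": "web-base-2020-05",
     "CreationDate": "2020-05-20T08:00:00.000Z"},
    {"ImageId": "ami-00000000000000002", "Name": "web-base-2019-02",
     "CreationDate": "2019-02-11T08:00:00.000Z"},
]
# Constructed sample: (InstanceId, ImageId) pairs taken from describe-instances.
SAMPLE_INSTANCES = [
    ("i-0000000000000001a", "ami-00000000000000001"),
    ("i-0000000000000002b", "ami-00000000000000002"),
    ("i-0000000000000003c", "ami-00000000000000002"),
    ("i-0000000000000004d", "ami-00000000000000009"),  # AMI no longer listed
]


def stale_ami_report(images, instances, now, max_age_days=MAX_AGE_DAYS):
    """Return {image_id: details} for AMIs that are too old or unknown."""
    created = {}
    for img in images:
        ts = datetime.strptime(img["CreationDate"], "%Y-%m-%dT%H:%M:%S.%fZ")
        created[img["ImageId"]] = ts.replace(tzinfo=timezone.utc)
    report = {}
    for instance_id, image_id in instances:
        if image_id not in created:
            # Deregistered or unshared image: its contents cannot be reviewed.
            age, reason = None, "unknown image"
        else:
            age = (now - created[image_id]).days
            if age <= max_age_days:
                continue
            reason = "older than %d days" % max_age_days
        entry = report.setdefault(
            image_id, {"age_days": age, "reason": reason, "instances": []})
        entry["instances"].append(instance_id)
    return report
```

Each entry in the report lists every instance that inherits whatever is in that image, which is the set to rebuild once the AMI is refreshed.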
Data travels at the speed of light through fiber optics, and the more distance it has to travel, the longer it takes to get to its destination. This is why the cloud providers offer regions. You don't want to use a server on the East Coast of the U.S. that is pulling data from Sydney, Australia because there's a delay. Even millisecond delays add up and create lag over time.
With regions, you can choose an instance to run in close proximity to where you'll be pulling data from. So if you have an office in Boston, Massachusetts, you'd choose the East Coast Region. If you're in Europe, you'd choose the closest European region. To that end, with respect to GDPR, European customer data cannot leave the EU, meaning if you have EU customers, you need a European region to store their data specifically.
Inside each region are availability zones. This is just another term for a data center, so when AWS says it has three availability zones in a region, what it means is it has three data centers in the region. This is important for reliability and durability because you can set up your cloud infrastructure to be duplicated in multiple availability zones. AWS, Azure, and GCP all provide tools that automatically detect when there's an issue in one zone and shift traffic and workloads to another zone.
Regions and zones are important to know as a security professional because they can be taken advantage of by attackers. Many cloud attacks don't even steal data, but rather they're stealing computing power so they can do things like mine for cryptocurrency while you foot the bill. They 'steal' compute power from whichever region is closest to them or in a region you're not actively using, so it's important that you keep an eye on all regions, even those you're not using.
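The check described above, as an added example that is not part of the original post: given a per-region instance inventory, report anything that exists in a region the organization does not deliberately use. The approved-region list and the sample inventory (including all instance IDs) are constructed for illustration.

```python
"""Flag EC2 instances that exist in regions the organization does not use."""

# Regions this (hypothetical) organization deliberately deploys to.
APPROVED_REGIONS = {"us-east-1", "eu-west-1"}

# Constructed sample data, keyed by region. Each value has the shape of
# `aws ec2 describe-instances --region <region>` output.
SAMPLE_INVENTORY = {
    "us-east-1": {"Reservations": [{"Instances": [
        {"InstanceId": "i-0000000000000001a", "InstanceType": "m5.large",
         "State": {"Name": "running"}, "LaunchTime": "2020-05-02T14:03:11Z"},
    ]}]},
    "eu-west-1": {"Reservations": []},
    "ap-southeast-2": {"Reservations": [{"Instances": [
        {"InstanceId": "i-0000000000000002b", "InstanceType": "c5.4xlarge",
         "State": {"Name": "running"}, "LaunchTime": "2020-06-14T02:47:55Z"},
        {"InstanceId": "i-0000000000000003c", "InstanceType": "c5.4xlarge",
         "State": {"Name": "terminated"}, "LaunchTime": "2020-06-10T23:10:00Z"},
    ]}]},
    "sa-east-1": {"Reservations": [{"Instances": [
        {"InstanceId": "i-0000000000000004d", "InstanceType": "t3.micro",
         "State": {"Name": "stopped"}, "LaunchTime": "2020-01-20T09:00:00Z"},
    ]}]},
}


def find_unexpected_instances(inventory, approved_regions):
    """Return non-terminated instances found outside the approved regions."""
    findings = []
    for region, response in sorted(inventory.items()):
        if region in approved_regions:
            continue
        for reservation in response.get("Reservations", []):
            for inst in reservation.get("Instances", []):
                state = inst["State"]["Name"]
                # Terminated instances no longer accrue compute cost.
                if state in ("terminated", "shutting-down"):
                    continue
                findings.append({
                    "region": region,
                    "instance_id": inst["InstanceId"],
                    "instance_type": inst["InstanceType"],
                    "state": state,
                    "launched": inst["LaunchTime"],
                })
    # Running instances first: they are the ones consuming paid compute now.
    findings.sort(key=lambda f: (f["state"] != "running", f["region"]))
    return findings
```

For the result to mean anything, the inventory has to be collected from every region enabled on the account, not only the ones in the approved list.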
If your organization is using AWS, you may have heard the term 'S3 bucket' floating around. S3 stands for Simple Storage Service and is essentially bulk, long-term storage. The Azure equivalent is blob storage and the GCP equivalent is Cloud Storage. This type of storage is commonly used to do things like hold backups and log files. You can think of an S3 bucket as an industrial version of Dropbox: it can be accessed from anywhere, anytime, and any sort of file can be stored here. With that said, it's important as a security professional to ensure the right privacy settings are used on S3 buckets, as the wrong settings can make them publicly accessible.
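To make "the wrong settings" concrete, here is an added example (not from the original post) that reads a bucket's ACL and its Block Public Access configuration and reports whether the ACL exposes the bucket. Bucket names and the owner ID are constructed, and the check assumes that bucket policies and account-level Block Public Access are reviewed separately.

```python
# Group URIs that S3 ACLs use for "everyone" and "any AWS account holder".
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PUBLIC_GROUPS = {ALL_USERS: "anyone on the internet",
                 AUTH_USERS: "any AWS account"}
BLOCK_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls",
               "BlockPublicPolicy", "RestrictPublicBuckets")
OWNER = {"Grantee": {"Type": "CanonicalUser", "ID": "constructed-owner-id"},
         "Permission": "FULL_CONTROL"}

# Constructed sample. "acl" is shaped like `aws s3api get-bucket-acl` output;
# "block" like the PublicAccessBlockConfiguration object returned by
# `aws s3api get-public-access-block` (None means none is configured).
SAMPLE_BUCKETS = {
    "example-backups": {
        "block": {flag: True for flag in BLOCK_FLAGS},
        "acl": {"Grants": [OWNER]},
    },
    "example-logs": {
        "block": None,
        "acl": {"Grants": [OWNER, {"Grantee": {"Type": "Group", "URI": ALL_USERS},
                                   "Permission": "READ"}]},
    },
    "example-legacy": {
        "block": {"BlockPublicAcls": False, "IgnorePublicAcls": True,
                  "BlockPublicPolicy": False, "RestrictPublicBuckets": False},
        "acl": {"Grants": [{"Grantee": {"Type": "Group", "URI": AUTH_USERS},
                            "Permission": "WRITE"}]},
    },
}


def audit_bucket(name, settings):
    """Summarize ACL-based public exposure for one bucket."""
    block = settings["block"] or {}
    flags_off = [f for f in BLOCK_FLAGS if not block.get(f, False)]
    public_grants = [(PUBLIC_GROUPS[g["Grantee"]["URI"]], g["Permission"])
                     for g in settings["acl"]["Grants"]
                     if g["Grantee"].get("URI") in PUBLIC_GROUPS]
    # IgnorePublicAcls makes S3 disregard public grants even if they exist.
    exposed = bool(public_grants) and not block.get("IgnorePublicAcls", False)
    return {"bucket": name, "exposed_via_acl": exposed,
            "public_grants": public_grants, "block_flags_off": flags_off}


def audit_all(buckets):
    """Audit every bucket, in name order."""
    return [audit_bucket(n, s) for n, s in sorted(buckets.items())]
```

The `example-legacy` case is worth noting: the public grant is still present in the ACL and only `IgnorePublicAcls` keeps it from taking effect, so the bucket becomes exposed the moment that flag is turned off.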
A Virtual Private Cloud (VPC) is another fundamental building block of AWS environments. It replicates the control you get with an on-premises network. In Azure, a VPC is called a Virtual Network, and GCP uses the same term as AWS. From a security standpoint, when you combine VPC controls with EC2 security groups, you're able to enjoy features such as network access control lists to enable inbound and outbound filtering at the instance and subnet level. This allows you to restrict what endpoints can see what's on your network, the kind of traffic that goes through your network zones, and so on.
We hope this overview is helpful to you in navigating cloud-specific terms and concepts so you can get up to speed quickly and start speaking the same language as your developers. We'd love to hear if there are additional cloud concepts you'd like to learn about, so send us a tweet @Rapid7!