May 12, 2014

OpenStack Session: Security for Private Clouds (Bryan Payne)

Private clouds need security too, not just public clouds. Attack vectors are no longer limited to edge devices: a "found" USB key loaded with malware can open the cloud environment to attack from inside the organization, and poorly designed security controls and policies compound the problem. The bottom line is that no one wants a botnet running in their data center!

The way around this is to apply security principles to the environment: logically separate specific-use environments and make use of VPNs.

Also, understanding the environment is key. Basically:
Orchestration + Known hardware = Secure infrastructure
[Applying security best practices at the outset, and consistently throughout the life cycle of the environment, on known hardware helps service providers (internal IT or actual CSPs) protect the environment.]

Payne identified some of the biggest threats to clouds:
API endpoints
Web dashboard
Information leakage*
VM breakout*
Hardware sharing
Default images
Secondary attacks

*Easily the biggest threats according to Payne.

Information leakage can be mitigated by using TLS to protect communications with the API endpoints, the web dashboard, log feeds, AD/LDAP and external storage. VM breakouts can be largely prevented by using mandatory access controls, removing unnecessary privileges from the physical node, and hardening the build, the compiler and the physical nodes.

Other attacks of concern include control plane compromise (mitigated by layered security via bi-directional firewalling, limiting data propagation, unique passwords everywhere) and upstream vulnerabilities (mitigated by security audits, aggressive security update policies).
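Two of the mitigations above (TLS on every service endpoint, and unique, non-default passwords across the control plane) are easy to check mechanically. The following audit script is an added example, not code from the session or from OpenStack itself. It runs over a constructed sample that mimics the shape of a Keystone v3 service catalog and two hypothetical service config fragments (all hostnames, addresses and secrets are made up), and flags endpoints that are not served over https, well-known default passwords, and the same secret reused in more than one place.

```python
"""Audit constructed OpenStack-style data for two control-plane weaknesses:
plaintext (non-TLS) service endpoints and default or shared passwords.
All sample data below is constructed for this example; nothing is fetched."""
import configparser
import json
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample resembling a Keystone v3 catalog (hypothetical hosts/URLs).
SAMPLE_CATALOG = json.dumps({
    "catalog": [
        {"type": "identity", "name": "keystone", "endpoints": [
            {"interface": "public", "url": "https://cloud.example.test:5000/v3"},
            {"interface": "internal", "url": "http://10.0.0.5:5000/v3"},
        ]},
        {"type": "compute", "name": "nova", "endpoints": [
            {"interface": "public", "url": "http://cloud.example.test:8774/v2.1"},
        ]},
        {"type": "object-store", "name": "swift", "endpoints": [
            {"interface": "public", "url": "https://cloud.example.test:8080/v1"},
        ]},
    ]
})

# Constructed config fragments with hypothetical credentials (not real values).
SAMPLE_CONFIGS = {
    "nova.conf": """
[DEFAULT]
transport_url = rabbit://openstack:changeme@10.0.0.9:5672/
[database]
connection = mysql+pymysql://nova:changeme@10.0.0.7/nova
[keystone_authtoken]
password = s3cr3t-nova-9f1
""",
    "neutron.conf": """
[DEFAULT]
transport_url = rabbit://openstack:changeme@10.0.0.9:5672/
[keystone_authtoken]
password = s3cr3t-nova-9f1
""",
}

# Illustrative list of vendor/default passwords worth flagging on sight.
DEFAULT_PASSWORDS = {"changeme", "password", "secret", "admin", "openstack"}


def plaintext_endpoints(catalog_json):
    """Return (service, interface, url) for every endpoint not served over TLS."""
    findings = []
    for svc in json.loads(catalog_json)["catalog"]:
        for ep in svc["endpoints"]:
            if urlsplit(ep["url"]).scheme.lower() != "https":
                findings.append((svc["name"], ep["interface"], ep["url"]))
    return findings


def password_findings(configs):
    """Flag secrets that are well-known defaults or reused across options/files.

    Returns (kind, secret, [locations]) tuples where kind is 'default' or 'reused'.
    """
    seen = defaultdict(list)
    for fname, text in configs.items():
        # default_section is renamed so that a literal [DEFAULT] section is
        # parsed as an ordinary section instead of leaking into every other one.
        cp = configparser.ConfigParser(interpolation=None, strict=False,
                                       default_section="__no_defaults__")
        cp.read_string(text)
        for section in cp.sections():
            for key, value in cp.items(section):
                if key in ("transport_url", "connection"):
                    secret = urlsplit(value).password  # embedded in the URL
                elif key == "password":
                    secret = value
                else:
                    continue
                if secret:
                    seen[secret].append(f"{fname}:[{section}]{key}")
    findings = []
    for secret, places in seen.items():
        if secret.lower() in DEFAULT_PASSWORDS:
            findings.append(("default", secret, places))
        elif len(places) > 1:
            findings.append(("reused", secret, places))
    return findings


if __name__ == "__main__":
    for svc, iface, url in plaintext_endpoints(SAMPLE_CATALOG):
        print(f"NO-TLS   {svc:10} {iface:9} {url}")
    for kind, secret, places in password_findings(SAMPLE_CONFIGS):
        print(f"{kind.upper():8} {secret!r} used at: {', '.join(places)}")
```

Against a real deployment the catalog would come from `openstack catalog list -f json` and the config fragments from the controller nodes; the two functions take the data as strings so the audit can be run offline on copies without credentials leaving the host.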

Ultimately, cloud needs to be at least as secure as everything else in the enterprise and deserves our attention. That said, I don't think we should despair because of complexity; rather, we've been through this before as web browsing, e-commerce and virtualization came into their own over the past 20 years.
