/* The following article is extracted from the "Information Security Newsletter" published by the JUCC IS Task Force. */

IaaS includes the entire computing infrastructure resources stack from the facilities to the hardware platforms that reside in them. It provides limited application-like features but enormous extensibility. This generally means less integrated security capabilities and functionalities offered on the part of the cloud providers. As such, the security measures at IaaS are mainly managed and secured by the customers.

1. Data Encryption

To prevent data leakage to unauthorised parties, encryption techniques shall be implemented on:

• All network traffic using protocols such as Secure Socket Layer (SSL), Internet Protocol Security (IPSEC), Secure Shell Client (SSH) or Hypertext Transfer Protocol Secure (HTTPS)
• File systems or device drivers
• All data kept in storage areas, such as Storage Area Network (SAN), Network-attached Storage (NAS), etc.

Moreover, never store decrypting keys in the IaaS environment. Those keys shall only enter the system when decrypting.

2. Operating System

Security in the operating systems used in IaaS can be enhanced via the following approach:

• Increase the security measures of the underlying operating systems using specific security hardening tools. For example, Microsoft Baseline Security Analyzer (MBSA), Bastille Linux, etc.
• Install an Intrusion Detection System (IDS), such as Open Source Security (OSSEC) and CISCO Security Agent (CSA), at the operating system level.
• Regularly install security patches at the operating system level and update virus definition of anti-virus software.

3. Network Management

IaaS are accessed via the Internet. Hence, the following conventional network security measures can still be applied:

• Use customer RSA security tokens or client SSL certificates instead of access passwords in the console mode.
• Limit the number of network ports to the minimum. Except for public services like HTTP/HTTPS, limit the number of source IP addresses authorised to connect, especially to administrative remote accesses services.
• Perform recurring vulnerability or penetration tests to detect new undiscovered vulnerabilities.

4. Application Development

Security considerations shall be included during the Software Development Life Cycle (SDLC). Security framework such as Open Web Application Security Project (OWASP) can be used in developing programs in an IaaS environment.

Reference:

http://blogs.orange-business.com/live/2010/05/cloud-iaas-16-recommendations-for-secure-servers.html

[Previous section] [Next section]