Now here’s a fun topic I wanted to share, as I’ve been looking more and more into this. When many people think of the cloud, in my experience the ideas of networking and security are what has changed so vastly compared to what they think of in a normal circumstance.
At its core, there is a mindset shift between the way on-prem data centers, and cloud based networking function. And its important to remember these fundamental differences or else you run into a variety of problems down the road. It’s easy to get overwhelmed to be honest, and I don’t mean for this to seem complete by any stretch of the imagination. But you have to start somewhere right.
The most important thing to remember is that some elements of security just don’t apply anymore, at least not in the traditional sense. And here are some of those concepts:
- Perimeter Security is not what it used to be: This is the hardest thing for a lot of people to realize, but everyone still tries to cling to these notions that the only way to secure a workload is through locking down every public endpoint, and build a perimeter around your application, and then call it a day. Do a search online of the number of companies who implement perimeter security practices and how many times it blew up in their face. Security Threats, attack vectors are always changing and to consider the idea that you can build a fence and that’s good enough is just ridiculious.
- Authentication / Authorization are the new IP address: Another situation that I see all too common with the cloud is people clinging to IP whitelisting. IP Whitelisting is not sufficient for many of the more sophisticated attackers any more. And to be honest, your preventing yourself from taking advantage of cloud based services that are more secure than what you are capable of implementing yourself. The idea of Zero trust has been growing more and more, and here we assume that no sending is safe, without credentials. This ensures better security overall.
So what do we have to look at to start. I wanted to provide some ideas of potential areas to focus when it came to security for the Cloud and those options are here.
- Here is a quickly consumable “Best Practices” for IaaS workloads for security.
- Additionally there is a link to security documentation for azure, and this provides a lot of details on different topics and questions.
And here is a reference on the Microsoft Shared Responsibility model for Security.
- Network Security Options: Here is a list of options for network security.
- Network / Application Security Groups: NSGs are a great way of limiting the traffic within a virtual network. But additionally in this space, we provide service tags, which allows you to manage the different azure services you might allow to communicate for rule creation. Things like “AzureTrafficManager”, “VirtualNetwork”, “Sql”, “Storage”. Additionally there is an option with Application Security Groups (ASGs), which enable you to configure the NSGs to be based on the application architecture.
- Virtual Network Service Endpoints: This provides an option to extend your virtual network private address space to Azure services without traveling the public internet. So the intention here would be, I want my machines to access “KeyVault”, but I don’t want it to be accessible outside of the vNet. This is important as it allows you to further lock down your networking and access.
- Virtual Network Peering: As you identified in your network diagram, you were implementing two virtual networks. If you want communication to occur across the different virtual networks, you would need to implement vnet peering to enable that traffic.
Ultimately as I mentioned above, Zero Trust security models are really the direction of the future from a Cyber Security direction. A great site that covers the idea of Zero trust, and all the considerations can be found here. As well as a great whitepaper here.