Best Practices for Hardening Your Cloud Instances
Infrastructure as a Service (IaaS) solutions have been a boon to system administrators due to the versatility it offers datacenter professionals. Unfortunately the dynamic nature of cloud solutions makes them difficult to maintain. When instances are being created on the fly, security often becomes an afterthought. Fortunately you can use the guide below to ensure that you and your staff are aware of the best ways to secure cloud instances whether they are used for short or long term projects.
One of the biggest threats to any system is remote access. With regardless of the methods you use to access your server, be it a VPN, remote desktop, remote shell or a web console, poor credentials can bring down virtually any system. Additionally many attackers are now sniffing network traffic through rogue hotspots as a way to collect data without being detected.
- When possible, enable two factor authentication on all public facing and internal systems. This single step will protect you from brute force attacks and prevent most low level attackers from gaining access to your systems. If this isn’t possible, then try implementing a short-term and dynamic shared key system.
- Avoid using telnet and unsecure channels when accessing any cloud system. Due to its age, telnet hasn’t been built with modern security threats in mind. Instead, use secure shell (SSH), or if telnet is required, access it through a VPN.
- When using Microsoft’s Remote Desktop, Terminal Services Client or Remote Frame Buffer (RFB) by VNC, run them through a secure tunnel such as a VPN to add an additional layer of security.
One of the most commonly overlooked security threats system administrators commonly overlook is account hijacking. Phishing or targeted scams against key users within your organization can lead to an attacker gaining access to your entire infrastructure. Cross site scripting also is another technique commonly used to gain unauthorized access to accounts.
- Have routine staff training to inform them about best practices regarding the disclosure of sensitive information
- Prohibit staff from sharing account credentials between users, and as mentioned earlier, two factor implementation should be implemented when possible.
- Only assign permissions on an as needed basis to ensure that if an account is compromised, the damage can be mitigated.
The cloud era has brought an era where system administrators need to balance making their services available while limiting the ability for anonymous users to damage internal systems. With these systems, there needs to be a focus on ensuring that your systems can properly authenticate users and assign the appropriate permissions.
- APIs should use session-based authentication by a POST call or through an API key as a POST body or argument as a cookie. Information such as usernames, passwords API keys and session tokens should not appear in URLs since these can be stored in server logs.
- When possible store the session token or API key in a server-side cache.
- To protect against attackers using session information to impersonate other users, try using time limited encryption keys which are matched against the session token or API key, date and time, and incoming IP address.
Preparing Ahead of Time
Ultimately when it comes to technology, even the greatest system administrators will encounter some type of system failure during their careers. This is why all system administrators should have some routine backups in place to ensure you’re prepared for even the worst case scenarios.
Another proactive way to protect against digital threats is to use a quality monitoring solution on all your cloud instances. Aside from alerting system administrative staff about downtime, monitoring solutions also can be sued to ensure that resources are being allocated effectively across your network. By having this information in a central hub, administrators can focus their efforts on mission critical tasks.