Tips for Achieving Secure Cloud Access

As more IT organizations adopt cloud environments, secure cloud access should be a top consideration

Businesses are moving to a cloud environment in huge numbers. A McAfee survey found that 97% of organizations worldwide use some type of cloud computing service. A Statista report on cloud usage worldwide in 2018 found that 80% of enterprises are both running apps on or experimenting with Amazon Web Services (AWS) as their preferred cloud platform. That same report found that 67% of enterprises are running apps on or experimenting on the Microsoft Azure platform. And 18% of enterprises are using Google’s Cloud Platform for applications today, with 23% evaluating the platform for future use.

No matter how you look at it, cloud and/or hybrid IT infrastructures are on the rise. But while there are many benefits of moving to the cloud, IT professionals don’t completely trust the cloud. They know that cloud computing makes it more difficult to control communications and filter out suspicious traffic than local or on-premises data centers.

In the cloud, each individual server with a public IP address is associated with its own security policy. There is no dedicated network device that enforces inbound and outbound rules. These security policies could be reused. And every user of the cloud computer has to access it remotely. There are no more local users with physical devices in the cloud environment. This can create risks by making virtual servers accessible from the outside and exposing them to the internet.

Secure Cloud Access

When implementing cloud infrastructure, there are four main option for accessing cloud computers: direct access, VPN, virtual private cloud and a session manager. IT professionals need to assess these options and find the right balance between simplicity to access computers with a well-thought-out and planned security strategy that can be monitored and enforced by the virtual network administrator.

Direct Access

The simplest and easiest method to log in to a cloud computer is direct access, which opens the necessary port in the server security policy. This involves Amazon’s AWS Security Groups (sg) and Microsoft’s Network Security Groups (NSG). Windows computers need RDP or VNC ports open for remote desktop access or PowerShell (WS-Management) port for PowerShell scripting. Unix computer need SSH port for the shell or everything that goes through SSH (X-Windows, SQL, etc) or VNC for the desktop access.

An IT admin can set up and configure the security policy easily and open access to the port only for connections made from certain IP addresses. The IP range filtering helps limit port exposure; however, the list can grow quickly once users realize that they need to access cloud computers from multiple locations.

Direct access can seem like a risky solution as it shifts port protection to the server itself, exposing the computer to all kinds of internet attacks. However, protocols including RDP or SSH are considered sufficiently secure and IP range limits risk exposure. This method might work as a quick or temporary solution. One drawback to direct access is the difficulty in monitoring large numbers of security groups. For the large virtual networks, it is difficult to close specific ports or remove IP ranges from multiple security groups. This method also has limited access to auditing capabilities or accessing of lists.

VPN

Both Amazon (Amazon AWS VPC Gateway) and Microsoft (Microsoft Azure VPN Gateway) provide services that allows IT professionals to configure VPN connection between on-premises network and cloud networks (site-to-site) or from on-premises computers and a cloud network (point-to-site). It’s important to note that the VPN connection typically requires additional hardware or third-party software for establishing a secure connection between cloud and on-premises networks.

While a VPN provides secure (although slower) connection between on-premises and cloud data centers, it requires substantial configuration efforts. Once configured and rolled out, it joins local and cloud networks into a single addressable space hiding all computers from outside threats. However, this method can open computers to inside risks and leave cloud computers inaccessible from outside locations (similar to a local data center). Another challenge to this method is the lack of audit capabilities required for many companies.

Jump Server: A Gateway in the Cloud DMZ

The Virtual Private Cloud (VPC – Amazon) and Virtual Network (Microsoft Azure) make it possible to isolate multiple cloud computers in the private environment with a hidden IP space and not expose it to the internet. System architects use virtual networks in scenarios when most of the computers in the network do not expose any services outside of the network. Users access the system through a single portal and computers inside the network connect to each other when needed. An example of this is a web server exposed to the internet accessing hidden local database.

You can log in to hidden virtual computers using a dedicated Virtual Network gateway, a computer located inside a cloud virtual network and exposing a remote connection protocol to the internet. Users can RDP, SSH or VNC into the gateway, and from there they can remote to other computers on the local virtual network. The network that contains such gateways is called the DMZ, which is vulnerable to outside threats but does not contain any sensitive information or important software that is difficult to rebuild. In the network world, such gateways are called jump servers.

A remote access gateway located in DMZ is moderately simple to set up. It provides a good level of security and protection to the computers inside the virtual network. These computers are completely shielded from outside threats and provide a single point of entry for sufficient auditing and access controls. Such gateways do not perform well when too many users are trying to access the virtual network. However, they serve as a good entry point into the virtual network for occasional use. Also, many gateways could be set up to perform this function for the heavier load scenarios.

Session Manager

A session manager expands on the idea of remote access gateway and is quickly becoming the preferred method by many companies. A session manager is a specialized software deployed at the jump server that is located at the cloud computer at DMZ. It accepts HTTPS traffic from the internet and converts it to RDP, SSH or VNC protocols to establish connections to the computers in the virtual cloud network. The user of the system just needs a regular browser to interact with remote computers without having to install an RDP, SSH or VNC client. Session manager can support multiple sessions simultaneously and can maintain the list of computers in the virtual cloud network to which it can open connections. In addition, the session manager keeps identities (passwords and certificates) to these computers and connects to them without exposing these identities to the end user, simplifying system maintenance and security. Session managers provide auditing and out-of-the-box support for many compliance and industry regulations. This makes it an ideal solution for companies in highly regulated industries.

In the past, session managers were difficult to maintain and were on-premises-based software. Today there are cloud-aware, simple to set up and simple to use session managers that can provide secure access to cloud computers located in cloud virtual networks. These solutions use a modern, agile architecture; are agentless, cloud-ready, scalable and affordable. While session managers are third-party solutions, there are free downloads that allow you to try the software first. This makes evaluating this option easy and painless.

Summary

As more organizations move their data centers to the cloud, CIOs and IT professionals need to plan out a strategy for secure cloud access. It is essential that you consider all options on how to access virtual computers at Amazon AWS and Microsoft Azure cloud data centers. The goal should be to maintain a balance—selecting a method that is simple to set up and use and provides secure network configuration, whether it is two-node WEB site, complex extension of a corporate data center or multithousand-nodes research cluster.

Additional References:

Featured eBook
7 Reasons Why CISOs Should Care About DevSecOps

7 Reasons Why CISOs Should Care About DevSecOps

DevOps is no longer an experimental phenomenon or bleeding edge way of delivering software. It’s now accepted as a gold standard for delivering software. It’s time for CISOs to stop fearing DevOps and start recognizing that by embedding security into the process they’re setting themselves up for huge potential upsides. Download this eBook to learn ... Read More
Security Boulevard
Mark Klinchin

Mark Klinchin

Mark Klinchin has more than 20 years of experience developing and leading content management and security software companies. As CEO of Xton Technologies, he leads the product development for XTAM, a next generation Privileged Account Management software. Mark was co-founder and CTO of MetaVis Technologies, a leading software solution for managing information architectures in the cloud which was acquired by Metalogix in 2015. Mark has also served as chief product architect for VitalPath.

mark-klinchin has 2 posts and counting.See all posts by mark-klinchin