Cloud IaaS: 15 recommendations for secure servers



Cloud services are perhaps most commonly recognized as IaaS (Infrastructure as a Service). This is probably due to the fact that this level of service wears the "halo" of virtualisation...
In an IaaS offer, the customer subscribes to an operating system hosting service that functions in a virtualised environment. Once the system is delivered by the service provider, it's up to the customer to secure his or her system. The extent of this security project will depend on the customer's needs and what the service provider does or does not provide.
Let's assume that you've just subscribed to an introductory level IaaS service. Now you've got to roll up your sleeves and raise your security to an adequate level.
Here are my 15 recommendations for securing a cloud-hosted IaaS virtual machine environment:
1. Encrypt all network traffic
2. Limit the number of services supported by an environment to one*
3. Increase the security of your operating system (Microsoft MBSA, Bastille Linux, etc.)
4. Enable the encryption functions built into file systems or mass-storage devices
5. Encrypt all data kept in storage areas (SAN, NAS, etc.)
6. Do not store your decryption keys on the environment: they should only enter the system at decryption time
7. Open only the required minimum number of network ports on each environment
8. Regularly install security patches both for your operating system and applications.
9. Perform scans to detect recurring vulnerabilities
10. Except for public services like HTTP/HTTPS, limit the number of source IP addresses authorised to connect
11. Do not use access passwords in console mode; instead use customer RSA keys or SSL certificates
12. Regularly perform system back-ups and store them in a safe place
13. Install an intrusion detection system on the level of the operating system (for example, OSSEC, CISCO CSA, etc.)
14. If you suspect an intrusion, take a snapshot of the environment, then close it*
15. Develop your applications in a secure way (OWASP)
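As an added example (not code from the original post), recommendations 7, 10 and 11 can be checked mechanically. The rule format `(port, source CIDR)`, the function names and the sample data are assumptions made for this illustration; the sshd check reads only global `PasswordAuthentication` and `PubkeyAuthentication` lines and ignores `Match` and `Include`.

```python
import ipaddress

# Recommendation 10 exempts public services such as HTTP/HTTPS.
PUBLIC_PORTS = {80, 443}
ANY_SOURCE = {ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_network("::/0")}

def audit_ingress(rules, required_ports):
    """Return findings for ingress rules given as (port, source_cidr) tuples."""
    findings = []
    for port, cidr in rules:
        source = ipaddress.ip_network(cidr, strict=False)
        if port not in required_ports:
            findings.append(f"rec 7: port {port} is open but not required")
        elif source in ANY_SOURCE and port not in PUBLIC_PORTS:
            findings.append(f"rec 10: port {port} accepts any source address")
    return findings

def audit_sshd(config_text):
    """Return findings for sshd_config text that still allows password logins."""
    settings = {}
    for line in config_text.splitlines():
        line = line.split("#", 1)[0].strip()
        parts = line.split(None, 1)
        if len(parts) == 2:
            # sshd keeps the first value it reads for each keyword
            settings.setdefault(parts[0].lower(), parts[1].strip().lower())
    findings = []
    # OpenSSH allows password logins unless this is explicitly set to "no"
    if settings.get("passwordauthentication", "yes") != "no":
        findings.append("rec 11: password authentication is enabled")
    if settings.get("pubkeyauthentication", "yes") != "yes":
        findings.append("rec 11: public-key authentication is disabled")
    return findings

# Constructed sample data: one web server that should expose only SSH and HTTPS.
SAMPLE_RULES = [(443, "0.0.0.0/0"), (22, "0.0.0.0/0"),
                (22, "203.0.113.0/24"), (3306, "10.0.0.0/8")]
SAMPLE_SSHD = "Port 22\n#PasswordAuthentication no\nPubkeyAuthentication yes\n"
HARDENED_SSHD = "PasswordAuthentication no\nPubkeyAuthentication yes\n"

if __name__ == "__main__":
    for finding in audit_ingress(SAMPLE_RULES, {22, 443}) + audit_sshd(SAMPLE_SSHD):
        print(finding)
```

The commented-out `PasswordAuthentication no` line in the sample is reported because a commented directive leaves the default in force.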
Normally, you should begin by identifying your security needs in order to choose your supplier(s). Then, you should add everything you want that they don't offer, in relation to standard services or optional services.

I haven't reinvented the wheel here: an IaaS server is pretty similar to a dedicated server hosted by a service provider.  Remove the layer of virtualisation and, essentially, you find yourself in a familiar world. Of these 15 recommendations, only 2 (indicated by an "*") require techniques linked to virtualisation.

PS: There's nothing spectacular about this for an experienced system/security administrator. Especially since the copy/paste of environments with virtualisation offers a level of industrialisation unknown in dedicated servers. Happy Clouding!


Jean-François Audenard

Within the Orange Group security department, I am in charge of security watch and security awareness. Frankness, optimism and good humour are what drive me every day.