Cloud IaaS: 16 recommendations for secure servers

 

Cloud services are perhaps most commonly recognized as IaaS (Infrastructure as a Service). This is probably due to the fact that this level of service wears the "halo" of virtualisation...
In an IaaS offer, the customer subscribes to an operating system hosting service that functions in a virtualized environment. Once the system has been delivered by the service provider, it's up to the customer to secure his or her system. The extent of this security project will depend on the customer's needs and what the service provider does or does not provide by default.
 
Let's assume that you've just subscribed to an introductory level IaaS service. Now you've got to roll up your sleeves and raise your security to an adequate level.
Here are my 16 recommendations for securing a cloud-hosted IaaS virtual machine environment:

  1. Encrypt all network traffic using protocols such as SSL, IPSEC, SSH or HTTPS
  2. Limit the number of services supported by an environment to only one*
  3. Increase the security of your operating system using specific hardening tools (Microsoft MBSA, Bastille Linux, etc.)
  4. Enable the data encryption functions integrated into filesystems or device drivers
  5. Encrypt all data kept in storage areas (SAN, NAS, etc.)
  6. Do not store your decryption keys in the environment: these should only enter the system when decrypting
  7. Open only the required minimum number of network ports on each environment
  8. Regularly install security patches at the operating system level and for any applications.*
  9. Perform recurring scans to detect new undiscovered vulnerabilities
  10. Except for public services like HTTP/HTTPS, limit the number of source IP addresses authorized to connect (especially to remote administration access services)
  11. Do not use access passwords in console mode; instead use customer RSA or SSH keys or client SSL certificates
  12. Regularly perform system back-ups and store them in a safe place
  13. Install an intrusion detection system at the operating system level (for example, OSSEC, CISCO CSA, etc.)
  14. If you suspect an intrusion, take a snapshot of the environment, then shut down the compromised virtual system*
  15. Develop your applications in a secure way (follow OWASP guidelines)
  16. Install antivirus software and make sure it is updated on a regular basis.
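
Recommendations 7 and 10 can be checked mechanically. The following is an added example, not part of the original post: it audits a constructed ruleset in iptables-save format and reports every port accepted from any source address that is not a public web port. The function names, the port sets and the sample rules are assumptions made for illustration.

```python
import ipaddress
import shlex

PUBLIC_PORTS = {80, 443}   # assumption: the only services meant to be public
ADMIN_PORTS = {22, 3389}   # assumption: SSH and RDP are the admin services

# Constructed sample in iptables-save format (not taken from a real host).
SAMPLE_RULES = """\
:INPUT DROP [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m multiport --dports 80,443 -j ACCEPT
-A INPUT -s 203.0.113.10/32 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 3389 -j ACCEPT
-A INPUT -s 0.0.0.0/0 -p tcp -m tcp --dport 3306 -j ACCEPT
-A INPUT -s 198.51.100.0/24 -p tcp -m tcp --dport 5432 -j ACCEPT
"""

def parse_ports(spec):
    """Expand '80,443' or '8000:8003' into a set of port numbers."""
    ports = set()
    for part in spec.split(","):
        lo, _, hi = part.partition(":")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports

def audit(ruleset):
    """Return (severity, port, rule) for ACCEPT rules open to any source."""
    findings = []
    for line in ruleset.splitlines():
        tok = shlex.split(line)
        if tok[:2] != ["-A", "INPUT"]:
            continue
        opts = {tok[i]: tok[i + 1] for i in range(len(tok) - 1) if tok[i].startswith("-")}
        if opts.get("-j") != "ACCEPT":
            continue
        dports = opts.get("--dport") or opts.get("--dports")
        if not dports:
            continue  # rules without a destination port are out of scope here
        source = ipaddress.ip_network(opts.get("-s", "0.0.0.0/0"), strict=False)
        if source.prefixlen != 0:
            continue  # source is restricted, as recommendation 10 asks
        for port in sorted(parse_ports(dports) - PUBLIC_PORTS):
            severity = "HIGH" if port in ADMIN_PORTS else "MEDIUM"
            findings.append((severity, port, line))
    return findings

if __name__ == "__main__":
    for severity, port, rule in audit(SAMPLE_RULES):
        print(f"{severity}: port {port} accepts any source -> {rule}")
```

Negated matches (`! -s`) and rules in user-defined chains are not evaluated by this sketch.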

Normally, you should begin by identifying your security needs in order to choose your supplier(s). Then, you should add everything you want that they don't offer, in relation to standard services or optional services.

I haven't reinvented the wheel here: an IaaS server is pretty similar to a dedicated server hosted by a service provider. Remove the layer of virtualisation and, essentially, you find yourself in a familiar world. Of these 16 recommendations, only 2 (indicated by an "*") require techniques or are based on features linked to virtualization.

PS: There's nothing spectacular about this for an experienced system/security administrator. Especially since the copy/paste of environments with virtualization offers a level of industrialization unknown (or very difficult to achieve) with dedicated physical servers. Happy Clouding!

Jean-François Audenard

Within the Orange Group security department, I am in charge of security watch and security awareness. Candor, optimism and good humor are what drive me every day.