Defending Cloud Environments
In a world where threats to information security systems present themselves in a variety of ways—from nation-state threat actors to natural disasters—it is more important than ever for organizations to have a well-rounded information security program. One such method is shifting traditional on-premises infrastructure to cloud hosting providers, like Microsoft Azure or Amazon Web Services (AWS).
Moving to a cloud infrastructure further strengthens an organization’s information security program by making backups and auditing easier. It also reduces the risk posed by natural disasters because resources are hosted in geographically separate regions.
Despite the security enhancements provided by cloud infrastructures, vulnerabilities still exist, and multiple layers of defense, known as Defense in Depth, should be applied. PeopleTec’s cybersecurity experts encounter and eliminate these vulnerabilities through Defense in Depth practices as they architect, secure, and defend cloud environments on a daily basis.
PeopleTec’s cloud engineers develop cloud architectures for a variety of customers. For most of our U.S. government customers, we leverage Microsoft Azure while adhering to DoD Secure Cloud Computing Architecture best practices.
Microsoft Azure offers several features to help manage Identity and Access Management policies, which are a crucial component of any security system. One of the primary ways we implement Defense in Depth with Microsoft Azure is by mandating multi-factor authentication to add an extra layer of security to our Identity and Access Management policies.
Multi-factor authentication requires users to provide two or more forms of authentication to access resources, such as a password and a biometric factor like a fingerprint or facial recognition. In Microsoft Azure, multi-factor authentication can be enabled by simply creating a new conditional access policy under Azure Active Directory and applying it to the appropriate users or groups. By using multi-factor authentication, companies can reduce the risk of unauthorized access to their systems and data. For example, in the event of a password compromise, an adversary still must satisfy the multi-factor authentication requirement prior to gaining access.
Microsoft Azure also allows for conditional access policies, which give security engineers more granular ways to control access, as shown in the image below. If on a corporate network or a registered device, a user may be asked to provide a password and acknowledge the request through an application on their registered device. However, if the user is remote or requesting access from a personal device, additional verification factors may be required.
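As an added example (not PeopleTec’s code and not Microsoft tooling), the Python below audits conditional access policies in the JSON shape returned by Microsoft Graph from GET /identity/conditionalAccess/policies, flagging policies that are not enforced or that grant access without requiring MFA, and checking that a tenant-wide MFA baseline exists; the sample policies are constructed and the object ids are placeholders.

```python
import json

# Constructed sample in the shape Microsoft Graph returns from
# GET /identity/conditionalAccess/policies (trimmed; ids are placeholders).
SAMPLE_POLICIES = json.loads("""[
 {"displayName": "Baseline: require MFA for all users", "state": "enabled",
  "conditions": {"users": {"includeUsers": ["All"], "excludeGroups": ["<break-glass-group-id>"]},
                 "applications": {"includeApplications": ["All"]},
                 "locations": {"includeLocations": ["All"], "excludeLocations": ["AllTrusted"]}},
  "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
 {"displayName": "Block legacy authentication", "state": "enabledForReportingButNotEnforced",
  "conditions": {"users": {"includeUsers": ["All"]}, "applications": {"includeApplications": ["All"]},
                 "clientAppTypes": ["exchangeActiveSync", "other"]},
  "grantControls": {"operator": "OR", "builtInControls": ["block"]}},
 {"displayName": "Finance app: compliant device only", "state": "enabled",
  "conditions": {"users": {"includeGroups": ["<finance-group-id>"]},
                 "applications": {"includeApplications": ["<finance-app-id>"]}},
  "grantControls": {"operator": "OR", "builtInControls": ["compliantDevice"]}}
]""")


def policy_findings(policy):
    """Return the weaknesses found in one conditional access policy."""
    findings = []
    if policy.get("state") != "enabled":
        findings.append(f"not enforced (state={policy.get('state')})")
    grant = policy.get("grantControls") or {}
    controls = set(grant.get("builtInControls") or [])
    if "block" not in controls and "mfa" not in controls:
        findings.append("grants access without requiring MFA")
    if "mfa" in controls and len(controls) > 1 and grant.get("operator") == "OR":
        # e.g. "mfa" OR "compliantDevice": a registered device can stand in for a second
        # factor, which is a deliberate trade-off in a device-aware policy, so flag for review
        findings.append("MFA can be satisfied by another control; confirm that is intended")
    return findings


def tenant_has_baseline_mfa(policies):
    """True if at least one enforced policy requires MFA for all users on all applications."""
    for p in policies:
        cond, grant = p.get("conditions") or {}, p.get("grantControls") or {}
        controls = grant.get("builtInControls") or []
        mfa_required = "mfa" in controls and (len(controls) == 1 or grant.get("operator") == "AND")
        if (p.get("state") == "enabled" and mfa_required
                and (cond.get("users") or {}).get("includeUsers") == ["All"]
                and (cond.get("applications") or {}).get("includeApplications") == ["All"]):
            return True
    return False
```

Run it against a real export by replacing SAMPLE_POLICIES with the value array from the Graph response; a policy that is still in report-only state is the most common reason an MFA baseline exists on paper but is not enforced.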
Defense in Depth can be implemented at other layers as well, including virtual networks, network firewalls, and host-based firewalls. As seen below, there are multiple layers of defense that protect you from an adversary moving laterally through your architecture if one of your lines of defense is breached.
Virtual networks provide isolated environments for users to deploy resources in a “sandboxed” environment, allowing them to create a more secure network infrastructure. Virtual networks also allow users to create Virtual Private Networks (VPNs), which enable secure encrypted communication between remote users and resources. By using virtual networks and VPNs, companies can significantly reduce the risk of unauthorized access to their resources.
Network Security Groups are a type of network firewall that allow users to filter network traffic based on specific rules. For example, users can create Network Security Group rules that allow traffic from specific IP addresses or block traffic from known malicious IP addresses. By using Network Security Groups, companies can reduce the risk of attacks such as Distributed Denial of Service attacks.
Host-based firewalls are software-based firewalls that run on individual machines, providing an extra layer of protection against attacks that may bypass network-based firewalls. Microsoft Azure provides several options for host-based firewalls, including Windows Firewall and Azure Security Center’s Just-In-Time Virtual Machine Access. Just-In-Time Virtual Machine Access allows users to restrict access to their virtual machines by granting access only to authorized users and only for a limited period of time. By using host-based firewalls, companies can reduce the risk of malware infections and unauthorized access to resources.
Hybrid Environments with Amazon Web Services (AWS)
In addition, many organizations are making use of hybrid environments, which are environments that consist of an on-premises infrastructure connected to a cloud environment. PeopleTec’s Commercial Cyber Business Unit offers cloud-based log centralization/aggregation, analysis, and threat hunting through an offering called Security Operations Center as a Service (SOCaaS). SOCaaS leverages a hybrid approach by connecting to a network through a site-to-site VPN from an AWS-based Security Operations Center.
In a hybrid environment, we implement Defense in Depth at several levels, most importantly to control the flow of traffic. Rules that determine what traffic can enter and exit the environment can be implemented at the on-premises firewall, the AWS firewall, and the Security Groups tied to each of the AWS instances. This approach results in a more secure infrastructure: if a failure occurs at one level, the other layers continue to check that only expected traffic passes through.
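The layered traffic checks described here and in the Azure network section above, as an added example that is not part of PeopleTec’s SOCaaS or any vendor tooling: a small Python model walks a flow through three rule layers (on-premises firewall, cloud firewall, instance Security Group) using the first-match, implicit-deny evaluation that Azure Network Security Group priorities and AWS Security Groups (allow-only lists) both reduce to, and reports which layer stops a flow that an over-permissive outer layer let through. All addresses, subnets and rules are constructed sample values.

```python
from ipaddress import ip_address, ip_network

# A rule is (action, protocol, source CIDR, destination port); "*" means any.
# Each layer is an ordered rule list evaluated first-match-wins with an implicit
# deny at the end, which is how Azure NSG priorities and AWS Security Groups
# (allow-only, so anything unlisted is dropped) both behave.
def rule_matches(rule, flow):
    action, proto, src, port = rule
    f_src, f_proto, f_port = flow
    return (proto in ("*", f_proto)
            and ip_address(f_src) in ip_network(src)
            and port in ("*", f_port))

def layer_decision(rules, flow):
    for rule in rules:
        if rule_matches(rule, flow):
            return rule[0]
    return "deny"  # implicit deny when no rule matches

def evaluate(layers, flow):
    """Walk the flow through every layer; return (allowed, name of the layer that stopped it or None)."""
    for name, rules in layers:
        if layer_decision(rules, flow) == "deny":
            return False, name
    return True, None

# Constructed example of the three layers (sample values, not a real deployment).
VPN_RANGE, JUMP_HOST_SUBNET = "10.0.0.0/8", "10.0.2.0/24"
LAYERS = [
    ("on-prem firewall", [
        ("allow", "tcp", "0.0.0.0/0", 443),
        ("allow", "tcp", "0.0.0.0/0", 3389),      # over-permissive: RDP open to the Internet
    ]),
    ("AWS firewall", [
        ("allow", "tcp", "0.0.0.0/0", 443),
        ("allow", "tcp", VPN_RANGE, 3389),        # RDP only from the site-to-site VPN range
        ("deny",  "*",   "0.0.0.0/0", "*"),       # explicit catch-all, same effect as implicit deny
    ]),
    ("instance security group", [
        ("allow", "tcp", "0.0.0.0/0", 443),
        ("allow", "tcp", JUMP_HOST_SUBNET, 3389), # RDP only from the jump-host subnet
    ]),
]

if __name__ == "__main__":
    for flow in [("198.51.100.7", "tcp", 443), ("198.51.100.7", "tcp", 3389),
                 ("10.0.2.5", "tcp", 3389), ("10.0.5.9", "tcp", 3389)]:
        print(flow, evaluate(LAYERS, flow))
```

The second flow shows the point of the section: the perimeter mistake (RDP from the Internet) is caught by the AWS firewall, and the fourth shows a VPN user who is not on the jump-host subnet being stopped by the instance Security Group even though both outer layers allowed the traffic.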
By properly managing network access to and from the cloud environment, restricting traffic flow, and controlling what ports and protocols traverse between the on-premises infrastructure and the cloud environment, PeopleTec secures our customers’ networks and resources and appropriately mitigates threat actor compromises.