By Chris Brenton, Director of Security, CloudPassage
As software developers, we rely heavily on our tools. Arguably one of our most important tools is the programming environment itself. This can become problematic if we are attempting to test and support multiple software versions, libraries, etc. The level of complexity rises even higher if we need to validate interactions with external resources. For example, what if I need to be able to test how my application interacts with both MySQL and PostgreSQL databases located on an external server? Clearly the time required to allocate and configure the proper resources could take nearly as long as the application development itself. Public cloud responds to this need by turning servers into commodity items, which can quickly be provisioned and decommissioned. However, there are security concerns that we need to be mindful of in order to ensure our intellectual property does not become compromised.
Provisioning Servers
The most commonly used public clouds are those offering Infrastructure as a Service (IaaS). Common examples are Amazon EC2, Rackspace and GoGrid. When you initialize a server in one of these environments, it typically starts up with no patches installed. For example, spin up a Windows 2008 R2 server, and it will boot up missing about three years' worth of patches and security fixes. What makes this situation even worse is the fact that the server is located in a public environment, so it may be reachable by the entire Internet. So far this year we’ve seen two remote code execution attacks (CVE-2012-0002 and CVE-2012-0173) against the Windows Remote Desktop Protocol, which is used for remote management. The flaws are exploitable without requiring the attacker to first authenticate with the system. So if I spin up an unpatched Windows 2008 R2 server, it is immediately vulnerable to these attacks.
Luckily there are cloud management tools that can help. RightScale provides a slick management interface that can manage virtual servers in both public and private clouds. You can define templates that identify how each server should be configured, and quickly deploy those servers when needed. The cloning function not only permits you to copy individual servers, but entire groups of servers all at the same time. So if my development environment requires complex interconnections between multiple systems, I can quickly copy the corporate standard and tweak as needed. If RightScale is not a good fit for your environment, you can check out similar tools such as Chef and Puppet.
Security
In order to leverage a cloud management tool to configure and patch your servers, you first need to know which configurations are incorrect and which patches are missing. This is where a vulnerability assessment tool comes into play. A vulnerability assessment tool can quickly check your servers to see what security tweaks are required. In the past, security professionals have relied on network-based vulnerability scanners. However, many public cloud vendors place restrictions on what type of security scanning can be performed. With this in mind, your best bet is to go with a host-based solution. A host-based vulnerability scanner performs a local system check, thus keeping suspicious traffic off of the cloud provider’s network. Further, host-based solutions are usually better at finding local exploits.
You may also wish to verify that critical system files have not been modified by unauthorized personnel. If an attacker breaks into your system, they will usually modify base system files to help hide their tracks. File Integrity Monitoring (FIM) tools are designed to both detect and alert when unauthorized changes take place. In the old days, FIM tools required you to monitor each server separately. However, modern-day cloud server file integrity monitoring tools recognize that all cloned servers can be managed from a single policy. For example, let’s say I make 20 clones of a specific application server. With older FIM tools, I would be required to both baseline and monitor each of those servers separately. With an FIM tool written for the cloud, I simply baseline the original image and apply that dataset to all 20 servers. This not only ensures that unauthorized changes get detected, but that all of the clones continue to be mirror copies of each other.
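The single-baseline idea described above, sketched in Python as an added example (it is not the author's code or any FIM product's): the original image is hashed once and every clone is compared against that one dataset. The directory layout, file names and clone names are constructed sample data, and the function names are hypothetical.

```python
import hashlib
import os
import tempfile

def build_baseline(root):
    """Map each file path (relative to root) to its SHA-256 digest."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = digest
    return baseline

def check_clone(baseline, clone_root):
    """Compare one clone against the shared baseline and return its drift."""
    current = build_baseline(clone_root)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "missing": sorted(p for p in baseline if p not in current),
        "added": sorted(p for p in current if p not in baseline),
    }

def write_tree(root, files):
    """Helper that materialises the constructed sample files on disk."""
    for rel, data in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)

def demo():
    """Constructed sample: one original image, three clones, one tampered."""
    image = {"etc/sshd_config": b"PermitRootLogin no\n", "bin/login": b"original-binary"}
    with tempfile.TemporaryDirectory() as tmp:
        write_tree(os.path.join(tmp, "golden"), image)
        baseline = build_baseline(os.path.join(tmp, "golden"))  # baselined once
        clones = {n: os.path.join(tmp, n) for n in ("clone-01", "clone-02", "clone-03")}
        for root in clones.values():
            write_tree(root, image)
        # Simulate an unauthorized change on a single clone.
        write_tree(clones["clone-02"], {"bin/login": b"replaced-binary", "tmp/.hidden": b"x"})
        return {name: check_clone(baseline, root) for name, root in clones.items()}

if __name__ == "__main__":
    for host, drift in demo().items():
        print(host, drift)
```

A clone that reports anything in `modified`, `missing` or `added` is no longer a mirror copy of the original image, which is the condition the policy is meant to alert on.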
Finally, all modern operating systems ship with a built-in firewall. A highly rated cloud server firewall automation tool will permit you to manage each firewall through a single interface, regardless of which public or private cloud the server happens to be running in. Of course, consider it a bonus if the cloud security tool you are evaluating is capable of performing all of the above security functions.
Leveraging public cloud resources is an excellent way to expedite the software development process. However, care has to be taken to ensure that security is properly addressed.
About the Author
Chris Brenton is Director of Security for CloudPassage, the industry leader in IaaS cloud security. He is also a fellow instructor for the SANS Institute. He is one of the founding members of the original Honeynet Project, as well as one of the original Internet Storm Center handlers. During his career, Chris was instrumental in the foundation of Dartmouth College’s Institute for Security Technology Studies (ISTS) and CSO of one of the nation’s first managed security providers, ALTeNet Solutions. Chris has been credited with the discovery of numerous security vulnerabilities and is a published author of various books on networking and network security. In his spare time, Chris is an extremely active blogger.