What you Need to Know to Secure your Cloud Infrastructure

    There are a few important things you need to know about securing your cloud Infrastructure. All the benefits of building and launching an app in the cloud do come at a risk. As a CTO or CEO you want to save money wherever you can. Moving your infrastructure to the cloud is a great way to save time, money, and optimize your resources.

    So how do you begin to work with all the risks? For example, what would you do if your cloud services provider goes out of business? How do you secure your application and server in the cloud that you don’t own and physically can’t touch?

    Here’s a few pointers to get you started.

    Data and Application Availability:  

  1. Pick an established provider that has a great track record and is known for good reliable service.
  2. Regularly create backups of your entire website, database, components and architecture.
  3. Although unlikely, have a plan in place to migrate your website in case you lose your provider services.


    4. Network Security:  

    You will most likely be protected here since the upkeep of the external network that your app lives on is typically managed by your cloud provider.  But only the availability of the overall network is provided by cloud services. Your server and application are managed by you.

    Your responsibility typically begins at the your server firewall. To control access to your server and application you will need to implement access controls via firewall security rules, cloud resource access, and application level user roles.

    Secure network access to your server:

  4. Only give external access to the ports that you want public users to access (ie: 80 for http and 443 for https).
  5. For server system access, limit your file transfers and system level access to the secure remote access port SFTP/SSH port (22).
  6. Make sure only your IP has access to this port. And remove the access when you don’t need it.
  7. In addition, use the SFTP/SSH option via a certificate verify your identity and encrypt your remote connection when you make file and system level changes.
    See https://kb.iu.edu/d/akqg


    8. Control who can access your cloud services via system level user entitlements.

    Many cloud providers help you control access to your service resources via identities. In Amazon web services, for instance, this is called Identity and Access Management (IAM) where a user is granted access (via entitlements) to specific resources (those that they are authorized to use).  This access is specific to the cloud resource and not the web application itself.
    For example, the ability to access email services from your server would be accomplished by creating and leveraging a user that has access to cloud email services (SMTP) to send email.

    Control access to your app via application level user entitlements:

  8. Manage access to your web application by creating user accounts.
  9. Give those accounts specific roles that only allow access to the application level resources that they require.  For instance, if you have a Rails e-commerce application that requires updating of its product catalog then create a specific role entitlement to update the catalog.
  10. Admin functionality should be applied only to admin users. Features like modifying a system config is a privileged use that should not be co-mingled into a customer based user account, even if its owned by the same person.


    11. Test accounts and default usernames:

  11. Make sure you remove all your test users accounts and change default passwords.
  12. Don’t use easy to guess default usernames like admin and user.


    13. Secure data transfer between your web app and browsers:

    Purchase and implement your own SSL certificate. See https://www.sslshopper.com/ssl-certificate-wizard.html  for a comparison of what may work best for you.

    Let me know if you have any questions or require any help!

    I can be contacted at [email protected]

     

     

     

Posted on October 5, 2015 in my blog

Share the Story

About the Author

Phil is a technology expert with 15+ years experience architecting and building web solutions. He started in digital agencies like PixelPark and Xceed and has worked in creating cutting-edge web solutions, including being an early technology adopter with live events such as Intel Music Festival. He was also the founder of All Media Interactive Group. He specializes in open source development using LAMP, iOS, Node.js, Java, PHP, Magento, and Drupal. At Citigroup/SmithBarney, he served as Development Lead and Tech Program Manager for the Applications Development Division and also headed up Applications Data Security as a certified CISSP for Smith Barney, leading architecture domains and creating standards and best practices for the Applications Development group. In addition, Phil has built integrated social media, informational and commerce database solutions from the ground up for the mobile and desktop platforms of Queen of Raw and Favoire. Phil served as a mentor at the Branson Centre for Entrepreneurship and was a Finalist for the $1M Verizon Powerful Answers Award and a Top 15 Fashion Tech Founders of the Future Finalist at New York Fashion Tech Forum.

Designed and built by Phil Derasmo

Back to Top