This guest blog comes to us from Dave Meizlik, Dome9 VP of marketing and business development. Dome9 is a featured member of the SoftLayer Technology Partners Marketplace. With Dome9, you get secure, on-demand access to all your servers by automating and centralizing firewall management and making your servers virtually invisible to hackers.
Tech Partners Marketplace: http://www.softlayer.com/partners/marketplace/dome9
Three Tips to Securing Your Cloud Servers
By now everyone knows that security is the number one concern among cloud adopters. But lesser known is why and what to do to mitigate some of the security risks ... I hope to shed a little light on those points in this blog post, so let's get to it.
One of the greatest threats to cloud servers is unsecured access. Administrators leave ports (like RDP and SSH) open so they can connect to and manage their machines ... After all, they can't just walk down the hall to gain access to them like with an on-premise network. The trouble with this practice is that it leaves these and other service ports open to attack from hackers who need only guess the credentials or exploit a vulnerability in the application or OS. Many admins don't think about this because for years they've had a hardened perimeter around their data center. In the cloud, however, the perimeter collapses down to each individual server, and so too must your security.
Tip #1: Close Service Ports by Default
Instead of leaving ports — from SSH to phpMyAdmin — open and vulnerable to attack, close them by default and open them only when, for whom, and as long as is needed. You can do this manually — just be careful not to lock yourself out of your server — or you can automate the process with Dome9 for free.
Dome9 provides a patent-pending technology called Secure Access Leasing, which enables you to open a port on your server with just one click from within Dome9 Central, our SaaS management console, or as an extension in your browser. With just one click, you get time-based secure access and the ability to empower a third party (e.g., a developer) with access easily and securely.
When your service ports are closed by default, your server is virtually invisible to hackers because the server will not respond to an attacker's port scans or exploits.
Tip #2: Make Your Security as Elastic as Your Cloud
Another key security challenge to cloud security is management. In a traditional enterprise you have a semi-defined perimeter with a firewall and a strong, front-line defense. In the cloud, however, that perimeter collapses down to the individual server and is therefore multiplied by the number of servers you have in your environment. Thus, the number of perimeters and policies you have to manage increases exponentially, adding complexity and cost. Remember, if you can't manage it, you can't secure it.
As you re-architect your infrastructure, take the opportunity to re-architect your security, keeping in mind that you need to be able to scale instantaneously without adding management overhead. To do so, create group-based policies for similar types of services, with role-based controls for users that need access to your cloud servers.
With Dome9, for example, you can create an unlimited number of security groups — umbrella policies applied to one or more servers and for which you can create user-based self-service access. So, for example, you can set one policy for your web servers and another for your SQL database servers, then you can enable your web developers to self-grant access to the web servers while the DBAs have access to the database servers. Neither, however, may be able to access the others' servers, but you — the super admin — can. Any new servers you add on-the-fly as you scale up your infrastructure are automatically paired with your Dome9 account and attached to the relevant security group, so your security is truly elastic.
Tip #3: Make Security Your Responsibility
The last key security challenge is understanding who's responsible for securing your cloud. It's here that there's a lot of debate and folks get confused. According to a recent Ponemon Institute study, IT pros point fingers equally at the cloud provider and cloud user.
When everyone is responsible, no one is responsible. It's best to pick up the reigns and be your best champion. Great cloud and hosted providers like SoftLayer are going to provide an abundance of controls — some their own, and some from great security providers such as Dome9 (shameless, I know) — but how you them is up to you.
I liken this to a car: Whoever made your car built it with safety in mind, adding seat belts and air bags and lots of other safeguards to protect you. But if you go speeding down the freeway at 140 MPH without a seatbelt on, you're asking for trouble. When you apply this concept to the cloud, I think it helps us better define where to draw the lines.
At the end of the day, consider all your options and how you can use the tools available to most effectively secure your cloud servers. It's going to be different for just about everyone, since your needs and use cases are all different. But tools like Dome9 let you self-manage your security at the host layer and allow you to apply security controls for how you use a cloud platform (i.e., helping you be a safe driver).
Security is a huge topic, and I didn't even scratch the surface here, but I hope you've learned a few things about how to secure your cloud servers. If the prospect of scaling out security policies across your infrastructure isn't particularly appealing, I invite you to try out Dome9 (for free) to see how easily you can manage automated cloud security on your SoftLayer server. It's quick, easy, and (it's worth repeating a few times...) free:
- Create a Dome9 account at https://secure.dome9.com/Account/Register?code=SoftLayer
- Add the Dome9 agent to your SoftLayer server
- Configure your policy in Dome9 Central, our SaaS management console
SoftLayer customers that sign up for Dome9 enjoy all the capabilities of Dome9 free for 30 days. After that trial period, you can opt to use either our free Lite Cloud, which provides security for an unlimited number of servers, or our Business Cloud for automated cloud security.
-Dave Meizlik, Dome9
These Partners have built their businesses on the SoftLayer Platform, and we're excited for them to tell their stories. New Partners will be added to the Marketplace each month, so stay tuned for many more come.