
Abandon the Perimeter


Written by  for the CloudPassage blog.

We’ve grown dependent on a perimeter.  Vendors build tools that have no security at all without a robust perimeter.  This term colors the way we as an industry think about security.  The assumption of a perimeter makes decisions for us: we tend to assume that an internal system is better protected than one in the DMZ, and we give it a lower priority for security.  This mindset is difficult to shed, and dangerous to keep, when you move operations to the public cloud.

In the public cloud there is no perimeter.  The update server that the vendor wants “behind” a proxy is as much on the public internet as any proxy you would put in place.  In the public cloud, you don’t control the network, and you don’t control the hardware.  You do control the software.

How do we secure this environment without the same level of control that exists in the old model? We need to change the thought process.  Instead of looking at the network from the outside in, and from the network layer up, focus on the host and the software.

  1. Deploy hardened server builds
    1. Work with your Ops team to automate the creation and configuration with tools like Puppet and Chef.
    2. Pre-define custom hardened build scripts for your general server types.
    3. Allow your Ops team the leeway to add and remove instances as needed.
    4. Work with Ops to design the best security possible while allowing the necessary work to get done.
  2. Configure your security controls
    1. Create Firewall rules to define, in software, the allowed communication between server instances.
    2. Restrict communication to management interfaces based on incoming IP.
    3. Build alerts to notify you if sensitive files are modified.
    4. Configure alerts for changes to your servers, new users and other events.
  3. Learn what is normal.  Doing this will allow you to quickly see what isn’t.
    1. Know your environment. Most cloud implementations are elastic. You need tools to tell you what IPs are yours today.
    2. Monitor the logs; central logging and alerting help.
    3. Monitor the servers.
    4. Pay attention to the alerts.
  4. Detect and respond to anomalies
    1. Tune alerts to remove known unimportant items.
    2. Build intrusion detection rules to capture and alert on known bad events.
    3. Continuously tune email alerts to ensure that no alert making it to your inbox is routine.
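
An added example (not from the original article or from CloudPassage) that ties steps 2.1, 2.2 and 3.1 together: it regenerates each host's inbound iptables rules from the current instance inventory, so the allowed flows follow the fleet as instances come and go. The inventory, role names, ports and admin range are constructed assumptions.

```python
import ipaddress

# Constructed sample inventory: what a cloud API or CMDB might report today.
INVENTORY = [
    {"name": "web-1", "role": "web", "ip": "10.0.1.10"},
    {"name": "web-2", "role": "web", "ip": "10.0.1.11"},
    {"name": "app-1", "role": "app", "ip": "10.0.2.20"},
    {"name": "db-1", "role": "db", "ip": "10.0.3.30"},
]
# Assumed policy: (source role, destination role, TCP port) flows that are allowed.
ALLOWED_FLOWS = [("web", "app", 8080), ("app", "db", 5432)]
# Assumed ports served to any source, per role.
PUBLIC_PORTS = {"web": [443]}
# Assumed admin source ranges allowed to reach the management port (SSH).
ADMIN_SOURCES = ["203.0.113.0/24"]
MGMT_PORT = 22


def rules_for(host, inventory=INVENTORY):
    """Return iptables INPUT arguments for one host: explicit allows, then default deny."""
    rules = [
        "-A INPUT -i lo -j ACCEPT",
        "-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
    ]
    for port in PUBLIC_PORTS.get(host["role"], []):
        rules.append(f"-A INPUT -p tcp --dport {port} -j ACCEPT")
    for src_role, dst_role, port in ALLOWED_FLOWS:
        if dst_role != host["role"]:
            continue
        # Only peers present in today's inventory get a rule; sorted for stable diffs.
        peers = sorted((p["ip"] for p in inventory if p["role"] == src_role),
                       key=ipaddress.ip_address)
        for ip in peers:
            rules.append(f"-A INPUT -p tcp -s {ip} --dport {port} -j ACCEPT")
    for net in ADMIN_SOURCES:
        ipaddress.ip_network(net)  # raises ValueError on a malformed range
        rules.append(f"-A INPUT -p tcp -s {net} --dport {MGMT_PORT} -j ACCEPT")
    # Set the default-deny policy last so the allows are in place before it takes effect.
    rules.append("-P INPUT DROP")
    return rules


if __name__ == "__main__":
    for host in INVENTORY:
        print(f"# {host['name']} ({host['role']})")
        print("\n".join(f"iptables {r}" for r in rules_for(host)))
```

Re-running the generator whenever the inventory changes and diffing its output against the rules actually loaded on a host also gives a simple signal for unexpected firewall changes.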

The keys to successful public cloud security are: control of the software, a flexible security posture, focus on secure defaults, and anomaly detection.  At this stage of the game, if you’re relying on a perimeter for your security, you haven’t built a hardened environment, you’ve built a brittle one.


Published at DZone with permission of Tatiana Crawford, DZone MVB. See the original article here.
