Using the Cloud as a security boundary…? No way!
Posted Monday, 21 May 2012 by estherNinja
A huge misconception about the Cloud is that it will almost definitely decrease your security. But Cloud expert Rocky Heckman explains how Cloud computing can actually decrease your attack surface.
Today organisations that provide internet based services to their customers or other organisations typically have three (or more) tiers in their architecture. For the sake of simplicity we’ll just discuss things in three tiers. These three tiers are normally a presentation tier, a business tier or service tier, and a data tier.
The presentation tier is usually where the front end web servers are hosted that provide the access points for web users and external organisation service calls to interact with the host application or service. This is separated from the business tier by one or more firewalls, proxies, and other networking protection layers. The business tier hosts the business logic, service bus, messaging systems, back-end or internal services, etc. This business tier is also normally separated from the data tier by a similar conglomeration of network security mechanisms as the presentation-to-business separation, with perhaps slightly different rules and VLANs, and it is often not as restricted as the presentation-to-business separation.
This diagram shows the general layout of this kind of structure at a very high level:
Figure 1 Classic N tier application configuration
In these architectures the servers in the DMZ are normally hardened and a lot of extra security scrutiny is applied. In fact the effort that goes into creating hardened systems, network separation, auditing, logging, and intrusion prevention / detection in this layer is huge. This is still a very common approach to providing internet based services to clients.
There are a few things about this approach that have been presented at various venues which show how a compromised web application can hand the keys to the proverbial kingdom to an attacker. This is usually done through a compromised account on the web server or the database server. The web servers are most commonly exploited through buffer overflows, and the database servers through SQL Injection. In both cases, accounts are compromised that have authority on the local network to one extent or another.
In the case of an exploited web server, the account is usually a service account that the web server process is running under or the account credentials of the web application depending on how things such as application pools have been configured. Depending on the security hardening level the organisation has gone through, the privilege of these accounts ranges from a restricted application account that follows the least privilege practices and can’t do much damage, to a local system or even domain administrator account which has nearly unlimited damage potential. In the majority of cases, the accounts have enough privilege to effectively attack the Business and Data tiers from the presentation tier.
In the case of an exploited database server, the account is usually the service account that the particular database has been configured to run under. Unfortunately there are still a lot of applications in use today where the default root or SA account was used to set up and run the database because “everything just works”. When one of these databases is compromised, if it hasn’t been configured properly it is possible for an attacker not only to modify the database, but even to create their own admin accounts.
In both cases above, the organisation is in a difficult situation. Anonymous users have to be able to initially touch infrastructure sitting on the corporate network. If an attacker can compromise a machine, they have access to the corporate infrastructure. To try to prevent that, there are network hardening practices mentioned previously. These hardening practices take a lot of time and effort to keep up with. It doesn’t stop when the application is deployed. After that, there is monitoring, patching, upgrading, and dealing with failed hardware.
The benefits of cloud computing from an economic standpoint are well known. There is no more worrying about capital depreciation, patching, hardware upgrades, or failures. It just makes good economic sense. But there is another aspect that is not as widely known: keeping external users off of your network.
The ideal solution in this context is to move everything to the cloud.
Figure 2 All internet facing application components in the cloud.
In this configuration there are no components that reach back into the corporate network. The corporate network only contains systems and services that apply to internal use. External facing applications are kept outside the corporate network to prevent potential attackers from having attack avenues to exploit that are on the corporate network. However, this is not possible in all situations, especially when issues of data sovereignty are present.
While Cloud Computing may not be perfect for all of your internet based applications, for most of them it will work very well. If we take the DMZ based web applications and move them into the cloud, the corporate network is isolated from the users on the internet. The cloud based servers take care of handling the user contact points. The cloud based presentation tier can be securely plugged into the corporate business tier or data tier to allow communications between the tiers. This is accomplished through mechanisms such as Windows Azure Connect.
So now our architecture would look more like this:
Figure 3 Presentation in the cloud
Depending on the types of applications in service, and the type of up-front processing that needs to be done, this could be taken one step further by putting the Business Tier into the cloud as well which provides one more layer of separation and the ability to do a lot more pre-processing of the data before it touches internal systems.
Figure 4 Compute (Presentation and Business tiers) in the cloud
This is even less infrastructure for the organisation to worry about, and provides quite thorough data examination before it arrives in the corporate network.
The accounts that applications in the presentation and business tiers run under now automatically have restricted access to the platform they run on, and more importantly they do not need corporate credentials to run. Therefore, if compromised, they can do very little damage to the corporate data and no damage to the corporate network. The only occasion where this may not help is in the case of poor application design and poor database management, which may result in SQL injection attacks being possible. However, the application servers are now useless as an attack vector against the organisation’s network.
This design also encourages development teams not to create SQL-injection-vulnerable applications, because direct SQL commands to the data tier are eliminated. This forces developers into using a service based system to communicate from the business tier, rather than sending direct commands to the database. This allows for better practice through parameterised stored procedures, and a service endpoint buffer between the database and the business tier.
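The two previous paragraphs (pre-processing data before it reaches internal systems, and replacing direct SQL commands with a service endpoint that uses parameterised queries) can be shown side by side in code. The following is an added example written for this page; it is not code from the original post or from Rocky Heckman, and it uses an in-memory SQLite database as a stand-in for the data tier. The table name, the sample rows and the hypothetical `customer_service` endpoint are all constructed for the illustration.

```python
import re
import sqlite3
from typing import List, Optional, Tuple

# Constructed sample "data tier": two rows in an in-memory SQLite database.
def build_data_tier() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT, tier TEXT)"
    )
    conn.executemany(
        "INSERT INTO customers (email, tier) VALUES (?, ?)",
        [("alice@example.com", "gold"), ("bob@example.com", "silver")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, email: str) -> List[Tuple[str, str]]:
    """'Before': the presentation tier talks to the database directly and
    concatenates untrusted input into the SQL text. Any quote in the input
    becomes part of the query structure instead of the data being searched."""
    sql = "SELECT email, tier FROM customers WHERE email = '" + email + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterised(conn: sqlite3.Connection, email: str) -> List[Tuple[str, str]]:
    """'After', step one: the value is bound as a parameter, so the database
    engine treats the whole string as data and never re-parses it as SQL."""
    return conn.execute(
        "SELECT email, tier FROM customers WHERE email = ?", (email,)
    ).fetchall()


# Deliberately strict: the service accepts only what the business tier needs.
_EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


def customer_service(conn: sqlite3.Connection, email: str) -> Optional[dict]:
    """'After', step two: the hypothetical service endpoint that sits between
    the business tier and the data tier. It validates the request before
    anything touches internal systems and only then issues a parameterised
    query. Returns None when the request is rejected (a real endpoint would
    answer the caller with a 4xx error and log the rejection)."""
    if not _EMAIL_RE.match(email):
        return None
    rows = lookup_parameterised(conn, email)
    if not rows:
        return None
    found_email, tier = rows[0]
    return {"email": found_email, "tier": tier}


if __name__ == "__main__":
    db = build_data_tier()
    crafted = "x' OR '1'='1"  # constructed input containing a quote
    print("vulnerable  :", lookup_vulnerable(db, crafted))   # leaks every row
    print("parameterised:", lookup_parameterised(db, crafted))  # no rows
    print("service      :", customer_service(db, crafted))     # None (rejected)
    print("service      :", customer_service(db, "alice@example.com"))
```

Running the module shows the difference in behaviour: the concatenating lookup returns both customers for the crafted input, while the bound query returns nothing and the service endpoint refuses the request before it reaches the database at all. The point of the design in the text is that the presentation tier never gets a database connection; it can only call `customer_service`.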
One of the benefits to this kind of structure that is often overlooked is that there is no longer any public access to the organisation’s infrastructure. In most circumstances the organisation can close all incoming ports on their firewalls. The connection between the cloud deployed application and internal data is made over secure encrypted point to point VPN connections rather than opening up various web site and web service ports.
Overall, this form of hybrid architecture provides benefits around data sovereignty and security. It allows organisations to take advantage of Cloud Computing, gaining a large portion of the financial and management overhead benefits, while keeping critical data on premises. With these kinds of architectures available, utilising cloud computing becomes the obvious choice for increased ROI and ease of management, and it allows organisations to decrease their attack surface, creating a more secure data bunker for their critical data.