Amazon cloud security best practices

By: Huan Liu

Many of our clients are interested in migrating to the cloud, but all of them are concerned about security. I wrote before that a cloud is more secure than one's own data center. Following on that thread, today I will focus on a set of security best practices you can follow to enhance your cloud security even further. Since a lot of our clients are evaluating the Amazon cloud as a potential choice, I will focus on best practices for the Amazon cloud, but the principles should apply to other clouds as well.

1. Check before connecting.

Since a cloud VM (virtual machine) is outside your firewall, you have no control over the network path used to reach it. For example, it is well known that DNS servers can be hacked: just a few months ago, China's largest search engine, Baidu, suffered a DNS attack. So it is possible that the connection to your VM could be hijacked too. One best practice is to always check your VM's SSH host key before connecting. Amazon instances generate a random SSH server key on boot, and the instance prints that key's fingerprint to its console. The console output can be obtained by querying Amazon's (secure) API, and the fingerprint from the console output should always be compared against the host key presented when you SSH into your VM. To ensure this best practice is always followed, for our clients we wrote a wrapper around an SSH client which automatically checks the key before connecting. You can quickly code up something like ours.
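The check described above, as an added example that is not the author's wrapper or any Amazon code: it parses the fingerprint block an instance prints to its console at boot and compares it against the fingerprint of the key a server actually presents. The BEGIN/END marker format is the one current Amazon Linux images print (the fingerprints are SHA256 here rather than the MD5 form of older images); the instance address, the 32 key bytes and the console text are constructed for the example, and fetching the real console output (for instance with `aws ec2 get-console-output`) and the presented key (for instance with `ssh-keyscan`) is left outside the block.

```python
import base64
import hashlib
import re
import struct

# Added example, not code from the original post. Compares the host-key
# fingerprints an EC2 instance prints to its console on boot with the
# fingerprint of the key a server actually presents at connection time.
# The BEGIN/END marker block below follows the format current Amazon Linux
# images print; the sample key bytes are constructed, not a real key.

FP_BLOCK = re.compile(
    r"-----BEGIN SSH HOST KEY FINGERPRINTS-----(.*?)"
    r"-----END SSH HOST KEY FINGERPRINTS-----",
    re.S,
)
FP_TOKEN = re.compile(r"SHA256:[A-Za-z0-9+/]+")


def ssh_string(data: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data


def ed25519_public_blob(raw32: bytes) -> bytes:
    """OpenSSH wire encoding of an ed25519 public key (type name + 32 key bytes)."""
    return ssh_string(b"ssh-ed25519") + ssh_string(raw32)


def fingerprint_sha256(blob: bytes) -> str:
    """OpenSSH fingerprint: 'SHA256:' + unpadded base64 of sha256(key blob)."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def blob_from_keyscan_line(line: str) -> bytes:
    """Decode one 'host keytype base64blob' line as printed by ssh-keyscan."""
    _host, _keytype, b64 = line.split()[:3]
    return base64.b64decode(b64)


def console_fingerprints(console_text: str) -> set:
    """Fingerprints printed between the BEGIN/END markers in the console output."""
    match = FP_BLOCK.search(console_text)
    if not match:
        return set()
    return set(FP_TOKEN.findall(match.group(1)))


def host_key_matches_console(console_text: str, presented_blob: bytes) -> bool:
    """True only if the presented key's fingerprint appears in the console output."""
    expected = console_fingerprints(console_text)
    return bool(expected) and fingerprint_sha256(presented_blob) in expected


def make_console_output(blob: bytes) -> str:
    """Mimic the fingerprint block an instance prints on boot (constructed sample)."""
    fp = fingerprint_sha256(blob)
    return (
        "ec2: #############################################################\n"
        "ec2: -----BEGIN SSH HOST KEY FINGERPRINTS-----\n"
        f"ec2: 256 {fp} root@ip-10-0-0-5 (ED25519)\n"
        "ec2: -----END SSH HOST KEY FINGERPRINTS-----\n"
        "ec2: #############################################################\n"
    )


# Constructed sample data: a "genuine" key, a different key a hijacked
# connection would present, and the console output for the genuine key.
GENUINE_KEY = ed25519_public_blob(bytes(range(32)))
ROGUE_KEY = ed25519_public_blob(bytes(range(1, 33)))
CONSOLE_OUTPUT = make_console_output(GENUINE_KEY)
KEYSCAN_LINE = "10.0.0.5 ssh-ed25519 " + base64.b64encode(GENUINE_KEY).decode()

if __name__ == "__main__":
    presented = blob_from_keyscan_line(KEYSCAN_LINE)
    ok = host_key_matches_console(CONSOLE_OUTPUT, presented)
    print("connect" if ok else "refuse: host key does not match console output")
```

The important design choice is that an empty or missing fingerprint block counts as a failure, not a pass: if the console output has not been captured yet (it can lag the boot by a minute or two) the wrapper should wait or refuse rather than fall back to trusting whatever key the network presents.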

2. Encrypt as much as you can.

You should always use SSH or SSL to connect to your VM, which encrypts all traffic in transit. In addition, you should encrypt your data at rest to guard against hard disk theft or improper hard disk disposal. On Linux this is easy to do because you just need to set up an encrypted loopback file system. On Windows, there are a number of products you could use for encryption.

3. Wipe when you quit.

As an added precaution, you should wipe the encrypted loopback file when you shut down your instances. This will prevent even the most determined hackers from trying to decrypt your bits if they get hold of your file, for example by stealing the hard disk. When you shut down your Linux instances by calling Amazon's API, the proper shutdown procedure is invoked. All you need to do is hook into the shutdown script and wipe the encrypted file in the process. In our experiments, we find that there is enough time to wipe out about 7GB of data before your instance is just killed. That should be long enough for you to wipe out the most critical section so that no one can reconstruct your bits.
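A shutdown-hook wiper along the lines described above, as an added example that is not the author's script: it overwrites the container file with random bytes within a time budget, head first, then unlinks it. The 16 MiB head size is an assumption standing in for wherever a given container format keeps its header and key material (overwriting that region first is what makes the rest unrecoverable if the instance is killed before the budget runs out); the file size and budget used by `demo_wipe` are constructed for the example.

```python
import os
import tempfile
import time

# Added example, not code from the original post. Overwrites an encrypted
# container file with random bytes inside a time budget, the head of the
# file first, then deletes it. Meant to be called from a shutdown hook.

CHUNK = 1 << 20  # 1 MiB per write


def wipe_file(path: str, budget_seconds: float, head_bytes: int = 16 << 20) -> dict:
    """Overwrite `path` head-first until done or the budget expires, then unlink it.

    Returns a summary: file size, bytes overwritten, whether every byte was
    covered, and whether the file was removed.
    """
    deadline = time.monotonic() + budget_seconds
    size = os.path.getsize(path)
    head = min(head_bytes, size)
    # Assumption for this example: the container keeps its header and key
    # slots in the first head_bytes, so that region is overwritten first.
    regions = [(0, head), (head, size)]
    written = 0
    with open(path, "r+b", buffering=0) as f:
        for start, end in regions:
            f.seek(start)
            pos = start
            while pos < end and time.monotonic() < deadline:
                n = min(CHUNK, end - pos)
                f.write(os.urandom(n))
                pos += n
                written += n
            # Push the overwrite to the disk before the instance disappears.
            os.fsync(f.fileno())
    os.unlink(path)
    return {
        "size": size,
        "overwritten": written,
        "complete": written >= size,
        "removed": not os.path.exists(path),
    }


def demo_wipe(size_bytes: int = 3 << 20, budget_seconds: float = 30.0) -> dict:
    """Create a constructed sample container in a temp dir and wipe it."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "container.img")
        with open(path, "wb") as f:
            f.write(b"\xaa" * size_bytes)  # constructed placeholder content
        # A 1 MiB "header" keeps the demo small; real containers need more.
        return wipe_file(path, budget_seconds, head_bytes=1 << 20)


if __name__ == "__main__":
    print(demo_wipe())
```

A zero budget still unlinks the file but reports `overwritten: 0`, so the hook's log makes it visible when the wipe did not complete; on a real instance the budget should be set from the measured shutdown window, and the file should be unmounted before it is overwritten.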

4. Stand all by yourself.

One key difference between the cloud and your internal data center is that your VM may sit next to a stranger's VM on the same physical hardware. Even though hypervisor isolation has been robust so far, there is always the concern that a vulnerability could be discovered someday and your VM could be attacked from the neighboring VM. One solution is to launch a VM onto its own hardware, all by itself. We analyzed Amazon's cloud hardware configuration recently and concluded that there are two types of instances that occupy the whole physical machine. Since Amazon does not have any capability to live-migrate your VM to other hardware, you can be sure that your VM is standing all by itself. You will receive an email notification if Amazon needs to change the underlying hardware, which happened to us recently.

5. Open to only those you trust

Amazon offers a powerful software firewall, called a Security Group. You can have as many Security Groups, and as many rules per Security Group, as you want. You should use Security Groups to lock down access to your application to as narrow a set of sources as possible. For example, if you enable SSH access, you should open port 22, but make sure you open it only to the IP addresses from which you will access it. Never open it to the whole world (i.e., 0.0.0.0/0) unless your application is public facing.
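An audit of the rule shape just described, as an added example that is not the author's tooling or Amazon's: it walks a Security Group's ingress rules in the `IpPermissions` layout that the EC2 `DescribeSecurityGroups` API returns and flags any rule that opens a non-public port to the whole Internet, plus any rule whose source range is wider than a configurable limit. The set of public ports (80 and 443), the 256-address width limit and the sample rules are constructed for the example.

```python
import ipaddress

# Added example, not code from the original post. Audits Security Group
# ingress rules in the IpPermissions shape returned by DescribeSecurityGroups
# and reports rules that are open to the world or to an overly wide range.

PUBLIC_PORTS = {80, 443}  # assumption: the only ports this app exposes publicly
WORLD = (ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_network("::/0"))


def rule_ports(perm: dict):
    """Port range of a rule, or None when the rule covers every port/protocol."""
    if perm.get("IpProtocol") == "-1":
        return None
    return perm["FromPort"], perm["ToPort"]


def ports_are_public(ports, public_ports) -> bool:
    """True only if every port in the rule's range is in the public allow-list."""
    if ports is None:
        return False
    lo, hi = ports
    return all(p in public_ports for p in range(lo, hi + 1))


def rule_sources(perm: dict) -> list:
    """All CIDR sources of a rule, IPv4 and IPv6."""
    v4 = [r["CidrIp"] for r in perm.get("IpRanges", [])]
    v6 = [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
    return v4 + v6


def audit_ingress(permissions: list, public_ports=PUBLIC_PORTS,
                  max_source_addresses: int = 256) -> list:
    """Return one finding per (rule, source) pair that violates the policy."""
    findings = []
    for perm in permissions:
        ports = rule_ports(perm)
        for cidr in rule_sources(perm):
            net = ipaddress.ip_network(cidr, strict=False)
            if net in WORLD:
                if not ports_are_public(ports, public_ports):
                    findings.append(_finding(perm, ports, cidr, "open to the world"))
            elif net.num_addresses > max_source_addresses:
                findings.append(_finding(perm, ports, cidr, "source range too wide"))
    return findings


def _finding(perm, ports, cidr, reason) -> dict:
    return {
        "protocol": perm.get("IpProtocol"),
        "ports": "all" if ports is None else f"{ports[0]}-{ports[1]}",
        "source": cidr,
        "reason": reason,
    }


# Constructed sample rules, in the DescribeSecurityGroups IpPermissions shape.
SAMPLE_RULES = [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "203.0.113.0/24"}]},          # SSH from the office: fine
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},               # public HTTPS: fine
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},               # SSH to the world: flag
    {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
     "IpRanges": [{"CidrIp": "10.0.0.0/8"}]},              # whole private /8: flag
    {"IpProtocol": "-1",
     "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},                 # everything over IPv6: flag
]

if __name__ == "__main__":
    for f in audit_ingress(SAMPLE_RULES):
        print(f)
```

The width check is deliberately separate from the world check: a rule for `10.0.0.0/8` is not "the whole world", but it is still far wider than the handful of management hosts that should reach port 3306, and the post's advice is to narrow each rule to the addresses you will actually connect from.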

Because of the fine-grained control a cloud offers you, if you follow the above best practices, you can be sure that your application is more secure hosted in the cloud than hosted in your own data center.

Research Manager for Accenture Technology Labs, Cyber Security (Trusted Computing & IT Resiliency)

Location – Washington, DC

Requisition number: 00092201

View Job Description: http://bit.ly/cVNtgU

Email resumes to: kevin.daprile@accenture.com

R&D at the Labs: Working on technology's frontier, Accenture Technology Labs finds bold new ways to achieve high performance for Accenture and its clients. Our differentiator? We apply new technologies to solve real-world challenges. "We combine the creativity and deep expertise of our PhDs in the Labs with the real-world knowledge and business acumen of our global network of technologists who work with clients every day," explains Don Rippert, chief technology officer. "As a result, we are uniquely able to help CIOs and business executives envision the future and to prioritize their investments in, and use of, technology innovation to achieve high performance."

Accenture seeks to hire a senior researcher to lead projects in the areas of intrusion-tolerant computing and self-healing infrastructure. The research lead will define, manage and collaborate on new research problems and be able to collaborate effectively with the science and technology community. Successful candidates will demonstrate a proven ability to present at workshops and to interface with senior civilian and military leaders.

Primary Responsibilities:

  • Responsible for conducting scientific research related to tamper-resistance, metaphors of complex systems, fault-tolerance and methods and techniques to secure foundational Internet infrastructure
  • Responsible for helping with the commercialization of research outcomes either by turning work into project proposals or software/hardware products or services
  • Responsible for developing security architectures and models for virtualized environments and putting together working prototypes
  • Responsible for writing research papers and proposals and maintaining credentials through publications, presentations, external collaboration with the research community
  • Pursue and capture funding from DARPA, DoD, DHS, DoE and similar agencies

Qualifications

Basic Qualifications:

  • PhD in Computer Science, EE, Computer Engineering or direct related field
  • 2+ years experience practicing information assurance and computer network defense (CND)
  • 4+ years programming skills
  • 2+ years experience conducting research in areas such as: secure virtualization, trusted path computing and network attack resiliency architectures

 

Preferred Skills:

  • Excellent verbal, interpersonal and communication (presentation & writing) skills and able to conduct interactive dialogues on research topics with clients
  • 1+ years experience working with hypervisor technology, IPv6 and DNSSEC
  • 3+ publications at refereed conferences and journals with presentation at security forums
  • Working experience with current techniques in memory data protection and infrastructure redundancy/fail-over/load-balancing
  • Demonstrated ability to apply mathematical techniques that support the derivation of integrity and integrity checks
  • Demonstrated experience with NSA’s High Assurance Platform, Trusted Platform Module specification or other techniques for hardware-assisted agreements and core trust arbiters
  • Background in cryptography and Public Key Infrastructures
  • Demonstrated experience with NIST SP 800-30/37/39 and NIST SP 800-53
  • Hands-on working experience with VMware
  • Familiarity with federal funding procedures, regulations, policies and practices
  • Proven track record of program capture is preferred
  • A background in national security related issues is a plus

  

Applicants for employment in the U.S. must possess work authorization which does not require sponsorship by the employer for a visa.

EOE
