We’ve moved to the cloud, now what do we do?

Cloud environments make sense for businesses of all types. As the workforce becomes more agile, cloud resources provide functionality that was often out of reach for small and medium businesses. By their nature, cloud resources are highly available, highly scalable, and make disaster recovery easier to implement.

In the past, for a smaller company to scale up to meet demand required a large up-front investment in new hardware, which then took time to set up and configure. With cloud hosting these operations have become much easier and are billed on a more affordable subscription model instead of the previous up-front hardware and licensing costs. Some situations will still require on-site equipment for compliance, legal, or cost reasons, but those will be the exception; most businesses will benefit from the cost savings of cloud hosting. Additionally, as more companies run their web applications and services on Linux, costs drop further, since most Linux distributions are open source and carry no licensing fees.

One misconception about migrating to a cloud environment is that it is secure by default. That is partially true, but not completely. By default, AWS, for example, denies all inbound traffic to a new security group (outbound is allowed unless you restrict it). A default-deny policy is a best practice: any access to the system requires a security group (firewall) rule that specifically allows that traffic into the cloud resource, and access should be opened only according to need. In a cloud environment the provider is responsible for the physical security of the data center and the underlying network; the security of your hosts, services, data, and configuration is your responsibility. An application used only by your employees should limit access to those specific employees. This can be implemented with a direct connection, a VPN, a certificate that authenticates the device, or by whitelisting the specific IP addresses of the employees who require access (painful if the users do not have static IPs). Whitelisting IP addresses for remote workers is cumbersome because those addresses change, but for smaller organizations it can be feasible. If you have a web application that users must reach from anywhere in the world, you will need to open that application to everyone.
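The check an assessor runs against the "allow by exception" rule above, as an added example that is not part of the original post: it walks security-group rules in the shape returned by `aws ec2 describe-security-groups` and flags any inbound rule the whole Internet can reach on a port outside the intended public set. The groups, ids, address ranges and the assumption that only 80 and 443 are meant to be public are constructed for the example.

```python
"""Audit AWS security-group inbound rules for access wider than the documented need.

Added example. The input is a constructed sample shaped like the SecurityGroups
list that `aws ec2 describe-security-groups --output json` returns; group ids,
names and address ranges are made up.
"""
import ipaddress

# Ports this organisation intends to expose to the whole Internet (assumption:
# a public web tier). Every other world-reachable port is a finding.
ALLOWED_PUBLIC_PORTS = {80, 443}

# Constructed sample: what describe-security-groups would return for three groups.
SAMPLE_GROUPS = [
    {
        "GroupId": "sg-0a1b2c3d4e5f60001",
        "GroupName": "web-public",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
             "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
             "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
            # SSH to the world: a rule that should have been by exception only.
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        ],
    },
    {
        "GroupId": "sg-0a1b2c3d4e5f60002",
        "GroupName": "internal-app",
        "IpPermissions": [
            # RDP allowed only from the office's static range: access by need.
            {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
             "IpRanges": [{"CidrIp": "203.0.113.0/24", "Description": "office"}],
             "Ipv6Ranges": []},
        ],
    },
    {
        "GroupId": "sg-0a1b2c3d4e5f60003",
        "GroupName": "legacy-wide-open",
        "IpPermissions": [
            # IpProtocol -1 means "all protocols"; AWS omits the port fields here.
            {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
             "Ipv6Ranges": []},
        ],
    },
]


def is_world_reachable(cidr: str) -> bool:
    """True for a source range that means 'anyone' (0.0.0.0/0 or ::/0)."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def port_span(perm: dict) -> tuple:
    """Ports a rule covers. Protocol -1 (all) carries no FromPort/ToPort and means every port."""
    if perm["IpProtocol"] == "-1":
        return 0, 65535
    return perm["FromPort"], perm["ToPort"]


def audit_security_groups(groups, allowed_public_ports=ALLOWED_PUBLIC_PORTS):
    """Return a finding for every inbound rule that the whole Internet can reach on a
    port outside allowed_public_ports. Rules scoped to specific ranges are not flagged,
    however sensitive the port: that is the 'allow by exception' the text describes."""
    findings = []
    for group in groups:
        for perm in group.get("IpPermissions", []):
            sources = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            sources += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            low, high = port_span(perm)
            unexpected = [p for p in range(low, high + 1) if p not in allowed_public_ports]
            if not unexpected:
                continue
            for cidr in sources:
                if is_world_reachable(cidr):
                    findings.append({
                        "group_id": group["GroupId"],
                        "group_name": group["GroupName"],
                        "protocol": perm["IpProtocol"],
                        "ports": f"{low}-{high}" if low != high else str(low),
                        "source": cidr,
                    })
    return findings


if __name__ == "__main__":
    for f in audit_security_groups(SAMPLE_GROUPS):
        print(f"{f['group_id']} ({f['group_name']}): {f['protocol']} {f['ports']} open to {f['source']}")
```

Run against the sample it reports the SSH rule in `web-public` and the all-ports rule in `legacy-wide-open`; the RDP rule scoped to the office range is left alone, which is exactly the whitelisting-by-need the text recommends. Against a real account, feed it the `SecurityGroups` list from the CLI output and adjust `ALLOWED_PUBLIC_PORTS` to what each tier is documented to expose.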

Opening access to the world can be a scary concept. If your system is reachable over the open Internet, expect it to be probed constantly. Regardless of the service, anything accessible to everyone on the Internet will be discovered by scanners; some of them are for research and others are malicious. This is a fact of life that every organization, government, and Internet user must face. To protect your systems you must implement proper access controls, encrypted transmission, and permissions that limit the possibility of unauthorized access.

Making a system secure requires multiple layers of protection. A layered approach can deter an attacker who finds entry too difficult, and if one layer fails it can prevent a deeper breach or keep the attacker from obtaining the keys to the kingdom (administrator access). Keeping an environment secure, whether in the cloud or on-premises, relies on the same concepts. Create a strong perimeter, either at the network layer or, if you follow a Zero Trust model, on the host itself. That means shutting down services that aren’t required, using a default deny-all rule, and allowing specific traffic into the host by exception. Add multi-factor authentication to your remote access methods to further secure access.

After securing the perimeter, protections should be in place to limit file and network access to what the user’s role requires. There is no need for a standard user to have privileged rights. Securing the perimeter and limiting user access is a great start for a program, but fully securing systems also requires techniques such as:

Centralizing Access – One location that stores all user information and can change permissions and access at a moment’s notice. Changes in this system are reflected in all connected systems.

Centralizing Monitoring – All devices send their logs to a SIEM or syslog server, which can build metrics or trigger alerts on defined events.

Adding Network Detection/Prevention Systems – These systems sit on the network, detect or block malicious activity, and send alerts based on triggers. They differ from a SIEM in that their triggers are based on network traffic, while SIEM triggers are based on logs.

Application Firewalls – If you own an application and it is exposed to the Internet, put an application-layer firewall in front of it. These next-generation firewalls inspect application-layer traffic rather than just addresses and ports.

To sum this rant up into something meaningful: your new and exciting cloud hosting will still require the same old boring security practices that kept your on-premises servers secure (mostly). As more organizations move to the cloud they will need staff with the skills to implement and use cloud features so that the cloud is safe, secure, and cost-effective. Pick your vendors, contractors, and assessors wisely, as they are not all created equal. When you talk to a third-party consultant, make sure they understand how cloud infrastructure works. All too often we see items a previous assessment team missed completely or misunderstood. Mistakes like these cut both ways: they can give an organization a false sense of security, or force wasteful remediation of a system that meets requirements but was poorly understood. Just as not all cloud-hosting providers are created equal, neither are security organizations. Perform your due diligence on the credentials of the team members, ask for references, and talk with them to see if they’re on the level. Picking a partner to help secure your organization may be one of the most important choices you make.

Is it time to move to the cloud?

As out-of-office work has become more common, all businesses must address the security of their remote workforce. Early in the pandemic’s quarantine, businesses were forced to become extremely agile and to adapt to the situation. Now that Covid-19 is with us for the foreseeable future, we must pivot from making things work to making things work securely.

Once the pandemic eventually ends, normal business operations will resume with some resemblance of normalcy. But one thing is certain: compliance and regulatory requirements will remain, and the new remote workforce will need to be secured.

Most modern businesses had already implemented remote access methods before the pandemic. Still, for organizations of all sizes, adjusting to a 100% remote workforce had unexpected consequences, and many had to develop a disaster recovery/business continuity plan in real time. A common problem for medium-sized businesses was a lack of capacity on the VPN appliance. Many VPN appliances are sized for fewer than 100-200 concurrent users, and once that threshold is exceeded the device can become unstable for some or all VPN users. A high-availability pair can provide load balancing for these events, and a second VPN appliance, which often does double duty as a firewall, can also add VPN bandwidth. A duplicate appliance is costly, since you are now paying for two appliances instead of one, but that cost is justified for businesses that require high uptime or perform critical work that cannot be delayed. Scalability will not end with your VPN, though, and may need to be addressed for other services and functions as well.

Additionally, organizations must consider the level of access given to their users. One problem with VPNs is that they provide network-layer access, which is often unrestricted. It is commonplace for a VPN user to have access to the entire network if the network is not segmented. It is possible to limit VPN access or segment the network to prevent access to subnets that normal users wouldn’t require. In networking, the old philosophy of trusting traffic based on where it connects from is changing. Zero Trust addresses exactly this: no host is trusted by default, and accessing any system requires the same authentication process regardless of the user’s connection origin. Whether the user connects from public Wi-Fi or is plugged into a switch right next to the host, the traffic is treated the same and requires the same authentication. Zero Trust builds on systems that are already established, such as centralized access control, multi-factor authentication, and device authentication. A Zero Trust authentication requires a valid username and password tied to a central identity system (ideally), then a multi-factor authentication token, and a certificate issued to the device at deployment. This effectively authenticates the user, the session, and the device. Zero Trust and cloud computing work very nicely together, and I’d suggest that if you move to the cloud, that is the time to implement Zero Trust.
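The access decision described above (user, MFA token, device certificate, and the connection origin deliberately ignored), as an added example that is not code from the original post. The identity store, password, TOTP seed, "certificate" bytes and session-signing key are all constructed; in a real deployment the client certificate would be validated against the device CA at the TLS layer, and the fingerprint-in-inventory lookup used here stands in for that check.

```python
"""Zero Trust access decision: user + MFA token + device certificate, with the
connection origin deliberately ignored.

Added example. The directory, secrets and certificate bytes are constructed; the
device check is a fingerprint lookup in an inventory populated at deployment, which
stands in for validating a client certificate chain against the device CA.
"""
import base64
import hashlib
import hmac
import struct

TOTP_STEP = 30          # RFC 6238 time step in seconds
TOTP_DIGITS = 6
SESSION_TTL = 8 * 3600  # seconds a session token stays valid (assumed policy)


def totp(secret: bytes, for_time: int, step: int = TOTP_STEP, digits: int = TOTP_DIGITS) -> str:
    """RFC 6238 TOTP with HMAC-SHA1 and RFC 4226 dynamic truncation."""
    counter = struct.pack(">Q", for_time // step)
    digest = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = int.from_bytes(digest[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def hash_password(password: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256 so the directory never stores a reversible password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def cert_fingerprint(cert_der: bytes) -> str:
    """SHA-256 of the certificate DER, the usual way an issued device cert is pinned."""
    return hashlib.sha256(cert_der).hexdigest()


# Constructed identity store: one user, one enrolled TOTP seed, one enrolled device.
ALICE_SALT = b"constructed-salt"
ALICE_TOTP_SEED = b"12345678901234567890"                  # the RFC 6238 reference seed
ENROLLED_DEVICE = b"constructed DER bytes for laptop-0042"  # stands in for a real cert
DIRECTORY = {
    "alice": {
        "salt": ALICE_SALT,
        "password_hash": hash_password("correct horse battery staple", ALICE_SALT),
        "totp_seed": ALICE_TOTP_SEED,
        "devices": {cert_fingerprint(ENROLLED_DEVICE)},
    }
}
SESSION_KEY = b"constructed-session-signing-key"  # would come from a KMS/HSM in practice


def authorize(request: dict, now: int) -> tuple:
    """Evaluate the three factors. request["source_ip"] is carried along, as it would
    be in an access log, but never influences the decision: public Wi-Fi and the switch
    port beside the server are treated identically."""
    user = DIRECTORY.get(request.get("username"))
    if user is None:
        return False, "unknown user"
    expected = hash_password(request.get("password", ""), user["salt"])
    if not hmac.compare_digest(expected, user["password_hash"]):
        return False, "bad password"
    # Accept the current and previous step to absorb clock skew, nothing wider.
    valid_codes = {totp(user["totp_seed"], now), totp(user["totp_seed"], now - TOTP_STEP)}
    if request.get("otp") not in valid_codes:
        return False, "bad or missing MFA token"
    if cert_fingerprint(request.get("device_cert", b"")) not in user["devices"]:
        return False, "device not enrolled"
    return True, "user, MFA and device verified"


def issue_session(username: str, device_cert: bytes, now: int) -> str:
    """Session token bound to the user and device fingerprint, expiring after SESSION_TTL."""
    payload = f"{username}|{cert_fingerprint(device_cert)}|{now + SESSION_TTL}".encode()
    tag = hmac.new(SESSION_KEY, payload, hashlib.sha256).hexdigest().encode()
    return base64.urlsafe_b64encode(payload + b"|" + tag).decode()


def verify_session(token: str, now: int) -> bool:
    """Valid only if the MAC checks, the token is unexpired, and the device is still enrolled."""
    try:
        payload, _, tag = base64.urlsafe_b64decode(token.encode()).rpartition(b"|")
        username, fp, expiry = payload.decode().split("|")
    except (ValueError, UnicodeDecodeError):
        return False
    expected = hmac.new(SESSION_KEY, payload, hashlib.sha256).hexdigest().encode()
    devices = DIRECTORY.get(username, {}).get("devices", set())
    return hmac.compare_digest(tag, expected) and now < int(expiry) and fp in devices
```

The point to notice is that `authorize` has no branch on `source_ip`: a request with the right password and token from an enrolled laptop is allowed from anywhere, and the same request from an unenrolled device is refused even when it arrives from an internal address. The session token is bound to the device fingerprint, so a stolen token cannot be replayed from a different machine.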

Cloud-hosted resources are now available to businesses of all sizes and can remove the need for a VPN connection to the physical office. The older model of IT infrastructure relied on on-premises servers that hosted file shares, desktop applications, or desktop environments. That internal infrastructure required a VPN, or less secure alternatives, to reach the internal services employees need to do their jobs. Some businesses may need to keep equipment on-site, but the vast majority can move to the cloud. The cloud offers alternatives: a provider can host file shares and web applications that replace the older desktop applications. Pivoting to cloud resources can eliminate the need for a VPN and enable a remote workforce to flourish.

If you’re considering adjusting your organization’s infrastructure placement, you must ask a series of questions about your organization. 

  • Will the move be Cost-Effective?
  • Will the cloud satisfy my Compliance Regulations?
  • Will the cloud satisfy my Business Agreement Obligations?
  • Will the cloud satisfy my Legal Requirements?

The answer to all of these questions is most likely yes…

Once you’ve determined that you can move to the cloud, the organization must decide which services are required. Do you need a complete virtual desktop environment for workers, or just a web application? As desktop applications become obsolete, web applications will continue to give the remote workforce more agility. An internal application that was previously reachable only from an endpoint in the office or over a VPN can now be delivered as a web application. Access to a web application can be safe if you implement a centralized identity management system that requires a two-factor authentication token. Because the web application would be exposed over the Internet, centralized identity management and two-factor authentication are the compensating controls against unauthorized access.

One benefit of moving to a cloud environment is that disaster recovery and business continuity become much easier to engage. Spinning up a warm or cold site on physical hardware takes time and a large effort. In AWS or Azure it can be a few clicks away: replicate a server to a different Availability Zone (AZ) and/or a different region to spread it across multiple data centers within your cloud provider.

Moving to the cloud does not by itself make an environment more or less secure. If you move to the cloud, don’t forget the basics. Zero Trust is a great idea, but it should be implemented alongside normal security operations such as limiting user permissions, reviewing access, user awareness training, frequent patching, and using secure protocols for transmitting sensitive data. Organizations often look for security silver bullets and neglect the mundane tasks that add up to a stronger security posture.

An Assessor’s thoughts on Split Tunneling

Today’s networks require the flexibility to let workers operate from multiple locations. One of the most common methods of remote network access is a Virtual Private Network (VPN). VPNs come in all shapes and sizes, from hosted to on-premises to in the cloud, and can be built to fit almost any need. One topic that is often overlooked, however, is whether to allow VPN users to use split tunneling. Webopedia defines split tunneling as “The process of allowing a remote VPN user to access a public network, most commonly the Internet, at the same time that the user is allowed to access resources on the VPN.” In other words, the user has a tunnel to the corporate network for apps or shared drives, while the remote user’s local Internet connection still carries traffic to the web and to local resources.
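What the two configurations look like in practice, as an added example that is not part of the original post: in a WireGuard client config the peer’s `AllowedIPs` decides which destinations are routed into the tunnel, so a list of corporate prefixes is a split tunnel and `0.0.0.0/0, ::/0` is a full tunnel. The configs below are constructed (keys replaced with placeholders, prefixes made up); the functions classify a config and answer, for a given destination, whether its traffic reaches the corporate perimeter or leaves through the user’s local ISP.

```python
"""Tell a split tunnel from a full tunnel in a WireGuard client config, and answer
"does traffic to X go through the corporate perimeter?" for a destination.

Added example; configs are constructed, keys are placeholders, prefixes are made up.
"""
import ipaddress
import re

SPLIT_TUNNEL_CONF = """\
[Interface]
PrivateKey = CLIENT_PRIVATE_KEY_PLACEHOLDER
Address = 10.8.0.2/32
DNS = 10.1.0.53

[Peer]
PublicKey = GATEWAY_PUBLIC_KEY_PLACEHOLDER
Endpoint = vpn.example.com:51820
# Only corporate prefixes enter the tunnel; everything else leaves via the local ISP.
AllowedIPs = 10.1.0.0/16, 10.2.0.0/16
PersistentKeepalive = 25
"""

# Same peer, but every destination is routed into the tunnel (both address families).
FULL_TUNNEL_CONF = SPLIT_TUNNEL_CONF.replace(
    "AllowedIPs = 10.1.0.0/16, 10.2.0.0/16", "AllowedIPs = 0.0.0.0/0, ::/0")

_ALLOWED_RE = re.compile(r"^\s*AllowedIPs\s*=\s*(.+?)\s*$", re.MULTILINE)


def allowed_ips(conf: str) -> list:
    """All prefixes from every AllowedIPs line in the config."""
    nets = []
    for match in _ALLOWED_RE.finditer(conf):
        for item in match.group(1).split(","):
            item = item.strip()
            if item:
                nets.append(ipaddress.ip_network(item, strict=False))
    return nets


def classify(conf: str) -> str:
    """'full' when default routes for both IPv4 and IPv6 enter the tunnel, 'split' when
    only specific prefixes do, 'none' when nothing does. A default route for one family
    only is reported separately because the other family leaks around the tunnel."""
    nets = allowed_ips(conf)
    if not nets:
        return "none"
    v4_default = any(n.version == 4 and n.prefixlen == 0 for n in nets)
    v6_default = any(n.version == 6 and n.prefixlen == 0 for n in nets)
    if v4_default and v6_default:
        return "full"
    if v4_default or v6_default:
        return "full-v4-only" if v4_default else "full-v6-only"
    return "split"


def through_tunnel(conf: str, destination: str) -> bool:
    """Would a packet to this destination be routed into the tunnel (and so pass the
    corporate perimeter), or go straight out the user's local Internet connection?"""
    dest = ipaddress.ip_address(destination)
    return any(dest in n for n in allowed_ips(conf) if n.version == dest.version)


def to_full_tunnel(conf: str) -> str:
    """Rewrite the client config so every destination enters the tunnel. The gateway must
    also accept and forward that traffic; this only changes what the client sends."""
    return _ALLOWED_RE.sub("AllowedIPs = 0.0.0.0/0, ::/0", conf, count=1)


if __name__ == "__main__":
    for name, conf in (("split", SPLIT_TUNNEL_CONF), ("full", FULL_TUNNEL_CONF)):
        print(name, "->", classify(conf),
              "| 10.1.5.20 via tunnel:", through_tunnel(conf, "10.1.5.20"),
              "| 93.184.216.34 via tunnel:", through_tunnel(conf, "93.184.216.34"))
```

With the split config, `10.1.5.20` (a corporate host) is routed through the tunnel but `93.184.216.34` (a public web server) is not, which is precisely the traffic the perimeter firewall, IDS/IPS and DLP never see. The same check works for any config an assessor is handed; the OpenVPN equivalent is whether the server pushes `redirect-gateway` or only specific `route` statements.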

A question assessors are often asked is whether split tunneling should be allowed for remote VPN connections. The answer comes down to two things. First, does your organization have specific legal or compliance requirements surrounding network access? Second, how much do you trust the party using the remote access VPN?

If user-owned devices access your network, the risk is that those devices do not meet your organization’s baseline policy and create a possible attack vector into the network. Allowing split tunneling broadens that exposure. Even if the remote device is compliant, the remote user can still pick up malware while connected to the split-tunnel VPN, and an infection could spread from the remote device across the VPN connection.

In terms of security, the biggest risk of enabling split tunneling is the loss of defense in depth. With split tunneling, the remote device has an open connection into your network while also sending and receiving Internet traffic that never passes through your organization’s perimeter security devices such as the firewall, IPS, or IDS. Your organization therefore cannot monitor the remote device’s web traffic through the VPN connection.

In addition, a split tunnel increases the opportunity to exfiltrate data out of the organization. If controls are in place to prevent copying and pasting of data, they may become ineffective because traffic leaves outside the organization’s Data Loss Prevention (DLP) system. This is certainly possible with a full VPN tunnel as well, but preventing that data loss becomes much more difficult with a split tunnel.

If the remote VPN user is on a public Internet connection, that user’s web traffic is not encrypted by the VPN. Any data not sent over the VPN is susceptible to snooping if an unencrypted protocol is in use.

Protections to mitigate the risk of split tunneling should start with a valid business associate agreement (BAA) that requires the third party to maintain security controls verifying that remote workstations are protected. Second, user training and a signed acceptable use policy should be in place. As for technical controls, deploy a VPN agent that performs a health check and verifies the device is compliant: operating system patches installed, and anti-virus installed, running, and updating regularly.

It is common practice to place a firewall in front of VPN traffic, but this firewall is generally less robust than the perimeter firewall. It is the only protection for your network against malicious traffic traversing the tunnel. If the VPN firewall is properly configured it will protect your network against malicious VPN traffic, but it is a single layer of defense. As IT security matures, it is standard practice to implement multiple layers of defense to prevent a breach. Disabling split tunneling forces all of the remote device’s traffic through the VPN and the perimeter controls behind it, so that traffic can be inspected instead of bypassing them.

One of the most effective protections an organization can implement is strong network segmentation. Remote users should be able to reach only the systems required for their job functions, and restrictions should segment the network so that remote users never get unlimited network access. All too often our security professionals see remote access VPNs that allow complete, unrestricted network access. Segmenting VPN connections so they reach only the required systems is paramount to a strong security posture, and strong network-wide segmentation can be the deciding factor between a minor breach and a massive one.

The benefits of split tunneling depend on need. A split-tunnel VPN gives the remote user the fastest web browsing, since they use the ISP they are connected to instead of sending that traffic through the business’s network. From a network standpoint it reduces the bandwidth consumed by VPN traffic, because only business traffic is sent over the VPN while everything else flows directly through the remote user’s ISP connection. A small benefit is that a remote worker can print to a local network printer while connected to the VPN; a minor issue, but one that comes up a lot.

The HITRUST CSF does address split tunneling. It contains a specific requirement prohibiting split-tunnel VPNs, but that requirement is not common in CSF 9.2 assessments because it applies only to larger organizations. The decision to allow a split-tunnel VPN will come down to a few things. One: is there a legal or compliance requirement that must be satisfied? Two: does the reward of split tunneling outweigh the risk? And three: do you have enough trust in the employees, contractors, or vendors who would use that split-tunnel VPN? Once an organization answers these three questions it can determine whether a split-tunnel VPN works for it.