By Dave Meizlik, Dome9
If you’re like most today, you’re looking to the cloud with cautious optimism to help make your enterprise more efficient and agile. I say “cautious” concerns for security, cost, and complexity in the cloud run rampant. Will my infrastructure be more or less secure? How much will the cloud really save me? What do I have to do (or give up), and what will it get me? These are just a few of the questions you’re likely mulling over.
Cost is highly dependent on your infrastructure, so I’ll focus mostly on how to simultaneously tackle the issue of security and complexity, by making your public cloud, private.
First off, what is a private cloud and why would you want one?
A private cloud is a piece of infrastructure operated solely for a single organization. Private clouds are growing in popularity as a more secure means to get more control over an infrastructure-as-a-service (IaaS). It lets you segregate your cloud from other organizations, building a cloud infrastructure that is – in essence – an extension of your network.
The truth, however, is that creating a private cloud and applying your legacy approach to networking and security creates complexity and drives up cost – two things you’re moving to the cloud to avoid, and doesn’t necessarily increase your security. You pay a premium for a private cloud so you can isolate your infrastructure from others, create secure connectivity (using VPNs), and maintain control over your security. The truth is, there’s a better way to achieve the same result, but at a much lower cost and with far less resource.
Instead of creating an expanded perimeter around your cloud by making it private, simply isolate each individual server in a public cloud via a firewall management service, locking down each individual server with dynamic policy controls for remote access, on demand. This way you’re, in effect, making your public cloud servers, private. Note the emphasis on “servers” in my last sentence. That’s because each server is locked down and isolated, rather than the entire cloud. Each server, in isolation in a public cloud, is just like one big private cloud.
By example, imagine you have a cluster of application servers and databases in a public cloud. Using a firewall management service, you can close administrative service ports like SSH, and RDP, and configure server-to-server communications for MySQL and other services. Then, using the firewall management tool, you enable secure, time-based remote access only when and for whom you authorize with the click of a button. This ensures protected access to your servers without exposing them to risk (e.g., brute force attacks and vulnerabilities from open service ports). What’s more, it makes your cloud servers virtually invisible to hackers and eliminates the need for clunky, pain-in-the-tail VPN clients. In effect, you’ve made your public cloud, private!
This approach saves you significant time and cost, both upfront since you can safely leverage a public cloud infrastructure. And it makes it easier on you and your team, since remote access is available anytime, from anywhere, without having to connect back through a VPN. Moreover, this approach actually provides increased security, since you’re controlling access to each individual cloud server rather than the entire network (i.e., through a VPN).
Now because you’re managing potentially thousands of individual server firewalls, you need a firewall management service to make this efficient. With a firewall management service you can automate policy administration and secure access, on-demand. You can, for example, apply a group-based policy for all your web servers. That’s one policy for multiple machines. Then, with a click of a button, your web developers can self-grant secure access to any machine on-the-fly, with time-based controls to ensure that while they’re accessing the servers, the cloud server’s firewall port(s) are open only for the machines from which they are connecting. Bye-bye VPN clients!
You can also setup multiple group-based policies with a firewall management service. For example, one for your SQL databases, another for your web servers, a third for your application servers, and so on. And you can create role-based access controls with user-administered (yet monitored) secure access. This lets your developers and IT staff do their jobs, securely, for hundreds if-not thousands of servers, while making management easy and scalable.
Now there aren’t too many firewall management services out there. Like the cloud itself, this is a new space. However, as you may have guessed, I work for one called Dome9. A description of Dome9 is below, and you can learn more at www.dome9.com, but first let me take a minute to list out a few important things you should consider in a firewall management service:
#1) Agent-based vs. API-based deployments – Some firewall management solutions provide only agent-based solution. But if you’re an AWS or OpenStack user, you will benefit greatly from managing the existing firewall capabilities of these environments by connecting them to your firewall manager using your cloud provider API keys instead of installing agents on each server. API-based deployments into your cloud give you immediate-on firewall management, without the need to deploy an agent on each server. That’s rapid scale!
#2) Automated access controls – You don’t want to have to leave ports open all the time, even for trusted IPs. Instead, look for a service that lets you dynamically open and close service ports with time-based controls. This way your ports are only opened for specific users, services, and time-periods, and your cloud servers are virtually invisible to hackers.
#3) Multi-cloud & server policy groups – You likely have (or will) multiple servers across multiple infrastructures. Regardless of the distribution, you’ll want to abstract security as an application layer across them all, and employ group-based policy management to ensure you’ve got consolidation with your security management. That’s one policy set across multiple servers, even in multiple infrastructures.
Hopefully this has given you some ideas for how you can get more value from public cloud computing without having to jump through all the hoops of setting up a private cloud. As you explore the topic more, I invite you to visit www.dome9.com and sign up today for free to see how we can help you Secure Your Cloud™.
Dome9 is one of today’s fastest growing cloud security services. With over 1,200 customers, worldwide, Dome9 provides cloud-based firewall management to centralize and automate policy controls for any server running in any infrastructure.