Cloud for Beginners: Securing IaaS Infrastructure
A similar situation is observed in Russia. The focus is gradually shifting towards the clouds, so companies have to pay attention to security issues. In our material today, we would like to dwell on this point in more detail and give a few recommendations that will protect the cloud. / photo by Henri Bergius CC

Cloud physical protection
Since we are talking about cloud infrastructure, the tasks of controlling physical access fall on the shoulders of the cloud provider. Therefore, you should make sure that no strangers are allowed to the hosts. If you are denied excursions or do not provide important information on how to protect the infrastructure from unauthorized access, then this is a reason to worry.
If the provider demonstrates machine rooms, engineering and other service rooms, allowing you to look at the "kitchen" from the inside, then this is a good sign. For example, the provider, whose services IT-GRAD uses, provided comprehensive information on where the cloud is located, how communication systems work, and security is ensured at the facility. We described all this in one of our materials.
It is worth noting that you need to trust your data only to data centers that have passed certification. It is possible to assess the state of the data center independently, but it can take a lot of time. In addition, you should study the legal status of the data center and find out if the provider has all the necessary state licenses and contracts for system support in the event of an emergency.
Data Leakage Protection
“Organizations suffer from a wide and widespread range of threats, which is certainly a cause for concern. Successful attacks have a direct impact on customers' businesses and are destructive, ” says Darren Anstee, spokesman for Arbor Networks.
Therefore, data transmitted to the provider's cloud must be protected. You need to knowwho got access to the information, what operations were carried out with it, from what address the request came. All these issues can be resolved with the help of services for managing the rights to access business critical data. It is also worth thinking about creating a "self-destruction" policy for important information that does not need to "live" indefinitely outside the corporate data center.
One way to protect the transmitted data is encryption. To protect information properly, it’s worth implementing encryption at every stage of the data life cycle. If applications on mobile corporate devices cache data, this approach will prevent leakage in the event of a gadget loss.
There are many solutions on the market to provide data encryption in the cloud. For example, one of them is Trend Micro's SecureCloud. The system encrypts virtual machine drives using the encryption keys stored in SecureCloud, which initiates the encryption / decryption processes of protected storage modules. Architecturally, the solution consists of a management system provided as a service with access through the console and agents installed on protected virtual machines.
Several other popular cloud encryption services have been proposed by Reddit users.
API Access Protection
It should limit access to the Web Console as an unauthorized access to the API can be extremely damaging to systems. Those who use application programming interfaces should use the access control and authentication management functions.
Perhaps the most powerful tool is the whitelist of IP addresses, which allows you to specify a limited number of addresses for each API call. In addition to this, it makes sense to use other ways to connect to the API. For example, you can use a combination of UUID / API keys instead of a username and password to share access to the API and the web console.
Authentication and Authorization
Here you should consider the use of multi-factor authentication types. The introduction of an additional level of security provides more effective protection of systems against unauthorized access.
At the same time, cloud providers must provide their customers with the ability to configure access levels for each user in accordance with company security policies. For example, one employee can generate requests for the purchase of goods, and another, having other access rights, confirm them.
Activity monitoring
When virtual machines are created and migrated between servers automatically, you cannot know for sure where your information is located. Therefore, for the cloud to work efficiently, it is necessary to configure logging and reporting systems.
Such systems are important for service management and optimization. Make sure that all operations with storage and memory are recorded in the event logs, which are stored in several protected places with limited access.
It also makes sense to pay attention to the technology of deep traffic analysis DPI (Deep Packet Inspection) and CASB technology (Cloud Access Security Broker). As for DPI-solutions, they are able to conduct behavioral analysis of packets. Studying protocols, ports and signatures, such a system categorizes incoming packets and applies appropriate measures to them.
CASB is a security tool for administrators, allowing you to identify potential system risks and provide a high level of protection. The solution is a single point of control for cloud applications used by the company, and works in conjunction with the provider's IT infrastructure, offering the ability to monitor shared files. This gives administrators all the information about when and to whom the content is transferred.
A list of other monitoring tools was suggested by users of the Quora and Reddit platforms. You can find them on the links here and here .
Security strategy
In conclusion, we note that the most important aspect of the work of any environment, not just the cloud, is the developing plan for maintaining the security of infrastructure. The image below shows a diagram that highlights the key components of cloud security. Among them, there are several most important.

- This is a physical access control to ensure the security of the environment in which the hardware is located.
- This is a regular software update. Software supplied by vendors, hypervisors, components of security systems must have current versions. In this case, any changes must be recorded and analyzed.
- This is a centralized monitoring of system components: the presence of a team of specialists, the use of monitoring tools (such as DPI systems), assessment of the activity of solutions. All this will allow you to quickly respond to emerging threats and problems.
- This is conducting tests to identify vulnerabilities.
Proper management of the environment as a whole requires the competent management of all these processes in order to minimize risks and keep the infrastructure safe.





