The Infrastructure as a Service cloud computing model gets IT managers out of the hardware business — servers, storage and network equipment are all someone else’s problem to procure, maintain and upgrade. IaaS enables organizations to rent virtual machines from a cloud provider while retaining full administrative or root control of the underlying operating system.
As organizations prepare to move to IaaS, they first need to get their houses in order. To migrate workloads as seamlessly as possible, there are several key steps to take:
Before beginning an IaaS migration, ensure you have an accurate inventory of applications and the servers that run them. Tackle this from both directions: Work from applications toward servers, and then move from servers to applications to see what was missed.
Your inventory should be application-focused. If necessary, devise new application names such as “Active Directory forest root” to combine elements not traditionally thought of as applications.
Each application in the inventory should have business and technical owners, security criticality information, pointers to documentation, and linkages to other major applications, such as databases or authentication APIs. From there, start listing various instances (such as production, test and development), and attach each instance to Windows and Unix servers and any platform services required for the application to operate, such as Apache or IIS, Java, PHP, .NET and so on.
The inventory should also include security details for each application instance — firewalls, load balancers, proxies — and the configuration of each. This is critical information needed to migrate any application to the cloud.
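As an added example (not code from the article), the following Python script walks a constructed inventory in both directions described above, from applications to servers and from servers back to applications, and lists the gaps a migration plan would have to close; all application, owner, host and security-device names in it are made up.

```python
# Added example: reconcile an application-focused inventory against a server
# list in both directions. All names below are constructed sample data.
from dataclasses import dataclass, field

@dataclass
class Instance:
    env: str                                       # production, test, development
    servers: list                                  # hosts this instance runs on
    platforms: list = field(default_factory=list)  # Apache, IIS, Java, PHP, .NET ...
    security: dict = field(default_factory=dict)   # firewalls, load balancers, proxies

@dataclass
class Application:
    name: str
    business_owner: str
    technical_owner: str
    criticality: str                               # security criticality, e.g. high
    docs: str                                      # pointer to documentation
    depends_on: list = field(default_factory=list) # databases, authentication APIs
    instances: list = field(default_factory=list)

def reconcile(apps, known_servers):
    """Return the gaps a migration plan must close before anything moves."""
    referenced = {s for a in apps for i in a.instances for s in i.servers}
    names = {a.name for a in apps}
    return {
        # servers -> applications: hosts no application claims (what the app-first pass missed)
        "orphan_servers": sorted(set(known_servers) - referenced),
        # applications -> servers: hosts referenced but absent from the server list
        "unknown_servers": sorted(referenced - set(known_servers)),
        "missing_owner": [a.name for a in apps if not (a.business_owner and a.technical_owner)],
        "missing_security": [f"{a.name}/{i.env}" for a in apps for i in a.instances if not i.security],
        "unknown_dependency": sorted({d for a in apps for d in a.depends_on} - names),
    }

# Constructed sample inventory
SAMPLE_APPS = [
    Application("Active Directory forest root", "CIO", "dirsvc-team", "high", "wiki/ad",
                instances=[Instance("production", ["dc01", "dc02"], ["Windows"],
                                    {"firewall": "fw-core", "allow": ["tcp/389", "tcp/636"]})]),
    Application("HR portal", "HR", "", "medium", "wiki/hr",
                depends_on=["HR database", "Active Directory forest root"],
                instances=[Instance("production", ["web01"], ["IIS", ".NET"], {"load_balancer": "lb01"}),
                           Instance("test", ["web-test01"], ["IIS", ".NET"])]),
]
SAMPLE_SERVERS = ["dc01", "dc02", "web01", "web-test01", "legacy-ftp01"]

if __name__ == "__main__":
    for key, items in reconcile(SAMPLE_APPS, SAMPLE_SERVERS).items():
        print(f"{key}: {items}")
```

Run against the sample data it reports the unclaimed host, the application without a technical owner, the test instance with no recorded security configuration, and the dependency that has no inventory entry of its own.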
The traditional approach to security — putting a firewall in front of a data center — doesn’t work in the world of IaaS. Few providers will allow you to install a physical firewall, which means organizations will need to consider virtual firewalls, virtual private network concentrators, intrusion prevention systems and load balancers.
Think carefully about how you’re going to manage all these network security services, because one sacrifice organizations make when deploying IaaS is the ability to treat their network like a set of building blocks where they can connect any kind of device they want between any two servers.
If you’re particularly adventuresome, you can consider alternative server-located security technologies, such as host-based firewalls and clustering. IaaS is great for making elastic, resilient and scalable applications, but it’s up to the customer to balance loads and secure the various elements.
Microsoft shops will be particularly challenged because the tight linkage between internal infrastructure such as Windows Active Directory and application servers isn’t designed to sit bare on the Internet. Enterprises with a mix of Windows and Unix application servers should migrate Unix applications first to gain experience with IaaS services.
Who hasn’t dreamed of clearing out their data center and starting over? IaaS migration not only offers that opportunity, but works best if you take the time to standardize, virtualize and minimize the environment.
While organizations can support as many virtual machines as they want, they still retain responsibility for managing and patching them. Moving everything to a standard VM base helps keep servers synchronized and up to date. Build template systems using Unix and Windows hardening guidelines and use the same base to deploy every VM.
Integrate every server into a patch management solution and use that to keep operating systems and platform services up to date. Windows administrators will gravitate automatically to Microsoft System Center, although good third-party alternatives can handle cross-platform management. If you have a heavy Unix server load, consider using tools such as Puppet and Chef to go beyond patch management into configuration management.
And don’t forget that in addition to security and patch obligations, every VM you spin up has a monthly cost associated with it. While the pendulum has swung in recent years towards VM sprawl, a migration to IaaS should also include an analysis of systems with a goal of reducing the total count.