The Cloud is always Hybrid

Contributed by: Federico Simonetti

And how current IT practices are reducing its security

Synopsis

The Cloud and, generally speaking, all IT environments are always inherently Hybrid. Resources and workloads in public and private cloud environments need to interoperate with on-premise information and legacy systems. Moving literally everything to the (public/private) Cloud only widens the attack surface, particularly when it comes to certain critical information like identities, encryption keys and digital certificates, and highly sensitive files and databases. To enable interoperation, companies are carelessly deploying more and more VPNs, often without considering the security implications. The time has come for a radically new approach to Hybrid Cloud Security, a strategy that enables Hybrid interoperation while filling the security gaps left open by VPNs.

Why certain data should never be “handed off”

The gist of it is: sensitive information should never be replicated/synchronized to a shared location operated by a third party (like a Cloud service provider) to avoid losing control over its defense strategies.

When it comes to an identity database or a key vault, for example, the consequences of losing such control can be devastating. Imagine a clever hacker acquiring your entire identity database and all your digital certificates by performing a successful attack onto your Cloud-based IAM/SSO systems. This is happening, and countless reports of such break-ins can be found online, and have been reported by these IAM/SSO companies themselves. Any IAM and SSO system that involves a copy/replica of your identity database (namely your Active Directory) can be subject to this kind of attack.

So, it’s never a good idea to copy/replicate your most sensitive information to some Cloud-based service. Yet, there’s a business advantage in making such information “usable” from anywhere. But how to keep such data on-premise and make it “usable” while keeping it totally safe and unreachable at the same time? Please, read on…

VPNs are a good thing, but…

In most cases, VPNs are the perfect solution to allow remote nodes to access on-premise resources, particularly when interoperation with such resources requires two pieces of software to communicate over IP (TCP, UDP, …).

Because they are relatively easy to set up, their number can grow very quickly in a corporate environment, and rapidly become an IT management nightmare, if not handled properly.

Furthermore, because of their very nature and purpose (allowing IP communication between nodes physically connected to distinct networks) malware in general, and ransomware in particular, have quickly learned to take advantage of VPNs to infect entire networks from a single infected node allowed to connect. This is happening despite VPN vendors desperately trying to claim that VPNs can protect against such threats. The truth is that, once an infected computer is allowed to connect via VPN to a subnet of a corporate network, and has SMB/CIFS/LDAP (or any other type of operational) access to shared data and services in that same subnet, malware and ransomware can and will spread.

Effective backup and disaster recovery practices can corner the issue when the affected information is just a set of unstructured data (files and folders), but the challenge becomes a lot harder when the affected information is the corporate identity database, or the company’s encryption key/certificate vault, or a structured data repository. In such cases there is a need for something specifically designed to reduce the attack surface, something that – unlike a VPN – doesn’t allow generic IP traffic to reach the nodes where the sensitive information is stored.

A radically new approach, from a logical standpoint, is needed

Copying/replicating the sensitive data/service outside of your protected network perimeter is not a good idea, and allowing inbound traffic through the firewall to reach/use such information or service is an even worse one. Then how do we make an on-premise information or service available to users outside the protected network without incurring in any of the above-mentioned risks?

The only way is to design a communication channel that has the following characteristics:

  • * Communication channels should be established outbound to avoid inbound NAT/port-forwarding rules on the firewall
  • * Should feature two layers of strong encryption, and mutual digital signature verification should also be performed twice (once per layer) using different algorithms, featuring perfect forward secrecy key exchange mechanisms
  • * Unlike what happens with VPNs, the two endpoints should not be allowed to transfer generic IP traffic, but only a strict purpose-built, command-less, passive protocol, designed to accomplish a single narrow task

If properly designed, such communication strategy would not only greatly increase the overall security, but also enable the use of on-premise resources and services without moving them, and without requiring any network equipment reconfiguration.