Cloud Security Technology and Tips

Cloud computing is here to stay, with many small to midsized enterprises either actively adopting or at least considering cloud computing at least in some form.  One aspect of cloud computing that I see my clients constantly underestimating is bandwidth connection.  We have become accustomed to LANs at 100Mbps and many of us even at 1Gbps for quite a while now.  We connect to our servers at that high speed and the data moves across our LAN almost instantaneously.

Now we are moving our servers to the cloud and we forget that this means we are connecting to them via our Internet link, which is rarely fast, and almost never 100Mbps.   This is especially true in the SMB, but can be valid for large enterprises as well.  Although they may have much more bandwidth, they also have many more employees using it, and bandwidth saturation may actually be higher.   So, one tip – when you move your servers to the cloud, consider how relevant access speed is for your users; if very relevant, keep the server in-house until you can guarantee very high bandwidth internet connection.

Another aspect of the same issue – continuity of service.  We move to the cloud because this guarantees redundancy and continuity of service, but we forget to get a second Internet link for our own LAN.  So if our ISP connection goes out and we lose connectivity to our servers “in the cloud” – how is our productivity impacted?   Either get a secondary ISP, or don’t move to the cloud those servers that are fundamental for your users’ productivity.

There are several products that guarantee remote access to the cloud servers without the need for a VPN.  I cringe every time I see that.   None of these products can guarantee the same level of access security as a VPN.  It is not only a matter of encryption; rather, it is a matter of identification, credentials, access control.

An SSL VPN connection requires a private certificate and key – that is strong authentication.  An application like RDP simply requires a login ID on the server, and an open port in the firewall.   Hence the security of your server at that point is only as strong as your weakest password.  We have spent a decade improving our best practices to define how to control remote access; it is hard for me to believe how many companies are putting their data in the cloud and allowing access via RDP without source IP limitation, thus exposing their servers’ login to the entire world.  Remember, hackers have all the time they want, and know all the tricks.  You expose a login ID to them and sooner or later they’ll find a way in.

Networking in the cloud for SMBs is rather simple – usually it ends up being a small subnet with a handful of servers connected to a virtual switch, behind a virtual firewall, connected to a virtual router.  One thing I would recommend – ensure your servers are not in any way accessible from any other subnet that doesn’t belong to you.  This may come as a surprise, but there are hosting companies that do not properly enforce this elementary aspect of networking and lump many servers on one subnet even if they don’t belong to one customer!