Infrastructure-as-a-service (IaaS) provides virtualized computing resources, virtual networking, virtual storage, and virtual machines accessible over the internet. Popular infrastructure services include Amazon’s Elastic Compute (EC2), the Google Compute Engine, and Microsoft Azure.
IaaS usage is increasing due to the low upfront cost. Organizations that use infrastructure services do not need to purchase or maintain hardware. This makes IaaS appealing to organizations of all sizes.
IaaS is also more scalable and flexible than hardware. Cloud infrastructure can be expanded on-demand and scaled back again when no longer needed. This level of scalability isn't possible with on-premises hardware.
However, IaaS can be a target for cyberattacks attempting to hijack IaaS resources to launch denial-of-service attacks, run botnets, or mine cryptocurrencies. Storage resources and databases are a frequent target for data exfiltration in many data breaches. In addition, attackers who successfully infiltrate an organization's infrastructure services can then leverage those accounts to gain access to other parts of the enterprise architecture.
How to secure IaaS
IaaS customers are responsible for securing their data, user access, applications, operating systems, and virtual network traffic. Organizations often make the following mistakes when using IaaS:
Unencrypted data: In hybrid and multi-cloud environments, data moves between on-premises and cloud-based resources, and between different cloud applications. Encryption is essential to protect the data from theft or unauthorized access. An organization can encrypt data on-premises, before it goes to the cloud, or in the cloud. They may use their own encryption keys or IaaS-provider encryption. An IT department may also want to encrypt data in transit. Many government and industry regulations require sensitive data to be encrypted at all times, both at rest and in motion.
Configuration mistakes: A common cause of cloud security incidents is misconfiguration of cloud resources. Cloud providers may offer tools for securing their resources, but the IT professional is responsible for correct use of those tools. Examples of common errors include:
- Improperly configured inbound or outbound ports
- Multi-factor authentication not activated
- Data encryption turned off
- Storage access open to the internet
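The four misconfigurations above are the kind of thing a posture audit looks for. As an added example (not code from the original article or from any provider), the script below runs such checks over a constructed, provider-neutral inventory; the keys "security_groups", "iam_users" and "buckets", the port baseline, and the sample values are all assumptions made for the illustration.

```python
# Added example: a small posture check that flags the four misconfigurations
# named in the article (open ports, MFA off, encryption off, public storage).
# The inventory layout below is a constructed, provider-neutral assumption,
# not any real provider's API response.
from typing import Dict, List

# Constructed sample inventory containing both sound and unsound settings.
SAMPLE_INVENTORY = {
    "security_groups": [
        {"id": "sg-web", "rules": [
            {"direction": "inbound", "port": 443, "cidr": "0.0.0.0/0"}]},
        {"id": "sg-db", "rules": [
            {"direction": "inbound", "port": 3306, "cidr": "0.0.0.0/0"}]},
    ],
    "iam_users": [
        {"name": "alice", "mfa_enabled": True},
        {"name": "bob", "mfa_enabled": False},
    ],
    "buckets": [
        {"name": "app-logs", "encrypted": True, "public": False},
        {"name": "backups", "encrypted": False, "public": True},
    ],
}

# Assumed baseline: admin and database ports that should never face the internet.
RISKY_PORTS = {22, 3389, 3306, 5432, 1433, 27017}

def audit(inventory: Dict) -> List[str]:
    """Return one finding string per misconfiguration detected."""
    findings = []
    for sg in inventory.get("security_groups", []):
        for rule in sg["rules"]:
            if rule["cidr"] == "0.0.0.0/0" and rule["port"] in RISKY_PORTS:
                findings.append(f"OPEN_PORT {sg['id']}: {rule['direction']} "
                                f"port {rule['port']} open to 0.0.0.0/0")
    for user in inventory.get("iam_users", []):
        if not user["mfa_enabled"]:
            findings.append(f"NO_MFA {user['name']}: MFA not activated")
    for bucket in inventory.get("buckets", []):
        if not bucket["encrypted"]:
            findings.append(f"NO_ENCRYPTION {bucket['name']}: encryption at rest off")
        if bucket["public"]:
            findings.append(f"PUBLIC_STORAGE {bucket['name']}: open to the internet")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_INVENTORY):
        print(finding)
```

Against the sample inventory the web group's HTTPS rule passes while the database port, the user without MFA, and the unencrypted public bucket each produce a finding.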
Shadow services: Shadow or rogue cloud accounts are most common in software-as-a-service (SaaS) solutions but can also occur in IaaS. When employees need to provision an application or resource, they may use a cloud provider without informing their IT department. To secure the data in these services, IT needs to first identify the services and users through an audit. To do this, IT can use a cloud access security broker (CASB).
Solutions for IaaS security
Many organizations use multi-cloud environments, with IaaS, PaaS, and SaaS services from different vendors. Multi-cloud environments are becoming more common but can also cause security challenges. Traditional enterprise security solutions aren’t built for cloud services, which are outside the organization’s firewall. Virtual infrastructure services (like virtual machines, virtual storage, and virtual networks) require security solutions specifically designed for a cloud environment.
Four important solutions for IaaS security are: cloud access security brokers, cloud workload protection platforms, virtual network security platforms, and cloud security posture management.
- Cloud access security broker (CASB), aka cloud security gateway (CSG): CASBs provide visibility and control over cloud resources, including user activity monitoring, IaaS monitoring, cloud malware detection, data loss prevention, and encryption. They may integrate with firewalls and cloud platform APIs, as well as monitor IaaS for misconfigurations and unprotected data in cloud storage. CASBs provide auditing and monitoring of security settings and configurations, file access permissions, and compromised accounts. A CASB may also include workload monitoring and security.
- Cloud workload protection platforms (CWPP): CWPPs discover workloads and containers, apply malware protection, and manage workload instances and containers that, if left unmanaged, can provide a cybercriminal with a path into the IaaS environment.
- Virtual network security platforms (VNSP): VNSP solutions scan network traffic moving both north-south and east-west between virtual instances within IaaS environments. They include network intrusion detection and prevention to protect virtual resources.
- Cloud security posture management (CSPM): A cloud security posture manager audits IaaS cloud environments for security and compliance issues, as well as providing manual or automated remediation. Increasingly, CASBs are adding CSPM functionality.
IaaS provider considerations
IaaS providers are responsible for the controls that protect their underlying servers and data. IT managers can evaluate IaaS providers based on the following characteristics:
- Physical access permissions: An IaaS provider is responsible for implementing secure access controls to the physical facilities, IT systems, and cloud services.
- Compliance audits: IT managers can request proof of compliance (audits and certifications) with relevant regulations, such as healthcare information security laws or privacy requirements for consumer financial data.
- Monitoring and logging tools: An IaaS provider may offer tools for monitoring, logging, and managing cloud resources.
- Hardware specifications and maintenance: The hardware that underpins cloud infrastructure services impacts performance of those services. An IT organization can request the provider’s hardware specifications, particularly the security devices such as firewalls, intrusion detection, and content filtering.
As data centers move into the cloud, IT managers need to create IaaS security strategies and implement cloud security technologies to protect their essential infrastructure. Cloud security from Skyhigh Security enables organizations to accelerate their business by giving them total visibility and control over their data in the cloud. Learn more about Skyhigh Security cloud security technology.