There are a few important things you need to know about securing your cloud Infrastructure. All the benefits of building and launching an app in the cloud do come at a risk. As a CTO or CEO you want to save money wherever you can. Moving your infrastructure to the cloud is a great way to save time, money, and optimize your resources.
- Pick an established provider that has a great track record and is known for good reliable service.
- Regularly create backups of your entire website, database, components and architecture.
- Although unlikely, have a plan in place to migrate your website in case you lose your provider services.
- Only give external access to the ports that you want public users to access (ie: 80 for http and 443 for https).
- For server system access, limit your file transfers and system level access to the secure remote access port SFTP/SSH port (22).
- Make sure only your IP has access to this port. And remove the access when you don’t need it.
- In addition, use the SFTP/SSH option via a certificate verify your identity and encrypt your remote connection when you make file and system level changes.
- Manage access to your web application by creating user accounts.
- Give those accounts specific roles that only allow access to the application level resources that they require. For instance, if you have a Rails e-commerce application that requires updating of its product catalog then create a specific role entitlement to update the catalog.
- Admin functionality should be applied only to admin users. Features like modifying a system config is a privileged use that should not be co-mingled into a customer based user account, even if its owned by the same person.
- Make sure you remove all your test users accounts and change default passwords.
- Don’t use easy to guess default usernames like admin and user.
So how do you begin to work with all the risks? For example, what would you do if your cloud services provider goes out of business? How do you secure your application and server in the cloud that you don’t own and physically can’t touch?
Here’s a few pointers to get you started.
Data and Application Availability:
You will most likely be protected here since the upkeep of the external network that your app lives on is typically managed by your cloud provider. But only the availability of the overall network is provided by cloud services. Your server and application are managed by you.
Your responsibility typically begins at the your server firewall. To control access to your server and application you will need to implement access controls via firewall security rules, cloud resource access, and application level user roles.
Secure network access to your server:
Control who can access your cloud services via system level user entitlements.
Many cloud providers help you control access to your service resources via identities. In Amazon web services, for instance, this is called Identity and Access Management (IAM) where a user is granted access (via entitlements) to specific resources (those that they are authorized to use). This access is specific to the cloud resource and not the web application itself.
For example, the ability to access email services from your server would be accomplished by creating and leveraging a user that has access to cloud email services (SMTP) to send email.
Control access to your app via application level user entitlements:
Test accounts and default usernames:
Secure data transfer between your web app and browsers:
Purchase and implement your own SSL certificate. See https://www.sslshopper.com/ssl-certificate-wizard.html for a comparison of what may work best for you.
Let me know if you have any questions or require any help!
I can be contacted at firstname.lastname@example.org