The Access Control Gap in IaaS
| DevOps |
Agile control plane and system administration security is the missing link in enterprise IaaS.
It still seems like cloud adoption is driven by startups and non-sensitive data. Security and compliance concerns, along with inertia and turf-defense, are holding enterprises back from the cloud.
In this post, we posit that the concerns still keeping sensitive workloads out of the cloud are rooted in two tiers: systems administration and the control plane. The nature of these systems is quite different from their counterparts in the traditional, on-premises data center.
Zero-trust systems, infrastructure as code, DevOps, and continuous delivery all present access control challenges that are not well-addressed by the last generation of access control and secrets management systems. Conjur exists to meet this need in a way that fits the needs and workflows of business, compliance, security, operations, and development.
Consider the basic elements of a typical IaaS security stack, from the top down:
At the top is the firewall, which may be a simple packet filter or reverse proxy, or a more advanced piece of technology like a web application firewall. This is a well-understood problem; good solutions are available both on-premises and in IaaS.
Behind the firewall is the application tier, which provides end-user authentication and authorization via code built into the application itself, sometimes backed by an external provider such as Active Directory or a SAML identity provider. Because most application-level security lives in the application code, it is the same whether the app is deployed on-premises or in IaaS. Extending the backend auth provider to the cloud has some challenges (especially for AD), but established offerings provide LDAP-compatible directory services in the cloud today, including AWS Directory Service.
Whether on-premises or in the cloud, applications run on physical servers or virtual machines. Access to these machines is a back door to all of the application's data and security controls. Therefore the "gates" that control machine access, meaning both secrets such as database passwords and gatekeeper systems such as SSH, are critical to security. Managing secrets in a cloud plus DevOps environment is a problem without an established solution; Conjur provides robust, programmable secrets management that supports developer, ops, security, and combined (SecDevOps) workflows.
In IaaS systems, machines and other resources such as queues and databases are increasingly managed not by human admins but by trusted services running in a "control plane" that sits below the application tier. Examples of control plane services include Netflix's Asgard deployment and auto-scaling tool and configuration management tools like Chef, Puppet, Ansible, and SaltStack. In continuous delivery scenarios, where code is automatically packaged, tested, and deployed, the control plane extends to systems like Jenkins and GitHub. Each of these services holds credentials that can create, reconfigure, or destroy production machines, so proper management of the control plane is a big challenge in the cloud. Conjur's secrets management and its LDAPS and HTTPS authorization APIs can be used very effectively in the control plane. For an example, see our now-classic blog post on Conjur and Jenkins.
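To make the access-control problem of the last two paragraphs concrete, here is an added example (written for this post; it is not Conjur's code and does not use Conjur's API) of a toy policy-driven secrets broker. Each control-plane identity, such as a CI job or an application host, authenticates with its own API key, a default-deny policy states which identity may read which secret, and every attempt is written to an audit trail. All role names, secret names, and values are hypothetical, constructed for the example.

```python
"""Toy policy-driven secrets broker for control-plane identities.

Added example for this post; not Conjur's code or API. Role, secret and
key names are hypothetical. Demonstrates: per-identity credentials,
default-deny RBAC with group inheritance, and an audit trail of every
access attempt, allowed or denied.
"""
from __future__ import annotations

import hmac
import secrets as _secrets
from dataclasses import dataclass, field


@dataclass
class Policy:
    """Roles, group membership and grants, RBAC-style."""

    # group -> direct members; a member inherits everything granted to the group
    members: dict[str, set[str]] = field(default_factory=dict)
    # (privilege, resource) -> roles granted it directly
    grants: dict[tuple[str, str], set[str]] = field(default_factory=dict)

    def add_member(self, group: str, role: str) -> None:
        self.members.setdefault(group, set()).add(role)

    def grant(self, role: str, privilege: str, resource: str) -> None:
        self.grants.setdefault((privilege, resource), set()).add(role)

    def effective_roles(self, role: str) -> set[str]:
        """The role itself plus every group it belongs to, transitively."""
        seen, todo = set(), [role]
        while todo:
            r = todo.pop()
            if r in seen:
                continue
            seen.add(r)
            todo.extend(g for g, ms in self.members.items() if r in ms)
        return seen

    def allowed(self, role: str, privilege: str, resource: str) -> bool:
        # Default deny: only an explicit grant to the role or one of its groups passes.
        holders = self.grants.get((privilege, resource), set())
        return bool(holders & self.effective_roles(role))


class SecretsBroker:
    """Authenticates a machine identity by its own API key, then applies the policy."""

    def __init__(self, policy: Policy) -> None:
        self.policy = policy
        self._api_keys: dict[str, str] = {}          # role -> per-identity API key
        self._vault: dict[str, str] = {}             # secret name -> value
        self.audit: list[tuple[str, str, str]] = []  # (role, secret, outcome)

    def enroll(self, role: str) -> str:
        """Issue a distinct API key per identity; no credential is shared across hosts."""
        key = _secrets.token_urlsafe(32)
        self._api_keys[role] = key
        return key

    def store(self, name: str, value: str) -> None:
        self._vault[name] = value

    def fetch(self, role: str, api_key: str, name: str) -> str:
        expected = self._api_keys.get(role)
        # Constant-time comparison of the presented key against the enrolled one.
        if expected is None or not hmac.compare_digest(expected, api_key):
            self.audit.append((role, name, "denied:authn"))
            raise PermissionError(f"{role}: authentication failed")
        if not self.policy.allowed(role, "execute", name):
            self.audit.append((role, name, "denied:authz"))
            raise PermissionError(f"{role}: not permitted to read {name}")
        self.audit.append((role, name, "allowed"))
        return self._vault[name]


def build_demo() -> tuple[SecretsBroker, dict[str, str]]:
    """Wire up a CI job and an app host with least-privilege grants (constructed data)."""
    policy = Policy()
    policy.add_member("layer:ci", "host:jenkins/deploy-job")
    policy.add_member("layer:web-app", "host:web-app/i-0abc")
    policy.grant("layer:ci", "execute", "ci/deploy-key")          # CI may read the deploy key
    policy.grant("layer:web-app", "execute", "prod/db/password")  # only the app reads the DB password

    broker = SecretsBroker(policy)
    broker.store("ci/deploy-key", "ssh-ed25519 AAAA...deploy (constructed)")
    broker.store("prod/db/password", "hunter2-constructed")
    keys = {r: broker.enroll(r) for r in ("host:jenkins/deploy-job", "host:web-app/i-0abc")}
    return broker, keys


def run_demo() -> dict[str, bool]:
    """Returns which accesses succeeded; the full audit trail is on the broker."""
    broker, keys = build_demo()
    results: dict[str, bool] = {}
    for role, name in [
        ("host:jenkins/deploy-job", "ci/deploy-key"),
        ("host:jenkins/deploy-job", "prod/db/password"),  # CI job must be refused here
        ("host:web-app/i-0abc", "prod/db/password"),
    ]:
        try:
            broker.fetch(role, keys[role], name)
            results[f"{role} -> {name}"] = True
        except PermissionError:
            results[f"{role} -> {name}"] = False
    # A key stolen from one identity and presented as another is refused at the authn step.
    try:
        broker.fetch("host:web-app/i-0abc", keys["host:jenkins/deploy-job"], "prod/db/password")
        results["wrong key"] = True
    except PermissionError:
        results["wrong key"] = False
    return results


if __name__ == "__main__":
    for access, ok in run_demo().items():
        print(f"{'ALLOW' if ok else 'DENY ':5} {access}")
```

The design point is that the Jenkins job never holds the production database password at all: it is granted only the secret its role needs, the application host is granted only its own, and the broker, not the job's configuration, is where that decision is enforced and recorded. A real deployment would also rotate the per-host keys and back the vault with encrypted storage, which this toy omits.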
Beneath the control plane sits the internal network. This network encompasses all of the VPNs, security groups, VPCs, subnets, NATs, routers, and so on that govern the flow of traffic in the system. IaaS has greatly expanded the possible network topologies; best practices for them are still evolving, but the building blocks are well understood.
Finally, beneath the network sits the physical infrastructure. Whether on-premises or IaaS, if you look far enough down the stack, everything is housed in a physical facility. The physical security of major IaaS data centers is generally better than what most organizations can build on-premises. One could say that in IaaS, physical data center security is a solved problem.
After looking at the areas described above, we at Conjur feel that the security aspects of the firewall, application authn/authz, networking, and physical infrastructure are well understood and well addressed in the cloud. The missing piece is access control for the cloud control plane: access control that is built for the way cloud infrastructure is actually operated.
If you would like to find out more, please contact us.