Infrastructure as a Service (IaaS) services offer virtualized computing resources, virtual networks, and virtual storage accessible over the Internet. Popular IaaS services include Amazon's Elastic Compute Cloud (EC2), Microsoft Azure, and Google Compute Engine (GCE).
IaaS is increasingly adopted by organizations, driven by several key benefits. IaaS has a low upfront cost, does not require organizations to purchase or maintain hardware, and is more scalable and flexible than maintaining an on-premise data center. Cloud infrastructure can grow on demand and scale back down when it is no longer needed, which eliminates the need to over-provision resources for temporary peaks in demand.
However, IaaS is also a prime target for cyber attacks. A few examples of attacks specific to IaaS services are denial of service (DoS) attacks against cloud-based compute resources, compromised cloud compute instances used in botnets, and hijacked IaaS resources used to mine cryptocurrencies.
Compute resources are not the only target of cyber attacks. In many data breaches, cloud-based storage resources and databases are the attacker’s main target. Storage resources are often misconfigured, which can leave an open door for attackers. Attackers may also try to compromise cloud system accounts and identities, using them to gain access to cloud resources and also to other parts of the enterprise architecture.
IaaS providers manage cloud security via a shared responsibility model. Typically, the cloud provider is responsible for securing its infrastructure and any managed elements of the environment, while the cloud customer is responsible for securing its workloads, applications, and data. This makes it critical to understand what security capabilities the cloud provider offers, and what your organization needs to do to secure its workloads in each cloud platform.
Here are security issues and challenges to consider before and after implementing IaaS:
IaaS vendors deliver scalable on-demand infrastructure services. This provides flexibility and eliminates the costs and maintenance associated with setting up infrastructure on-premises. The downside of this advantage is that you lose control over the infrastructure: if the vendor is affected by a security breach, you will also be affected.
IaaS vendors provide a cloud control plane for managing the assets created within the cloud environment. The more services, environments, assets, and interfaces you use, the more difficult it becomes to configure everything properly, and any misconfiguration you introduce into the infrastructure exposes it to malicious actors.
Once a malicious cloud user escapes from a VM, serverless sandbox, or container, they can obtain unauthorized access to the hypervisor or operating system that runs other cloud users’ workloads. If a threat actor reaches the hypervisor, they can perform various malicious activities, including modifying code, stealing secrets, and installing malware on instances on the same hardware.
Threat actors can obtain credentials to privileged cloud accounts by installing a keylogger on an admin’s computer. Once threat actors gain unauthorized access to accounts with permissions to provision and terminate VMs and other cloud resources, they can use the cloud’s API or UI to destroy services and grant access as desired.
Each business has unique compliance and regulatory requirements, depending on its industry and location. Compliance is particularly complex for businesses working internationally or with governments worldwide, which may require adherence to standards a cloud provider does not support.
Before adopting an IaaS service, IT and security teams should ensure that they understand the security model of the cloud provider. It is important to realize that:
Vendors use different terms for similar concepts. For example, AWS uses “tags” to organize assets, while GCP uses “projects”. This affects how cloud security policy changes are implemented, so it must be accounted for when implementing security policies.
Different security features are available in each cloud environment. It is important to understand what the cloud provider is offering, which changes to operations might be required to use it effectively, and which gaps in the cloud provider’s security need to be filled by third-party tools.
It is a good idea to create control charts to compare access controls and security features between providers. This is especially important in a multi-cloud environment, because it can help security teams consistently enforce policies across all environments.
All major cloud providers offer the ability to encrypt VMs created on IaaS platforms. This encryption feature is usually available for free or at low cost. Users can choose to manage their own keys or have them managed by the cloud provider.
Taking advantage of this encryption feature is a wise decision because of its low economic and operational impact. However, before activating encryption, determine how it will affect other services offered by the provider, such as backup and recovery.
In the public cloud, it is the customer’s responsibility to keep its workloads up to date, including operating systems and software. Cloud workloads require the same attention to patching and maintenance as on-premises servers. Consistent patching plays an important role in maintaining IaaS security by reducing the attack surface and closing known vulnerabilities.
It is important to monitor all cloud assets. Cloud providers offer various monitoring mechanisms through different interfaces; you may have your own third-party monitoring infrastructure; and there may be a need to invest in cloud-specific monitoring solutions. Ensuring visibility in an IaaS environment requires careful planning.
It is also important to keep an inventory of compute instance images. The IaaS console lists what is available, but it does not necessarily contain details about who is using each VM and for what. It is useful to maintain the inventory through relevant notes or tags in both the inventory system and the IaaS console. This allows security teams to identify workloads at a glance and track them across cloud providers.
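As an added example (not code from the original article), here is the kind of normalization a cross-provider inventory needs: AWS-style tag lists and GCP-style labels/projects are folded into one asset list, and each asset is flagged when it lacks an owner or purpose tag or runs without disk encryption. The sample records and their field names are constructed for this example and are not any provider's real API shape.

```python
"""Normalize instance records from two IaaS providers into one inventory
and flag the gaps a security control chart would surface."""
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample records; field names are assumptions for this example,
# not the real AWS or GCP API response format.
AWS_INSTANCES = [
    {"InstanceId": "i-0a1", "EncryptedRoot": True,
     "Tags": [{"Key": "owner", "Value": "payments"}, {"Key": "purpose", "Value": "api"}]},
    {"InstanceId": "i-0b2", "EncryptedRoot": False, "Tags": []},
]
GCP_INSTANCES = [
    {"name": "batch-1", "project": "analytics-prod", "labels": {"owner": "data-eng"}, "diskEncrypted": True},
    {"name": "scratch-7", "project": "sandbox", "labels": {}, "diskEncrypted": False},
]

REQUIRED_TAGS = ("owner", "purpose")  # policy: every workload must say who runs it and why

@dataclass
class Asset:
    provider: str
    asset_id: str
    tags: Dict[str, str]
    encrypted: bool

def normalize_aws(rec: dict) -> Asset:
    # AWS expresses metadata as a list of Key/Value tag pairs
    tags = {t["Key"].lower(): t["Value"] for t in rec.get("Tags", [])}
    return Asset("aws", rec["InstanceId"], tags, bool(rec.get("EncryptedRoot")))

def normalize_gcp(rec: dict) -> Asset:
    # GCP expresses metadata as labels and groups assets by project
    tags = {k.lower(): v for k, v in rec.get("labels", {}).items()}
    tags.setdefault("project", rec["project"])
    return Asset("gcp", f"{rec['project']}/{rec['name']}", tags, bool(rec.get("diskEncrypted")))

def build_inventory(aws: List[dict], gcp: List[dict]) -> List[Asset]:
    return [normalize_aws(r) for r in aws] + [normalize_gcp(r) for r in gcp]

def find_gaps(inventory: List[Asset]) -> Dict[str, List[str]]:
    """Map each non-compliant asset to the list of policy gaps found on it."""
    gaps: Dict[str, List[str]] = {}
    for a in inventory:
        issues = [f"missing tag: {t}" for t in REQUIRED_TAGS if t not in a.tags]
        if not a.encrypted:
            issues.append("disk not encrypted")
        if issues:
            gaps[f"{a.provider}:{a.asset_id}"] = issues
    return gaps

if __name__ == "__main__":
    for asset, issues in find_gaps(build_inventory(AWS_INSTANCES, GCP_INSTANCES)).items():
        print(asset, "->", "; ".join(issues))
```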