October 27, 2020 | Matt Pacheco
Q&A: Understanding Security Architecture for Private Cloud
Private cloud security architecture is much different than security architecture for public clouds. It also has a longer history, thankfully, which is part of what makes private clouds the better choice to protect highly regulated data. In this post, we explore private cloud security architecture, ways to mitigate cyber threats to private clouds, and the most important aspect of cloud security that all business should consider. We spoke with TierPoint’s Tyler Reese, Cyber Security Architect, to learn more.
Read the previous posts in our Cloud Security Architecture series:
Private cloud security architecture
Interviewer: Why do organizations choose a private cloud security architecture?
Tyler: Private clouds often protect highly regulated data, such as personally identifiable information (PII), payment card industry data (PCI), and patient health information (PHI). A private cloud security architecture can be more secure than a public cloud security architecture because we can add more controls and processes in an established private cloud security framework. For example, CleanIP managed next-generation firewall services provide continuous protection to mitigate vulnerabilities.
Most organizations are more familiar with the operations of a private cloud than a public cloud, which reduces the learning curve, although they may not have the staff or desire to allocate resources to manage a private cloud themselves in an on-premise data center. TierPoint is a managed security services provider (MSSP) and cloud service provider (CSP); we take on the burden of cloud security expertise and administration for our clients.
Interviewer: What are the ways a strong cloud security architecture could provide cybersecurity protection against attacks on a private cloud?
Tyler: Attacks start at ingress and egress points, so private cloud security architecture starts there, whether for a hosted private cloud or edge compute. In either case, a cloud security architecture will include an intelligent security device or intrusion prevention system (IPS)-enabled firewall to be that point of visibility. It will have the ability to watch all of your network traffic as it flows in and out.
If you need SSL inspection, the device can capture any malicious traffic passing through a secured session, providing a deep level of visibility. Inspecting encrypted traffic creates a large computational overhead on any physical or virtual device, so the use in a private cloud of purpose-built processors for those activities can offload that computing function from the CPU to dedicated hardware chips. For that reason, performance will be better in a private cloud than in most public clouds.
A security integration fabric, which provides a centralized management point across all the security technologies, is a force multiplier for both managed security service providers such as TierPoint and their customers. It feeds into a unified centralized security tool with a single pane of glass to ensure the correct security controls are applied to different segments of the private cloud and to bring them together for centralized control and consistent cloud security policy.
The key to cloud security architecture
Interviewer: What is the most important aspect of cloud security that all businesses should consider?
Tyler: The most important aspect of cloud security — for private, public, and on-premise clouds — comes down to privilege access management. The largest attack vectors compromise your end user base—via a targeted phishing attack or a drive by link download, for example. In most cases, threat actors want to steal credentials used in your organization — such as end user credentials, service accounts, and API keys. Even if the credentials are hashed, threat actors have mechanisms to crack them — and in some cases, they don’t even need to crack them, they can just replay them.
To mitigate this threat, organizations can use end-user behavioral analytics and a robust privileged-access management tool or program, so a compromised credential does not present elevated rights to multiple machines or personnel.
Best practices for sensitive data
Interviewer: Any last thoughts to leave with our readers?
Tyler: Yes, even though people hear on the news that the US government is starting to adopt cloud platforms, such as the Jedi contract to Microsoft, public cloud platforms are by no means the direction for a majority of sensitive data. Secret and above data remains on-premises behind stringent security controls, including HAIPE encryptors and an air gap. Although public cloud hyperscalers are available, and cloud security architecture is effective, it’s necessary to understand your risk level and the type of data your organization needs to protect to decide what type of cloud platform is suitable for that data.
As an additional tip, a helpful list called Commercial Solutions for Classified (CSfC), which comprises commercial off the shelf (COTS) physical equipment, is published by the NSA. The US government has vetted this equipment for industry use to achieve better cybersecurity, regardless of whether or not your business delivers services to the US government.
More on cloud security architecture
Whether you have a private cloud, public cloud, or both, you want to ensure that your IT security infrastructure properly protects your customer data and applications. Sometimes, it can be daunting to undertake a cloud security architecture with the resources in your own organization. TierPoint is a managed security services provider (MSSP) and cloud service provider (CSP). Reach out to us to discuss how we can help you.
