Security is paramount to networks, more so as all information moves to the cloud. At Alkira, being the first Network Cloud solution providing Network as a Service, it was apparent from the get-go that all controls on the network need to be tight, with no exceptions. Within the last 2 years of our journey, I had the opportunity to learn quite a few things in terms of security. Here are a few practices that go a long way in securely controlling and managing networks:
Access and Network Controls
Access via VPN, Always
As solutions move to the cloud, it doesn’t matter if users are connected from home, office or a public network. Provide access to the network only via VPN, secure the access and log the access. No one should be able to plug in a network cable or connect to WiFi and access the company network from anywhere. Period.
Firewalls
Once all entry points into the network are secured via VPN, the next level of security is to front-end resources with firewalls. Bear in mind that resources are spread across co-locations, different cloud providers, private data centers, etc. Ensure access to these resources is stitched via firewalls and that only the required access is opened up.
Network ACLs and Security Groups
Virtual network implementations across various cloud platforms provide Network ACL and Security Group functions. Network ACLs control access at the subnet level and Security Groups provide control at the instance level. Make them part of your templates, so that Network ACLs and Security Groups have restrictive default configurations and require explicit intervention to open up additional access.
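One way to enforce restrictive defaults in templates is to audit them before they are deployed. The following is an added example, not Alkira's code: the template schema, the policy constants and the approval references are all constructed for illustration and do not match any cloud provider's actual format.

```python
import ipaddress

# Constructed sample templates in a simplified, hypothetical schema.
TEMPLATES = {
    "base-default": {"ingress": []},  # restrictive default: nothing open
    "web-frontend": {"ingress": [
        {"proto": "tcp", "ports": (443, 443), "cidr": "0.0.0.0/0", "approved_by": "CHG-EXAMPLE-1"},
    ]},
    "db-tier": {"ingress": [
        {"proto": "tcp", "ports": (5432, 5432), "cidr": "10.20.0.0/16", "approved_by": "CHG-EXAMPLE-2"},
        {"proto": "tcp", "ports": (22, 22), "cidr": "0.0.0.0/0"},
    ]},
    "legacy-app": {"ingress": [
        {"proto": "-1", "ports": (0, 65535), "cidr": "::/0", "approved_by": "CHG-EXAMPLE-3"},
        {"proto": "tcp", "ports": (8000, 8100), "cidr": "192.168.1.0/24"},
    ]},
}

MAX_PORT_SPAN = 1        # assumed policy: one port per rule
PUBLIC_OK_PORTS = {443}  # assumed policy: only HTTPS may face the internet

def audit_rule(rule):
    """Return the list of policy violations for one ingress rule."""
    problems = []
    net = ipaddress.ip_network(rule["cidr"], strict=False)
    lo, hi = rule["ports"]
    if not rule.get("approved_by"):  # explicit intervention must be recorded
        problems.append("no approval reference")
    if rule["proto"] == "-1":
        problems.append("all protocols allowed")
    if hi - lo + 1 > MAX_PORT_SPAN:
        problems.append(f"port range {lo}-{hi} too wide")
    if net.prefixlen == 0 and not (lo == hi and lo in PUBLIC_OK_PORTS):
        problems.append(f"open to {net} on non-public port")
    return problems

def audit_templates(templates):
    """Map 'template[rule index]' to violations, for rules that break policy."""
    findings = {}
    for name, tmpl in templates.items():
        for i, rule in enumerate(tmpl.get("ingress", [])):
            problems = audit_rule(rule)
            if problems:
                findings[f"{name}[{i}]"] = problems
    return findings

if __name__ == "__main__":
    for where, problems in audit_templates(TEMPLATES).items():
        print(where, "->", "; ".join(problems))
```

Run as a pre-merge check, a non-empty result blocks the template change until the rule is narrowed or an approval is recorded.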
Multi-Factor-Authentication
Gone are the days of simple, single, common passwords; MFA has to be the de facto way to control access. Be it email, web pages, company resources or documents, all of these are critical for a company’s survival. Most or all services have moved to the cloud, and all the new-era solutions provide MFA. Make MFA the default, not an optional way to access your services.
Single Sign-On
With resources spread across various providers, and users needing access to various resources and services, a centralized way of accessing these will provide ease of control. Implement a secure SSO with MFA and provide a consistent experience across services. It will help ease the pain for users as well.
Secure Production Access
With continuous integration and collaboration models, there is constant churn in features and upgrades of production environments. It is good to have separate access controls for development, staging and production environments. Production should be separate, secure, and limited. This helps in keeping tighter controls on production as companies strive to provide 99.999% uptime to users, internal or otherwise.
Due diligence
Alert Invalid Access and follow up each event
It is not enough to have MFA and assure ourselves that the network and services are secured. Enable the services to log all valid and, more importantly, invalid access, and follow up on each of these events until they are identified and resolved. Attacks can come in any form, and no alert is invalid until it is ruled out.
Running Tests
Configuring and controlling is only the first step; it is prudent to check whether these methods are effective. Various open source tools, such as OWASP ZAP, testssl, port scanners and other security tools, can be used for running security scans and identifying issues. Run these manually or, better yet, automate them and run them frequently.
Compliance
Audits and compliance are stressful: they require a lot of evidence collection, written-down practices and continuous review of the network security. However, they help in identifying any overlooked items, forcing us to secure the network and practice sound solutions.
Conclusion
There is no way around the hard labor needed in securing your network. Having best practices and making them mandatory from the get-go makes following them easier than adopting them later or changing them after a catastrophic event, when it might be too late for a change.