In this final article of our 3-part series on Cloud Asset Management and Protection, we explore cloud asset management for network assets.
It’s important to manage and protect cloud network assets because they enable communications between all other cloud assets, and between these assets and the outside world.
Network assets also perform some security functions. For instance, a Virtual Private Cloud (VPC) lets an organization keep its entire application private from other customers on the cloud and ensure that it is reachable only over a VPN (Virtual Private Network) or another private link. Another asset, the TLS certificate, enables the encryption that secures browser connections and transactions. Similarly, a reverse proxy protects applications by inspecting incoming requests for malicious content: it compares each request against a database of allowed and disallowed content and drops the requests it finds to be malicious.
Cloud networking assets act as “gatekeepers” to applications and data. But to build reliable, resilient and available cloud networks, it is vital to configure, manage and protect these assets, including:
It’s also important to maintain an asset inventory, monitor locations and dependencies, and keep track of changes.
A VPC is a secure, isolated private cloud that’s hosted within a public cloud. The key technologies that support this isolation are:
A VPC provides the cost savings, scalability and convenience of a public cloud, with the data isolation capabilities of private clouds. It enables organizations to create separate virtual networks to isolate their applications from other customers using the same cloud.
To protect VPC assets, regular network scanning is crucial. This enables organizations to understand how these assets are performing, and identify and address vulnerabilities. But for scans to be effective, network scanners need good inputs – and this can only happen if a good inventory of all VPC assets is maintained.
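The point above is that a scanner is only as good as the inventory it is fed, and that the inventory must also record locations and dependencies. The following Python is an added example (not code from the article or from Magalix) of reconciling a network-asset inventory with what a scan actually observed. The asset records, addresses and scan results are constructed sample data, and the field names are assumptions rather than any cloud provider's or scanner's schema.

```python
"""Reconcile a VPC network-asset inventory against scan output.

Added example, not part of the original article. All records below are
constructed sample data; the field names are assumptions, not a real
cloud provider's or scanner's schema.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class NetworkAsset:
    asset_id: str
    kind: str                 # e.g. "vpc", "load-balancer", "reverse-proxy"
    vpc: str                  # location: which VPC the asset lives in
    address: str              # CIDR for networks, host IP for endpoints
    owner: str
    depends_on: tuple = ()    # asset_ids this asset relies on


# Constructed inventory: what we believe exists.
INVENTORY = [
    NetworkAsset("vpc-prod", "vpc", "vpc-prod", "10.0.0.0/16", "platform"),
    NetworkAsset("vpn-gw", "vpn-gateway", "vpc-prod", "10.0.0.2", "platform",
                 depends_on=("vpc-prod",)),
    NetworkAsset("lb-web", "load-balancer", "vpc-prod", "10.0.1.10", "web-team",
                 depends_on=("vpc-prod", "proxy-api")),
    NetworkAsset("proxy-api", "reverse-proxy", "vpc-prod", "10.0.2.5", "api-team",
                 depends_on=("vpc-prod", "cert-api")),   # "cert-api" is not inventoried
]

# Constructed scan result: host addresses that answered during the sweep.
SCAN_SEEN = {"10.0.1.10", "10.0.2.5", "10.0.3.77"}


def scan_targets(inventory):
    """Target list to feed the scanner: every inventoried address.
    Network-level entries (the VPC CIDR) are kept so whole-subnet sweeps cover them."""
    return sorted({a.address for a in inventory})


def reconcile(inventory, seen):
    """Compare inventory with scan observations.
    Returns (unknown, missing): addresses the scan saw that are not inventoried
    (shadow assets) and inventoried hosts the scan did not see (stale records
    or outages). Network CIDRs are not hosts, so they are excluded."""
    host_addrs = {a.address for a in inventory if "/" not in a.address}
    return sorted(seen - host_addrs), sorted(host_addrs - seen)


def dangling_dependencies(inventory):
    """Dependencies that point at asset_ids missing from the inventory.
    A dangling edge means the dependency graph, and therefore the blast radius
    of a change, is not fully known."""
    known = {a.asset_id for a in inventory}
    return sorted((a.asset_id, dep) for a in inventory
                  for dep in a.depends_on if dep not in known)


if __name__ == "__main__":
    print("scan targets:", scan_targets(INVENTORY))
    unknown, missing = reconcile(INVENTORY, SCAN_SEEN)
    print("unknown (not in inventory):", unknown)
    print("missing (not seen by scan):", missing)
    print("dangling dependencies:", dangling_dependencies(INVENTORY))
```

Each unknown address is a candidate shadow asset to be investigated and either inventoried or removed; each missing host is either a stale record to clean up or an outage to escalate. Running the reconciliation after every scan is what keeps the scanner's input list trustworthy.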
A Content Delivery Network (CDN) is a network of linked hosting servers that distributes and routes content globally to reduce access latency and ensure fast, secure content delivery.
When deployed on the cloud network’s edge, a CDN works as a virtual “fence” to prevent attacks on assets or applications. However, an attacker with access to the CDN can introduce malware into the content, or even launch Distributed Denial-of-Service (DDoS) attacks. Domain fronting is another risk. This attack enables hackers to “mirror” the reputable traffic flowing through the CDN, and get back-door access to the network.
To minimize such risks, it’s important to track and monitor the CDN, and protect it with strong authentication, access control, and SSL/TLS encryption.
Domain Name System (DNS) records provide information about a domain, including what IP address is associated with it, and how to handle requests for it.
It’s important to track DNS records and registrars. One key reason is that the DNS is susceptible to many kinds of attacks, including:
Transport Layer Security (TLS) connections offer protection against DNS spoofing. However, not all browsers support TLS, so those users remain unprotected from such attacks. In addition to redirecting them to a malicious server, the attacker may also steal their data (e.g. credentials), or read, manipulate or steal the data going to the legitimate site.
Another reason for tracking DNS records (e.g. domains) is to ensure that domains are renewed on time. Not doing so can lead to service outages and affect business continuity.
With a robust policy enforcement and compliance engine, organizations have a seamless and reliable way to secure all their cloud network assets.
A TLS certificate (X.509 certificate) is a digital certificate issued by a Certificate Authority (CA). It verifies that a particular domain name belongs to the entity the certificate has been issued to.
When a user connects to a server, the server presents the TLS certificate for the domain to help establish a secure connection. This verification process relies on public-key cryptography, using RSA or ECC key pairs. These keys protect the domain from spoofing attacks.
It is important to track TLS certificates so that it is known who has access to the private keys. If those keys fall into the wrong hands, whoever holds them can impersonate the legitimate site. Tracking also makes it easy to reissue an entire class of certificates, say because the cryptographic algorithm used was weak. Finally, a missed TLS certificate renewal can lead to service outages, and tracking certificates prevents this from happening.
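Both the DNS section above (domains must be renewed on time) and the TLS section (track who holds private keys, reissue certificates with weak algorithms, never miss a renewal) come down to running the same checks over an inventory. The following Python is an added example, not code from the article or from Magalix, that implements those checks over a constructed inventory of domains and certificates; the record fields, names, dates and thresholds are assumptions, not any registrar's or CA's schema.

```python
"""Renewal and weak-crypto checks over a domain and TLS certificate inventory.

Added example, not part of the original article. Every record below is
constructed sample data; field names and thresholds are assumptions.
"""
from datetime import date, timedelta

# Constructed inventory of registered domains (from DNS/registrar tracking).
DOMAINS = [
    {"name": "example-shop.test", "registrar": "Registrar A",
     "expires": date(2024, 4, 10), "owner": "web-team"},
    {"name": "api.example-shop.test", "registrar": "Registrar A",
     "expires": date(2025, 1, 1), "owner": "api-team"},
]

# Constructed inventory of TLS certificates; key_custodian is who holds the private key.
CERTS = [
    {"subject": "example-shop.test", "issuer": "Example CA", "not_after": date(2024, 3, 20),
     "key_algo": "RSA", "key_bits": 2048, "sig_hash": "sha256", "key_custodian": "web-team"},
    {"subject": "legacy.example-shop.test", "issuer": "Example CA", "not_after": date(2025, 6, 1),
     "key_algo": "RSA", "key_bits": 1024, "sig_hash": "sha1", "key_custodian": ""},
    {"subject": "api.example-shop.test", "issuer": "Example CA", "not_after": date(2025, 2, 1),
     "key_algo": "EC", "key_bits": 256, "sig_hash": "sha256", "key_custodian": "api-team"},
]

MIN_RSA_BITS = 2048            # assumed policy threshold
WEAK_HASHES = {"md5", "sha1"}  # signature hashes that should trigger reissue


def expiring(records, name_field, date_field, today, days):
    """Names of records already expired or expiring within `days` of `today`."""
    cutoff = today + timedelta(days=days)
    return [r[name_field] for r in records if r[date_field] <= cutoff]


def weak_certs(certs):
    """Certificates using a weak signature hash or an undersized RSA key.
    Returns (subject, [reasons]) so the whole class can be reissued together."""
    findings = []
    for c in certs:
        reasons = []
        if c["sig_hash"].lower() in WEAK_HASHES:
            reasons.append(f"signature hash {c['sig_hash']}")
        if c["key_algo"] == "RSA" and c["key_bits"] < MIN_RSA_BITS:
            reasons.append(f"RSA key {c['key_bits']} bits")
        if reasons:
            findings.append((c["subject"], reasons))
    return findings


def unowned_keys(certs):
    """Certificates with no recorded private-key custodian: nobody can say who has access."""
    return [c["subject"] for c in certs if not c["key_custodian"]]


def report(today_iso, days=30):
    """Run every check as of the given ISO date and return the findings."""
    today = date.fromisoformat(today_iso)
    return {
        "domains_expiring": expiring(DOMAINS, "name", "expires", today, days),
        "certs_expiring": expiring(CERTS, "subject", "not_after", today, days),
        "weak_certs": weak_certs(CERTS),
        "unowned_keys": unowned_keys(CERTS),
    }


if __name__ == "__main__":
    for check, hits in report(date.today().isoformat()).items():
        print(f"{check}: {hits}")
```

In practice the two inventories would be populated from the registrar's records and from the certificates actually served by each endpoint, and the report would run daily with a renewal window long enough for the CA's issuance and the change process.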
A load balancer distributes traffic across multiple application instances to improve performance and reduce access latency. A reverse proxy sits in front of web servers to protect them from DDoS attacks, and it also provides load balancing, performance and reliability benefits. A Web Application Firewall (WAF) helps protect web applications from attacks such as cross-site scripting (XSS), cross-site request forgery (CSRF) and SQL injection.
All of these assets can see and modify the network traffic flowing to and from applications. That is why robust access control is critical, and proper inventory management is invaluable for enforcing it.
This brings us to the end of our 3-part series on Cloud Asset Management and Protection. Do take a look at the other two articles: Part 1 and Part 2.
Magalix enables companies to enforce security-as-code across their entire cloud networking infrastructure. The Magalix platform is robust, scalable and extensible – ideal for securing your cloud network infrastructure. The engine supports a “build once, enforce everywhere” approach with 100s of built-in policies and templates that can be easily customized and implemented.
Protect your cloud network assets with Magalix and Security-as-Code.