How to keep applications secure in a private cloud


A private cloud, where hardware and network resources are reserved for the exclusive use of one ‘tenant’, makes an attractive attack surface for cyber criminals.

Bad actors know this is where critical information lives for manufacturers, governments, financial institutions, energy companies, healthcare networks, and other industries that sit at the intersection of regulatory requirements and the management of vast amounts of PII.

Enterprises choose one, or several, configurations for private cloud, such as:

  • On-premises / self-managed: This includes standing up a team to manage private cloud infrastructure and fitting out a dedicated space for the hardware that runs private cloud operations. This can be costly, but for some sectors it’s the only way to ensure compliance with data management regulations.
  • Third-party managed and hosted: A vendor partitions resources for the dedicated use of one tenant. This third party can be a managed service provider or a major cloud service provider such as Amazon Web Services (AWS), Microsoft Azure, or Google Cloud Platform (GCP).
  • Colocation data center: While the space is shared with other tenants, the hardware is for the sole use of one entity. Contractors or employees gain access to the hardware to make upgrades and conduct maintenance. The benefit here is that hardware is housed in an ideal environment for optimal performance, extending the hardware lifecycle and thereby reducing operational costs.

Two major threats to private cloud architecture include:

1. Slow patch management cycles, which allow application and OS vulnerabilities to go unchecked for too long and leave the private cloud ripe for cyberattacks.

2. Inexperienced cloud management personnel who don’t properly configure or customize the private cloud to meet operational needs and secure the network.

These threats to private cloud application security usually happen at enterprises with on-prem/self-managed private cloud. To address slow patching and runaway expenses, some enterprises outsource management of private cloud.

For instance, 37 Signals recently repatriated its workloads from AWS’s public cloud to a managed service provider that hosts 37 Signals’ workloads exclusively on hardware dedicated to the firm’s operations only.

Need for greater focus on private cloud application security

The shared responsibility model refers to cloud service providers’ requirement that customers share in the responsibility for securing digital assets and protecting them from cyber attacks. It usually refers to public cloud instances. That is, until now.

The shared responsibility model isn’t exclusive to public cloud, says Philip Bues, research manager for IDC Cloud Security.

"Even in a private cloud, security is a shared responsibility between the provider and the enterprise," Bues tells ITPro. "Understanding the demarcation points is crucial."

Bues also cites ensuring compliance, implementing advanced security measures, and fostering a culture of security awareness as three other ways to secure private cloud applications.

The CSPM market revenue is forecast to increase from $1.06 billion in 2022 to $3.32 billion in 2027, growing at a 25.7% compound annual growth rate (CAGR) during this period. The growth, driven by rising adoption of public cloud, private cloud, containers and serverless computing, signals the placement of private cloud security as a higher priority for IT leaders.

In the 2022 Infrastructure Cloud Survey, respondents reported an increase in IT budget for both public cloud (75%) and internal private cloud (77%) during 2022.

Several key factors directly influence growth in the private cloud services market, such as growing awareness of enhanced data security in private cloud, an increasing rate of cloud adoption among SMEs, and control over data backup and data recovery.

Major private cloud application security solutions

While enterprises have strong reasons for hosting their most critical workloads on private cloud networks, this strategy doesn’t guarantee 100% security of digital assets. Major solutions for private cloud application security include:

Anti-DDoS measures

Distributed denial of service (DDoS) attacks remain a common threat to private cloud applications, according to research published in the Journal of Telecommunications and Information Technology.

“A best practice for enterprises is to implement comprehensive security measures, including DDoS protection strategies, even in private cloud environments to mitigate potential risks,” Bues said.

The Cybersecurity & Infrastructure Security Agency (CISA) encourages businesses to use network micro-segmentation to enable fast detection and mitigation of DDoS attacks: isolating an attack at the virtual machine level, and using network function virtualization and separate Virtual Private Cloud (VPC) instances to isolate essential cloud systems. If enterprises choose macro-segmentation instead, CISA recommends VM firewall configurations to accompany the division of networks into broad categories such as user group and device type.
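To make the micro-segmentation idea concrete, here is an added example (not code from the article or from CISA) of a default-deny policy between per-tier VPC segments and an audit function that flags flows which cross segment boundaries without an explicit allow. The segment names, address ranges and ports are constructed placeholders.

```python
import ipaddress

# Constructed example: one VPC segment per tier. The address ranges are
# hypothetical placeholders, not values from the article or CISA guidance.
SEGMENTS = {
    "web": ipaddress.ip_network("10.10.0.0/24"),
    "app": ipaddress.ip_network("10.20.0.0/24"),
    "db":  ipaddress.ip_network("10.30.0.0/24"),
}

# Explicitly allowed inter-segment flows as (source, destination, dst port).
# Everything not listed here is denied: default deny between segments.
ALLOWED_FLOWS = {
    ("web", "app", 8443),   # web tier calls the app tier's API
    ("app", "db", 5432),    # app tier talks to the database
}


def segment_of(ip: str):
    """Return the segment name an address belongs to, or None if unknown."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return None


def flow_allowed(src_ip: str, dst_ip: str, dst_port: int) -> bool:
    """Evaluate one flow against the segmentation policy."""
    src, dst = segment_of(src_ip), segment_of(dst_ip)
    if src is None or dst is None:
        return False                      # address outside any segment: deny
    if src == dst:
        return True                       # intra-segment traffic: left to VM firewalls
    return (src, dst, dst_port) in ALLOWED_FLOWS


def audit(flows):
    """Return the flows that violate the policy, for alerting or blocking."""
    return [f for f in flows if not flow_allowed(*f)]


# Constructed flow records, e.g. from VPC flow logs.
SAMPLE_FLOWS = [
    ("10.10.0.5", "10.20.0.7", 8443),   # web -> app: allowed
    ("10.10.0.5", "10.30.0.9", 5432),   # web -> db directly: denied
    ("10.20.0.7", "10.30.0.9", 5432),   # app -> db: allowed
    ("10.30.0.9", "10.10.0.5", 22),     # db -> web over SSH: denied
    ("192.0.2.44", "10.30.0.9", 5432),  # source outside every segment: denied
]

if __name__ == "__main__":
    for flow in audit(SAMPLE_FLOWS):
        print("policy violation:", flow)
```

Running the audit over a day of flow logs gives a quick picture of which cross-segment paths exist that the policy never intended, which is the visibility the segmentation is meant to provide.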

SSL

Secure Sockets Layer (SSL) certificates provide the encryption barrier that enterprises with private cloud infrastructure need to protect communication between browsers and servers. Transport Layer Security (TLS), which provides application-to-application security, is mentioned in the same breath as SSL. Both are vital for private cloud application security.

Identity and Access Management

One of the largest challenges for enterprises can be extending identity and access management (IAM) across their entire IT landscape. For some companies, private cloud presents an even greater challenge, since access to external applications still needs governance, access protocols, and flexible permissions, without sacrificing security, of course.

Juniper Research has published findings that highlight the four key elements of IAM. IAM solutions that combat breaches of private cloud applications should include:

  • Authentication - Answers the question ‘Who are you?’ prior to granting access to applications, usually following the 'something you know, have, and are' principle.
  • Authorization - Once the IAM system identifies the user, it tests whether the user has access to a particular application, and which parts of the application they have access to.
  • User Management - This is the administrative side of the IAM solution and covers management of usernames, passwords, provisioning groups, and identity and access updates. Of note is user lifecycle management, which runs from initial access through to decommissioning of a user account.
  • Central User Repository - This aspect of IAM aggregates access data and protocols for each application. Lightweight directory access protocol (LDAP) remains a pillar of central user repositories.
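
The four elements above, shown together in a small added example (not code from the article or from Juniper Research): authentication checks a password hash plus a second factor, authorization maps groups to the parts of an application they may use, user management provisions and decommissions accounts, and a dictionary stands in for the central user repository that would normally be LDAP. All account names, passwords, applications and permissions are constructed.

```python
import hashlib
import hmac
import os
from typing import Optional

# Central user repository: a dict standing in for LDAP (constructed example).
USERS: dict = {}

# Authorization policy: group -> application -> parts of that application
# the group may use. Hypothetical names.
GROUP_PERMISSIONS = {
    "finance":   {"ledger": {"read", "export"}},
    "iam-admin": {"ledger": {"read", "export", "delete"},
                  "iam-console": {"read", "write"}},
}

ITERATIONS = 200_000


def hash_password(password: str, salt: Optional[bytes] = None):
    """PBKDF2-HMAC-SHA256; returns (salt, digest)."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def create_user(username: str, password: str, groups, mfa_enrolled: bool) -> None:
    """User management: provision an account into the repository."""
    salt, digest = hash_password(password)
    USERS[username] = {"salt": salt, "digest": digest, "groups": list(groups),
                       "mfa_enrolled": mfa_enrolled, "active": True}


def deprovision_user(username: str) -> None:
    """User management: end of lifecycle. The record stays, logins stop."""
    USERS[username]["active"] = False


def authenticate(username: str, password: str, second_factor_ok: bool) -> bool:
    """'Who are you?': something you know (password) and something you have.
    second_factor_ok is the result of verifying a TOTP or hardware token,
    which happens elsewhere; this function only combines the checks."""
    user = USERS.get(username)
    if user is None or not user["active"]:
        hash_password(password, b"\x00" * 16)   # same cost for unknown users
        return False
    _, digest = hash_password(password, user["salt"])
    if not hmac.compare_digest(digest, user["digest"]):
        return False
    # Policy choice for this example: every account must be MFA-enrolled and
    # must present the second factor; a password alone never admits anyone.
    return user["mfa_enrolled"] and second_factor_ok


def authorize(username: str, application: str, part: str) -> bool:
    """Once identified, which parts of which application may the user use?"""
    user = USERS.get(username)
    if user is None or not user["active"]:
        return False
    return any(part in GROUP_PERMISSIONS.get(g, {}).get(application, set())
               for g in user["groups"])


# Constructed accounts for the example.
create_user("alice", "correct horse battery staple", ["finance"], mfa_enrolled=True)
create_user("bob", "bob-old-passphrase-2024", ["iam-admin"], mfa_enrolled=True)
deprovision_user("bob")   # bob has left the company

if __name__ == "__main__":
    print(authenticate("alice", "correct horse battery staple", True),
          authorize("alice", "ledger", "export"),
          authorize("alice", "ledger", "delete"))
```

The point of keeping authorization separate from authentication is that a deprovisioned account fails both checks: the lifecycle step in user management is what makes the other three elements trustworthy.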

Anti-malware

Hackers continue to develop more sophisticated malware platforms, which usually target network clients, including email. An emerging strain of malware called Cuttlefish now specifically targets private cloud networks by attacking edge networks’ private IP addresses.

Cuttlefish takes a ‘no click’ approach and gathers user data from within a network’s edge. Similar malware platforms include HiatusRat, Storm-558, and Midnight Blizzard. No matter the name of the malware, enterprises that take the following steps make private-cloud-specific malware less effective, according to Black Lotus Labs, the research team that discovered Cuttlefish:

  • Monitor weak credentials (such as factory default passwords for network systems) and anomalies in login attempt patterns.
  • Integrate monitoring of residential IP addresses, since private-cloud-specific malware is bypassing geofencing and ASN protections.
  • Continue to use TLS/SSL protocols to encrypt network operations.
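
The first two monitoring steps above, as an added example that is not code from the article or from Black Lotus Labs: a small analyzer runs over constructed SSH login lines from an edge router and flags successful logins to factory-default account names, bursts of failed attempts from one source, and successful logins from outside the address ranges where management traffic is expected (standing in for the residential-address monitoring). The log format, account list, thresholds and address ranges are all assumptions.

```python
import ipaddress
import re
from collections import Counter

# Constructed syslog-style lines from an edge router's SSH daemon; not real
# device output. Addresses use documentation ranges and private placeholders.
LOG_LINES = [
    "2024-05-01T08:00:01Z edge-rtr-1 sshd: Accepted password for ops-jane from 10.10.5.20",
    "2024-05-01T08:00:12Z edge-rtr-1 sshd: Failed password for admin from 203.0.113.9",
    "2024-05-01T08:00:13Z edge-rtr-1 sshd: Failed password for admin from 203.0.113.9",
    "2024-05-01T08:00:14Z edge-rtr-1 sshd: Failed password for admin from 203.0.113.9",
    "2024-05-01T08:00:15Z edge-rtr-1 sshd: Accepted password for admin from 203.0.113.9",
    "2024-05-01T08:01:00Z edge-rtr-1 sshd: Failed password for ops-jane from 10.10.5.20",
]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd: (?P<result>Accepted|Failed) password "
    r"for (?P<user>\S+) from (?P<ip>\S+)$"
)

# Account names that commonly ship with factory default passwords (hypothetical list).
DEFAULT_ACCOUNTS = {"admin", "root", "guest"}
# Ranges from which management logins are expected; anything else is unusual.
MANAGEMENT_RANGES = [ipaddress.ip_network("10.10.0.0/16")]   # constructed
FAIL_THRESHOLD = 3   # failures from one source before it counts as a burst


def parse(line: str):
    """Parse one log line into a dict, or None if it is not a login event."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def analyze(lines):
    """Return (finding_type, detail, host) tuples worth alerting on."""
    findings = []
    failures = Counter()
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        key = (ev["host"], ev["ip"])
        if ev["result"] == "Failed":
            failures[key] += 1
            if failures[key] == FAIL_THRESHOLD:        # alert once per burst
                findings.append(("failed_login_burst", ev["ip"], ev["host"]))
            continue
        # Successful login: check both the account and where it came from.
        if ev["user"] in DEFAULT_ACCOUNTS:
            findings.append(("default_account_login", ev["user"], ev["host"]))
        src = ipaddress.ip_address(ev["ip"])
        if not any(src in net for net in MANAGEMENT_RANGES):
            findings.append(("login_from_unexpected_range", ev["ip"], ev["host"]))
    return findings


if __name__ == "__main__":
    for finding in analyze(LOG_LINES):
        print(*finding)
```

In the constructed sample the three failures followed by a successful `admin` login from an address outside the management range produce three findings, while the single failure from the operator's workstation stays below the threshold and produces none.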

Encryption of data passing between cloud services and private networks should be an area of focus for diligent IT security leaders, according to the Black Lotus research analysts.

Backup strategy

We know the stakes are high for data backup. Ransomware attacks are thwarted when companies have a strong disaster recovery posture. This includes:

  • Classifying data: For leading enterprises, the delicate balance between cost and security starts with categorizing data based on its frequency of access, its importance to business operations, and how exposed it is to data governance regulations.
  • Choosing backup types and frequency:
    • Full - Full backups make a copy of all data. They’re time-consuming, expensive, and usually only done once to serve as a reference point for future backups.
    • Incremental - Incremental backups match well with dynamic data.
    • Synthetic - These provide quick access to large amounts of data (think large language models for AI applications).
    • Differential - As the name suggests, differential backups fill the gap between what’s already backed up and what hasn’t been stored away yet.
  • Selecting which data goes where: Will all of your data be held off-site, on-prem, or in the cloud? Some enterprises opt for all three depending on the type of data they’re backing up. Hybrid cloud adds another layer of data management and security, though, that bears watching for the budget-conscious enterprise.
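
To show how the four backup types relate to one another, here is an added example that is not code from the article: a toy file set is a dict of path to content, and the functions capture a full backup, incremental backups (changes since the previous backup of any type), a differential backup (changes since the last full) and a synthetic full built by merging the chain without rereading the source. The file names, contents and the simplification that deletions are not tracked are all assumptions of the example.

```python
from copy import deepcopy

# Constructed example: a "file system" is a dict of path -> content and a
# backup is a dict carrying its type and the data it captured. Deletions
# are not tracked, to keep the example short.


def full_backup(files):
    """Full: copy everything; the reference point for later backups."""
    return {"type": "full", "data": deepcopy(files)}


def _changed_since(files, baseline):
    """Files whose content differs from (or is absent in) the baseline."""
    return {p: c for p, c in files.items() if baseline.get(p) != c}


def restore(chain):
    """Rebuild the file set from an ordered chain of backups."""
    last_full, state = {}, {}
    for b in chain:
        if b["type"] in ("full", "synthetic"):
            last_full = dict(b["data"])
            state = dict(last_full)
        elif b["type"] == "incremental":
            state.update(b["data"])        # each incremental applied in turn
        elif b["type"] == "differential":
            state = dict(last_full)        # a differential supersedes earlier ones
            state.update(b["data"])
    return state


def incremental_backup(files, chain):
    """Incremental: only what changed since the previous backup of any type."""
    return {"type": "incremental", "data": _changed_since(files, restore(chain))}


def differential_backup(files, chain):
    """Differential: everything changed since the last full (or synthetic full)."""
    last_full = next(b for b in reversed(chain) if b["type"] in ("full", "synthetic"))
    return {"type": "differential", "data": _changed_since(files, last_full["data"])}


def synthetic_full(chain):
    """Synthetic full: merge the last full and later backups into a new full
    without rereading the source, so a restore needs a single backup."""
    return {"type": "synthetic", "data": restore(chain)}


# Constructed history: three days of changes to a small data set.
DAY1 = {"ledger.db": "v1", "config.yml": "v1", "model.bin": "v1"}
DAY2 = {"ledger.db": "v2", "config.yml": "v1", "model.bin": "v1"}
DAY3 = {"ledger.db": "v2", "config.yml": "v2", "model.bin": "v1"}


def run_example():
    """Build a chain over the three days and compare the restore paths."""
    chain = [full_backup(DAY1)]
    chain.append(incremental_backup(DAY2, chain))    # captures ledger.db only
    chain.append(incremental_backup(DAY3, chain))    # captures config.yml only
    diff = differential_backup(DAY3, chain)           # captures both changed files
    synth = synthetic_full(chain)
    return {
        "incremental_sizes": [len(b["data"]) for b in chain[1:]],
        "differential_size": len(diff["data"]),
        "restored_from_chain": restore(chain),
        "restored_from_synthetic": restore([synth]),
        "restored_full_plus_diff": restore([chain[0], diff]),
    }


if __name__ == "__main__":
    for name, value in run_example().items():
        print(name, value)
```

The trade-off the code makes visible: incrementals are the smallest to take but a restore must replay every one of them in order, a differential is larger but restores from two pieces, and a synthetic full costs merge time up front in exchange for a one-piece restore.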

Private cloud backup strategies also integrate testing, monitoring, and documentation of the backup process.

Key Takeaways

The right private cloud security starts with the right cloud architecture, according to Bues, adding that enterprises must make security a primary part of cloud infrastructure planning.

"This [cloud infrastructure planning] involves understanding the shared responsibility model, ensuring compliance, implementing advanced security measures, and fostering a culture of security awareness," Bues said.

On the horizon, industry experts see growth in Zero Trust Network Architecture (ZTNA), where every access request gets scrutinized, and in AI-based data management systems that take the load off personnel when categorizing massive amounts of data.

Lisa Sparks

Lisa D Sparks is an experienced editor and marketing professional with a background in journalism, content marketing, strategic development, project management, and process automation. She writes about semiconductors, data centers, and digital infrastructure for tech publications and is also the founder and editor of Digital Infrastructure News and Trends (DINT), a weekday newsletter at the intersection of tech, race, and gender.