You did what! You put your jewels in cloud with no firewall?
An observation (read rant) by Mark Oakton, Security Director of Infosec Partners Group.
Placing your jewels in an an Azure (or AWS or Google) environment without your own firewall? I don’t get it. I really, really really don’t get it! We have all been around for years and gone through the transition from old school, basic packet filtering and layer 3 firewalls being the only protection for critical networks in the 80’s that were pretty much port block or allow function. We have then seen all (read most) enterprises add layers of protection and using next generation unified threat management firewalls with multiple DMZ’s and security zones, providing modern protection using all 7 layers, intrusion prevention, web application control, breach detection, isolation and deception technologies and advanced analytics and correlation to identify advanced in every detail of the traffic. These same organisations have enforced mandatory protection for remote access to systems, allowing access only once users have been through multi factor authentication and a remote access or privileged access portal
Now, what I really, really, really don’t get is that if we know all of that, then why the f*** are people moving their sensitive systems and data into Microsoft Azure without protecting the environment with a firewall? And then allowing direct remote access to all servers using only RDP over the Internet for ‘administration’ (read takeover)?
It’s fine, it’s Microsoft. Really?
Do any of us really believe that just because Azure is by Microsoft, just because they are big and clever, that they will protect us, that the protection built into the cloud is enough? The cloud is effectively a single tier, flat network fronted by a router, with port forwarding configured to allow inbound traffic on specific ports to hosted servers. RDP is permitted by default to allow simple administration and initial setup – this is the day one state to allow connection to new servers, it is not supposed to be left like that yet we find this setting nearly every time we perform an Azure Penetration Test. By default, all outbound traffic is allowed unfiltered – would anyone dream of implementing this structure in a physical platform? I think not.
So why don’t we all do Microsoft a favour and buy Azure a firewall for Christmas. Leading firewalls work natively in Azure and provide the same level of protection they do in the on premise platforms, so why are they not used by everyone, as I said, I just don’t get it. Cloud is great, but it’s different, that doesn’t mean you can use the “It’s new and I don’t understand it” line as a reason to not do the right thing. Cloud security is excellent and it’s easy, and it can be in and working to protect you in less than 3 hours.
Infosec Partners can help
The cloud offers flexibility, scalability and economies of scale, but as more data moves from centrally located server storage to the cloud, the potential for personal and private data to be compromised increases. When handing over data to a cloud provider, organisations need to ensure that their data stays private and secure. No matter which cloud platform you are using, whether it is Microsoft Azure, Amazon Web Services or others, there is always the potential for threats within the cloud environment. Software as a service (SaaS), Platform as a service (PaaS) or Infrastructure as a service (IaaS) will each have their own security concerns that need to be addressed.
Infosec Partners are trusted by significant organisations to optimise defences and protect their assets against cyber attacks located in the cloud, on-premise or in hybrid environments. Whether delivering a range of fully managed security services, independently testing your cyber readiness or providing crisis management and responding to incidents, Infosec Partners are proven partners of excellence and full-spectrum security experts that puts your security first.
Contact us today for more information and for your free consultation, by completing the adjacent form or call us to speak with one of our trusted advisors immediately: