Once you've determined how to run your application and provide the network and infrastructure services that it needs, you must determine how to make it secure. In the early phases of the cloud, many people simply ran virtual machines on the public Internet and weren't careful about firewall rules. That very poor security practice can lead to machines being taken over by hackers. You need to be aware of some important security concepts and take additional steps to protect your cloud resources. One of the fundamental security resources in IaaS cloud computing is the virtual local area network (VLAN). Here are some best practices for security on the cloud:
- Run your virtual machines in a virtual local area network. Much like having your own data center, this setup prevents other people on the Internet from accessing your virtual machines. You'll need to set up a firewall or virtual private network (VPN) server to connect to the VLAN. Putting your virtual machines on a VLAN and accessing them through a VPN is similar to accessing your company's network via your laptop at home via a VPN. In fact, site-to-site VPNs are used in traditional computing to connect enterprise networks in remote locations over the Internet. In this way, cloud computing has become more like traditional computing.
- Be aware of the firewall rules. Open only the ports you need. Consider tunneling all traffic for ports that won't be accessed by end users. Typically, this rule means closing all ports except SSH (22), HTTP (80), and HTTPS (443). All system administrative and other utilities should be accessed by tunneling over SSH or a VPN. Use iptables on Red Hat Enterprise Linux and YaST on SUSE to manage the firewall.
- Operate SSH securely. For remote access, use SSH certificates, not username and password, as passwords can be cracked with dictionary tools. Disable direct remote access to root. Always log in as an end user and then use sudo to run as root when needed. These are the defaults for the virtual machine images on SmartCloud Enterprise, and they shouldn't be changed.
- Harden all web applications to application-level network attacks. This list includes injection attacks, cross-site scripting, and cross-site resource forgery. This can be a substantial task, but if your web applications are exposed on the Internet, this protection is essential. Use a tool such as IBM's Rational AppScan to check that you have adequate protection. Consider restricting access to your application to a VLAN until you've completed this step.