Security principles for cloud architectures

The use of external providers to augment or replace internally provided services is rapidly becoming the norm. The value proposition ranges from cost savings from a reduced physical footprint in local data centers to simpler deployment strategies that take advantage of the flexibility to rapidly provision services. The way security is built into these new paradigms has to change as well, so that it helps deliver that value without taking on excessive risk.
At the highest level, the responsibilities of an information security organization can be boiled down to the prevention of, detection of, and response to activities that are counter to established information protection policies and requirements. These responsibilities of prevention, detection and response correspond to the sequential stages of the cyber attack life cycle (often referred to as the cyber kill chain). The level of effort, and where it is applied across these three high-level capabilities, is based on an understanding of the threats the organization faces and the risk associated with those threats, balanced against the operational needs of the organization.
In HUIT Security, we have focused more, though not exclusively, on the detection and response aspects of this life cycle. This has been due to the wide range of operational needs of the community and the limitations on controls that can be broadly enforced across the community. However, for high-risk data (e.g. SSNs and other data with substantial regulatory controls), policy dictates, and HUIT supports, controls that fall within the prevention category as well.
Capability: Prevent (P)
  Required: for high-risk data
  Related technical capabilities: Network and application firewalls, configuration management, intrusion prevention, antimalware, vulnerability scanning, application whitelisting

Capability: Detect (D)
  Required: for all data, including high-risk data
  Related technical capabilities: Intelligence analysis, centralized system and network logging, intrusion detection, change detection, system analysis and interrogation

Capability: Respond (R)
  Required: for all data, including high-risk data
  Related technical capabilities: Centralized system and network logging, forensic system analysis capabilities
Presented here is the current understanding of some of the specific technical capabilities that HUIT Security is expected to be able to deliver, regardless of where servers or services are located. The way these capabilities are realized will very likely need to change with the transition to cloud deployments, and the cost/benefit analysis of delivering some of them may need to be revisited. It should also be noted that how we achieve some of these capabilities today is incomplete or flawed; the transition to the cloud is an opportunity to improve those mechanisms.
Each capability below is listed with the principle behind it, the mechanism used to deliver it today, the value it provides, and the high-level capability (P, D, R) it supports.
Technical capability: Insight into network traffic accessing and being accessed by Harvard resources
  Principle: There must be a means for the identification of traffic flows into and out of cloud networks
  Current mechanism: SPAN ports from perimeter routers feeding into QRadar/Splunk
  Value proposition: Network traffic enables the identification of potentially compromised systems based on intelligence about malicious activity, and allows for the development of intelligence based on analyzing the traffic from compromised systems
  High level association: D, R

Technical capability: Insight into actions being performed on systems and services
  Principle: Systems and applications must use centralized logging services and log security-related activity
  Current mechanism: Centralized logging into Splunk
  Value proposition: Log data from systems enables the identification of compromised systems and allows for forensic analysis to determine the extent of compromise and data loss
  High level association: D, R

Technical capability: Ability to uniquely associate traffic observed on the network with a specific system
  Principle: Private (RFC1918) IP addresses assigned to cloud resources should not overlap
  Current mechanism: NOC controls internal routing
  Value proposition: Ability to associate observed traffic with a specific system enables the other capabilities on this list
  High level association: D, R

Technical capability: Ability to identify a business/technical owner responsible for a system
  Principle: A point of contact who can provide technical and business details must be identified for each system
  Current mechanism: Network registration process
  Value proposition: Ability to assess suspected compromised systems and to determine impact if the system is removed from the network
  High level association: R

Technical capability: Ability to control ingress and egress traffic from a system
  Principle: There must be a means to control traffic in a stateful fashion at least up to layer 4 in the network stack between any system and the Internet
  Current mechanism: Cisco/Fortinet firewalls in place at various points in the network; router ACLs at the perimeter
  Value proposition: Ability to limit traffic to and from systems to that which is required for the system's function; ability to restrict known malicious activity based on port, protocol, source and destination
  High level association: P

Technical capability: Ability to provide security protection and gain situational awareness through standard services
  Principle: Wherever feasible, HUIT-provided services (e.g. DNS) should be used
  Current mechanism: Various services (DNS, IAM, AD, Puppet, Chef, etc.)
  Value proposition: Ability to leverage intelligence to detect malicious activity; ability to provide protection based on intelligence; ability to enforce security controls
  High level association: P, D, R

Technical capability: Ability to provide additional layer 7 network security controls between systems
  Principle: As security needs and capabilities change, there should be a means to provide additional types of protection into the network where warranted
  Current mechanism: Various methods based on control of the network; some examples today include FireEye and TippingPoint IDS
  Value proposition: Ability to introduce services into the security stack as needed (e.g. WAF, IDS/IPS); ability to enforce security controls
  High level association: P, D, R

Technical capability: Separation of duties between application owners, system owners and security providers
  Principle: Limitation to the extent to which a single individual can undermine the security controls of a system
  Current mechanism: Ownership of network firewalls and ACLs is in the NOC, host-based firewalls and controls in the SOC, and application controls in the development group. Numerous system-level controls (authentication and authorization, hardening and patching, etc.) are also affected by this capability
  Value proposition: Ability to limit impact of loss of credentials/insider threat
  High level association: P (may impact D and R depending on the control)
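Several of the principles above (non-overlapping RFC1918 address space, a registered owner for every system, traffic limited to what a system requires, and attributing observed flows to a specific system so that intelligence can be applied) lend themselves to being checked in code. The following Python script is an added illustration and is not part of the HUIT document or its tooling. It assumes a constructed inventory of cloud networks (the names, CIDRs, contacts and required ports are invented), a few constructed flow records in a simplified "src dst src_port dst_port protocol action" form rather than any vendor's flow-log format, and an invented intelligence list of addresses. It first validates the inventory against the address-space and ownership principles, then attributes each flow to a system, which is only unambiguous when CIDRs do not overlap, and raises alerts against the responsible contact.

```python
"""Added example (not from the HUIT document): policy checks over a constructed
cloud network inventory and constructed flow records."""
import ipaddress
from dataclasses import dataclass

# RFC1918 private ranges; the principle is that cloud CIDRs come from these and never overlap.
RFC1918 = [ipaddress.ip_network(c) for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass
class CloudNetwork:
    name: str
    cidr: str
    owner_contact: str                 # registered point of contact (may be empty: a finding)
    required_ports: frozenset = frozenset()  # inbound ports the system actually needs

    @property
    def network(self):
        return ipaddress.ip_network(self.cidr, strict=True)


def validate_inventory(networks):
    """Return policy findings: non-RFC1918 space, missing owner, overlapping CIDRs."""
    findings = []
    for net in networks:
        n = net.network
        if not any(n.version == r.version and n.subnet_of(r) for r in RFC1918):
            findings.append(f"{net.name}: {net.cidr} is outside RFC1918 address space")
        if not net.owner_contact.strip():
            findings.append(f"{net.name}: no owner contact registered")
    for i, a in enumerate(networks):
        for b in networks[i + 1:]:
            if a.network.version == b.network.version and a.network.overlaps(b.network):
                findings.append(f"{a.name} ({a.cidr}) overlaps {b.name} ({b.cidr}); "
                                "traffic attribution is ambiguous")
    return findings


def attribute(ip, networks):
    """All inventory networks containing ip. Exactly one match means unique attribution."""
    addr = ipaddress.ip_address(ip)
    return [n for n in networks if addr in n.network]


def analyze_flows(flow_lines, networks, intel_addresses):
    """Turn flow records into (alert_type, owner_contact, detail) tuples."""
    intel = {ipaddress.ip_address(a) for a in intel_addresses}
    alerts = []
    for line in flow_lines:
        src, dst, _sport, dport, proto, action = line.split()
        # Decide which end is ours: try the source (egress) first, then the destination (ingress).
        for ours, peer, direction in ((src, dst, "egress"), (dst, src, "ingress")):
            matches = attribute(ours, networks)
            if matches:
                break
        else:
            alerts.append(("unattributed", None, line))
            continue
        if len(matches) > 1:   # overlapping CIDRs: the principle exists to prevent this case
            names = "/".join(n.name for n in matches)
            alerts.append(("ambiguous-attribution", None, f"{ours} falls in {names}: {line}"))
            continue
        net = matches[0]
        if ipaddress.ip_address(peer) in intel:
            alerts.append(("intel-match", net.owner_contact,
                           f"{net.name} {direction} traffic with {peer}"))
        if direction == "ingress" and action == "ACCEPT" and int(dport) not in net.required_ports:
            alerts.append(("unexpected-port", net.owner_contact,
                           f"{net.name} accepted {proto}/{dport} from {peer}"))
    return alerts


# Constructed inventory: lab-vpc overlaps web-vpc and has no owner; partner-vpc is not RFC1918.
INVENTORY = [
    CloudNetwork("web-vpc", "10.10.0.0/16", "web-team@example.edu", frozenset({443})),
    CloudNetwork("data-vpc", "10.20.0.0/16", "data-team@example.edu", frozenset({5432})),
    CloudNetwork("lab-vpc", "10.10.128.0/17", "", frozenset({22})),
    CloudNetwork("partner-vpc", "100.64.0.0/22", "partner@example.com", frozenset({443})),
]
# Constructed flow records (peer addresses drawn from documentation ranges).
FLOWS = [
    "10.10.1.5 203.0.113.7 51000 443 tcp ACCEPT",      # web-vpc egress, nothing notable
    "203.0.113.7 10.20.3.9 40000 5432 tcp ACCEPT",     # ingress to data-vpc on its required port
    "198.51.100.20 10.20.3.9 40001 22 tcp ACCEPT",     # ingress on a port data-vpc does not need
    "10.10.1.5 198.51.100.66 51001 8443 tcp ACCEPT",   # egress to an intelligence-listed address
    "10.10.200.5 203.0.113.7 51002 443 tcp ACCEPT",    # source lies in both web-vpc and lab-vpc
    "192.0.2.1 192.0.2.9 40002 53 udp ACCEPT",         # neither end is in the inventory
    "192.0.2.1 10.20.3.9 40003 5432 tcp REJECT",       # rejected ingress, already controlled
]
INTEL = ["198.51.100.66"]   # constructed intelligence list

if __name__ == "__main__":
    for f in validate_inventory(INVENTORY):
        print("FINDING:", f)
    for kind, owner, detail in analyze_flows(FLOWS, INVENTORY, INTEL):
        print(f"ALERT [{kind}] owner={owner}: {detail}")
```

The overlap finding and the ambiguous-attribution alert come from the same inventory defect, which is the point the table makes: once private address space overlaps, a flow seen on the network can no longer be tied to one system and one owner, and the detection and response capabilities that depend on that association degrade with it.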