The Benefits of a Cloud Security Network Architecture Review

Introduction

As cloud computing and networks increase in size and complexity, it is important to consider the design of these cloud networks and architectures. While many of these networks are designed with scale and usability in mind to ensure maximum efficiency, security has not been a priority for many of these networks. This blog post emphasizes the value of a cloud security architecture review for clients and security teams.


Cloud Architecture Example

The following diagram shows a sample Amazon Web Services (AWS) architecture designed for a large enterprise. The components shown in the diagram are typically found in an AWS network, and similar components may be present in other popular cloud platforms such as Microsoft Azure and Google Cloud Platform.


Figure 1: AWS Architecture (Source: Wondershare Edraw Max)


Below, we provide some guidelines to keep in mind for gaining stakeholder buy-in to conduct a security architecture review, in addition to performing the review.


Benefits of a Cloud Network Security Architecture Review


  1. Organizational awareness of the complexity of cloud architecture
  2. Identification of weak network security groups (NSG) and access control lists (ACL), as well as other security loopholes that attackers can leverage to breach networks
  3. Fine-tuned architecture to incorporate more resilient and less redundant components to ensure failover and secure architecture
  4. Compliance with various regulations that the company must adhere to
  5. Optimized architecture for better performance and security and lower costs
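Benefit 2 above, identifying weak network security groups and ACLs, is the most mechanical part of a review, and it helps to see what "weak" means in concrete terms. The following is an added example (not code from the original post or from Optiv): a small Python checker over rules whose shape loosely follows the IpPermissions structure returned by the AWS EC2 DescribeSecurityGroups API. The three groups, their IDs and the list of administrative ports are constructed sample data and assumptions, not a real account.

```python
"""Flag overly permissive ingress rules in security-group style data.

Added example, not from the original post. The input shape loosely follows
the IpPermissions structure of the AWS DescribeSecurityGroups API; the groups
below are constructed sample data, not a real environment.
"""
from ipaddress import ip_network

# Ports a review treats as administrative or data-tier (assumed list).
ADMIN_PORTS = {22: "SSH", 3389: "RDP", 3306: "MySQL", 5432: "PostgreSQL", 1433: "MSSQL"}

# Constructed sample: a public web tier (fine), a bastion exposing SSH to the
# world, and a legacy group that allows every protocol from anywhere.
SAMPLE_GROUPS = [
    {
        "GroupId": "sg-0aaa111",  # constructed id
        "GroupName": "web-tier",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        ],
    },
    {
        "GroupId": "sg-0bbb222",  # constructed id
        "GroupName": "bastion",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        ],
    },
    {
        "GroupId": "sg-0ccc333",  # constructed id
        "GroupName": "legacy-default",
        "IpPermissions": [
            {"IpProtocol": "-1",  # "-1" means all protocols and all ports
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
             "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
            {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
             "IpRanges": [{"CidrIp": "10.20.0.0/16"}], "Ipv6Ranges": []},
        ],
    },
]


def _is_world(cidr):
    """True when the CIDR covers every address (0.0.0.0/0 or ::/0)."""
    return ip_network(cidr, strict=False).prefixlen == 0


def _ports(perm):
    """Return the (from, to) port range; protocol "-1" covers every port."""
    if perm.get("IpProtocol") == "-1":
        return 0, 65535
    return perm["FromPort"], perm["ToPort"]


def review_ingress(groups):
    """Return findings as (group_id, severity, message) tuples.

    Only rules reachable from the whole internet are reported; a single
    non-administrative port (e.g. 443 on a web tier) is treated as normal.
    """
    findings = []
    for g in groups:
        for perm in g.get("IpPermissions", []):
            sources = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            sources += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            if not any(_is_world(s) for s in sources):
                continue  # internal source range: not in scope for this check
            if perm.get("IpProtocol") == "-1":
                findings.append((g["GroupId"], "high",
                                 "all protocols and ports open to the world"))
                continue
            lo, hi = _ports(perm)
            exposed = [f"{p}/{n}" for p, n in ADMIN_PORTS.items() if lo <= p <= hi]
            if exposed:
                findings.append((g["GroupId"], "high",
                                 "administrative ports open to the world: " + ", ".join(exposed)))
            elif hi > lo:
                findings.append((g["GroupId"], "medium",
                                 f"port range {lo}-{hi} open to the world"))
    return findings


if __name__ == "__main__":
    for group_id, severity, message in review_ingress(SAMPLE_GROUPS):
        print(f"{severity.upper():6} {group_id}: {message}")
```

Run stand-alone, the script reports the bastion (SSH from anywhere) and the legacy group (everything from anywhere) and stays silent on the web tier. The same structure extends to Azure NSG rules or GCP firewall rules once the source ranges and port fields are mapped; the decision logic (world-reachable source, protocol wildcard, administrative port, wide port range) is what a review applies regardless of platform.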


How to Perform a Cloud Network Security Architecture Review


Figure 2: Process Diagram


What Cloud Network Security Architecture Reviews Help Solve

Below are some common problems that organizations face, with explanations for how a cloud security architecture review can help.


Organizations often neglect to review the system design process and fail to ensure the overall security, scalability, performance and cost-efficiency for their cloud platforms. The architecture review not only focuses on improving the security of the overall network, but also on enhancing the scalability and reducing the overall operating costs of the cloud environment.


→ Technology Rationalization - Organizations sometimes do not have a clear goal for the development or operation of a cloud environment. For instance, User Acceptance Testing (UAT) environments may be identical to pre-production environments. Hence, it costs more to maintain two environments to achieve the same functions. Cloud architecture reviews can help consolidate the environments and reduce the overall operating cost of the application and network development process.


→ High-Availability Environment Transitions - Certain organizations heavily rely on the high availability of the environment. Cloud networks, for the purpose of resiliency, will have a primary zone and a secondary zone that acts as a failover network. The secondary network is configured identically to the primary network. In case the primary network goes down, the secondary network will be brought online or failover will be conducted. This is to improve business continuity and disaster recovery (BCDR). However, if the sync process of such an environment breaks, then a technician might only initiate a fix when the primary environment goes down. Attackers usually seek out high-availability environments as prime attack surfaces for gaining initial access to vulnerable systems. The cloud architecture review can make sure the sync process is clear and consistent, so that it is a simple process to switch environments at any time in the case of an attack or network outage. Optiv’s architecture review team can also tackle the passive environment and scale it up to the point where it can be ready to act as a primary environment in the event of a quick transition.


→ On-Premises vs. Cloud Architecture Migration – Migration from on-prem to cloud environments usually involves configuration changes, which can leave the overall environment vulnerable. The architecture review can help organizations review the cloud configurations to ensure that default values are not carried over to the new cloud environment. The review might also include suggestions for hardening the on-prem environment based on the existing setup. The architecture review is a core component of security, scalability and cost-performance for both on-prem and cloud environments.


→ Secure Automation - Certain ad-hoc deployments need a specialized, containerized environment that does not create flaws during the automation process. For instance, a developer might deploy a specialized Docker container to run a segment of the code library, which they can treat as a micro-service for the main application. The architecture review process can ensure that these automated components are always deployed with specific security standards and meet the security baseline policy of the organization.


→ Monitoring for Unauthorized Changes – Organizations – specifically the security operations center (SOC) – may struggle with a lack of auditing within their cloud environment. This can result in high costs, low performance and a lack of controls and accountability. The architecture review reduces the overall SOC cost and streamlines the process of handling the cloud environment to produce the maximum results.
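The auditing gap described above is usually closed by attributing every network-affecting change to an approved change path and flagging the rest. The following is an added example (not code from the original post or from Optiv): a Python check over constructed audit events whose fields mimic the shape of AWS CloudTrail records (eventName, eventTime, userIdentity.arn, requestParameters). The approved pipeline role ARN, the maintenance window, the account number and every event are assumptions and constructed sample data.

```python
"""Flag network-configuration changes made outside the approved change path.

Added example, not from the original post. Events mimic the shape of AWS
CloudTrail records but are constructed sample data; the approved automation
principal and the maintenance window are assumed policy values.
"""
from datetime import datetime, time, timezone

# API calls that alter network exposure. A review expects each of these to be
# traceable to a change record rather than an ad-hoc console action.
NETWORK_CHANGE_EVENTS = {
    "AuthorizeSecurityGroupIngress", "RevokeSecurityGroupIngress",
    "AuthorizeSecurityGroupEgress", "RevokeSecurityGroupEgress",
    "CreateNetworkAclEntry", "DeleteNetworkAclEntry", "ReplaceNetworkAclEntry",
    "CreateRoute", "DeleteRoute", "ReplaceRoute",
}

# Assumed change-management policy: changes arrive through the IaC pipeline
# role, or from people only inside a nightly maintenance window.
APPROVED_AUTOMATION = {
    "arn:aws:sts::123456789012:assumed-role/iac-pipeline/deploy",  # constructed
}
MAINTENANCE_WINDOW = (time(2, 0), time(4, 0))  # 02:00-04:00 UTC, assumed

# Constructed sample events: a pipeline change, a daytime console change by a
# user, a read-only call, and an in-window change by another user.
SAMPLE_EVENTS = [
    {"eventTime": "2024-03-02T02:15:00Z", "eventName": "AuthorizeSecurityGroupIngress",
     "userIdentity": {"arn": "arn:aws:sts::123456789012:assumed-role/iac-pipeline/deploy"},
     "requestParameters": {"groupId": "sg-0aaa111"}},
    {"eventTime": "2024-03-02T14:40:00Z", "eventName": "AuthorizeSecurityGroupIngress",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"},
     "requestParameters": {"groupId": "sg-0bbb222"}},
    {"eventTime": "2024-03-02T14:41:00Z", "eventName": "DescribeSecurityGroups",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"},
     "requestParameters": {}},
    {"eventTime": "2024-03-03T03:10:00Z", "eventName": "CreateNetworkAclEntry",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/bob"},
     "requestParameters": {"networkAclId": "acl-0ccc333"}},
]


def in_window(event_time, window=MAINTENANCE_WINDOW):
    """True when the ISO-8601 UTC timestamp falls inside the maintenance window."""
    ts = datetime.strptime(event_time, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return window[0] <= ts.time() < window[1]


def flag_unapproved_changes(events):
    """Return (eventTime, eventName, principal, target) for changes outside policy."""
    flagged = []
    for ev in events:
        if ev.get("eventName") not in NETWORK_CHANGE_EVENTS:
            continue  # read-only calls such as Describe* are not changes
        principal = ev.get("userIdentity", {}).get("arn", "<unknown>")
        if principal in APPROVED_AUTOMATION:
            continue  # came through the pipeline, which carries its own change record
        if in_window(ev["eventTime"]):
            continue  # human change inside the agreed window
        params = ev.get("requestParameters") or {}
        target = params.get("groupId") or params.get("networkAclId") \
            or params.get("routeTableId") or "<unspecified>"
        flagged.append((ev["eventTime"], ev["eventName"], principal, target))
    return flagged


if __name__ == "__main__":
    for when, name, who, target in flag_unapproved_changes(SAMPLE_EVENTS):
        print(f"{when} {name} on {target} by {who}: no approved change path")
```

Run on the sample, only the daytime console change to sg-0bbb222 is reported; the pipeline change and the in-window change pass, and the Describe call is ignored. In practice the flagged list feeds a ticket or an alert, which is the accountability the SOC is missing when changes are not audited.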


→ Architecture Documentation Management – A lack of documentation within a cloud environment is a primary concern for organizations. Small yet significant changes are not always documented in the process of change management. This gap impacts the environment and the changelog. The architecture review will ensure that the documentation and processes are up-to-date.


Compliance Frameworks

Companies can aim to be compliant with the following cloud compliance frameworks:


  • FedRAMP: Designed specifically for businesses that use the federal government’s cloud environment.
  • Sarbanes-Oxley: Publicly traded companies rely on SOX guidelines to safeguard their customers against fraud and casualties.
  • NIST SP 500-291 (2011): Identifies gaps in your cloud security framework.
  • NIST SP 500-293 (2014): Offers a secured cloud infrastructure framework for government agencies.
  • NIST SP 800-53 Rev. 5 (2020): Implements security and privacy controls for information systems and organizations.
  • NIST SP 800-210 (2020): Provides cloud security and access controls for PaaS and IaaS infrastructure.
  • ISO/IEC 27001 (2013): Serves as a framework for developing IT security systems for a cloud environment. These standards are also applied in cloud security audits.
  • ISO/IEC 27002 (2013): Outlines best practices for implementing ISO 27001 security standards.
  • ISO/IEC Technical Report 22678 (2019): Provides cloud security policy guidelines.


Companies can also refer to and implement the following Well-Architected frameworks when building cloud architectures.


  • AWS Well-Architected Framework: Helps you to build applications and workloads for the cloud infrastructure. With the help of an AWS cloud security audit, you can assess the cloud architecture based on parameters like reliability, performance, cost optimization, operational excellence and security.
  • Google Cloud Well-Architected Framework: Helps you to construct cloud architecture with the help of Google Cloud offerings and the GCP cloud security assessment checklist.
  • Microsoft Azure Well-Architected Framework: The Azure architecture allows you to maximize workloads, safeguard data, and enable recovery during failures.


Conclusion

This blog aimed to show how to perform a cloud network security architecture review and demonstrate the benefits that a company can see in their cloud infrastructure. Please reach out to us at Optiv for any questions about conducting a cloud security architecture review.

Vandankumar Pathak
Senior Application Security Consultant | Optiv
Vandankumar Pathak is a Senior Application Security Consultant in Optiv’s Threat Management community. Pathak’s role is to deliver a variety of service offerings, including web application assessments, mobile application assessments, Static and Dynamic Code Analysis, and thick client assessments. Over the past few years, Pathak’s passion for information security and hacking has motivated his participation in penetration testing projects.
Subramanya S.
Principal Consultant | Optiv
Subramanya is a senior consultant on the Application Security Team in Optiv’s Management Practice. He specializes in application security.
