How to Connect Securely to Cloud Providers

January 21st, 2017 - AussieBB

One of the best reasons for a business to move to a cloud infrastructure is to take advantage of advanced security measures without the increased cost of managing your own cybersecurity teams. However, it’s essential for business owners to remember that cloud services provided by companies like Amazon (AWS), Microsoft (Azure) and Google (Cloud Platform) are only as secure as the people and companies using them.

Creating a safe connection is essential for the protection of your data, so here are some handy tips to ensure you remain securely connected to your cloud providers.

Using a VPN for secure connections

VPNs are one of the most common methods for establishing secure connections. However, there are different types of Virtual Private Networks, and using one isn’t a guaranteed safety net for securely connecting to your cloud provider.

Let’s have a look at the main types.

Network-to-network VPN

Network-to-network is the oldest type of VPN and comes with a number of security issues, partly due to the number of hosts involved. If your cloud provider uses this type of VPN, you may wish to question the confidence they have in their security.

Single-host-to-server VPN

Much like network-to-network, this is a Layer 3 VPN that is also open to security issues. The encrypted tunnel runs from a single client to a host and carries multiple services, which is why it is not recommended.

Service-to-host VPN

The best-practice virtual private network for accessing cloud services is the SSH or SSL model. This is because under an SSH VPN the cloud provider can monitor each individual session and insert security controls as needed. Also, the access area is much smaller than with the other two types of VPN, reducing the security footprint and the associated risk.

Maintaining enterprise awareness

Companies that allow cloud access from approved devices distributed to their staff have greater control over their cloud security. Your company’s IT department can create a baseline set of standards and procedures, including:

  • Password requirement on boot and lock
  • Up-to-date anti-malware security software
  • Encryption (either on the disk or at file level)
  • Approved WiFi networks only
  • SSL or IPsec Virtual Private Network support

What is IPsec?

IPsec is an end-to-end security scheme at the internet layer. Other security systems like TLS (Transport Layer Security) and SSH (Secure Shell, Application Layer) reside at lower levels of the OSI 7 Layer scheme, making IPsec the only scheme to protect all application layer traffic over an IP network. For this reason, IPsec is important for secure cloud connections.

Connecting securely: Microsoft Azure Expressroute and SKUs

Network engineers and architects looking to implement secure cloud connections to MS Azure need to understand VNG.

Virtual Network Gateway (VNG) is the method by which traffic is transported between virtual networks and on-premises locations.

To deploy and configure the VNG you’ll first need a gateway subnet for the VNet called GatewaySubnet. There are 3 Azure SKUs that can be used via VNG, allowing for IPsec tunnels that maximise cloud security. They are:

  • Basic: 100 Mbps throughput (VPN) or 500 Mbps throughput (ExpressRoute). No coexistence, so it is suitable only for non-IPsec ExpressRoute or an internet-connected VPN circuit to Azure; up to 10 IPsec tunnels are supported.
  • Standard: 100 Mbps throughput (VPN) or 1000 Mbps throughput (ExpressRoute). Allows coexistence of two connections, and up to 10 IPsec tunnels.
  • High Performance: 200 Mbps throughput (VPN) or 2000 Mbps throughput (ExpressRoute). Allows coexistence, and up to 30 IPsec tunnels.
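As an added example (not from the original post), the deployment described above in the AzureRM PowerShell cmdlets of the period: create the mandatory GatewaySubnet, pick one of the three SKUs, and terminate a single IPsec tunnel from an on-premises device. Resource group, region, names, address ranges and the peer IP 203.0.113.10 (documentation range) are placeholders; the pre-shared key is read at run time rather than stored in the script.

```powershell
# Added example, not the post's own code. AzureRM module cmdlets; resource names,
# address ranges and the on-premises peer IP are placeholders.
$rg       = "rg-cloud-connect"     # placeholder resource group
$location = "australiaeast"        # placeholder region
$sku      = "Standard"             # Basic | Standard | HighPerformance (see the SKU list above)

New-AzureRmResourceGroup -Name $rg -Location $location | Out-Null

# The VNet must contain a subnet literally named GatewaySubnet; a /27 leaves room for gateway instances.
$gwSubnet  = New-AzureRmVirtualNetworkSubnetConfig -Name "GatewaySubnet" -AddressPrefix "10.10.255.0/27"
$appSubnet = New-AzureRmVirtualNetworkSubnetConfig -Name "app" -AddressPrefix "10.10.1.0/24"
$vnet = New-AzureRmVirtualNetwork -Name "vnet-hub" -ResourceGroupName $rg -Location $location `
    -AddressPrefix "10.10.0.0/16" -Subnet $gwSubnet, $appSubnet

# Public IP that the on-premises CPE will peer with; VPN gateways of these SKUs use dynamic allocation.
$pip    = New-AzureRmPublicIpAddress -Name "pip-vng" -ResourceGroupName $rg -Location $location -AllocationMethod Dynamic
$subnet = Get-AzureRmVirtualNetworkSubnetConfig -Name "GatewaySubnet" -VirtualNetwork $vnet
$ipconf = New-AzureRmVirtualNetworkGatewayIpConfig -Name "vng-ipconfig" -SubnetId $subnet.Id -PublicIpAddressId $pip.Id

# Route-based VPN gateway with the chosen SKU; provisioning takes a long time.
$vng = New-AzureRmVirtualNetworkGateway -Name "vng-hub" -ResourceGroupName $rg -Location $location `
    -IpConfigurations $ipconf -GatewayType Vpn -VpnType RouteBased -GatewaySku $sku

# The on-premises side: its public endpoint and the prefixes reachable behind it.
$lng = New-AzureRmLocalNetworkGateway -Name "lng-office" -ResourceGroupName $rg -Location $location `
    -GatewayIpAddress "203.0.113.10" -AddressPrefix "192.168.0.0/16"

# Pre-shared key entered at run time (or pulled from a vault), never a literal in the script.
$secureKey = Read-Host -AsSecureString -Prompt "IPsec pre-shared key"
$psk = [System.Net.NetworkCredential]::new("", $secureKey).Password
$cn = New-AzureRmVirtualNetworkGatewayConnection -Name "cn-office" -ResourceGroupName $rg -Location $location `
    -VirtualNetworkGateway1 $vng -LocalNetworkGateway2 $lng -ConnectionType IPsec -SharedKey $psk

# Verify: ConnectionStatus becomes Connected once the CPE completes IKE phase 1 and 2 with matching settings.
Get-AzureRmVirtualNetworkGatewayConnection -Name "cn-office" -ResourceGroupName $rg |
    Select-Object Name, ConnectionStatus, IngressBytesTransferred, EgressBytesTransferred
```

Counter-intuitively, a status of NotConnected with zero bytes transferred usually means an IKE proposal mismatch on the CPE side rather than a fault in the gateway itself, so compare the CPE's phase 1 and 2 settings against the Azure defaults before rebuilding anything.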

For information on pricing and setup, check the links below.

Azure VNG SKU Pricing Info | Setup details for CPE devices and IKE Phase 1 & 2

Connecting securely: Amazon Web Services (AWS) & Direct Connect

Rather than use an internet-based VPN connection, AWS users can connect securely through Direct Connect and IPsec VPN tunnels.

There are differences between the Azure IPsec gateway and VPN tunnels created with an AWS VGW (Virtual Gateway) IPsec VPN.

For instance, the AWS VPN tunnel only comes up once the initiator's side of the VPN connection generates traffic. Network admins on AWS should consider creating parallel pairs of IPsec connections to accommodate routine maintenance, which could disable a VPN tunnel.

Connecting securely: Google Cloud Platform & Google Carrier Interconnect

Google Cloud Platform also supports IPsec tunnels, though it differs from many of its competitors. Google provides Border Gateway Protocol (BGP) sessions, so private IP addressing is not directly accessible.

Instead, the Google Cloud VPN service can be used to terminate IPsec tunnels to GCP, with support for site-to-site VPN constructs on static routes. Network admins can also connect two GCP networks using Google Cloud VPN.

Policy and privacy

Connecting securely to your cloud service requires strong policies on terminals and endpoints to direct user behaviour, solid education and understanding among staff of best-practice security measures for cloud architecture, and an understanding of the ways in which different cloud services allow secure IPsec VPN tunnelling to their platform. Companies that get these three things right can enjoy secure access to their cloud architecture with low risk of intrusion or loss of data.