One of the customer’s challenges in migrating all or part of its information system to one or more public clouds is to relieve its data centers while maintaining data security.
With this in mind, it is essential to secure access for all users to the various application resources in the datacenters or the chosen public clouds (Amazon Web Services, Microsoft Azure, Google Cloud Platform, or IBM, for example) and to prepare for the massive migration of applications to these clouds.
The success of such a project depends on a technical solution offering a wealth of functionalities to meet the various use cases that will have to be handled.
To be sustainable, the security architecture must protect the information system (IS) while remaining as invisible and painless as possible. This guarantees a better user experience and makes administrators' daily work easier. It must also offer the wide range of security features the IS needs, built around a small number of technologies that fit together well.
Finally, this architecture must be designed for tiered deployment, allowing other technologies to be added if necessary to meet very specific needs. The core architecture presented here offers a good compromise between the competing demands of such a project: rationalization, simplified administration, user experience, number of supported use cases, etc. Options can be activated or not, depending on priorities. This optimized architecture is also easier to deploy and therefore has strong potential for efficient and rapid implementation.
To ease the transition of application migration to the cloud, we recommend a hybrid model, based on an architecture with three complementary tiers:
an “on-premises” part to connect the remote sites to the applications and to secure the legacy datacenters during the migration;
an architecture to secure the IaaS (Infrastructure as a Service) environment as well as applications migrated to the cloud;
a SaaS (Software as a Service) service to move as many security functions as possible to the cloud, benefiting from its advantages in scalability and operational control.
For example, to secure the outgoing flows of mobile users, those users connect to the cloud security service and are then redirected to a firewall instance in the IaaS to access resources hosted in the public cloud.
As another example, for securing incoming flows, the firewall instance in IaaS can be protected by SaaS security against targeted DDoS (Distributed Denial of Service) attacks on exposed sites. In the event of a volumetric DDoS attack, the intermediate security platform in SaaS will absorb the entire attack and only allow the legitimate flow to pass, thus protecting the Internet link and the application. This use case is impossible to handle with a simple VM (virtual machine) in the cloud and without an intermediate platform.
For the security of infrastructure hosted in the public cloud (Amazon Web Services, Microsoft Azure, Google Cloud Platform, IBM…), and since it remains difficult to predict in advance the pace of migration and which application services are eligible, we recommend three levels of security to address different use cases.
Essential security. It includes:
implementation of a firewall instance in the IaaS to address the following functionalities: IPS (Intrusion Prevention System) / AV (anti-virus) / URL filtering / SSL decryption / sandbox
implementation of a reverse proxy instance in the IaaS to address the following functionalities: reverse proxy with simple URL rewriting / SSL decryption / filtering by reputation of malicious IPs and URLs
Advanced security. It includes the essential security, to which we add:
SSO (Single Sign-On)
complex URL rewriting
Total security. It includes advanced security, to which we add:
The choice of the level of security to be implemented is at the discretion of the customer, according to its constraints, whether they are geographical, linked to the schedule, or the criticality of the applications in particular.
To secure web, non-web, and business applications, we recommend implementing a solution that offers a complete security platform covering a large number of use cases without multiplying the technologies in use.
This solution should have a single inspection engine so that, in particular, a single flow rule can apply all of the security building blocks (bricks).
An essential point of the solution is efficient recognition of most applications on the market, which makes it possible to identify how users actually use them and so protect them better.
Routing and flow partitioning are optimized with support for virtual routers, firewall instances, and the concept of security zones. Support for the SAML (Security Assertion Markup Language) protocol simplifies authentication for web applications.
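As an added illustration (not code from the original page or from any vendor's product), the following JavaScript sketches how a single flow rule can combine the source and destination security zones, the user's group, the identified application and the URL category, and carry the security profiles (IPS, anti-virus, URL filtering, SSL decryption, sandbox) to apply. Zone names, groups, applications, categories, rules and the sample flows are all constructed. Evaluation is first match wins with an implicit final deny, which is why the narrow deny rule for malicious URL categories sits before the broad Internet allow.

```javascript
'use strict';

// Added example, not from the original page: a minimal zone-based flow rule
// evaluator. Every name below (zones, groups, apps, categories) is constructed.
// A null criterion in a rule means "any".
const RULES = [
  {
    name: 'users-to-cloud-apps',          // employees reaching applications migrated to the IaaS
    from: 'users', to: 'iaas-web',
    users: ['employees'], apps: ['web-browsing', 'ssl'], urlCategories: null,
    action: 'allow', profiles: ['ips', 'av', 'url-filter', 'ssl-decrypt'],
  },
  {
    name: 'block-malicious-sites',        // narrow deny placed BEFORE the broad Internet allow
    from: 'users', to: 'internet',
    users: null, apps: null, urlCategories: ['malware', 'phishing'],
    action: 'deny', profiles: [],
  },
  {
    name: 'users-to-internet',            // general web access with full inspection
    from: 'users', to: 'internet',
    users: ['employees', 'contractors'], apps: ['web-browsing', 'ssl'], urlCategories: null,
    action: 'allow', profiles: ['ips', 'av', 'url-filter', 'ssl-decrypt', 'sandbox'],
  },
  {
    name: 'internet-to-published-apps',   // inbound HTTPS to sites exposed from the IaaS
    from: 'internet', to: 'iaas-web',
    users: null, apps: ['ssl'], urlCategories: null,
    action: 'allow', profiles: ['ips', 'ssl-decrypt'],
  },
];

// A null criterion matches anything; a list matches only its members.
function criterionMatches(allowed, value) {
  return allowed === null || allowed.includes(value);
}

// First matching rule decides; a flow matching nothing falls through to an implicit deny.
function evaluateFlow(flow, rules = RULES) {
  for (const rule of rules) {
    if (rule.from !== flow.fromZone || rule.to !== flow.toZone) continue;
    if (!criterionMatches(rule.users, flow.userGroup)) continue;
    if (!criterionMatches(rule.apps, flow.app)) continue;
    if (!criterionMatches(rule.urlCategories, flow.urlCategory)) continue;
    return { rule: rule.name, action: rule.action, profiles: rule.profiles };
  }
  return { rule: 'implicit-deny', action: 'deny', profiles: [] };
}

// Constructed sample flows, in the form an application-aware engine presents
// them after identifying the application and categorising the URL.
const SAMPLE_FLOWS = [
  { fromZone: 'users', toZone: 'internet', userGroup: 'employees', app: 'web-browsing', urlCategory: 'malware' },
  { fromZone: 'users', toZone: 'internet', userGroup: 'employees', app: 'web-browsing', urlCategory: 'news' },
  { fromZone: 'users', toZone: 'iaas-web', userGroup: 'employees', app: 'ssl', urlCategory: 'business' },
  { fromZone: 'users', toZone: 'internet', userGroup: 'guests', app: 'web-browsing', urlCategory: 'news' },
  { fromZone: 'internet', toZone: 'iaas-web', userGroup: null, app: 'ssl', urlCategory: null },
  { fromZone: 'internet', toZone: 'iaas-web', userGroup: null, app: 'smb', urlCategory: null },
];

// One line per sample flow: which rule fired, the verdict, and the profiles attached.
function summarizeSampleFlows(flows = SAMPLE_FLOWS) {
  return flows.map((flow) => {
    const v = evaluateFlow(flow);
    return `${flow.fromZone} -> ${flow.toZone} ${flow.app} [${flow.urlCategory}] : ${v.action} by ${v.rule} (${v.profiles.join(',') || 'none'})`;
  });
}

console.log(summarizeSampleFlows().join('\n'));
```

The guest flow is denied not by an explicit rule but by falling off the end of the rule base, and swapping the order of the deny and the broad allow would let the malicious-category request through: the point of a single engine with ordered rules is that both the verdict and the inspection profiles come from one place, so ordering mistakes are visible in one console rather than spread across separate products.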
To facilitate integration with the existing ecosystem, open APIs allow fluid exchanges between security solutions. Checking the posture of the workstation must be transparent to the user, without requiring an IPsec tunnel (Remote Access solution) or intrusive solutions such as NAC (Network Access Control).
Outsourcing the IS naturally increases exchanges with the outside world. The solution must meet as many technical criteria as possible and, above all, have very little impact on the architecture already in place. To be more efficient at opening flows to the Internet, we strongly recommend consolidating all security policies from internal or external sources (network control, flow routing, URL filtering, compliance checking, profiling…), as well as the routing of flows, within the same administration console.
The solution must be able to handle flows other than HTTP/HTTPS and FTP (File Transfer Protocol). The user experience can thus be improved and controlled regardless of location (mobile or not), allowing user workstations to connect under a security policy adapted to their risk level.
It is also necessary to take into account the requirements of SaaS applications whose vendors recommend against proxying, authentication, and flow analysis. To address the use cases of unmanaged or agentless workstations, a captive portal is necessary to secure the LAN/WAN or Wi-Fi networks. The use and maintenance of the proxy.pac file could, in the medium and long term, become optional.
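As an added example (not code from the original page or from any product), here is a proxy.pac file of the kind discussed above, written so that it also runs under Node for offline testing. It sends single-label hostnames and literal private IP addresses direct, bypasses the cloud proxy for a constructed list of SaaS domains whose vendors advise against proxying, and routes everything else, including internal applications reached through the SaaS service's site-to-site tunnel, to the cloud security service. The proxy address and every domain name are constructed placeholders.

```javascript
// Added example, not from the original page: a proxy.pac implementing the
// policy described in the text. The proxy address and the domains are
// constructed placeholders (.invalid is reserved and never resolves).
var CLOUD_PROXY = 'PROXY cloud-security.example.invalid:8080';

// Constructed: SaaS applications whose vendors advise against proxying,
// authentication or inspection of their traffic. Subdomains are included.
var SAAS_BYPASS = ['collab.example-saas.invalid', 'voice.example-saas.invalid'];

// Literal IPv4 address inside the RFC 1918 ranges? Checked with a regex rather
// than isInNet(host, ...) so that a hostname never triggers a DNS lookup from
// inside the PAC script.
function isPrivateIpLiteral(host) {
  var m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return false;
  var a = Number(m[1]), b = Number(m[2]);
  return a === 10 || (a === 172 && b >= 16 && b <= 31) || (a === 192 && b === 168);
}

function FindProxyForURL(url, host) {
  host = host.toLowerCase();

  // Single-label names are LAN resources (printers, captive portal, ...): direct.
  if (isPlainHostName(host)) return 'DIRECT';

  // Private addresses reached on site: direct.
  if (isPrivateIpLiteral(host)) return 'DIRECT';

  // SaaS exceptions: direct, for the exact host or any of its subdomains.
  for (var i = 0; i < SAAS_BYPASS.length; i++) {
    if (host === SAAS_BYPASS[i] || dnsDomainIs(host, '.' + SAAS_BYPASS[i])) return 'DIRECT';
  }

  // Everything else, internal IS applications included (reached through the
  // SaaS-to-datacenter tunnel), goes through the cloud security service.
  // Deliberately no "; DIRECT" fallback: a proxy outage must fail closed
  // rather than silently bypass filtering.
  return CLOUD_PROXY;
}

// Browsers supply isPlainHostName and dnsDomainIs to PAC scripts. These
// equivalents let the file run under Node for testing; they can be removed
// when the file is deployed.
function isPlainHostName(host) { return host.indexOf('.') === -1; }
function dnsDomainIs(host, domain) {
  return host.length >= domain.length && host.slice(host.length - domain.length) === domain;
}
```

Keeping the bypass list short and exact is the security-relevant point: every entry is traffic the cloud firewall never sees, so a suffix match that is too loose (for example matching `notcollab.example-saas.invalid` because it ends in the SaaS name) would widen the unfiltered path; the leading-dot comparison above avoids that.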
Using a public SaaS solution (cloud firewall) allows the same security features to be applied as on an “on-premises” firewall. This pure SaaS approach filters all user requests for Internet access and offers the possibility of setting up site-to-site tunnels (SaaS to private datacenters) to reach applications hosted in the IS that could not be migrated to the cloud.
Mobile users are therefore protected by this SaaS solution without going through the IS. This avoids split tunneling, which is often a vector for malware propagation because it creates a bridge from the Internet, through the workstation, into the company’s internal network. The security features offered, known as “network filtering”, are richer than those of a SaaS proxy solution.
Simplifying security with consolidated security rules, while maintaining the level of security historically in place, allows the customer’s teams to be more efficient day to day, reducing the time needed to investigate and process incidents. The user experience is improved by direct Internet access that does not go through the central site, while respecting the constraints of users and applications.
The scalability of the platform and the acceleration of the migration have been planned for, largely by adding user licenses or bandwidth, so that any new need can be met quickly. The level of security has been maintained according to best practice while remaining consistent with the requirements of business applications hosted in the cloud.
It should be noted that all these actions were carried out without any degradation of the service provided to users and without any reduction in the level of security.