Briefing CEO & Executives about migrating to the cloud safely (RTO-RPO)
Cyber Security is becoming a severe issue for individuals, enterprises, and governments alike. In a world where everything is connected on the internet, from cute kitten videos and our calendar to our credit card information, ensuring that our data remains safe is one of the biggest challenges of Cyber Security. Cyber Security challenges come in many forms, such as ransomware, phishing attacks, malware attacks, and even Denial of Service Attacks.
The more people and devices a network connects, the greater the value of the network, which makes it harder to raise the cost of an attack to the point where hackers give up. Our company’s main business is based on the public cloud, which means all of our data is accessed from anywhere. For this reason we must implement new services and define policies that will secure our cloud infrastructure from the ground up.
As attractive as cloud environments can be, they also come with new types of risk. The first risk we have to consider is the security of our internal data in the cloud. Internal data is a great risk and a great target for hackers. With this in mind we came up with a variety of solutions, the first one being the all-time classic: backup. Right now we are using a Spectra tape drive which replicates all of our data every day, including the tape drives. Although the tape drives are safe, the time it takes to roll back to a previous state will be days. Amazon Web Services, which is our provider, offers backup solutions for data protection that we can take advantage of. Offline backup is also the ultimate solution for ransomware protection; this is called offline tape backup and it is also available on AWS. Human error is also a great risk for enterprise data, so our company has to invest in educating users and alerting them to this kind of digital risk. The key Amazon features that are going to be deployed are:
- Cloud Virtual Tape Libraries (cloud VTLs): offsite backups can be achieved by presenting the cloud VTL to the backup software as if it were a physical, local tape drive. The backup software can then write all backups to those “tapes”, which are stored in the public cloud.
- Amazon Regions: the safest option for an enterprise like ours. We are going to keep a copy of our critical data in many locations around our continent to ensure minimum disruption in case of a disaster.
- Encryption: use keys to transfer our data securely to the cloud.
If you think backup is not mandatory, take Travelex as an example: it was forced to shut down due to a ransomware attack in 2019.
In our company, the production environment is the set of servers that are fully operational and serve all internal and external clients’ requests. Although the internal servers are located on premises, they are at great risk in case of a disaster. Policies and new migrations have to be established to ensure our company’s business continuity. Production servers are going to be duplicated in the cloud to ensure smooth operation, and after that we are going to keep a copy of them in multiple Amazon Regions (locations). With this simple feature we can achieve high availability and a short recovery time. Our network team can also restrict network usage and prevent unauthorized access using AWS VPC. A VPC is like creating a box inside another box (see the image on the right) and letting a specific group of users access only the first box or the second one. With this network categorization we can restrict access for everyone or for ordinary users only.
Protecting our production environment is also a great task in itself; Amazon has taken this into consideration and provides tools that help security teams prevent intrusions. These tools are:
- Encryption: use keys instead of passwords when an admin establishes a connection. Keep those root keys safe in Amazon Key Management.
- Monitoring billing logs with LogView to find systems that are powered on too often, find malware that is storing excessive data, and discover policy violations in machine creation.
Finally, the most important tool for monitoring our cloud infrastructure, which will let us know what is going on and why and prevent our servers from failing, is:
- AWS Inspector: it is installed on every server and keeps track of vulnerabilities and patches that are not installed. Inspector also runs security scans on each machine.
Our external-facing website is the core of our business. Every day our security team faces huge delays due to denial of service attacks, and the standby engineers are worried that the day our main product goes down is not far off. At this time our systems (website databases) are not affected, but we cannot guarantee that this will still hold the next time a bigger event occurs. Because of this unpleasant situation our team has been working on a technical proposal. Prevention is cheaper than cure, and for this reason we are going to establish:
- 2 load balancers that will handle requests at the same time
- 2 WAFs (Web Application Firewalls) that will scan traffic between clients and our servers
These website servers are going to be secured by AWS Shield Advanced. Remember Code Spaces, a company that went bankrupt due to devastating DDoS attacks in 2014.
Shield Advanced helps against DDoS attacks and the most common attacks. DDoS attacks are currently affecting our company’s main product by targeting our main servers. The goal of this kind of attack is to take our servers offline and disrupt the delivery of information to our clients.
[Image 3: Shield]
Active Directory includes every user and computer in our company. To be more precise, Active Directory (AD) is a database and set of services that connect users with the network resources they need to get their work done. Our database (directory) contains critical information about our environment, including which users and computers exist and who is allowed to do what. At this time there are no policies that handle users who are leaving the company, and no policies that determine the required strength of a user’s password. Amazon Cloud Directory has several key features, such as Directories, Schemas, Facets, Objects and Attributes, that can create Hierarchies, Policies and Groups. Using Cloud Directory we are going to replicate our entire MS Active Directory to the cloud and separate users into groups. Separating users into groups gives us control over access.
Valuable content equals our data. As we mentioned in the first paragraph, data is the most common target in a company, especially if it is based in the cloud. Although all of our data is sensitive, we need to categorize it and classify it into confidential data, financial data, internal-distribution-only data, and general data. To achieve this we are going to use a special tool provided by Amazon called Amazon Macie.
- Amazon Macie is a fully managed data security and data privacy service that uses machine learning and pattern matching to discover and protect all of our sensitive data.
Shamoon was the name of the virus that made all of Aramco’s servers unusable and took the company offline for at least 48 hours. Aramco did not have a security team or a disaster recovery plan. Aramco also had to fly its private plane to buy new hard disks for its servers and PCs.
Our company’s main services are based on technology and productivity, things that our clients admire a lot, and this is the main reason why we keep growing. At the very beginning of this company we estimated a growth of 5% every year, and that is the reason why we invested in a modern on-premises data center with new servers. But what if a catastrophic event hits our main premises? There are two variables that define what we do next.
- Recovery time objective (RTO) defines how much time is needed to go online and be productive again.
- Recovery point objective (RPO) defines how much data is lost due to the disaster.
Our IT team has come up with a Disaster Recovery scenario which will take effect immediately after a catastrophic event, minimizing the recovery time objective (RTO) and keeping a small recovery point objective (RPO). All of this at a minimum price, without the need to invest in CAPEX and new infrastructure. Our new plan is also a great OPEX example which will give us an immediate ROI (return on investment). The plan is really simple: our main on-premises infrastructure will be replicated in the cloud using built-in Amazon tools, and all of our data will be copied to the cloud on a daily or hourly basis. Every server in our on-premises data center is going to be copied to the cloud, shut down, and kept waiting to go online if it does not hear a response from our data center. With this action we keep our operations stable. In case of a disaster, the cloud machines will go online and start serving users, with a small downtime during the transition.
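As an added illustration (not part of the original briefing), a small Python check of the plan above: it takes a constructed replication log and a disaster time and reports the RPO and RTO actually achieved against the objectives, showing that a failed replication run silently widens the RPO beyond the scheduled hourly interval. The phase durations and targets are assumed values.

```python
from datetime import datetime

# Constructed replication log (example timestamps, not real data) for the plan
# above: each on-premises server is copied to the cloud on an hourly basis.
# A failed run is the edge case that silently widens the real data-loss window.
REPLICATION_LOG = [
    ("2024-03-01T00:00:00", "ok"),
    ("2024-03-01T01:00:00", "ok"),
    ("2024-03-01T02:00:00", "failed"),
    ("2024-03-01T03:00:00", "failed"),
]

def _ts(text):
    return datetime.fromisoformat(text)

def last_good_copy(log, disaster_at):
    """ISO timestamp of the last successful copy taken before the disaster, or None."""
    disaster = _ts(disaster_at)
    good = [_ts(ts) for ts, status in log if status == "ok" and _ts(ts) <= disaster]
    return max(good).isoformat() if good else None

def achieved_rpo_minutes(log, disaster_at):
    """Actual RPO: minutes of data lost between the last good copy and the disaster."""
    last = last_good_copy(log, disaster_at)
    if last is None:
        return None  # no usable copy at all: everything since go-live is lost
    return int((_ts(disaster_at) - _ts(last)).total_seconds() // 60)

def achieved_rto_minutes(detect_min, boot_min, reroute_min):
    """Actual RTO: outage until the cloud copies serve users (assumed phases)."""
    return detect_min + boot_min + reroute_min

def evaluate(log, disaster_at, rpo_target_min, rto_target_min,
             detect_min, boot_min, reroute_min):
    """Compare the achieved RPO/RTO of the plan against the objectives set by management."""
    rpo = achieved_rpo_minutes(log, disaster_at)
    rto = achieved_rto_minutes(detect_min, boot_min, reroute_min)
    return {
        "rpo_minutes": rpo, "rpo_met": rpo is not None and rpo <= rpo_target_min,
        "rto_minutes": rto, "rto_met": rto <= rto_target_min,
    }

if __name__ == "__main__":
    # Disaster at 03:30 on an hourly schedule with two failed runs: 150 min of data lost.
    print(evaluate(REPLICATION_LOG, "2024-03-01T03:30:00", rpo_target_min=60,
                   rto_target_min=60, detect_min=15, boot_min=20, reroute_min=10))
```

The check only flags the RPO as met when the last copy before the disaster actually succeeded, so replication failures must be alerted on, not just scheduled.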
Amazon has a variety of services that are going to be used, with the main ones described below:
- Amazon EC2 VM Import Connector: with the import connector, VMs can be replicated directly into EC2 from our local VMware (or other hypervisor) based system.
- AWS Storage Gateway: the storage gateway is a service that is installed at our local data center. With it, we can present cloud storage to an application. That application can then write to the cloud storage without needing any special hooks into the cloud. This allows users to use any native replication or disaster recovery tools against cloud storage without any special configuration changes.
Last but not least, the establishment of policies should take place immediately. The biggest mistake companies make nowadays is replicating old on-premises policies to the cloud. As you saw above, we mentioned a few examples of enterprises that went under after hacking attacks. What those companies often have in common is weak password policies, or none at all. Also, there is no policy for training users against phishing.
- We encourage the use of AWS penetration testing to get a view of our company’s security score.
- Understand our responsibility and the provider’s responsibility in the cloud model. Patching and updating our servers is part of our responsibility.
- Deployment of IDM (identity management) and access management (Cloud Directory)
- Staff training
- Security log collection.
- Enable MFA for all users starting from admins.
All of the above have to be established as soon as possible, be clearly specified, and be revised often to meet future cloud expectations.