More organizations are looking to move out of their data centers and private cloud environments and into the dynamic world of public and hybrid cloud architectures. There are many reasons for this, including cost savings with utility billing, shorter and easier provisioning time and the ability to spin up servers, when needed, to handle project-specific workloads and tasks.
Despite these benefits, access to these servers, and the applications being served from them, continues to challenge organizations. Do the servers and applications fall into the same bucket as enterprise server and application access policies? Are cloud servers “special snowflakes” that require specialized policies that pertain to servers outside of the data center? Do the complexities of cloud make these servers and applications impossible to audit effectively?
The cloud presents a host of new challenges and, because servers now sit outside the data center perimeter, puts them within reach of far more people than before. With this in mind, when deploying new, or migrating existing, servers in public and hybrid cloud environments, consider the following access-related issues as a starting point.
What happens if the cloud server instance IP address changes?
Traditional data centers and private clouds are static or semi-static in nature. Little changes day to day with regard to IP address and compute resource allocation. Granted, private cloud environments can be somewhat dynamic, but organizations often treat them the way they would an on-premises virtualized server infrastructure.
Public and hybrid cloud environments, on the other hand, are dynamic in nature, and there is no guarantee that the IP address you are allocated one day will follow your server through its entire lifecycle. This makes taking stock of assets, and facilitating access to those assets, a real challenge.
QUICK TIP - Organizations must ensure that access to servers and applications in cloud environments does not hinge on static IP address assignment. Key access rules on a stable identity (instance ID, hostname or role tag) that is looked up from a live inventory, and remember that an address your instance gave up can be handed to someone else's instance, so a stale IP allowlist can end up granting access to the wrong machine.
Can your users access the cloud server regardless of location?
The term “road warrior” is rarely, if ever, used anymore. User connectivity to company resources, regardless of location, is an expectation that nearly every employee now has.
Your users must be able to access your cloud-hosted servers and applications from wherever they are located. Whether it’s a coffee shop, a home office, or in-flight Wi-Fi, users expect to be able to get to the tools required to perform their job.
QUICK TIP - Don’t fall into the trap of whitelisting corporate IP ranges, as that method of access control is no longer sufficient in our interconnected, mobile-employee, often-out-of-the-office world. A source address says nothing about who is at the keyboard; authenticate the user (with multi-factor authentication) and authorize on that identity instead.
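The two tips above (access must not hinge on a static IP, and the corporate network is not an identity) are easiest to see side by side. The following is an added example, not code from the original article: the same access request is evaluated once by a network-location rule (caller on the corporate range, target on a hand-maintained list of server IPs) and once by an identity rule (authenticated user with MFA, group membership checked against the role tag the target currently carries). All servers, users, addresses, group names and the `ROLE_POLICY` mapping are constructed for illustration; the address ranges are documentation prefixes, not real networks.

```python
"""Added example: location-based vs identity-based access decisions.
Everything below (servers, users, addresses, policy) is constructed sample data.
"""
import ipaddress
from dataclasses import dataclass

# Assumed corporate egress range (RFC 5737 documentation prefix).
CORP_RANGES = [ipaddress.ip_network("203.0.113.0/24")]

# Policy keyed on the role tag a server carries, never on its address.
ROLE_POLICY = {
    "billing-api": {"finance-ops"},
    "bastion": {"sre"},
}


@dataclass(frozen=True)
class Server:
    instance_id: str   # stable identity assigned by the provider
    role: str          # tag the policy keys on
    ip: str            # current address; may change on every stop/start


@dataclass(frozen=True)
class Request:
    user: str
    groups: frozenset
    src_ip: str
    mfa: bool
    target_ip: str     # the address the user typed or resolved


def authorize_by_ip(req: Request, allowed_targets: set) -> bool:
    """Location rule: caller must be on the corporate network and the target
    must be on a static list of server IPs copied down at launch time."""
    src = ipaddress.ip_address(req.src_ip)
    on_corp_net = any(src in net for net in CORP_RANGES)
    return on_corp_net and req.target_ip in allowed_targets


def authorize_by_identity(req: Request, inventory: list) -> bool:
    """Identity rule: who is asking (with MFA) and which role the target
    currently carries, resolved through a live inventory rather than a list."""
    if not req.mfa:
        return False
    by_ip = {s.ip: s for s in inventory}
    server = by_ip.get(req.target_ip)
    if server is None:          # unknown address: nothing to grant access to
        return False
    return bool(ROLE_POLICY.get(server.role, set()) & req.groups)


# Day 1: the billing server launched at 10.0.1.10 and someone copied that IP
# into a static allowlist.
STATIC_ALLOWED = {"10.0.1.10"}

# Day 30: the billing instance was stopped and restarted with a new address,
# and an unrelated scratch box picked up the old one.
INVENTORY_DAY30 = [
    Server("i-0a1b2c", "billing-api", "10.0.1.57"),
    Server("i-0f9e8d", "scratch", "10.0.1.10"),
]

# Constructed requests: a finance engineer working from a coffee shop, the same
# engineer on the office network using the stale address, and an on-site
# contractor with no MFA and no business with the billing system.
alice_remote = Request("alice", frozenset({"finance-ops"}), "198.51.100.7", True, "10.0.1.57")
alice_stale = Request("alice", frozenset({"finance-ops"}), "203.0.113.20", True, "10.0.1.10")
contractor_onsite = Request("mallory", frozenset({"contractor"}), "203.0.113.20", False, "10.0.1.10")


def compare(req: Request) -> dict:
    """Evaluate one request under both rules so the difference is visible."""
    return {
        "by_ip": authorize_by_ip(req, STATIC_ALLOWED),
        "by_identity": authorize_by_identity(req, INVENTORY_DAY30),
    }


if __name__ == "__main__":
    for name, req in [("alice_remote", alice_remote),
                      ("alice_stale", alice_stale),
                      ("contractor_onsite", contractor_onsite)]:
        print(f"{name:18} {compare(req)}")
```

The location rule fails in both directions: it turns away the legitimate user working remotely, and it lets the stale allowlist and the office network open the scratch box (now sitting on the old address) to anyone who happens to be on site. The identity rule admits the remote finance user to the billing server, refuses the contractor for lack of MFA and group membership, and refuses the stale address because the inventory shows no policy-covered role there.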
Will cloud servers be diligently audited?
Everyone has heard this story before: an employee is fired, his or her access to the building and the enterprise network is terminated, yet the ex-employee is still able to download all of your customer information and bring it to your competitor.
Whether a true story or vendor folklore, this tale illustrates the danger of disparate authentication architectures, where disabling the central account leaves local server accounts, SSH keys and provider-side cloud credentials untouched, and the cost of not auditing what a terminated employee could still reach.
When an employee is terminated, for whatever reason, the organization must ensure that ALL of that employee’s access is removed or transferred over to a designated individual should any follow-up actions be required.
QUICK TIP – Treat your cloud servers and cloud-hosted applications as you would a server residing within your data center. Audit them regularly, reconcile every access path against your current employee list, and apply the same level of scrutiny you would to a physical computer asset.
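The auditing point above is concrete enough to script. What follows is an added example, not code from the original article: it reconciles an HR termination list against access records pulled from systems that do not share an identity source (the SSO directory, a cloud VM's local account file, an `authorized_keys` file, and provider-local IAM users), and reports every path a terminated person could still use. All records are constructed sample data; the rule that an SSH key comment of the form `user@host` names its owner is an assumed convention, not a guarantee, and is labelled as such in the code.

```python
"""Added example: find access that survived an employee's termination.
Every record below is constructed sample data, not output from a real system.
"""
from collections import defaultdict

# HR export of people whose employment has ended (constructed).
TERMINATED = {"bob", "carol"}

# Central directory / SSO: both were correctly disabled on their last day.
SSO_DISABLED = {"bob", "carol"}

# /etc/passwd-style records from a cloud VM (constructed).
VM_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
deploy:x:1001:1001:CI deploy user:/home/deploy:/bin/bash
bob:x:1002:1002:Bob Example:/home/bob:/bin/bash
"""

# ~deploy/.ssh/authorized_keys on that VM (constructed; key material is fake).
AUTHORIZED_KEYS = """\
# keys for the shared deploy account
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICONSTRUCTEDKEY0001 alice@laptop
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICONSTRUCTEDKEY0002 carol@laptop
from="10.0.0.0/8" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABCONSTRUCTEDKEY0003 ci-runner
"""

# Provider-local IAM users with long-lived keys (constructed; the key ID is
# the provider's published example value, not a live credential).
IAM_USERS = [
    {"UserName": "carol-admin", "Owner": "carol", "AccessKeys": ["AKIAIOSFODNN7EXAMPLE"]},
    {"UserName": "svc-backup", "Owner": "platform", "AccessKeys": ["AKIAIOSFODNN7EXAMPLE"]},
]


def parse_passwd(text: str) -> list:
    """Return login names that have an interactive shell."""
    users = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _pw, _uid, _gid, _gecos, _home, shell = line.split(":", 6)
        if shell.rsplit("/", 1)[-1] not in ("nologin", "false"):
            users.append(name)
    return users


def parse_authorized_keys(text: str) -> list:
    """Return (key_type, comment) for each key line; a leading options field
    such as from="..." is skipped by locating the key-type token."""
    keys = []
    for line in text.splitlines():
        parts = line.strip().split()
        if not parts or parts[0].startswith("#"):
            continue
        for i, tok in enumerate(parts):
            if tok.startswith(("ssh-", "ecdsa-", "sk-")):
                comment = " ".join(parts[i + 2:])
                keys.append((tok, comment))
                break
    return keys


def owner_from_comment(comment: str):
    """Assumed convention: a comment of the form user@host names the key owner."""
    return comment.split("@", 1)[0] if "@" in comment else None


def find_lingering_access(terminated, sso_disabled, passwd_text, authkeys_text, iam_users) -> dict:
    """Map each terminated user to the (system, detail) access paths still open."""
    findings = defaultdict(list)
    for user in sorted(terminated):
        if user not in sso_disabled:
            findings[user].append(("sso", "central account still enabled"))
    for name in parse_passwd(passwd_text):
        if name in terminated:
            findings[name].append(("vm-local", f"interactive local account {name!r}"))
    for ktype, comment in parse_authorized_keys(authkeys_text):
        owner = owner_from_comment(comment)
        if owner in terminated:
            findings[owner].append(("ssh-key", f"{ktype} key {comment!r} in authorized_keys"))
    for u in iam_users:
        if u["Owner"] in terminated:
            findings[u["Owner"]].append(
                ("cloud-iam", f"user {u['UserName']!r} with {len(u['AccessKeys'])} access key(s)"))
    return dict(findings)


if __name__ == "__main__":
    report = find_lingering_access(TERMINATED, SSO_DISABLED, VM_PASSWD, AUTHORIZED_KEYS, IAM_USERS)
    for user, paths in report.items():
        for system, detail in paths:
            print(f"{user:8} {system:10} {detail}")
```

Both people were disabled in the directory, which is where most offboarding checklists stop. The reconciliation still finds a local shell account for one and, for the other, an SSH key on a shared deploy account plus a provider-side IAM user holding a long-lived access key: three paths into your cloud servers that never consulted the central directory. Extending the inventory to every system that holds its own credentials is the audit the tip calls for.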
Three steps forward, no steps back!
The cloud has many benefits but also a host of unforeseen, or long forgotten, access challenges that require diligent research to understand. You should not assume that the cloud service provider has the answers to all access-related challenges, but it is entirely possible that the provider can shed some light on some of the blind spots.
Remember, just because you can put a particular application or server in a cloud environment, doesn’t mean that it is automatically secure, compliant or accessible for the individuals that need to use it.