Requirements for Cloud VPNs

The CSA guide is a comprehensive effort to list the security risks brought by cloud computing. It is a good overview, but some security requirements are spread across several of its domains. Two such examples are confidentiality and integrity. Moreover, these requirements need to be fulfilled in different situations, for example data integrity in transit and at rest.

Let’s start by focusing on confidentiality and integrity of communications. We have to deal with confidentiality and integrity of communications in several scenarios:

  • Communication from the internet to the cloud
  • Communication between the internal network and the cloud
  • Communication between applications within the cloud (an interesting example is between amazon EC2 and S3)
  • Communication between clouds

With PaaS and SaaS we can rely on SSL. With IaaS, the solution that gives you full access to your cloud network is a VPN.

The requirements for a cloud VPN in all scenarios are as follows:

Clientless: The need to deploy agents should be avoided when possible. Using standards like IPSec, which is supported by security gateways and by existing operating systems, solves this problem as well.

Centralized management: Modifications on the configuration of servers or clients should not imply a re-deployment.

Authentication and authorization features: The solution should support different authentication methods, and it should also allow access control lists to be specified (role based, or RBAC).

Integration with endpoint security: The VPN should integrate with endpoint security solutions.

Advanced logging and reporting: At a given moment it should be possible to know who is or was connected and what kind of operations are or were performed.

Support of different communication methods and devices: Legacy applications, some Windows applications such as Outlook, and applications that use multicast should be supported. On top of that, several types of devices such as smartphones need to be supported as well.

High availability: When a server is down, the clients must be able to connect to the other available servers in a transparent way.

Static addressing: The number of static public IPs is limited, so it is practical to build a private IP infrastructure.
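The "advanced logging and reporting" requirement above boils down to one question an operator must be able to answer from the gateway's audit trail: who is connected right now, who was connected at a given moment, and which user was behind a given tunnel address when something happened. The following is an added example, not code from the original post or from any of the products mentioned in the comments. It assumes a constructed, line-oriented log format (timestamp, CONNECT or DISCONNECT, user, public source address, assigned private tunnel address); real gateways log differently, and only the parsing regex would need to change. It also handles the audit failure mode that matters most in practice: a tunnel address being reassigned without the previous session's DISCONNECT ever having been logged (typically after a gateway restart), which would otherwise make a private address appear to belong to two users at once.

```python
"""Who is, or was, connected to a VPN gateway at a given moment.

Added example for the "advanced logging and reporting" requirement; it is not
from the original post. The log format below is an assumption constructed for
this example, not any real gateway's format.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Constructed sample log: one CONNECT/DISCONNECT event per line. Note that bob's
# session never gets a DISCONNECT before his tunnel address is handed to alice.
SAMPLE_LOG = """\
2010-01-12T08:00:00Z CONNECT user=alice src=203.0.113.10 vip=10.8.0.2
2010-01-12T08:05:00Z CONNECT user=bob src=198.51.100.7 vip=10.8.0.3
2010-01-12T08:30:00Z DISCONNECT user=alice src=203.0.113.10 vip=10.8.0.2
2010-01-12T09:00:00Z CONNECT user=carol src=192.0.2.44 vip=10.8.0.4
2010-01-12T09:20:00Z CONNECT user=alice src=203.0.113.99 vip=10.8.0.3
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<event>CONNECT|DISCONNECT) "
    r"user=(?P<user>\S+) src=(?P<src>\S+) vip=(?P<vip>\S+)$"
)


@dataclass
class Session:
    user: str
    src: str                       # public address the client came from
    vip: str                       # private tunnel address assigned by the gateway
    start: datetime
    end: Optional[datetime] = None  # None while still connected


def parse_ts(text: str) -> datetime:
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def build_sessions(log_text: str) -> List[Session]:
    """Pair CONNECT/DISCONNECT events into sessions, keyed by tunnel address."""
    open_by_vip: Dict[str, Session] = {}
    sessions: List[Session] = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if m is None:
            # An audit trail with lines we cannot interpret is not trustworthy: fail loudly.
            raise ValueError(f"line {lineno}: unparseable event: {line!r}")
        ts = parse_ts(m["ts"])
        vip = m["vip"]
        if m["event"] == "CONNECT":
            stale = open_by_vip.get(vip)
            if stale is not None:
                # The address is reused without a DISCONNECT: the previous session's
                # end was never logged, so close it here rather than showing the
                # address as belonging to two users at the same time.
                stale.end = ts
            session = Session(m["user"], m["src"], vip, ts)
            open_by_vip[vip] = session
            sessions.append(session)
        else:
            session = open_by_vip.pop(vip, None)
            if session is not None:
                session.end = ts
            # A DISCONNECT with no open session (already closed above) is ignored.
    return sessions


def connected_at(sessions: List[Session], when: datetime) -> List[Session]:
    """Sessions active at `when` (start inclusive, end exclusive)."""
    return [s for s in sessions
            if s.start <= when and (s.end is None or when < s.end)]


def user_behind(sessions: List[Session], vip: str, when: datetime) -> Optional[str]:
    """Map a tunnel address seen in an application log back to the user behind it."""
    for s in connected_at(sessions, when):
        if s.vip == vip:
            return s.user
    return None


def report(sessions: List[Session], when: datetime) -> List[str]:
    """Human-readable 'who is connected' lines for the given moment."""
    return [f"{s.user} from {s.src} as {s.vip} since {s.start.isoformat()}"
            for s in connected_at(sessions, when)]


if __name__ == "__main__":
    sessions = build_sessions(SAMPLE_LOG)
    for line in report(sessions, parse_ts("2010-01-12T09:30:00Z")):
        print(line)
```

Run as a script it prints the two sessions open at 09:30 (carol and alice's second session); bob's session is reported as closed at 09:20, the moment his address was reassigned, which is the honest answer when the gateway never logged his disconnect.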

In a follow-up post we will focus on tools and the scenarios listed above.

6 thoughts on “Requirements for Cloud VPNs”

  1. I work for CohesiveFT, who as you probably know offer a product called VPN-Cubed. It already supports many features on your list, such as static addressing, high availability and centralized management. It also supports IPsec connectivity, including IPsec between your datacenter and Amazon EC2 – http://www.cohesiveft.com/Cube/VPN/VPN-Cubed_IPsec_to_EC2/. In addition, it offers support for multicast UDP in an environment where such support is not provided by the vendor.

    • Hi Dmitriy,

      Thanks for your comment. I know about VPN-Cubed and OpenVPN, 2 nice products. There are 2 requirements not completely answered:

      Clientless: there is a need to install OpenVPN (client mode) on each machine. The same applies to IPSec, but it is available in Windows at least. Moreover, you have to deploy the certificates and configuration.
      Clientless is a great thing about SSL VPN (because the browser is SSL ready), but there are limitations as well.

      Integration with endpoint security: I would like to assess the security level of the client before establishing a secure communication with it.

      regards

    • I wouldn’t overestimate the impact of those kinds of attacks. Twitter and Facebook are popular services for the wide public, but far from being critical – not being able to access them for some hours is not really relevant. As a consequence, why should Twitter/Facebook allocate costly resources to secure their service against those kinds of attacks?

      Things are different with cloud providers like Amazon, Google Apps, Azure, Salesforce, etc. It’s a critical task for them to assure integrity and availability of the data of their customers –
      it’s their reputation at risk and also the reputation of cloud computing in the enterprise market. I am convinced that they are better prepared to respond to attacks than single enterprises are.

      On the other hand, if hackers don’t aim to target a specific enterprise, but to maximize the damage, cloud providers are naturally a more popular target (but also more difficult to gather) and hybrid setups may be a means to improve availability by redundancy.

  2. Pingback: Amazon VPC – Brief Analysis

  3. Pingback: Amazon VPC – Brief Analysis – MBA courses online
