Four methods to access cloud computers securely

 

Networks in the cloud

It is easy these days to start a virtual computer in a cloud datacenter managed by Amazon AWS or Microsoft Azure. It is also easy to start a second and a third one and then plan to build a virtual network. This network can grow and shrink, and get updated and upgraded following the needs of the organization, even outgrowing the good old on-premises datacenter.

On the other side of this development, the local datacenter is safe to access. Protected by firewalls perfected during years of physical network evolution, local servers stay relatively secure against the constant background level of Internet threats, where port scanners, password checkers and denial-of-service attacks probe everything they can find. This article discusses options to access cloud computers at virtual datacenters, balancing simplicity and security.

Risks involved

Local on-premises computers are protected by network firewalls. A firewall inspects every packet that comes from the outside and decides whether it should enter the network or not. Firewalls filter out the majority of the traffic, so local computers do not even need to protect themselves against the majority of the threats. All communications that happen inside the network are easier to control.

In the cloud, each individual server with a public IP address is associated with its own security policy. There is no dedicated network device that enforces inbound and outbound rules. These security policies can be reused, but the balance between ease of access and security has to be planned and enforced by the virtual network administrator.

Every user of cloud computers has to access these computers remotely. There are no local users with physical devices in the cloud network. This situation reduces the risk of inside threats. However, it also creates risks related to making virtual servers accessible from the outside, exposing them to the Internet.

How can I access cloud computers?

1. Direct access

The simplest method to log in to a cloud computer is to open the necessary port in the server security policy. Amazon calls these policies AWS Security Groups (sg) and Microsoft calls them Network Security Groups (NSG). Windows computers require the RDP or VNC ports open for remote desktop access, or the PowerShell (WS-Management) port for PowerShell scripting. Unix computers need the SSH port for the shell or for anything that goes through SSH (X-Windows, SQL, etc.), or VNC for desktop access.

An administrator can configure the security policy so that it opens the port only for connections made from certain IP addresses. IP range filtering limits port exposure significantly. However, the list of allowed IP ranges tends to grow when users realize that they need to access cloud computers from different locations.

It seems like a scary solution because it shifts port protection to the server itself, exposing the computer to all kinds of Internet attacks. However, protocols like RDP or SSH are considered sufficiently secure and the IP range limits the exposure, so this method might work as a quick or temporary solution. It also helps to ensure that the traffic flows through an SSL connection (for example, securing the WS-Management port would be recommended).

One of the drawbacks of this method is that it becomes hard to monitor security groups when there are many of them. In large virtual networks it is also hard to close certain ports or remove certain IP ranges from multiple security groups. It makes sense to plan ahead and design several reusable security groups to control access from a central location. There are also third-party tools that allow mass management of security groups across multiple regions or even cloud tenants.
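One way to keep many security groups under review, shown here as an added example that is not part of the original article: a small audit that flags remote-access ports open to a wide source range. The sample data is constructed in the shape of `aws ec2 describe-security-groups` output, the group names are hypothetical, and the /24 threshold is an assumption.

```python
import ipaddress

# Remote-access ports named in this article (standard default port numbers).
MGMT_PORTS = {22: "SSH", 3389: "RDP", 5900: "VNC",
              5985: "WS-Management (HTTP)", 5986: "WS-Management (HTTPS)"}
MAX_PREFIX = 24  # assumption: an IPv4 source wider than /24 is too broad; IPv6 flags only ::/0


def exposed_mgmt_rules(groups, max_prefix=MAX_PREFIX):
    """Return (group_id, service, cidr) for each management port open to a wide range."""
    findings = []
    for group in groups:
        for perm in group.get("IpPermissions", []):
            if perm.get("IpProtocol") == "-1":      # "-1" means all protocols and ports
                lo, hi = 0, 65535
            elif perm.get("IpProtocol") == "tcp":
                lo, hi = perm["FromPort"], perm["ToPort"]
            else:
                continue
            services = [name for port, name in MGMT_PORTS.items() if lo <= port <= hi]
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            for cidr in cidrs:
                net = ipaddress.ip_network(cidr, strict=False)
                too_wide = net.prefixlen == 0 or (net.version == 4 and net.prefixlen < max_prefix)
                if too_wide:
                    findings += [(group["GroupId"], s, cidr) for s in services]
    return findings


# Constructed sample; group ids and address ranges are placeholders.
SAMPLE_GROUPS = [
    {"GroupId": "sg-web-example", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-admin-example", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "203.0.113.0/28"}, {"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
         "IpRanges": [{"CidrIp": "198.51.100.0/22"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
]

if __name__ == "__main__":
    for group_id, service, cidr in exposed_mgmt_rules(SAMPLE_GROUPS):
        print(f"{group_id}: {service} reachable from {cidr}")
```

The HTTPS rule on the web group is ignored because port 443 is not a remote-access port, and the /28 office range passes because it is narrower than the threshold.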

Click here to read Amazon AWS best practices document about security groups. Click here for the discussion about Azure Network Security Groups configuration.

The table below summarizes pluses and minuses of direct access method to cloud computers.

| Pros | Cons |
| --- | --- |
| Simple to set up | Hard to manage for multiple servers |
| Simple to access | Exposes ports of critical servers to the Internet |
| | Poor access audit and access lists |

2. VPN

Both Amazon (Amazon AWS VPC Gateway) and Microsoft (Microsoft Azure VPN Gateway) provide a service for configuring a VPN connection between an on-premises network and cloud networks (site-to-site) or between an on-premises computer and a cloud network (point-to-site). VPN connection setup typically requires either hardware or a third-party software solution to establish a secure connection between the cloud and on-premises networks.

VPN provides a secure, although slower, connection between on-premises and cloud datacenters. It requires substantial configuration effort, but once set up it joins the local and cloud networks into a single addressable space, hiding all computers from outside threats but opening them all to inside risks. In addition, cloud computers remain as inaccessible from outside locations as the servers in the local datacenter.

Click here for the Amazon AWS options to setup VPN. Click here for the Microsoft guide how to setup site-to-site VPN connection.

The table below makes a summary of joining local and cloud networks using VPN

| Pros | Cons |
| --- | --- |
| Easy to use from the local network once set up | Hard to set up. Often requires hardware or third-party software components |
| Secure | Hard to access from outside of the network |
| Cloud computers can join the local domain | Exposes cloud computers to inside threats |
| | Poor access audit |

3. Jump Server: A Gateway in the cloud DMZ

The introduction of the Virtual Private Cloud (VPC, Amazon) and the Virtual Network (Microsoft Azure) made it possible to isolate multiple cloud computers in a private environment with its own hidden IP space that is not exposed to the Internet. System architects use virtual networks in scenarios where most of the computers in the network do not expose any services outside of the network. Users access the system through a single portal, and computers inside the network connect to each other when needed. A web server exposed to the Internet that accesses a hidden local database is a classic example of such an architecture.

One way to log in to hidden virtual computers is to dedicate a virtual network gateway: a computer located inside a cloud virtual network that nevertheless exposes a remote connection protocol to the Internet. Users can RDP, SSH or VNC into the gateway, and from there they can connect remotely to other computers on the local virtual network. The part of the network that contains such gateways is called the DMZ. The DMZ is vulnerable to outside threats, but it does not contain any sensitive information or important software that is hard to rebuild. In the networking world such gateways are called jump servers.

A remote access gateway located in the DMZ is moderately simple to set up. It provides a good level of security and protection for the computers inside the virtual network. These computers are completely shielded from outside threats. Such gateways will most likely not perform well when too many users are trying to access the virtual network. However, they serve as a good entry point into the virtual network for occasional use. Also, several gateways can be set up to perform this function in heavier load scenarios.
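The jump server layout described above only holds if hosts behind the gateway accept remote-access traffic from the gateway and nowhere else. The check below is an added example, not part of the original article; it assumes AWS-style rules in which a source can be another security group (`UserIdGroupPairs`), and the group names and sample rules are constructed.

```python
MGMT_PORTS = {22, 3389, 5900}  # SSH, RDP, VNC: the protocols users relay through the gateway


def covers_mgmt(perm):
    """True if an ingress permission covers any remote-access port."""
    if perm.get("IpProtocol") == "-1":       # all protocols and ports
        return True
    if perm.get("IpProtocol") != "tcp":
        return False
    return any(perm["FromPort"] <= p <= perm["ToPort"] for p in MGMT_PORTS)


def dmz_violations(groups, jump_sg_id):
    """List the sources that can reach remote-access ports without passing the jump server."""
    problems = []
    for group in groups:
        if group["GroupId"] == jump_sg_id:
            continue                          # the gateway itself is meant to be reachable
        for perm in filter(covers_mgmt, group.get("IpPermissions", [])):
            # Policy assumed here: private hosts name the jump group, never an address range.
            for rng in perm.get("IpRanges", []) + perm.get("Ipv6Ranges", []):
                cidr = rng.get("CidrIp") or rng.get("CidrIpv6")
                problems.append((group["GroupId"], f"address range {cidr}"))
            for pair in perm.get("UserIdGroupPairs", []):
                if pair["GroupId"] != jump_sg_id:
                    problems.append((group["GroupId"], f"group {pair['GroupId']}"))
    return problems


# Constructed sample: a gateway, a database tier and an application tier.
DMZ_GROUPS = [
    {"GroupId": "sg-jump-example", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "203.0.113.0/28"}]}]},
    {"GroupId": "sg-db-example", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "UserIdGroupPairs": [{"GroupId": "sg-jump-example"}]},
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
         "UserIdGroupPairs": [{"GroupId": "sg-app-example"}]}]},
    {"GroupId": "sg-app-example", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
         "IpRanges": [{"CidrIp": "10.0.0.0/16"}],
         "UserIdGroupPairs": [{"GroupId": "sg-jump-example"}]}]},
]

if __name__ == "__main__":
    for group_id, source in dmz_violations(DMZ_GROUPS, "sg-jump-example"):
        print(f"{group_id}: remote access allowed from {source}")
```

In the sample, the application tier is flagged because its RDP rule admits the whole internal address range, so any compromised host in the virtual network could reach it without going through the audited gateway.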

Click here for the Amazon AWS general security best practices guide that includes discussion about how to configure DMZ using security groups (remember, there is no single point of entry into the virtual network). Click here for the discussion about Microsoft Azure DMZ configuration.

The table below summarizes the pros and cons of remote access gateways located in the virtual network DMZ

| Pros | Cons |
| --- | --- |
| Moderately simple to set up | Does not scale well |
| Good protection for the cloud computers | |
| Single point of entry provides good audit and access control | |

4. Session manager

A session manager expands on the idea of the remote access gateway discussed in the previous section. A session manager is specialized software deployed on the jump server, a cloud computer located in the DMZ. It accepts HTTPS traffic from the Internet and converts it to the RDP, SSH or VNC protocols to establish connections to the computers in the virtual cloud network. The user needs only a regular browser to interact with remote computers, without installing an RDP, SSH or VNC client. A session manager can support multiple sessions simultaneously. It can also maintain the list of computers in the virtual cloud network that connections can be opened to. In addition, the session manager can keep the identities (passwords and certificates) for these computers and connect to them without ever exposing these identities to the end user, which simplifies system maintenance and security.

Session managers used to be hard to maintain. They also tend to be on-premises software. However, as the technology has advanced, cloud-aware session managers have appeared that are simple to set up and simple to use, and that can provide secure access to cloud computers located in cloud virtual networks.

The table below describes benefits and drawbacks of using session managers to secure access of cloud computers

| Pros | Cons |
| --- | --- |
| Moderately simple to set up | Requires third-party software |
| Provides secure access to the cloud computers | |
| Exposes only a secure (HTTPS) connection to the outside | |
| Maintains the list of computers to connect to | |
| Optionally hides identities from the end users | |
| Does not require client-side software to communicate with remote computers | |
| Scales well for a large number of users | |
| Single point of entry provides good audit and access control | |

 

Summary

This article describes several methods to access virtual computers at Amazon AWS and Microsoft Azure cloud datacenters. The goal is a network configuration that balances being simple to set up, simple to use and secure, whether it is a two-node web site, a complex extension of a corporate datacenter or a research cluster with thousands of nodes.

What do you think about our assessment? How do you connect to your cloud computers today? Please comment on this article. Let’s make the world better connected and more secure – together.
