What is Management Plane (Metastructure) Security

Written by Ashwin Chaudhary, CEO, Accedere.

Metastructure refers to the protocols and mechanisms that provide the interface between the
infrastructure layer and the other layers. As per Cloud Security Alliance’s Security Guidance
v4.0, it is the glue that ties the technologies together and enables management and configuration.

The management plane is

  • The single most significant security difference between traditional infrastructure and
    cloud computing.
  • Refers to the interfaces for managing your cloud resources and cloud deployments.
  • Different from traditional infrastructure security and the most critical piece to protect.
  • How you launch virtual machines and configure virtual networks.
  • The admin tab in a SaaS environment.

Key Functions

  • Provisioning resources required in the cloud.
  • Starting/stopping/terminating services required in the cloud.
  • Configuring resources, including adding/modifying/removing resources in the cloud.

Securing Management Plane

  • Secure root account.
  • Manage non-root users.
  • Enable monitoring/auditing.

Security Considerations

There are five major factors in building and managing a secure management plane.

  • Perimeter security: Protecting against attacks on the management plane’s
    components, including web and API servers.
  • Customer authentication: Providing secure mechanisms for customers to
    authenticate to the management plane using existing standards (like OAuth or HTTP
    request signing). Customer authentication should support MFA as an option or
    requirement.
  • Internal authentication and credential passing: Cloud providers should always
    mandate MFA for cloud management authentication from internal users.
  • Authorization and entitlements: Authorization is the right or permission granted to a
    system entity to access a system resource. The entitlements are available to
    customers and internal administrators. Granular entitlements enable customers to
    securely manage their users and administrators and, internally, reduce the impact of
    an administrator account being compromised.
  • Logging, monitoring, and alerting: Robust logging and monitoring of administrative
    activities is essential for effective security and compliance. This applies to what the
    customer does in their account, and what employees do in their day-to-day
    management of the service. Alerting on unusual events is an important security control
    to ensure that monitoring is actionable.
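
As an added illustration of the logging, monitoring, and alerting factor (not code from the original article or from the CSA guidance), the following Python example turns management-plane audit events into alerts for root account use, logins without MFA, audit logging being switched off, and a burst of terminations by one actor. The event schema, action names, and thresholds are assumptions made for the example, and the sample events are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Hypothetical action names and thresholds (assumptions, not a real provider's API).
LOGGING_ACTIONS = {"StopAuditLog", "DeleteAuditLog"}
BURST_LIMIT = 3                       # terminations by one actor ...
BURST_WINDOW = timedelta(minutes=5)   # ... within this window raise an alert

def detect(events):
    """Return (time, actor, rule) alerts for management-plane audit events."""
    alerts = []
    recent = defaultdict(deque)       # actor -> timestamps of recent terminations
    for ev in sorted(events, key=lambda e: e["time"]):
        ts = datetime.fromisoformat(ev["time"])
        actor, action = ev["actor"], ev["action"]
        if ev.get("is_root"):                       # any use of the root account
            alerts.append((ev["time"], actor, "root-account-use"))
        if action == "Login" and not ev.get("mfa"): # missing flag counts as no MFA
            alerts.append((ev["time"], actor, "login-without-mfa"))
        if action in LOGGING_ACTIONS:               # monitoring being turned off
            alerts.append((ev["time"], actor, "audit-logging-disabled"))
        if action == "TerminateResource":           # unusual volume of terminations
            q = recent[actor]
            q.append(ts)
            while ts - q[0] > BURST_WINDOW:         # drop events outside the window
                q.popleft()
            if len(q) >= BURST_LIMIT:
                alerts.append((ev["time"], actor, "bulk-terminate"))
                q.clear()                           # one alert per burst
    return alerts

# Constructed sample events in the hypothetical schema used above.
SAMPLE_EVENTS = [
    {"time": "2024-05-01T09:00:00", "actor": "alice", "action": "Login", "mfa": True},
    {"time": "2024-05-01T09:02:00", "actor": "bob", "action": "Login", "mfa": False},
    {"time": "2024-05-01T09:10:00", "actor": "root", "is_root": True,
     "action": "Login", "mfa": True},
    {"time": "2024-05-01T09:11:00", "actor": "root", "is_root": True,
     "action": "StopAuditLog"},
    {"time": "2024-05-01T09:20:00", "actor": "bob", "action": "TerminateResource"},
    {"time": "2024-05-01T09:21:00", "actor": "bob", "action": "TerminateResource"},
    {"time": "2024-05-01T09:22:00", "actor": "bob", "action": "TerminateResource"},
    {"time": "2024-05-01T10:30:00", "actor": "alice", "action": "TerminateResource"},
]

if __name__ == "__main__":
    for when, who, rule in detect(SAMPLE_EVENTS):
        print(when, who, rule)
```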

About the Author

Ashwin Chaudhary is the CEO of Accedere, a Data Security, Privacy Audit, and Training Firm.
He is a CPA from Colorado, MBA, CITP, CISA, CISM, CGEIT, CRISC, CISSP, CDPSE, CCSK, PMP,
ISO27001 LA, ITILv3 certified cybersecurity professional with about 20 years of
cybersecurity/privacy and 40 years of industry experience. He has managed many
cybersecurity projects covering SOC reporting, ISO audits, VAPT assessments, Privacy, IoT,
Governance Risk, and Compliance.

