Rhand Leal In a previous article, I wrote about network segregation considering a physical network structure (see: Requirements to implement network segregation according to ISO 27001 control A.13.1.3), and while the concepts presented there are still valid when you consider network segregation in cloud computing environments, some new considerations must be made.
Cloud environments add a new set of network segregation aspects that can endanger both cloud service users and cloud service providers, and these should be properly evaluated and treated. In this article, I will give an overview about these new aspects and how ISO 27017, a code of practice for information security for cloud services, can help to properly address and define security controls.
How do networks work in cloud environments?
All communication in cloud environments goes through the so-called hypervisor, a piece of software that manages all virtual machines in a host server. For each virtual machine created, the hypervisor designates at least one virtual network interface that works similarly to a physical one.
Besides that, the hypervisor can create “virtual switches” that, like physical switches, manage groups of machines that can communicate directly with each other and limit broadcast traffic. The hypervisor can create as many virtual switches as the host machine resources allow, and each one can be configured for a particular set of machines.
When it is necessary for a virtual machine to communicate with something outside the host server, the hypervisor also manages the communication of that machine with the physical server’s network interface.
But, the main functionality of the hypervisor, the one that allowed the proliferation of cloud computing, was the capability of hypervisors to communicate with each other, which means that a whole virtual machine can be moved from one physical host to another (like a big file), providing dynamic resource allocation (e.g., if you have a virtual machine that requires more resources and the actual host server cannot meet such demand, you can simply move that virtual machine to a more robust physical server without compromising it).
Impacts related to improper segregation
The main impacts related to failure to implement proper cloud network segregation are:
- Users being able to access each other’s information. This is particularly bad when competitors co-exist within the same cloud environment.
- Penalties for not fulfilling legal and regulatory requirements (e.g., compliance with legal requirements such as PCI-DSS, HIPAA, and UE GDPR requires great help from segregating personal information from less sensitive or general network traffic data).
So, what are the new segregation risks?
Considering the previous scenario, we can identify the following risks related to cloud network segregation:
- Hypervisor compromise: its capacity to create and modify network interfaces and virtual switches adds a critical situation regarding both access control and segregation.
- Virtual machine data compromise during migration: besides the natural risk of VM compromise through a compromised hypervisor, a virtual machine can be exposed during transfer between two physical hosts.
- Lack of alignment between virtual and physical configurations: outside the host server environment, the communication relies on network physical devices (e.g., switches).
How can ISO 27017 help manage cloud network segregation risks?
As stated before, basically all recommendations included in ISO 27001 control A.13.1.3 (segregation in networks), and detailed in ISO 27002, are applicable to cloud network segregation, but some of them can be more detailed by ISO 27017 in terms of traffic segregation.
Normally, traffic segregation considers production traffic (users’ access to cloud services), management traffic (administrators’ access to hypervisor and network management functionalities), and operational traffic (e.g., storage area traffic). In the case of a cloud network, an additional type of traffic should be considered: the hypervisor traffic (the information about virtual machines and switches). Additionally, production traffic should be segregated at a client level (different clients, different network paths).
Specific to ISO 27017, there are three controls recommendations:
- The hypervisor should be included as one of the services to be under the access control policy, so there are proper rules to access and use its functionalities, as well as implement controlled changes.
- Cloud service customers should request information from cloud service providers regarding how networks are segregated, so they can better evaluate and ensure the cloud service provider controls fulfill their security requirements.
- Cloud service providers should implement policies to ensure that virtual and physical configurations support each other, and operational documentation to ensure proper configuration of the cloud network.
Share resources, segregate environments and information
The resource optimization provided by cloud infrastructure has allowed great price reduction in providing cloud services as a business, attracting many organizations to this solution. But, providing a shared environment requires a lot of planning and control to minimize the risk of accidental or intentional unauthorized access to customers’ information.
By adopting the ISO 27001 controls and ISO 27017 recommendations, a cloud service provider can improve its control over the cloud resources, segregating them at levels that will allow the right allocation of resources without letting information go unprotected.
To learn more about network segregation, please see our free online training: ISO 27001:2013 Foundations Course.
