Resource sharing and virtualization create direct channels between cloud-based applications. Unfortunately, the benefits offered by this practice are outweighed by the risk of accidentally interfering with the operations of another application or exposing it to deliberate attacks.
It is possible to isolate these applications by hosting them on dedicated cloud servers rather than on virtual machines or cloud-based containers. However, since scalability depends on pooling resources, the dedicated-server approach is likely to reduce performance.
One way to secure these applications is to implement specific isolation policies, especially between hosts and the network. Internal governance and security practices define exactly what should be separated and how; the isolation strategies below help ensure that those guidelines are actually followed.
Let’s take a look at some best practices for setting up a good isolation strategy in cloud computing scenarios. The first step is to select a cloud hosting approach that provides the necessary isolation for particular types of applications and components. From there, teams need to add protections around network connectivity, API access, and database sharing.
Choose a cloud hosting strategy
Let’s start with hosting. Sharing resources in a cloud carries the risk that an application’s performance suffers when another application on the same server monopolizes resources. This situation is often hard to detect, because the team may assume the problem is a workload bottleneck or some other common cause.
You can limit these issues by selecting the right hosting model, which consists of three broad categories:
- VM or IaaS services
- container services
- functional and serverless computing
Short of dedicated servers, IaaS offers the strongest inherent isolation. For applications with critical security and performance needs, select the IaaS option. The isolation capabilities of containers are improving steadily and are more than sufficient for typical commercial applications. The risks of function and serverless computing are harder to assess because their implementation options are still emerging.
For container services, isolation issues often stem from poor management of the cloud-based container environment. For organizations with limited staff or limited container management skills, third-party managed container services are a popular – and very secure – option. Even well-staffed organizations should consider using a single, integrated container platform rather than relying on an incompatible collection of custom tools. Keep in mind, however, that container performance is often more sensitive to resource usage than the typical VM option.
Isolate applications at the network level
Incorrect network configuration often leaves applications vulnerable and open to attack. To avoid this, isolate applications at the network level and use only one address space per application group.
For added security, public cloud services typically operate in a private IP address space that protects them from outside access. Even then, it is still a good idea to deploy related applications as a group and keep them in a common address space.
Examine the API exposure
Public APIs are a must if external systems need to access an internal application. However, be careful not to accidentally expose APIs that are not intended for external use. If possible, expose APIs through a dedicated corporate VPN rather than the public internet. For even finer control of your network, consider implementing a virtual network or SD-WAN. These are available from network vendors such as Juniper and Cisco, or from cloud software companies like VMware.
You should also consider segmenting part of the corporate VPN address space into a subnet containing the addresses and APIs that are shared on a cloud network. Then designate a specific collection of protected APIs to form a kind of “boundary” that secures the rest of the VPN.
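The two network rules above (one address space per application group, and a protected-API subnet carved out of the VPN space) can be checked against a deployment inventory before anything goes live. The script below is an added example, not code from the original article; the inventory, VPN range and API subnet are constructed sample values.

```python
import ipaddress
from collections import defaultdict

# Constructed sample inventory: each component is tagged with its application
# group and the address space it was actually placed in. Two mistakes are planted:
# "billing" spans two spaces, and "reports" overlaps the billing space.
DEPLOYMENT = [
    {"component": "orders-web",  "group": "orders",  "cidr": "10.10.0.0/24"},
    {"component": "orders-api",  "group": "orders",  "cidr": "10.10.0.0/24"},
    {"component": "billing-db",  "group": "billing", "cidr": "10.20.0.0/24"},
    {"component": "billing-api", "group": "billing", "cidr": "10.30.0.0/24"},
    {"component": "reports-job", "group": "reports", "cidr": "10.20.0.0/25"},
]
VPN_SPACE = "10.0.0.0/8"            # hypothetical corporate VPN address space
API_BOUNDARY_SUBNET = "10.250.0.0/24"  # hypothetical subnet for the protected APIs


def check_isolation(deployment, vpn_space, api_subnet):
    """Return a list of findings; an empty list means the layout follows the guidance."""
    vpn = ipaddress.ip_network(vpn_space)
    api = ipaddress.ip_network(api_subnet)
    findings = []
    spaces = defaultdict(set)
    for d in deployment:
        spaces[d["group"]].add(ipaddress.ip_network(d["cidr"]))
    # Rule 1: exactly one address space per application group.
    for group, nets in spaces.items():
        if len(nets) > 1:
            findings.append(f"{group}: spans {len(nets)} address spaces {sorted(map(str, nets))}")
    # Rule 2: no two groups share or overlap an address space.
    groups = sorted(spaces)
    for i, a in enumerate(groups):
        for b in groups[i + 1:]:
            for na in spaces[a]:
                for nb in spaces[b]:
                    if na.overlaps(nb):
                        findings.append(f"{a} ({na}) overlaps {b} ({nb})")
    # Rule 3: the protected-API subnet lies inside the VPN space and collides with no group.
    if not api.subnet_of(vpn):
        findings.append(f"API boundary subnet {api} is outside VPN space {vpn}")
    for group, nets in spaces.items():
        for n in nets:
            if n.overlaps(api):
                findings.append(f"{group} ({n}) overlaps API boundary subnet {api}")
    return findings


if __name__ == "__main__":
    for finding in check_isolation(DEPLOYMENT, VPN_SPACE, API_BOUNDARY_SUBNET):
        print("FINDING:", finding)
```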
Protect access to the shared database
A database is a perfect example of an application resource that needs the protection of isolation in cloud computing. A typical database management system (DBMS) supports concurrent use, but its concurrency control can limit the speed at which multiple applications access the database.
This is more likely to happen when the software components that access a DBMS scale dynamically in response to workloads. Typically, the only components that should need to scale dynamically are those that do not share a database.