As more organizations move their data centers to the cloud, CIOs and IT professionals need to plan out a strategy for secure cloud access. The goal should be to maintain a balance—selecting a method that is simple to set up and use and provides a secure network configuration.
Fremont, CA: Cloud and hybrid IT infrastructures are on the rise, and businesses are moving to this environment in huge numbers. However, despite the many benefits of moving to the cloud, IT professionals have their fears: compared with local or on-premises data centers, cloud computing makes it harder to control communications and filter out suspicious traffic.
There are four main options for accessing cloud computers when implementing cloud infrastructure: direct access, VPN, virtual private cloud, and a session manager. IT professionals need to examine these options and find the right balance between streamlining access to computers and a well-thought-out, planned security strategy that the virtual network administrator can monitor and enforce.
The simplest and easiest method of logging in to a cloud computer is direct access, which opens the necessary port in the server's security policy. An IT admin can set up and configure the security policy easily and open access to the port only for connections made from specific IP addresses.
Filtering by IP range helps limit port exposure, but the list tends to grow once users realize that they need to access cloud computers from multiple locations.
Direct access shifts port protection to the server itself, exposing the computer to all kinds of internet attacks. Protocols like RDP or SSH are relatively secure, and IP range restrictions limit risk exposure enough for a quick or temporary solution. The difficulty of monitoring large numbers of security groups is one drawback of direct access. For large virtual networks, it is challenging to close specific ports or remove IP ranges from multiple security groups, and direct access offers limited auditing and access-list capabilities.
A VPN connection typically requires additional hardware or third-party software to establish a secure connection between cloud and on-premises networks. It provides a secure connection between on-premises and cloud data centers, but it requires substantial configuration effort. Once it is configured and rolled out, it joins the local and cloud networks into a single addressable space, hiding all computers from outside threats. The downside is that it can open computers to inside risks and leave cloud computers inaccessible from external locations, much as in a local data center. It also lacks the audit capabilities that many companies require.
Jump Server: A Gateway in the Cloud DMZ
The Virtual Private Cloud (VPC, on Amazon) and Virtual Network (on Microsoft Azure) isolate multiple cloud computers in a private environment with a hidden IP space that is not exposed to the internet. Users access the system through a single gateway, and computers inside the network connect to each other when needed.
One can log in to the hidden virtual computers through a dedicated virtual network gateway: a computer located inside the virtual cloud network that exposes a remote connection protocol to the internet. Users RDP, SSH, or VNC into this portal, and from there they connect to other computers on the local virtual network. The network segment containing such gateways is called the DMZ; it is exposed to outside threats but contains no sensitive information or essential software that would be difficult to rebuild. In networking terms, such portals are called jump servers.
A remote-access gateway located in the DMZ is reasonably simple to set up. It provides a decent level of security and protection for the computers inside the virtual network: those computers are completely shielded from outside threats, and the gateway offers a single point of entry for sufficient auditing and access control. Such gateways do not perform well when many users try to access the virtual network at once, but they serve as good entry points for occasional use, and multiple gateways can be set up to handle heavier loads.
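The two findings an administrator would check for in the direct-access and jump-server models above can be audited from the security-group rules alone: an admin port (SSH, RDP, VNC) open to the whole internet, and a private host that accepts an admin protocol from anything other than the jump host's group, which lets the single point of entry be skipped. The following Python is an added example written for this page, not code from the article or from any cloud provider's tooling; the group ids (sg-jump, sg-app, sg-db) and the rule list are constructed, using documentation IP ranges, and the `Rule` shape is a simplification of what a provider's security-group listing returns.

```python
from dataclasses import dataclass
from ipaddress import ip_network

# Remote-administration ports that should never be reachable from the whole internet.
ADMIN_PORTS = {22: "SSH", 3389: "RDP", 5900: "VNC"}


@dataclass(frozen=True)
class Rule:
    """One inbound rule: the security group it belongs to, the TCP port it opens, and the
    source, which is either a CIDR string or the id of another security group."""
    group: str
    port: int
    source: str


# Constructed sample rule set (hypothetical group ids and documentation IP ranges, not real data).
SAMPLE_RULES = [
    Rule("sg-jump", 22, "203.0.113.0/24"),    # jump host: SSH from the corporate range only
    Rule("sg-jump", 3389, "0.0.0.0/0"),       # jump host: RDP open to the whole internet
    Rule("sg-app", 22, "sg-jump"),            # private host: SSH only from the jump host
    Rule("sg-db", 3389, "198.51.100.7/32"),   # private host: RDP straight from one laptop IP
    Rule("sg-app", 443, "0.0.0.0/0"),         # public web port, not an admin protocol
]


def source_is_cidr(source: str) -> bool:
    """True when the source is an IP range rather than a reference to another group."""
    try:
        ip_network(source, strict=False)
        return True
    except ValueError:
        return False


def source_is_world(source: str) -> bool:
    """True for 0.0.0.0/0 or ::/0, i.e. any address on the internet."""
    return source_is_cidr(source) and ip_network(source, strict=False).prefixlen == 0


def internet_exposed_admin_ports(rules):
    """Direct-access finding: an admin port reachable from any internet address."""
    return [r for r in rules if r.port in ADMIN_PORTS and source_is_world(r.source)]


def jump_host_bypasses(rules, jump_group, private_groups):
    """Jump-server finding: a private host that accepts an admin protocol from anything other
    than the jump host's group, so the single point of entry can be skipped."""
    return [r for r in rules
            if r.group in private_groups and r.port in ADMIN_PORTS and r.source != jump_group]


def cidr_entries_per_group(rules):
    """Distinct CIDR allow-list entries per group; a growing count is the bookkeeping burden
    the text describes for direct access."""
    seen = {}
    for r in rules:
        if source_is_cidr(r.source):
            seen.setdefault(r.group, set()).add(r.source)
    return {group: len(sources) for group, sources in seen.items()}


def tighten(rules, replacement_source):
    """Return a copy of the rule set with every world-open admin rule narrowed to
    replacement_source (for example the corporate egress range); other rules are unchanged."""
    return [Rule(r.group, r.port, replacement_source)
            if r.port in ADMIN_PORTS and source_is_world(r.source) else r
            for r in rules]


def audit(rules, jump_group, private_groups):
    """Summarize the findings as plain tuples so they are easy to print or assert on."""
    def describe(r):
        return (r.group, ADMIN_PORTS[r.port], r.source)

    return {
        "internet_exposed": [describe(r) for r in internet_exposed_admin_ports(rules)],
        "jump_bypass": [describe(r) for r in jump_host_bypasses(rules, jump_group, private_groups)],
        "cidr_entries": cidr_entries_per_group(rules),
    }


if __name__ == "__main__":
    private = {"sg-app", "sg-db"}
    for key, value in audit(SAMPLE_RULES, "sg-jump", private).items():
        print(f"{key}: {value}")
    fixed = tighten(SAMPLE_RULES, "203.0.113.0/24")
    print("after tighten:", audit(fixed, "sg-jump", private)["internet_exposed"])
```

Against the sample, the audit reports the jump host's world-open RDP rule and the database host's direct RDP allowance that bypasses the jump host, and `tighten` shows the bulk change the text calls difficult: every world-open admin rule across all groups is narrowed in one pass. Feeding it a real listing means mapping the provider's rule objects onto `Rule`; port ranges and UDP rules are not modelled here.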
A session manager is quickly becoming the preferred method at many companies. It is specialized software deployed on the jump server, the cloud computer in the DMZ. It accepts HTTPS traffic from the internet and converts it to the RDP, SSH, or VNC protocols to set up connections to the computers in the virtual cloud network. A user needs only a regular browser to interact with remote computers, without installing an RDP, SSH, or VNC client. The session manager can support multiple sessions at once and maintains the list of computers in the virtual cloud network to which it can open connections. It also keeps the identities (passwords and certificates) for these computers and connects to them without exposing those identities to the end user, which simplifies system maintenance and security. Session managers provide auditing and out-of-the-box support for many compliance and industry regulations, making them an ideal solution for companies in highly regulated industries.
Session managers used to be on-premises software that was difficult to maintain. Today there are cloud-aware session managers that are simple to set up and use and can provide secure access to cloud computers located in cloud virtual networks. These solutions use a modern, agile architecture; they are agentless, cloud-ready, scalable, and affordable. While session managers are third-party solutions, free downloads allow you to try the software first, which makes evaluating this option easy and painless.
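The security property that distinguishes a session manager from a plain jump server is the one the paragraph above names: the credential for each private host stays with the broker, the user receives only a session handle, and every attempt (allowed or denied) is written to an audit trail. The following Python models that role; it is an added example written for this page, not code from the article or from any session-manager product. The `SessionBroker` class, the target names (app-1, db-1), the users, the private addresses and the placeholder secrets are all constructed, and the back-end RDP/SSH/VNC leg is represented by a comment rather than a real connection.

```python
import secrets
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class Target:
    host: str       # private address inside the virtual network, reachable only from the broker
    protocol: str   # "ssh", "rdp" or "vnc": the leg the session manager opens on the user's behalf


@dataclass(frozen=True)
class AuditEntry:
    when: str
    user: str
    target: str
    outcome: str    # "allowed" or "denied"


class SessionBroker:
    """Model of the session-manager role: it holds the list of private hosts, who may reach
    which host, and the credential for each host. A caller gets back a connection handle
    that carries no credential material, and every attempt lands in the audit log."""

    def __init__(self, targets, permissions, vault):
        self._targets = dict(targets)
        self._permissions = {user: set(names) for user, names in permissions.items()}
        self._vault = dict(vault)   # target name -> secret; never returned to a user
        self.audit_log = []

    def _record(self, user, target, outcome):
        stamp = datetime.now(timezone.utc).isoformat()
        self.audit_log.append(AuditEntry(stamp, user, target, outcome))

    def open_session(self, user, target_name):
        """Authorize the request, then open the back-end leg with the vaulted credential."""
        if target_name not in self._permissions.get(user, set()):
            self._record(user, target_name, "denied")
            raise PermissionError(f"{user} is not allowed to reach {target_name}")
        target = self._targets[target_name]
        credential = self._vault[target_name]
        # A real session manager authenticates the RDP/SSH/VNC leg with `credential` here.
        # This model only checks that one exists; the value goes no further than this scope.
        if not credential:
            raise RuntimeError(f"no credential vaulted for {target_name}")
        self._record(user, target_name, "allowed")
        return {"session_id": secrets.token_hex(8), "host": target.host, "protocol": target.protocol}


# Constructed sample inventory (hypothetical names, private addresses and placeholder secrets).
SAMPLE_TARGETS = {
    "app-1": Target("10.0.1.10", "ssh"),
    "db-1": Target("10.0.2.20", "rdp"),
}
SAMPLE_PERMISSIONS = {"alice": ["app-1"], "bob": ["app-1", "db-1"]}
SAMPLE_VAULT = {"app-1": "placeholder-app-secret", "db-1": "placeholder-db-secret"}


def make_broker():
    return SessionBroker(SAMPLE_TARGETS, SAMPLE_PERMISSIONS, SAMPLE_VAULT)


def session_denied(broker, user, target_name):
    """True when the broker refuses the request (lets callers check without try/except)."""
    try:
        broker.open_session(user, target_name)
    except PermissionError:
        return True
    return False


def handle_leaks_secret(handle):
    """True if any vaulted secret appears anywhere in the handle handed to the user."""
    text = repr(handle)
    return any(secret in text for secret in SAMPLE_VAULT.values())


if __name__ == "__main__":
    broker = make_broker()
    print(broker.open_session("alice", "app-1"))
    print("alice -> db-1 denied:", session_denied(broker, "alice", "db-1"))
    for entry in broker.audit_log:
        print(entry)
```

The handle returned to the user names the host and protocol but never the credential, and the audit log is the per-attempt record that the text says direct access and VPNs lack. In a deployed product the vault would be an external secret store and the audit entries would be shipped off-box, since the broker itself sits in the DMZ.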