Preventive security measures for workloads deployed into the Amazon Web Services (AWS), Google Cloud Platform (GCP) or Microsoft Azure clouds, commonly known as guardrails, are the foundation for keeping NCSU’s data safe in the cloud. These guardrails are a flexible set of security measures that enforce a basic level of security for applications and infrastructure deployed into the cloud.
The foundation of the NCSU cloud guardrails is the set of Center for Internet Security (CIS) benchmarks published for each of the clouds that OIT supports. These baselines are built around industry standards and best practices and are designed not to hinder the ability to deploy and manage cloud workloads.
Additional controls will be configured to prevent the circumvention of the security configurations for logging, access and network management.
Identity and Access Management (IAM) refers to the management of the credentials used to perform administration tasks in an OIT-provisioned cloud environment. These credentials can be used to configure, manage and delete resources through a cloud management portal, through infrastructure as code (IaC) tools such as Terraform, or through a vendor-managed interface such as the AWS CLI.
Multi-factor authentication is required on all Unity accounts that will be used to perform administrative duties in the cloud. Additionally, cloud resources must be maintained by NCSU users with a valid Unity account.
IaC users that are provisioned manually must be configured with a password expiration. Where the platform supports it, it is also a best practice to restrict these accounts with a network access list to further secure them.
Server and infrastructure resources deployed in cloud datacenters require a network to work correctly, and this network must be properly configured to adequately protect the servers and applications deployed in the cloud.
Specific controls recommended by the CIS guidelines include restricting server management ports from the internet and ensuring that the principle of least privilege extends to resources that may be inadvertently exposed to the internet or back to the NCSU campus.
Cloud storage accounts, buckets and other storage should be encrypted at rest and in transit. Furthermore, they should not be exposed to the internet without an access control list or another measure that restricts access.
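The network and storage controls above can be checked mechanically before or after deployment. The following is an added example written for this page, not NCSU or OIT code: it runs CIS-style checks over hand-built resource descriptions shaped like AWS security group, S3 encryption, public-access-block and bucket-policy output. The group IDs, bucket names and finding codes are constructed for the example; the same checks apply to GCP firewall rules or Azure NSGs with a different input shape.

```python
"""CIS-style guardrail checks over constructed cloud resource descriptions.

Added example, not NCSU/OIT code. Inputs are hand-built dictionaries that
resemble AWS describe-security-groups output and S3 bucket settings; all
IDs, names and finding codes are constructed for this example.
"""
import ipaddress

# Server management ports the guardrails say must not be open to the internet.
MANAGEMENT_PORTS = (22, 3389)  # SSH, RDP


def is_world_open(cidr: str) -> bool:
    """True for 0.0.0.0/0 or ::/0, i.e. a prefix length of zero."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def rule_covers_port(rule: dict, port: int) -> bool:
    """True if an inbound rule permits the given TCP port."""
    if rule.get("IpProtocol") == "-1":  # "-1" means all protocols and ports
        return True
    if rule.get("IpProtocol") not in ("tcp", "6"):
        return False
    lo, hi = rule.get("FromPort"), rule.get("ToPort")
    return lo is not None and hi is not None and lo <= port <= hi


def exposed_management_ports(group: dict) -> list:
    """Return (group id, port, cidr) for each management port open to the world."""
    findings = []
    for rule in group.get("IpPermissions", []):
        cidrs = [r["CidrIp"] for r in rule.get("IpRanges", [])]
        cidrs += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
        for cidr in cidrs:
            if not is_world_open(cidr):
                continue
            for port in MANAGEMENT_PORTS:
                if rule_covers_port(rule, port):
                    findings.append((group["GroupId"], port, cidr))
    return findings


def denies_insecure_transport(policy: dict) -> bool:
    """True if the bucket policy denies requests with aws:SecureTransport=false."""
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Deny":
            continue
        cond = stmt.get("Condition", {}).get("Bool", {})
        if str(cond.get("aws:SecureTransport", "")).lower() == "false":
            return True
    return False


def bucket_findings(bucket: dict) -> list:
    """Finding codes for missing at-rest encryption, public-access blocking or TLS-only policy."""
    findings = []
    if not bucket.get("ServerSideEncryptionConfiguration", {}).get("Rules"):
        findings.append("no-encryption-at-rest")
    pab = bucket.get("PublicAccessBlockConfiguration", {})
    flags = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")
    if not all(pab.get(f) is True for f in flags):
        findings.append("public-access-not-blocked")
    if not denies_insecure_transport(bucket.get("Policy", {})):
        findings.append("no-tls-only-policy")
    return findings


# --- constructed sample input (not real resources) ---------------------------
SG_OPEN_SSH = {  # violates the guardrail: SSH reachable from anywhere
    "GroupId": "sg-constructed-0001",
    "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                       "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}],
}
SG_OK = {  # compliant: SSH only from a private range, HTTPS public
    "GroupId": "sg-constructed-0002",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
    ],
}
BUCKET_OK = {
    "Name": "constructed-bucket-ok",
    "ServerSideEncryptionConfiguration": {"Rules": [
        {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms"}}]},
    "PublicAccessBlockConfiguration": {"BlockPublicAcls": True, "IgnorePublicAcls": True,
                                       "BlockPublicPolicy": True, "RestrictPublicBuckets": True},
    "Policy": {"Statement": [{"Effect": "Deny", "Principal": "*", "Action": "s3:*",
                              "Resource": "arn:aws:s3:::constructed-bucket-ok/*",
                              "Condition": {"Bool": {"aws:SecureTransport": "false"}}}]},
}
BUCKET_BAD = {"Name": "constructed-bucket-bad",
              "PublicAccessBlockConfiguration": {"BlockPublicAcls": True}}


def evaluate(groups, buckets) -> dict:
    """Collect findings keyed by resource name; an empty dict means compliant."""
    report = {}
    for g in groups:
        if exposed_management_ports(g):
            report[g["GroupId"]] = exposed_management_ports(g)
    for b in buckets:
        if bucket_findings(b):
            report[b["Name"]] = bucket_findings(b)
    return report


if __name__ == "__main__":
    for resource, hits in evaluate([SG_OPEN_SSH, SG_OK], [BUCKET_OK, BUCKET_BAD]).items():
        print(resource, hits)
```

In practice the input dictionaries would come from the provider's API or from the Terraform plan before apply, so a violation blocks the deployment rather than being found afterwards. The public-access check requires every block flag to be true because a single missing flag (as in `BUCKET_BAD`) still leaves a path to public exposure.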
Cloud environment alerts are configured for the update, change or removal of specific resources deployed for network security, for tracking administrative changes, and for budget notifications, any of which may be an early indication that the configured cloud environment has been compromised.
Cloud security resources are primarily deployed in the regions supported by NCSU. This support includes the network infrastructure that manages the network resources providing connectivity back to NCSU, network security logging, and alerting on resource consumption.
Other regions can be used if needed, but there is additional overhead to ensure that the region-specific tools are deployed in a consistent and secure manner. Regions outside of the United States may also be subject to data sovereignty restrictions.
Exceptions can be created for these configurations on an as-needed basis, either during the initial cloud request/deployment or through a request to the OIT Cloud Services and Support Group. The process includes documentation for the exception and, if possible, an expiration date for the specific control that needs to be reconfigured.