- Role-based, attribute-based, & just-in-time access to infrastructure
- Connect any person or service to any infrastructure, anywhere
- Logging like you've never seen
It has never been easier for your company to build new infrastructure. In just a few clicks, you can spin up shiny new servers and databases in the cloud and start using them in seconds.
However, in the rush to deploy new services so quickly, companies often let information security be an afterthought, and leave critical vulnerabilities and misconfigurations exposed to the internet. These issues can lead to costly breaches and damage your reputation as well.
In this article, we will look at common cloud infrastructure misconfigurations and how to address them using strongDM.
There are several misconfigurations companies make when setting up cloud infrastructure, here are 3 costly but avoidable ones:
Unprotected remote access
A report from ThreatStack assessed 200 companies using cloud infrastructure and found that nearly three-quarters of them had a service with at least one critical network security misconfiguration. For example, 73% of the companies ran infrastructure with a wide-open SSH connection, thus allowing attackers to try and guess valid credentials 24/7. Companies sometimes expose database servers to the Internet as well, and if those servers are missing application or operating system security patches, cybercriminals might be able to gain access to those servers without needing credentials at all. Services such as SSH and RDP should only be available behind a VPN connection which is ideally protected with two-factor authentication.
In general, companies tend to over-provision user accounts with access to network resources by giving entire groups (such as the IT/security staff) the ability to see all files and make changes across all systems. Worse yet, many administrator accounts are not configured to use strong passwords, so if just one of those many high-privilege accounts are compromised, the effects can be devastating to the organization. Instead, employees should have the minimal amount of rights necessary to do their jobs (the principle of least privilege), and that access should be subject to regular review to ensure it is always appropriate.
No logging/auditing in place
In the event of a security incident, arguably the most valuable asset to have - and that your incident response team will want to see - is logs. Unfortunately, many companies are either not logging all their critical assets, or the logs are missing the kind of verbose data needed to be valuable to an investigation. In the same vein, you need to be able to generate audit reports for your critical database servers and Web servers so you can answer some critical questions in real time: “Who was on this system, what were they doing, and when?”
Securing databases and servers with strongDM
Tackling the cloud security challenges mentioned above are easier said than done, and a solution like strongDM can greatly simplify the security, logging and auditing of your servers and databases. Here are the implementation steps at a high level:
Setup strongDM client
Once you have your strongDM account setup, login and download the client software to your management workstation:
Acquire necessary access
You will need administrator level access to the networks, databases and servers you want to secure. Typically, in a Microsoft Windows Active Directory environment, this is an account that has membership in the Domain Admins group. Your databases might be Active Directory integrated as well, but commonly use independent sets of administrative credentials. You might also wish to create a new administrative credential (called “strongDM” for example) to use with strongDM. This can help simplify installation and administration, and also easily identify this special administrative account when you’re looking through logs.
Provision a Linux server
To use strongDM, you will also need to install a Linux server to host the strongDM gateway. You need to select a virtual server instance with at least two CPUs and four GBs of memory. As an example, something in the AWS T2 should work, but any cloud host will suffice. If you’ve never built up a cloud Linux server before, our step-by-step tutorial on building a bastion host will help get you started with the necessary commands to deploy, update and start securing the server.
Create the strongDM gateway
- In the strongDM Admin UI, select the Relays tab and click Add Gateway.
- Provide the public IP of your Linux server. Also define the “bind IP,” which can be 0.0.0.0 to represent all interfaces.
- Click Create, and save the one-time use token that appears - you will need it later in the install.
- Log in to your Linux host and disable SELinux.
- Use the following commands to download, unzip and install the strongDM relay:
curl -J -O -L https://app.strongdm.com/releases/cli/linux
sudo ./sdm install --relay
- You will be prompted to supply the relay token you received in step 3.
- Once the install completes, enable SELinux (If you previously disabled it).
- Log in to the strongDM Admin UI again and refresh your browser. Under the Relay section you should see the new gateway you created with a status of Online.
Connect your datasources
Next, you will connect a database (called a “datasource”) following these steps:
- Ensure the datasource is accessible from your gateway server.
- Inside the strongDM portal, click the Datasources tab and click Add Data Source. You will then need to provide:
- Display name - the name that will appear for users who have access to this datasource
- Type of datasource - such as MySQL, SQL server, PostgreSQL, etc.
- Database port
- Database credentials
- Click Create and the new datasource should show up in the strongDM portal.
Query the datasource
Now you should be able to query your datasource in the strongDM portal:
- Click the Users tab.
- Select your username, then select your datasource from the Datasources tab.
- Open the strongDM client on your local machine, login with your credentials and the datasource you created should appear.
- Click the datasource and look for a green lightning bolt, which indicates a connection has been properly made between the strongDM client and datasource.
- Open your database client (such as Postico) and create a new connection with the host and port you assigned in your strongDM client. Leave the username and password blank, as authentication happens transparently through strongDM.
- Click Connect, and you are now ready to run your first query.
With so much of our critical infrastructure and sensitive data living in the cloud, it’s important to have a solid grasp of who is accessing this sensitive information, what changes are being made to systems, and when. To gain this deep level of visibility, you can go the DIY route and piece together the necessary software and services to get the job done. Or, consider strongDM for a turnkey solution aimed to get you up and running quickly and easily.
About the Author
Brian Johnson, Security Engineer / Podcaster, is the president of 7 Minute Security, an information security consultancy in the Minneapolis area. Brian spends most of his days helping companies defend their networks.
Since 2004, Brian has also run the blog/podcast called 7 Minute Security, where he shares what he has learned about information security into short, 7-minute chunks.