Introduction
In a customer DRP space, security is a top priority for protecting IT resources. This article presents the native security solutions available in the OTC (Open Telekom Cloud), which offer robust functionality for resource protection.
We will look in detail at security groups, access control lists (ACLs), identity and access management (IAM), monitoring with CloudEye, CloudTraceService (CTS) logs, virtual private cloud (VPC) isolation, and secure connection options such as IPSec VPN.
OTC Cloud security solutions
Security groups
Security groups act as virtual firewalls, controlling network traffic to and from instances. These groups can be used to define traffic rules based on specific criteria:
- Inbound and outbound rules: Inbound rules specify the traffic allowed to enter an instance, while outbound rules control outbound traffic. For example, an inbound rule may allow only HTTP (port 80) and HTTPS (port 443) traffic from certain IP addresses.
- Filtering by IP and port: Administrators can restrict access to specific IP address ranges or ports, thus limiting potential entry points to only those addresses or services required.
- Stateless vs. stateful: Security groups are generally stateful, meaning that return traffic for a connection that was allowed in is automatically permitted without a separate outbound rule, which simplifies rule management.
Access Control Lists (ACLs)
Access Control Lists (ACLs) provide network traffic control at subnet level, offering additional granularity in security management:
- Traffic control rules: ACLs let you define rules that accept or reject traffic based on criteria such as source IP address, destination IP address, ports and protocols.
- Advanced filtering: Unlike security groups, ACLs can be applied at more specific network levels, such as controlling traffic between subnets or even individual network interfaces.
- Rule order: ACLs are generally evaluated in a defined order, and the first matching rule is applied. Careful management of rule order is therefore crucial to effective security.
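The following Python model is added here as an illustration of the two filtering layers just described; it is not code from the original article or from OTC. It models a security group as allow-only and stateful (a reply to an admitted connection passes without its own rule) and a network ACL as an ordered, stateless list where the first matching rule decides and anything unmatched is dropped. The `Rule`, `Packet`, `SecurityGroup` and `NetworkAcl` shapes, the addresses and the port ranges are all constructed assumptions, not the provider's API objects.

```python
import ipaddress
from dataclasses import dataclass

# Simplified model of the two filtering layers described above. Rule and
# packet shapes are assumptions for this example, not the provider's API.

@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

    def key(self):
        return (self.proto, self.src, self.sport, self.dst, self.dport)

    def reverse_key(self):
        # The 5-tuple a reply to this packet would carry
        return (self.proto, self.dst, self.dport, self.src, self.sport)


@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "deny" (security groups only use "allow")
    direction: str               # "inbound" or "outbound"
    cidr: str                    # remote network the rule applies to
    ports: tuple = (0, 65535)    # inclusive destination-port range
    proto: str = "tcp"

    def matches(self, pkt: Packet, remote: str) -> bool:
        return (pkt.proto == self.proto
                and ipaddress.ip_address(remote) in ipaddress.ip_network(self.cidr)
                and self.ports[0] <= pkt.dport <= self.ports[1])


def remote_of(pkt: Packet, direction: str) -> str:
    # Inbound rules filter on the sender, outbound rules on the receiver
    return pkt.src if direction == "inbound" else pkt.dst


class SecurityGroup:
    """Instance-level, allow-only and stateful: once a connection is
    admitted, its reply packets pass without a rule of their own."""

    def __init__(self, rules):
        self.rules = rules
        self.flows = set()

    def check(self, pkt: Packet, direction: str) -> bool:
        if pkt.reverse_key() in self.flows:
            return True                       # reply to an admitted connection
        for rule in self.rules:
            if rule.direction == direction and rule.matches(pkt, remote_of(pkt, direction)):
                self.flows.add(pkt.key())
                return True
        return False                          # implicit deny


class NetworkAcl:
    """Subnet-level, ordered and stateless: the first matching rule decides,
    no match means deny, and replies need a rule of their own."""

    def __init__(self, rules):
        self.rules = rules

    def check(self, pkt: Packet, direction: str) -> bool:
        for rule in self.rules:
            if rule.direction == direction and rule.matches(pkt, remote_of(pkt, direction)):
                return rule.action == "allow"
        return False


def run_scenario() -> dict:
    """Push a constructed traffic mix for a web server (10.0.1.5) through the
    ACL and then the security group; return which packets were admitted."""
    web_sg = SecurityGroup([
        Rule("allow", "inbound", "203.0.113.0/24", (80, 80)),
        Rule("allow", "inbound", "203.0.113.0/24", (443, 443)),
        Rule("allow", "outbound", "10.0.2.0/24", (5432, 5432)),   # only the DB subnet
    ])
    acl = NetworkAcl([
        Rule("deny", "inbound", "203.0.113.99/32"),                # blocked host first
        Rule("allow", "inbound", "203.0.113.0/24", (443, 443)),
        Rule("allow", "outbound", "0.0.0.0/0", (1024, 65535)),     # stateless: reply ports
    ])
    client_req = Packet("tcp", "203.0.113.10", 51000, "10.0.1.5", 443)
    server_reply = Packet("tcp", "10.0.1.5", 443, "203.0.113.10", 51000)
    unsolicited = Packet("tcp", "10.0.1.5", 443, "198.51.100.7", 40000)
    blocked_req = Packet("tcp", "203.0.113.99", 51001, "10.0.1.5", 443)
    ssh_req = Packet("tcp", "203.0.113.10", 51002, "10.0.1.5", 22)

    return {
        "client_https": acl.check(client_req, "inbound") and web_sg.check(client_req, "inbound"),
        "server_reply": web_sg.check(server_reply, "outbound") and acl.check(server_reply, "outbound"),
        "unsolicited_outbound": web_sg.check(unsolicited, "outbound"),
        "blocked_host": acl.check(blocked_req, "inbound"),
        "ssh_from_internet": acl.check(ssh_req, "inbound") and web_sg.check(ssh_req, "inbound"),
        # Same ACL rules with the deny placed after the allow: order changes the verdict
        "blocked_host_if_reordered": NetworkAcl(list(reversed(acl.rules))).check(blocked_req, "inbound"),
    }


if __name__ == "__main__":
    for name, admitted in run_scenario().items():
        print(f"{name:26} {'ADMIT' if admitted else 'DROP'}")
```

Two points the model makes visible: the server's reply passes the security group only because the request was tracked (the outbound rule alone would not allow it), while the stateless ACL needs an explicit outbound rule for ephemeral ports; and moving the deny entry below the allow entry lets the blocked host through, which is the rule-order pitfall noted above.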
Identity and Access Management (IAM)
Identity and Access Management (IAM) is essential for managing users and permissions:
- Users, groups and roles: IAM enables the creation of user and group entities, and the assignment of roles with specific permissions. For example, a role may allow read access to certain resources, but prohibit modifications.
- Role-based policies: IAM policies define the actions that users or roles can perform, such as resource management or access to specific services.
- Multi-factor authentication (MFA): Enabling MFA strengthens account security by requiring a second form of identification, such as an SMS code or an authenticator app, in addition to the password.
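To make the users/groups/roles and policy bullets concrete, here is a small policy evaluator added as an example; it is not code from the original article or from OTC. It models a read-only role (allow get/list actions, explicitly deny deletes) and an operator role, attaches them to groups, and resolves a user's permissions with the usual rule that an explicit Deny overrides any Allow and an unmatched action is denied. The JSON policy shape, the action names such as `ecs:cloudServers:list`, and the user and group names are constructed assumptions; MFA enforcement is not modelled.

```python
from fnmatch import fnmatchcase

# Constructed policies in a generic cloud IAM JSON shape. The action names
# are illustrative assumptions, not a transcription of the provider's catalogue.
READ_ONLY = {
    "Version": "1.1",
    "Statement": [
        {"Effect": "Allow", "Action": ["ecs:*:get*", "ecs:*:list*", "vpc:*:get*", "vpc:*:list*"]},
        {"Effect": "Deny", "Action": ["ecs:cloudServers:delete*", "vpc:vpcs:delete*"]},
    ],
}
ECS_OPERATOR = {
    "Version": "1.1",
    "Statement": [{"Effect": "Allow", "Action": ["ecs:*:*"]}],
}

# Group membership and the policies attached to each group (constructed)
USER_GROUPS = {"alice": ["auditors"], "bob": ["auditors", "ecs-operators"]}
GROUP_POLICIES = {"auditors": [READ_ONLY], "ecs-operators": [ECS_OPERATOR]}


def effective_policies(user: str) -> list:
    """Policies a user inherits through group membership (unknown user: none)."""
    return [p for g in USER_GROUPS.get(user, []) for p in GROUP_POLICIES.get(g, [])]


def is_allowed(policies: list, action: str) -> bool:
    """Explicit Deny wins over any Allow; no matching statement means deny."""
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            actions = stmt["Action"]
            if isinstance(actions, str):
                actions = [actions]
            # Wildcards in the statement are matched against the requested action
            if any(fnmatchcase(action, pattern) for pattern in actions):
                if stmt["Effect"] == "Deny":
                    return False
                allowed = True
    return allowed


def can(user: str, action: str) -> bool:
    return is_allowed(effective_policies(user), action)


def permission_report(user: str, actions: list) -> dict:
    """Least-privilege check: which of the requested actions a user may perform."""
    return {a: can(user, a) for a in actions}


if __name__ == "__main__":
    checks = ["ecs:cloudServers:list", "ecs:cloudServers:create", "ecs:cloudServers:delete"]
    for user in ("alice", "bob", "carol"):
        print(user, permission_report(user, checks))
```

Note that bob, although a member of the operator group whose policy allows `ecs:*:*`, still cannot delete servers: the explicit Deny inherited from the auditors group takes precedence. A user with no group membership (carol) gets nothing.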
CloudEye monitoring solution
CloudEye is a monitoring solution that provides complete visibility of cloud resources:
- Resource monitoring: CloudEye enables monitoring of key metrics such as CPU usage, memory and disk I/O, as well as network indicators.
- Customized alerts: Administrators can configure alerts based on specific thresholds.
- Integration with other services: CloudEye can be integrated with incident management systems to automate responses to alerts, improving operational resilience.
CloudTraceService (CTS)
CloudTraceService is a logging service that records actions and events in the cloud:
- Audit user actions: Records user activities, such as resource creation, configuration modifications, or failed access attempts.
- Change traceability: Track changes made to resources and configurations, crucial for incident diagnosis and compliance.
- Incident analysis: Detailed logs enable analysis of past events to identify the root causes of security problems.
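The following script is added as an example of the audit and incident-analysis use of CTS-style logs; it is not code from the original article or from OTC. It parses a handful of constructed trace records in JSON-lines form, flags source addresses that accumulate repeated failed logins within a short window, and lists the successful configuration changes (create/update/delete actions) with the user who made them, which is the change trail the bullets above refer to. The field names (`trace_name`, `trace_status`, `user`, `source_ip`, `resource_type`, `resource_name`), the timestamps and the addresses are constructed assumptions approximating the shape of an audit trace, not a verbatim CTS schema.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed CTS-style trace records (JSON lines). Field names follow the
# general shape of cloud audit traces but are assumptions for this example.
SAMPLE_TRACES = """\
{"time": "2024-05-01T10:00:05Z", "trace_name": "login", "trace_status": "normal", "user": "alice", "source_ip": "203.0.113.8", "resource_type": "user", "resource_name": "alice"}
{"time": "2024-05-01T10:01:00Z", "trace_name": "login", "trace_status": "error", "user": "svc-backup", "source_ip": "198.51.100.23", "resource_type": "user", "resource_name": "svc-backup"}
{"time": "2024-05-01T10:01:20Z", "trace_name": "login", "trace_status": "error", "user": "svc-backup", "source_ip": "198.51.100.23", "resource_type": "user", "resource_name": "svc-backup"}
{"time": "2024-05-01T10:01:45Z", "trace_name": "login", "trace_status": "error", "user": "svc-backup", "source_ip": "198.51.100.23", "resource_type": "user", "resource_name": "svc-backup"}
{"time": "2024-05-01T10:02:10Z", "trace_name": "login", "trace_status": "error", "user": "svc-backup", "source_ip": "198.51.100.23", "resource_type": "user", "resource_name": "svc-backup"}
{"time": "2024-05-01T10:03:00Z", "trace_name": "createSecurityGroupRule", "trace_status": "normal", "user": "alice", "source_ip": "203.0.113.8", "resource_type": "securityGroupRule", "resource_name": "sg-web-allow-443"}
{"time": "2024-05-01T10:04:30Z", "trace_name": "deleteVpc", "trace_status": "normal", "user": "bob", "source_ip": "203.0.113.9", "resource_type": "vpc", "resource_name": "vpc-test"}
{"time": "2024-05-01T10:09:00Z", "trace_name": "login", "trace_status": "error", "user": "carol", "source_ip": "192.0.2.55", "resource_type": "user", "resource_name": "carol"}
"""


def parse_traces(text: str) -> list:
    """Parse JSON-lines traces and attach a datetime for window arithmetic."""
    records = [json.loads(line) for line in text.splitlines() if line.strip()]
    for r in records:
        r["_ts"] = datetime.strptime(r["time"], "%Y-%m-%dT%H:%M:%SZ")
    return records


def failed_login_bursts(records: list, threshold: int = 3, window=timedelta(minutes=5)) -> dict:
    """Return {source_ip: count} for addresses whose failed logins reach
    `threshold` inside any sliding window of length `window`."""
    by_ip = defaultdict(list)
    for r in records:
        if r["trace_name"] == "login" and r["trace_status"] != "normal":
            by_ip[r["source_ip"]].append(r["_ts"])
    bursts = {}
    for ip, stamps in by_ip.items():
        stamps.sort()
        best, start = 0, 0
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] > window:   # slide the window start forward
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            bursts[ip] = best
    return bursts


def config_changes(records: list) -> list:
    """Successful create/update/delete actions: (time, user, action, type, name)."""
    prefixes = ("create", "update", "delete", "modify")
    return [(r["time"], r["user"], r["trace_name"], r["resource_type"], r["resource_name"])
            for r in records
            if r["trace_name"].startswith(prefixes) and r["trace_status"] == "normal"]


if __name__ == "__main__":
    traces = parse_traces(SAMPLE_TRACES)
    print("failed-login bursts:", failed_login_bursts(traces))
    for change in config_changes(traces):
        print("change:", *change)
```

The single failed login from 192.0.2.55 stays below the threshold and is not reported, while the four failures from 198.51.100.23 within about a minute are; the change list gives the who/what/when trail that incident diagnosis and compliance reviews need.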
VPC isolation
Virtual Private Cloud (VPC) isolation ensures that the resources of one VPC cannot be accessed directly from another VPC:
- Isolated network segments: Each VPC is an isolated network environment, enabling companies to separate production, development and test environments.
- Routing controls: Routing rules and routing tables control traffic between different VPCs or subnetworks, reinforcing isolation.
- VPC peering: Enables a private connection between two VPCs while maintaining isolation from all other resources, which is ideal for multi-environment scenarios.
Conclusion
Cloud-native security solutions provide a solid foundation for protecting data and applications. By combining tools such as security groups, ACLs, IAM, CloudEye, CloudTraceService, VPC isolation, and IPSec VPN, we can build a resilient and compliant DRP space.
These tools enable us to prevent threats, ensure regulatory compliance, and respond rapidly to security incidents, guaranteeing business continuity and the protection of digital assets.