InterSystems READY 2025: Security in the Cloud

Cloud Security

Eduard Lebedyuk, InterSystems Sales Engineer, gave an overview of cloud security built around the shared responsibility model and the need for central management, strong governance, and risk assessment. The security foundations he described are managing everything as an API, separating workloads, and adhering to the principle of least privilege. The talk covered threat management, identity and access management best practices, threat detection, cloud infrastructure and network security, compute and data protection, incident response, and application security; in the Q&A, Lebedyuk answered questions on the IRIS cloud adapter and network configuration in AWS.

Cloud Security Overview: Lebedyuk discussed how security responsibilities shift when moving to the cloud, emphasizing the shared responsibility model: the cloud provider secures some layers (physical hosts, hypervisor, managed service internals) while the customer secures the others. He stressed the importance of knowing exactly where that boundary lies for each service in use, because the customer remains responsible for every component it can configure or reach.

Security Foundations in the Cloud: Lebedyuk outlined three key security foundations: the shared responsibility model, governance and risk, and central management. He emphasized managing everything centrally, including accounts, controls, services, and resources, by leveraging the fact that every cloud resource is reachable through an API and can therefore be inventoried, configured, and audited programmatically. Lebedyuk also advised separating workloads using accounts and resource groups where possible, and adhering to the principle of least privilege for user permissions.

Threat Management and Security Scope: Lebedyuk emphasized the importance of staying current with security threats and using threat models to prioritize what to defend first. He explained that moving to higher-level managed services (for example, serverless functions) shrinks the scope the customer has to secure, at the cost of fewer customization options. Lebedyuk also advocated automating security controls and using stronger authentication methods, such as public-key-based authenticators, rather than SMS codes.

Identity and Access Management: Lebedyuk recommended auditing and rotating credentials and avoiding direct permission assignment to users in favor of roles and attributes. He advised understanding what each permission grants and removing unnecessary ones to adhere to the principle of least privilege. For cross-account access, he suggested creating identities in each account and granting only the permissions that account needs, using permission boundaries to cap what those identities can ever be granted. He also mentioned the privilege routing application in InterSystems products for limiting permission escalation.
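To make the least-privilege and permission-boundary advice concrete, here is an added example (not code from the talk or from InterSystems): a small static audit of AWS IAM policy documents that flags wildcard actions and resources and escalation-prone actions granted without a Condition, plus a simplified evaluator showing that a permissions boundary only caps an identity policy and never grants anything on its own. The policies, bucket name, role name and account ID below are constructed for illustration, and the escalation-action list is an illustrative subset, not a complete catalogue.

```python
"""Static least-privilege checks for AWS IAM policy documents.

Added example, not from the talk: flags wildcard actions and resources,
escalation-prone actions granted without a Condition, and shows that a
permissions boundary only caps an identity policy and never grants.
The policies, ARNs and account ID below are constructed for illustration.
"""
import fnmatch

# Illustrative subset of actions that commonly enable privilege escalation
# when granted on Resource "*" without a Condition; not an exhaustive list.
ESCALATION_ACTIONS = {
    "iam:PassRole", "iam:CreatePolicyVersion", "iam:SetDefaultPolicyVersion",
    "iam:AttachUserPolicy", "iam:AttachRolePolicy", "iam:PutUserPolicy",
    "iam:PutRolePolicy", "iam:CreateAccessKey", "iam:UpdateAssumeRolePolicy",
    "sts:AssumeRole", "lambda:UpdateFunctionCode",
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, value):
    # IAM wildcards (* and ?) behave like shell globs for this purpose.
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def audit_policy(policy: dict) -> list:
    """Return human-readable findings for Allow statements that over-grant."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", f"statement[{i}]")
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append(f"{sid}: NotAction/NotResource allows everything not listed")
        actions = _as_list(stmt.get("Action", []))
        wild = [a for a in actions if a.endswith("*")]
        if wild:
            findings.append(f"{sid}: wildcard action(s) {wild}")
        if "*" in _as_list(stmt.get("Resource", [])):
            findings.append(f"{sid}: Resource '*' (scope to specific ARNs)")
        risky = sorted(e for e in ESCALATION_ACTIONS if _matches(actions, e))
        if risky and "Condition" not in stmt:
            findings.append(f"{sid}: unconditioned escalation-prone action(s) {risky}")
    return findings


def allows(policy: dict, action: str, resource: str) -> bool:
    """Simplified evaluator: an explicit Deny wins, otherwise any matching Allow.

    Statements carrying Condition, NotAction or NotResource are skipped, so a
    conditional Allow counts as not granted here (conservative for an audit).
    """
    allowed = False
    for stmt in _as_list(policy.get("Statement", [])):
        if any(k in stmt for k in ("Condition", "NotAction", "NotResource")):
            continue
        if _matches(stmt.get("Action", []), action) and _matches(stmt.get("Resource", []), resource):
            if stmt.get("Effect") == "Deny":
                return False
            if stmt.get("Effect") == "Allow":
                allowed = True
    return allowed


def effective_allow(identity_policy: dict, boundary: dict, action: str, resource: str) -> bool:
    """Effective permission = identity policy AND permissions boundary."""
    return allows(identity_policy, action, resource) and allows(boundary, action, resource)


# Constructed sample policies (account ID and names are made up).
OVERLY_BROAD = {"Version": "2012-10-17", "Statement": [
    {"Sid": "AdminLike", "Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Sid": "Pass", "Effect": "Allow", "Action": "iam:PassRole", "Resource": "*"},
]}
SCOPED = {"Version": "2012-10-17", "Statement": [
    {"Sid": "ReadOneBucket", "Effect": "Allow",
     "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::example-app-data", "arn:aws:s3:::example-app-data/*"]},
    {"Sid": "PassOnlyAppRole", "Effect": "Allow", "Action": "iam:PassRole",
     "Resource": "arn:aws:iam::123456789012:role/example-app-role",
     "Condition": {"StringEquals": {"iam:PassedToService": "ec2.amazonaws.com"}}},
]}
# A permissions boundary: caps identities to S3/logs and forbids IAM changes.
BOUNDARY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:*", "logs:*"], "Resource": "*"},
    {"Effect": "Deny", "Action": "iam:*", "Resource": "*"},
]}

if __name__ == "__main__":
    for name, pol in (("OVERLY_BROAD", OVERLY_BROAD), ("SCOPED", SCOPED)):
        print(name, audit_policy(pol) or "no findings")
    print("CreateAccessKey under boundary:",
          effective_allow(OVERLY_BROAD, BOUNDARY, "iam:CreateAccessKey", "*"))
```

Run against `OVERLY_BROAD`, the audit reports five findings (wildcard action, `Resource "*"` and unconditioned escalation-prone actions on the first statement, and `Resource "*"` plus an unconditioned `iam:PassRole` on the second); `SCOPED` reports none because its `iam:PassRole` grant is limited to one role ARN and carries a Condition. The boundary check shows the other half of the advice: even an identity with `Action: "*"` cannot call `iam:CreateAccessKey` once a boundary denying `iam:*` is attached, while a scoped identity gains nothing from the boundary's broad `s3:*` allowance.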

Threat Detection and Infrastructure Security: Lebedyuk stated that threat detection in the cloud works much as it does on-prem, and emphasized logging everything to one central, standardized location. He noted that InterSystems IRIS exposes its metrics through the /api/monitor REST service. Regarding infrastructure, Lebedyuk explained that networks become software-defined, so topology can be changed dynamically through APIs. He advised expressing network controls in terms of logical groups rather than specific IP addresses, which scales better and is harder to misconfigure. He also gave an example of routing traffic to a specific network interface to work around subnet limitations.

Compute and Data Protection: The presenter recommended provisioning compute from images and referring to them by immutable references (a specific image ID or digest rather than a mutable tag), so that what runs is exactly what was reviewed. He identified data classification as the starting point for data protection, aligned with the regulations that apply to the data. Lebedyuk discussed database-level, row-level, and role-based security controls, as well as encryption for data at rest and in transit. He emphasized automating and enforcing encryption rather than leaving it optional, and authenticating network communication rather than trusting the network.

Incident Response and Application Security: Lebedyuk noted that incident response follows the same cycle in the cloud as on-prem (detect, analyze, contain, eradicate, recover). For application security he advocated automating builds and tests and securing the build pipeline itself, particularly how it handles secrets. Lebedyuk concluded by emphasizing that security is a multifaceted concept requiring strength at every level, adherence to industry regulations, regular security testing, and effective incident response. He highlighted that using the cloud securely can make attacks significantly harder.
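The pipeline-secrets point above is the kind of control that should run automatically on every commit. The following is an added example (not code from the talk or from InterSystems): a small scanner for CI configuration and similar files that reports literal credentials, using the documented AWS access key ID format, PEM private-key headers, and high-entropy values assigned to names like `password` or `token`, while accepting references to a secret store. The two sample files are constructed for illustration; the access key values are the placeholder examples from AWS documentation, not real credentials.

```python
"""Pre-commit style secret scanner for build-pipeline files.

Added example, not from the talk: scans CI/config text for literal
credentials so they are caught before they reach the repository or the
build logs. Sample inputs below are constructed for illustration.
"""
import math
import re

# Detection patterns. Checked in this order; the first hit per line wins.
PATTERNS = {
    # AWS access key IDs start with AKIA (long-term) or ASIA (temporary).
    "aws_access_key_id": re.compile(r"\b(AKIA|ASIA)[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----"),
    # name containing password/secret/token/apikey, then ':' or '=', then a value
    "assignment": re.compile(
        r"(?i)(?<![a-z])(password|passwd|secret|token|api[_-]?key)(?![a-z])"
        r"[\w.-]*\s*[:=]\s*['\"]?([^'\"\s#]{8,})"),
}
# Values that reference a secret store instead of carrying a secret.
PLACEHOLDER = re.compile(r"^\$[A-Z_]+$|^\$\{[A-Z_]+\}$|^<[^>]+>$")


def shannon_entropy(s: str) -> float:
    """Bits per character; random credentials score high, labels score low."""
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def scan_text(text: str, min_entropy: float = 3.0) -> list:
    """Return one finding per offending line: {'line', 'kind', 'text'}."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for kind, rx in PATTERNS.items():
            m = rx.search(line)
            if not m:
                continue
            if kind == "assignment":
                value = m.group(2)
                if PLACEHOLDER.search(value):
                    continue  # e.g. ${DB_PASSWORD}: resolved at runtime, fine
                if shannon_entropy(value) < min_entropy:
                    continue  # low entropy: probably a label, not a credential
            findings.append({"line": lineno, "kind": kind, "text": line.strip()})
            break
    return findings


# Constructed sample: literal credentials committed into a deploy workflow.
SAMPLE_BAD = """\
# deploy.yml (constructed sample)
env:
  AWS_ACCESS_KEY_ID: AKIAIOSFODNN7EXAMPLE
  AWS_SECRET_ACCESS_KEY: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
  DB_PASSWORD: "Tr0ub4dor&3xtraL0ng!"
  DEPLOY_KEY: |
    -----BEGIN OPENSSH PRIVATE KEY-----
    b3BlbnNzaC1rZXktdjEAAAAA...
  LOG_LEVEL: info
"""

# Constructed sample: the same workflow using a role and a secret store.
SAMPLE_GOOD = """\
# deploy.yml (constructed sample)
env:
  AWS_ROLE_TO_ASSUME: arn:aws:iam::123456789012:role/example-ci-deploy
  DB_PASSWORD: ${{ secrets.DB_PASSWORD }}
  API_TOKEN: ${API_TOKEN}
  LOG_LEVEL: info
"""

if __name__ == "__main__":
    for name, sample in (("SAMPLE_BAD", SAMPLE_BAD), ("SAMPLE_GOOD", SAMPLE_GOOD)):
        hits = scan_text(sample)
        print(f"{name}: {len(hits)} finding(s)")
        for h in hits:
            print(f"  line {h['line']:>2} [{h['kind']}] {h['text']}")
```

The bad sample yields four findings (the access key ID, the secret access key, the database password and the private-key block); the good sample yields none, because the credentials are obtained at runtime from an assumed role and a secret store rather than written into the file. The entropy threshold is deliberately low so that real credentials are not missed; tune it on your own repositories rather than trusting the default.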

Q&A: IRIS Cloud Adapter and Network Configuration: During the Q&A, a participant asked how credentials for the IRIS cloud adapter should be stored, and Lebedyuk clarified that the adapter can use an associated profile, so credentials need not be stored in plain text in those configurations. Another question addressed network configuration and routing traffic in AWS; Lebedyuk described using route tables and network interfaces to overcome subnet limitations, which is particularly relevant for Health Connect customers using virtual IPs.
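The route-table technique mentioned in the infrastructure section and again in this Q&A can be shown with a small model. Below is an added example (not code from the talk or from InterSystems): a virtual IP chosen outside every subnet and outside the VPC CIDR, reached through a /32 route whose target is the network interface (ENI) of the currently active node, with failover implemented by replacing that route's target. The CIDRs, interface IDs and gateway ID are made up, and the longest-prefix lookup is a simplified model of what a VPC route table does.

```python
"""Route-table model for a virtual IP that lives outside any subnet CIDR.

Added example, not from the talk or from InterSystems. A VIP cannot simply
be assigned to an instance if no subnet contains it, but a route for
VIP/32 can point at the network interface of the active node; failover
is then a route replacement on the shared route table. IDs are made up.
"""
import ipaddress

VPC_CIDR = "10.0.0.0/16"
SUBNETS = {"10.0.1.0/24": "subnet-a (AZ a)", "10.0.2.0/24": "subnet-b (AZ b)"}
VIP = "192.168.100.5"  # deliberately outside the VPC so no subnet owns it
NODE_A_ENI, NODE_B_ENI = "eni-0aaa", "eni-0bbb"


def owning_subnet(ip: str, subnets: dict):
    """Return the subnet CIDR that contains ip, or None (the VIP's case)."""
    addr = ipaddress.ip_address(ip)
    for cidr in subnets:
        if addr in ipaddress.ip_network(cidr):
            return cidr
    return None


class RouteTable:
    def __init__(self, routes: dict):
        # routes: {destination CIDR: target}; "local" is the VPC's own CIDR.
        self.routes = {ipaddress.ip_network(c): t for c, t in routes.items()}

    def lookup(self, dst: str):
        """Longest-prefix match, as a VPC route table does."""
        addr = ipaddress.ip_address(dst)
        matches = [n for n in self.routes if addr in n]
        if not matches:
            return None
        return self.routes[max(matches, key=lambda n: n.prefixlen)]

    def set_route(self, cidr: str, target: str):
        self.routes[ipaddress.ip_network(cidr)] = target


def build_table() -> RouteTable:
    """Shared route table: local VPC traffic, a default route, and the VIP."""
    return RouteTable({
        VPC_CIDR: "local",
        "0.0.0.0/0": "igw-0example",
        f"{VIP}/32": NODE_A_ENI,   # VIP currently served by node A
    })


def fail_over(table: RouteTable, active_eni: str) -> str:
    """Move the VIP to another node by replacing the /32 route's target.

    In AWS this is the step a failover script performs with ReplaceRoute;
    the receiving interface must also have source/destination checking
    disabled, or it will drop packets addressed to the VIP.
    """
    table.set_route(f"{VIP}/32", active_eni)
    return table.lookup(VIP)


if __name__ == "__main__":
    print("VIP owned by subnet:", owning_subnet(VIP, SUBNETS))
    t = build_table()
    print("VIP routes to:", t.lookup(VIP))
    print("after failover:", fail_over(t, NODE_B_ENI))
```

Note that the `/32` route wins over the `0.0.0.0/0` default route because it is more specific, and that the VIP was placed outside the VPC CIDR so it never competes with the VPC's own `local` route. The model does not include the instance-side step of binding the VIP on the node's interface, which the cluster software (or a failover script) still has to do.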

J2 Interactive

J2 Interactive is an award-winning software development and IT consulting firm that specializes in customized solutions for healthcare and life sciences.