« Previous 1 2 3 4
Arm yourself against cloud attacks
Stormy Weather
The Tiresome Subject of Billing
A final threat scenario in the cloud is less a concrete technical threat and more a commercial one: How does a cloud customer avoid being overcharged? After all, all providers promise "by-the-minute billing" and billing exclusively for resources used.
At least in the standard situation, you are dependent on trusting the figures shown in the invoice because the systems in the cloud, which collect all user data, are usually inaccessible to the customer. How can you protect yourself effectively and efficiently against abuse of accounting sovereignty?
The answer is as simple as it is frustrating: you can only protect yourself effectively if you take your own measurements and regularly compare them with the provider's figures. Slight differences are unavoidable, but major differences will quickly be noticed and allow you to ask the provider for further information.
Unfortunately, only those who use software like Prometheus or InfluxDB, which can process the time series data and store it for a long time, can perform these measurements. Additionally, software is needed to collect metric data on the target systems – and both together can cause some administrative overhead.
At the end of the day, images and containers with Prometheus and like monitoring tools exist and can be put into operation quickly in all environments. Rolling out the Prometheus Node Exporter or TICK Stack Telegraf is also easy. The reward for all this effort is a reliable database that allows you to detect inconsistencies quickly (Figure 5).
Figure 5: With Prometheus, metric data (e.g., from Kubernetes clusters) can be recorded – making invoice data verifiable.
Infos
- Microsoft Corp. v. United States: https://en.wikipedia.org/wiki/Microsoft_Corp._v._United_States#Supreme_Court
- ISO 27001: https://www.iso.org/standard/54534.html
- SOC2 C5: https://www.bsi.bund.de/EN/Topics/CloudComputing/Compliance_Controls_Catalogue/Compliance_Controls_Catalogue.html
- PCI DSS: https://www.pcisecuritystandards.org
- C5 Compliance Controls Catalogue: https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Publications/CloudComputing/ComplianceControlsCatalogue-Cloud_Computing-C5.pdf?__blob=publicationFile&v=3
- Security groups in AWS: https://docs.aws.amazon.com/de_en/AWSEC2/latest/UserGuide/using-network-security.html
- Security groups in OpenStack: https://docs.openstack.org/nova/stein/admin/security-groups.html
The Author
Martin Gerhard Loschwitz is Senior Cloud Architect at Mirantis, where he focuses on topics such as OpenStack, Ceph, and Kubernetes.
« Previous 1 2 3 4
Buy this article as PDF
(incl. VAT)
Buy ADMIN Magazine
US / Canada
UK / Australia
Related content
-
Fathoming the cloud
Much spoken of but little understood, "the cloud" poses new security problems that need to be defined and debated and their solutions facilitated.
-
Public key infrastructure in the cloud
A public key infrastructure in the cloud for secure digital communication maintains the security of an on-premises solution and reduces complexity. -
News for Admins
In the news: Canonical now offers an Ubuntu Pro image for AWS; Vulnerable Docker instance sought out by Monero malware; Cumulus Networks enhances their network-specific Linux; and SUSE adds SUSE Linux Enterprise to the Oracle Cloud Infrastructure.
-
Exploring Apache CloudStack
Apache's CloudStack offers flexibility and some powerful networking features. -
Harden your OpenStack configuration
Any OpenStack installation that hosts services and VMs for several customers poses a challenge for the security-conscious admin. Hardening the overall system can turn the porous walls into a fortress – but you'll need more than a little mortar.