
Security Best Practice

TELEFÓNICA CLOUD Open Cloud - Security Best Practices

Security Best Practice Open Cloud_ Version 1.4 2017/04/03

Page 2


Contents_

1. Overview ... 6
2. Security Responsibility ... 8
3. Network Security ... 10
3.1. Use VPC to provide secure and isolated networks ... 10
3.2. ECS Network Configuration ... 14
3.3. Set strict access limits for your security groups ... 16
4. Identity Access Management (IAM) ... 19
4.1. How to Create User Groups and Assign Rights? ... 19
4.1.1. Prerequisites ... 19
4.1.2. Procedure ... 20
4.2. How to Create Users ... 22
4.2.1. Prerequisites ... 22
4.2.2. Procedure ... 22
4.3. How to Set Account Policies ... 23
4.3.1. Prerequisites ... 23
4.3.2. Procedure ... 24
4.4. Use Latch to establish a Second Factor Authentication with One Time Password ... 26
4.4.1. Introduction to Latch ... 26
4.4.2. Prior requirements ... 26
4.4.3. How to use it ... 27
4.5. Use Mobile Connect to access Open Cloud ... 37
4.5.1. What is Mobile Connect ... 37
4.5.2. How it works ... 38
4.5.3. How to use it ... 38
5. ECS & BMS Security ... 45
5.1. Securing Operating Systems ... 45
5.2. Recommendations ... 45
6. Data Protection ... 47
6.1. User Requirements ... 47
6.2. Scenarios ... 47
6.2.1. Scenario 1 ... 48
6.2.2. Scenario 2 ... 49
6.2.3. Scenario 3 ... 50
7. Cloud Security Status Monitoring ... 55
7.1. Use Cloud Eye to Monitor cloud services ... 55
7.1.1. Prerequisites ... 55
7.1.2. View Monitored Metric Statistics ... 57
8. Mitigating Compromise and abuse ... 59
9. Abbreviations ... 61


1. Overview

This whitepaper is intended for customers who are designing the security infrastructure and configuration for applications running in Telefonica Open Cloud. It provides security best practices and helps you build a set of security policies and processes for your organization so you can protect your data and assets in Telefonica Open Cloud.

Telefonica Open Cloud gives full consideration to the security that tenants (Telefonica Open Cloud users) need in the cloud environment. Tenants purchase virtual machines (ECSs) from Telefonica Open Cloud, deploy applications and systems in those ECSs, and take on the related security responsibilities. Telefonica Open Cloud provides the necessary security technologies and services to help tenants achieve security compliance. Service is the core of cloud offerings: we provide security features that tenants can see and use to increase asset security. Tenants can conveniently complete security configurations and view defense reports on the UI. We are committed to providing the simplest, most flexible core security functions and to minimizing complicated security operations.

We also recommend following the Cloud Security Alliance guidance for cloud security: https://downloads.cloudsecurityalliance.org/initiatives/guidance/csaguide.v3.0.pdf


2. Security Responsibility

Under the shared responsibility model, Telefonica Open Cloud (Open Cloud for short) provides a globally secure infrastructure and foundation compute, storage, networking and database services, as well as higher-level services. Open Cloud provides a range of security services and features that Open Cloud customers can use to secure their assets. Open Cloud customers are responsible for protecting the confidentiality, integrity, and availability of their data in the cloud, and for meeting specific business requirements for information protection. Open Cloud provides secure infrastructure and services, while you, the customer, are responsible for securing operating systems, platforms, and data. To ensure a secure global infrastructure, Open Cloud configures infrastructure components and provides services and features you can use to enhance security, such as the Identity and Access Management (IAM) service, which you can use to manage users and user permissions in a subset of Open Cloud services. Open Cloud shares security responsibilities with you: it ensures the security of the underlying infrastructure, and you ensure the security of the applications and operating systems deployed on the cloud resources purchased from Open Cloud, as in the following picture:

Figure 2-1 Responsibility Sharing Model


3. Network Security

Like a conventional Internet Data Center (IDC), a cloud data center requires a layered network architecture. Security defenses are implemented in different regions and at different layers, which simplifies cloud data center network security protection. Telefonica Open Cloud provides layered, in-depth security protection for the border and the intranet, enabling all-round protection of the cloud data center network and centralized security management.

To achieve network security, you should address the following points:

• Configure Network Access: Creating a secure cloud starts with ensuring your network only allows legitimate traffic into your environment.

• Create security groups: Virtual Private Cloud (VPC) allows you to create your customized virtual networks in your logically isolated zone on the public cloud. Such networks are dedicated zones that are logically isolated for your ECSs. You can define security groups, virtual private networks (VPNs), IP address segments, and bandwidth for a VPC, facilitating internal network configuration and management as well as secure and convenient network change. You can also customize the ECS access rules within a security group and between security groups to strengthen ECS security protection. Each ECS is automatically added to a security group after being created to ensure its security. The security group denies access traffic from the Internet by default. To allow external access to ECSs in the security group, add an inbound rule to the security group.

3.1. Use VPC to provide secure and isolated networks

Virtual Private Cloud (VPC) allows you to create your customized virtual networks in your logically isolated zone on the public cloud. Such networks are dedicated zones that are logically isolated for your ECSs. You can define security groups, virtual private networks (VPNs), IP address segments, and bandwidth for a VPC, facilitating internal network configuration and management as well as secure and convenient network change. You can also customize the ECS access rules within a security group and between security groups to strengthen ECS security protection. For more information, see the Virtual Private Cloud User Guide.

Each ECS is automatically added to a security group after being created to ensure its security. The security group denies access traffic from the Internet by default. To allow external access to ECSs in the security group, add an inbound rule to the security group.


An inbound security group rule enables external access to ECSs in a security group, and an outbound security group rule enables ECSs in a security group to access external networks. If no access rule is configured for a security group after an ECS is added to the security group, communication between the ECS and the external network is blocked.

The default inbound rule enables an ECS to be accessed by other ECSs in the same security group, and the default outbound rule enables ECSs in the security group to access the external network. The security group function cannot resolve the problems caused by network faults or incorrect network configuration. For example, when two ECSs cannot communicate with each other due to a network problem, a security group rule will also not allow them to communicate.

Security group rules consist of inbound and outbound rules.

• When adding an inbound rule, you can set the source address to a security group or CIDR network segment. If you want to set the source address to a security group, you can only select security groups from the same VPC as the destination security group.

• When adding an outbound rule, you can set the destination address to a security group or CIDR network segment. If you want to set the destination address to a security group, you can only select security groups from the same VPC as the source security group.

ECSs in security groups in different VPCs cannot communicate with one another. To allow them to communicate, bind EIPs to them and configure security group rules.

Step 1 Create a VPC

1. Log in to the management console.
2. On the homepage, choose Network > Virtual Private Cloud.
3. On the VPC page, click Create VPC. On the page shown in Figure 3-1, set the parameters as prompted.


Figure 3-1 Create VPC

Parameter | Description | Example Value
Name | Specifies the VPC name. | VPN-001
VPC CIDR | Specifies the VPC network segment range. The subnets in a VPC must belong to the VPC network segment range. The following network segments are supported: 10.0.0.0/8 to 10.0.0.0/24, 172.16.0.0/12 to 172.16.0.0/24, 192.168.0.0/16 to 192.168.0.0/24. | 192.168.0.0/16
AZ | Specifies the availability zone (AZ). | na-mexico-1a
Name | Specifies the subnet name. | Subnet
CIDR | Specifies the subnet address range. This value must be within the VPC CIDR range. | 192.168.0.0/24
Gateway | Specifies the gateway address of the subnet. | 192.168.0.1
DHCP | Specifies whether the subnet DHCP function is enabled. | Enabled

Table 3-1 Parameters
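The constraints in Table 3-1 (a VPC CIDR drawn from one of the three supported private ranges with a prefix length between the listed bounds, a subnet that lies inside the VPC CIDR, and a gateway address inside the subnet) can be checked before you click Create Now. The following Python script is an added example, not Telefonica's or the console's code: it validates those rows with the standard `ipaddress` module and adds one check the table does not state but that any VPC needs, that two subnets in the same VPC do not overlap. The example values are taken from the table; the bad inputs are constructed.

```python
import ipaddress

# Supported VPC CIDR ranges from Table 3-1: the VPC network must sit inside one
# of these private blocks and use a prefix length between the two bounds
# (10.0.0.0/8 to 10.0.0.0/24 means /8 through /24 inside 10.0.0.0/8).
SUPPORTED_VPC_RANGES = (
    (ipaddress.ip_network("10.0.0.0/8"), 8, 24),
    (ipaddress.ip_network("172.16.0.0/12"), 12, 24),
    (ipaddress.ip_network("192.168.0.0/16"), 16, 24),
)


def _parse_network(cidr):
    """Parse strictly: host bits set (e.g. 192.168.1.5/16) is a configuration error."""
    return ipaddress.ip_network(cidr, strict=True)


def validate_vpc_cidr(vpc_cidr):
    """Return "ok" if the VPC CIDR is one Table 3-1 allows, otherwise a reason."""
    try:
        net = _parse_network(vpc_cidr)
    except ValueError as exc:
        return f"invalid CIDR: {exc}"
    for block, min_len, max_len in SUPPORTED_VPC_RANGES:
        if net.subnet_of(block):
            if min_len <= net.prefixlen <= max_len:
                return "ok"
            return f"prefix /{net.prefixlen} outside /{min_len}-/{max_len} for {block}"
    return "not inside a supported private range"


def validate_subnet(vpc_cidr, subnet_cidr, gateway):
    """Check a subnet row against its VPC: the subnet must lie within the VPC
    CIDR and the gateway must be a usable host address inside the subnet."""
    try:
        vpc = _parse_network(vpc_cidr)
        subnet = _parse_network(subnet_cidr)
        gw = ipaddress.ip_address(gateway)
    except ValueError as exc:
        return f"invalid address: {exc}"
    if not subnet.subnet_of(vpc):
        return f"subnet {subnet} is outside VPC CIDR {vpc}"
    if gw not in subnet:
        return f"gateway {gw} is outside subnet {subnet}"
    if gw in (subnet.network_address, subnet.broadcast_address):
        return f"gateway {gw} is the network or broadcast address"
    return "ok"


def subnets_overlap(subnet_cidrs):
    """Added check (not in Table 3-1): subnets of one VPC must not overlap.
    Returns the first overlapping pair as strings, or None."""
    nets = [_parse_network(c) for c in subnet_cidrs]
    for i, a in enumerate(nets):
        for b in nets[i + 1:]:
            if a.overlaps(b):
                return (str(a), str(b))
    return None


if __name__ == "__main__":
    # Example values from Table 3-1, plus constructed bad inputs.
    print(validate_vpc_cidr("192.168.0.0/16"))   # ok
    print(validate_vpc_cidr("8.8.8.0/24"))       # not inside a supported private range
    print(validate_subnet("192.168.0.0/16", "192.168.0.0/24", "192.168.0.1"))  # ok
    print(subnets_overlap(["192.168.0.0/24", "192.168.0.128/25"]))
```

Because `ip_network` is called with `strict=True`, a VPC CIDR typed with host bits set is rejected instead of being silently rounded down to the network address, which is the behaviour you want in a pre-creation check.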


4. Select I have read and agreed to the agreement and click Create Now.

Step 2 Apply for an Elastic IP Address

You can apply for an elastic IP address to connect your ECS to the Internet.

1. Log in to the management console.
2. On the homepage, choose Network > Virtual Private Cloud.
3. On the Elastic IPs page, click Assign EIP.
4. On the Assign EIP page shown in Figure 3-2, set parameters as prompted.

Figure 3-2 Create EIP

Parameter | Description | Example Value
Name | Specifies the name of the bandwidth. | Subnet
Bandwidth | Specifies the size of the bandwidth. | 100
Quantity | Specifies the number of elastic IP addresses. | 1

Table 3-2 Parameters

Note: Only outbound bandwidth is limited.

5. Click Assign Now.
6. Click Submit.

For more information, see the Virtual Private Cloud User Guide.

3.2. ECS Network Configuration

Creating a secure cloud starts with ensuring your network only allows legitimate traffic into your environment. When configuring security group rules, you can set Protocol to TCP, UDP, ICMP, or ANY as required.

Step 1 Login

If you want to log in to an ECS using SSH or Microsoft Terminal Services Client (MSTSC), bind an elastic IP address to this ECS.

• Login using SSH: This applies only to ECSs running Linux. You can use a remote login tool, such as PuTTY, to log in to an ECS.

• Login using MSTSC: This applies only to ECSs running Windows. You can run the mstsc command on your local device to log in to an ECS.

Step 2 Access an ECS Using an Elastic IP Address

To access an ECS using an elastic IP address, configure the network functions provided by VPC. The following figure shows the process for configuring the network functions.


Figure 3-3 Configuring network functions

• The new subnet is used to assign IP addresses to ECSs.

• A security group only allows intra-group communication. It denies access to other security groups. To remotely access an ECS in a security group, configure the inbound access rule for the security group as follows:
  - To remotely access a Windows ECS, enable port 3389.
  - To remotely access a Linux ECS, enable port 22.
  - Set Source IP Address to the IP address segment containing the IP address of the server accommodating the target ECS.
  - If the ECS needs to be accessible over the Internet and the IP address used to access the ECS over the Internet has been configured on the ECS, or the ECS does not need to be accessible over the Internet, set Source IP Address to the IP address segment containing the IP address that is allowed to access the ECS over the Internet.
  - If the ECS needs to be accessible over the Internet and the IP address used to access the ECS over the Internet has not been configured on the ECS, it is recommended that you retain the default setting 0.0.0.0/0 for Source IP Address, and then set Port Range to improve network security.
  - Allocate ECSs that have different Internet access policies to different security groups.

The default source IP address 0.0.0.0/0 indicates that all IP addresses can access VMs in the security group.


Figure 3-4 Add Rule

3.3. Set strict access limits for your security groups

If your ECSs belong to an insecure security group, they are vulnerable to attacks because they are not protected by access limits provided by a secure security group. You are advised to set strict access limits for your security groups. Do not use insecure security groups.

Step 1

In the Security Group area, click Details to go to the VPC page.

Step 2

Click Security Group in the navigation tree to check for insecure security group rules.

Figure 3-5 Checking security group rules

Step 3

If insecure rules exist, handle them in either of the following ways:

1. Modify the rules as instructed in Step 4.
2. Move hosts to secure security groups as instructed in Step 5.

Step 4

Delete the insecure rules and add secure rules. For example, add a trusted IP address range for inbound access traffic.

Figure 3-6 Adding a rule

Step 5

Go to the ECS service page and click -> in the row containing the ECS which you want to move to another security group. Then click Change Security Group and select a secure security group.

Figure 3-7 Changing a Security Group
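Steps 2 to 4 above have you read the rule list by eye. The following Python script is an added example, not a tool of the Open Cloud console, that applies the guidance of sections 3.2 and 3.3 to a list of security group rules: an inbound rule whose source is the default 0.0.0.0/0 is flagged when it opens every port (protocol ANY or the full port range), and when it exposes the remote-access ports 22 (SSH) or 3389 (RDP/MSTSC) to every address instead of a management segment. A rule that opens one service port such as 443 to 0.0.0.0/0 is accepted, which is what the text recommends when the client address is not yet known. The rule dictionaries and the `sg:<name>` notation for a security-group source are a constructed representation, not an export format of the console.

```python
import ipaddress

# Ports the paper tells you to open for remote access (3389 for Windows,
# 22 for Linux). These should never be reachable from every source address.
REMOTE_ADMIN_PORTS = {22: "SSH", 3389: "RDP/MSTSC"}

# Constructed sample rules shaped like the console's Add Rule fields:
# direction, protocol (TCP/UDP/ICMP/ANY), port range, and the remote side
# (a CIDR, or "sg:<name>" for a security group). Not from a real tenant.
SAMPLE_RULES = [
    {"direction": "inbound", "protocol": "ANY", "ports": (1, 65535), "remote": "0.0.0.0/0"},
    {"direction": "inbound", "protocol": "TCP", "ports": (22, 22), "remote": "0.0.0.0/0"},
    {"direction": "inbound", "protocol": "TCP", "ports": (3389, 3389), "remote": "203.0.113.0/24"},
    {"direction": "inbound", "protocol": "TCP", "ports": (443, 443), "remote": "0.0.0.0/0"},
    {"direction": "inbound", "protocol": "TCP", "ports": (1, 65535), "remote": "sg:app-tier"},
    {"direction": "outbound", "protocol": "ANY", "ports": (1, 65535), "remote": "0.0.0.0/0"},
]


def is_any_source(remote):
    """True for the default source 0.0.0.0/0, which the paper describes as
    'all IP addresses can access VMs in the security group'."""
    if remote.startswith("sg:"):
        return False  # a security-group reference is never the whole Internet
    return ipaddress.ip_network(remote, strict=False).prefixlen == 0


def audit_rule(rule):
    """Return the findings for one rule (empty list: follows the guidance)."""
    findings = []
    if rule["direction"] != "inbound":
        return findings  # the paper's restrictions concern inbound access
    if not is_any_source(rule["remote"]):
        return findings  # already limited to a segment or a group
    low, high = rule["ports"]
    if rule["protocol"] == "ANY" or (low, high) == (1, 65535):
        findings.append("all ports open to every source: set Port Range or "
                        "restrict Source IP Address")
    for port, name in REMOTE_ADMIN_PORTS.items():
        if rule["protocol"] in ("TCP", "ANY") and low <= port <= high:
            findings.append(f"{name} port {port} open to every source: limit "
                            "Source IP Address to the management segment")
    return findings


def audit_security_group(rules):
    """Map the index of each offending rule to its findings. An empty dict
    means the group meets section 3.3's 'strict access limits'."""
    report = {}
    for index, rule in enumerate(rules):
        findings = audit_rule(rule)
        if findings:
            report[index] = findings
    return report


if __name__ == "__main__":
    for index, findings in audit_security_group(SAMPLE_RULES).items():
        print(f"rule {index}: {SAMPLE_RULES[index]}")
        for finding in findings:
            print(f"  - {finding}")
```

Run against the constructed rules, the script reports rule 0 (everything open) and rule 1 (SSH open to the Internet); rule 2 is accepted because its source is a specific segment, and rule 4 because its source is another security group, which per section 3.1 can only be one in the same VPC.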


4. Identity Access Management (IAM)

The IAM service is one component of the Open Cloud secure global infrastructure. With IAM, you can centrally manage users, security credentials such as passwords and access keys, and permissions policies that control which Open Cloud services and resources users can access.

IAM features:

o Centralized user control and security credentials. You can create, rotate, and cancel the Open Cloud security credentials (such as access keys) of each user.
o Centralized user access control. You can determine the Open Cloud data that can be accessed by users, and the data access mode.
o User-group based rights. You can restrict Open Cloud access rights for users by their roles (such as administrators and developers). When users are added to user groups, you can update their rights to access Open Cloud to reflect their role changes.

For more information about IAM, refer to the IAM user guide: https://support.telefonicaopencloud.com/en-us/usermanual/iam/en-us_topic_0027233038.html

Advanced Identity Management:

o Using ElevenPaths Latch, users can control access to the Open Cloud console and also establish a second factor authentication with a one-time password.
o Mobile Connect. With Mobile Connect, users can access the Open Cloud console using their mobile device without using passwords.

4.1. How to Create User Groups and Assign Rights?

When the default user groups cannot meet user authorization requirements, you can create user groups to assign rights to users.

4.1.1. Prerequisites

The logged-in user has the Security Administrator permission.


4.1.2. Procedure

1. Log in to the Open Cloud management console and choose Management and Deployment > Identity and Access Management.
2. In the navigation tree, choose User Group.
3. On the user group page, click Create, and set User group and Description.

Figure 4-1 Create User Group

4. Click OK. The new user group is displayed in the user group list.
5. Select the new user group and click Edit to open the user group editing page.


Figure 4-2 Modify User Group

6. In the User Group Rights area, click Edit.
7. In the Edit dialog box, select the permission corresponding to a service in the Rights group box based on the management domain. The detailed information about this permission is displayed in the area on the right side. For details, see the permission information in Table 4-1.

Service: Global

Permission Name | Description
Tenant Administrator | Includes any permissions on cloud service resources owned by enterprises.
Security Administrator | Includes enterprise account management rights, such as creating, changing, and deleting accounts.
te_user | Common user. Includes the management rights on cloud service resources owned by common users.

Table 4-1 Default permissions

8. In the User name drop-down list box, select a user for the user group.
9. Click OK.
10. Optional: In the user group list, click “-->” to view user group details.

4.2. How to Create Users

After creating users and adding them to a user group, you can grant operation rights to the users in a centralized manner.

4.2.1. Prerequisites

The login user has the Security Administrator permission.

4.2.2. Procedure

1. Log in to the Telefonica Open Cloud management console and choose Management and Deployment > Identity and Access Management.
2. In the navigation pane, choose User.
3. On the user page, click Create.
4. On the user creation page, enter common attributes, such as the user name.
5. In the user groups text box, enter a user group name.


Figure 4-3 Create User

6. Click OK. The new user is displayed in the user list. By default, the new user is in the Enable state. You can set the user state to Disable on the user change page.
7. Optional: In the user list, click “-->” to view user details.
8. Optional: In the user list, click Edit to change the user's basic information. For example, on the user editing page, select a user group from the User Group drop-down list box. Alternatively, in the User groups area, select a user and click Delete to delete the user from the selected user group.

4.3. How to Set Account Policies

IAM provides the account policy setting function. Account policies are login verification policies, password policies, and access control lists (ACLs).

4.3.1. Prerequisites


The login user has the Security Administrator permission.

4.3.2. Procedure

Set account policies. Table 4-2 describes the tasks for setting account policies.

Task: Setting the login authentication policies

Description: To ensure user account security during login, Open Cloud supports setting of login authentication policies. If the number of login attempts reaches the specified upper limit within the specified duration, the login user account is locked for a period of time.

Procedure:
1. Log in to the Open Cloud management console and choose Management and Deployment > Identity and Access Management from the main menu.
2. In the navigation pane, choose Account Settings.
3. Choose Login Authentication policies.
4. In the Account Locking Policy area on the Login Authentication policies page, enter Duration (minutes), Maximum number of attempts, and Locking duration (minutes).
5. Optional: In the Account Disabling Policy area, select Enable account disabling policy, and enter Account expiration (days).
   NOTE:
   a. This policy takes effect only for users created by tenants.
   b. The default value of Account expiration (days) is 120 days. You can enter a value ranging from 1 to 240.
6. Click Apply.

Task: Setting password policies

Description: To ensure password security, Open Cloud supports setting of a password setting policy and a password validity period policy.

Procedure:
1. Log in to the Open Cloud management console and choose Management and Deployment > Identity and Access Management from the main menu.
2. In the navigation pane, choose Account Settings.
3. Choose Password Policies.
4. On the Password Policies page, set parameters as follows:
   a. In the Setting Policy area, enter the minimum number of characters for passwords.
   b. Optional: Select Forbid password reuse and enter Number of previous consecutive passwords that cannot be reused.
   c. Optional: Select Limit maximum number of same consecutive characters, and enter Maximum number of same consecutive characters.
   d. Optional: Select Force password change upon password expiration and set Password validity period and Min. password validity period (minutes).
   NOTE:
   o The default value of Password validity period is 90 days. To improve system security, you are advised to change the password periodically.
   o To prevent users from forgetting passwords due to frequent password changes, after users with the Security Administrator permission set Min. password validity period (minutes), users are allowed to change a password only after the time specified by Min. password validity period (minutes) has elapsed.
5. Click Apply.

Task: Setting an ACL

Description: By setting an ACL, you can restrict the range of IP addresses from which Open Cloud can be accessed.

Procedure:
1. Log in to the Open Cloud management console and choose Management and Deployment > Identity and Access Management from the main menu.
2. In the navigation tree, click Account Settings.
3. Click ACL and enter the allowed range of IP addresses and a related description.
   NOTE: You can specify an IP address range, or enter an IP address and a subnet mask, to add the allowed range of IP addresses and related description. For example:
   o Allowed IP Address Ranges: 0.0.0.0-255.255.255.255
   o Allowed IP Addresses or Network Segments: 10.10.10.10-32
4. Click Apply.

Task: Setting warning policies

Description: Setting a login warning message notifies users of rules that should be obeyed. The warning message provides a legal declaration. Administrators can define the warning message based on management regulations.

Procedure:
1. Log in to the Open Cloud management console and choose Management and Deployment > Identity and Access Management from the main menu.
2. In the left navigation pane, choose Account Settings.
3. Choose Warning Policies. On the Warning Policies page, specify whether to display the warning message upon login and set the message content.
   NOTE: You can use the default or a user-defined warning message and preview how the message will be displayed.
4. Click Apply.

Table 4-2 Setting account policies

4.4. Use Latch to establish a Second Factor Authentication with One Time Password

4.4.1. Introduction to Latch
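The Account Locking Policy and Password Policies in Table 4-2 are configured with a handful of numbers whose interaction is easy to misjudge (a lock window that slides, a reuse history that only looks back N passwords, a minimum validity period that blocks changes that are too soon). The following Python module is an added example, not Open Cloud's implementation, that models those semantics so the values can be reasoned about: failures within Duration (minutes) up to Maximum number of attempts lock the account for Locking duration (minutes), and a new password is rejected for being too short, repeating a character more than the allowed number of times in a row, matching one of the last N passwords, or being changed before Min. password validity period (minutes) has elapsed. PBKDF2-HMAC-SHA256 for the password-history verifier and Unix timestamps in seconds are assumptions for the example; the page does not describe how Open Cloud stores passwords.

```python
import hashlib
import hmac
import os

MINUTE = 60
DAY = 86_400


class LoginLockPolicy:
    """Account Locking Policy (section 4.3.2): reaching Maximum number of
    attempts within Duration (minutes) locks the account for Locking
    duration (minutes). Timestamps are Unix seconds (an assumption)."""

    def __init__(self, duration_min, max_attempts, lock_min):
        self.window = duration_min * MINUTE
        self.max_attempts = max_attempts
        self.lock_for = lock_min * MINUTE
        self._failures = {}      # user -> timestamps of recent failed attempts
        self._locked_until = {}  # user -> timestamp at which the lock expires

    def is_locked(self, user, now):
        return now < self._locked_until.get(user, 0)

    def record_failure(self, user, now):
        """Register a failed login; returns True if the account is now locked."""
        if self.is_locked(user, now):
            return True
        # Sliding window: only failures younger than Duration (minutes) count.
        recent = [t for t in self._failures.get(user, []) if now - t < self.window]
        recent.append(now)
        if len(recent) >= self.max_attempts:
            self._locked_until[user] = now + self.lock_for
            self._failures[user] = []
            return True
        self._failures[user] = recent
        return False

    def record_success(self, user):
        self._failures.pop(user, None)


def hash_password(password, salt):
    """Verifier for the password history. Assumption: PBKDF2-HMAC-SHA256
    stands in for whatever scheme the real service uses."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def new_history_entry(password):
    """A fresh random salt per entry, so equal passwords do not hash equally."""
    salt = os.urandom(16)
    return (salt, hash_password(password, salt))


def longest_run(text):
    """Length of the longest run of identical consecutive characters."""
    best = run = 1 if text else 0
    for prev, cur in zip(text, text[1:]):
        run = run + 1 if cur == prev else 1
        best = max(best, run)
    return best


class PasswordPolicy:
    """Password Policies (section 4.3.2): minimum length, Forbid password
    reuse, Limit maximum number of same consecutive characters, Password
    validity period and Min. password validity period (minutes)."""

    def __init__(self, min_length, reuse_history=0, max_same_consecutive=0,
                 validity_days=90, min_validity_min=0):
        self.min_length = min_length
        self.reuse_history = reuse_history
        self.max_same_consecutive = max_same_consecutive
        self.validity = validity_days * DAY
        self.min_validity = min_validity_min * MINUTE

    def violations(self, candidate, history, last_change, now):
        """history: [(salt, digest)] of previous passwords, oldest first;
        last_change: timestamp of the current password, or None.
        Returns the violated rules (empty list: the change is allowed)."""
        found = []
        if len(candidate) < self.min_length:
            found.append("too_short")
        if self.max_same_consecutive and longest_run(candidate) > self.max_same_consecutive:
            found.append("consecutive_chars")
        if self.reuse_history:
            for salt, digest in history[-self.reuse_history:]:
                if hmac.compare_digest(hash_password(candidate, salt), digest):
                    found.append("reused")
                    break
        if last_change is not None and now - last_change < self.min_validity:
            found.append("min_validity")
        return found

    def expired(self, last_change, now):
        """True once the password is older than Password validity period."""
        return now - last_change > self.validity
```

Note that `record_failure` resets the failure list when it locks the account, so a lock that has expired starts counting from zero again, and that only the last `reuse_history` entries of the history are compared, which matches the meaning of "Number of previous consecutive passwords that cannot be reused".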

Latch is a service designed to protect your users' digital accounts from unauthorized access. LATCH DOES NOT SAVE ANY INFORMATION AT ALL FROM THESE ACCOUNTS, ITS ONLY JOB IS TO GIVE THEM AN EXTRA LEVEL OF SECURITY. The idea is to limit the time that these digital accounts are exposed to potential unauthorized access. The user will decide whether their accounts are LOCKED or UNLOCKED when they access them. LATCH DOES NOT AFFECT THE ACCOUNT'S OPERATION IN ANY WAY, IT CAN ONLY ALLOW OR DENY ACTIONS PERFORMED ON IT.

For more information, refer to the official website: https://www.elevenpaths.com/technology/latch/index.html

4.4.2. Prior requirements

To use Latch, the user should have at least:

1. A smartphone with the Latch application installed on it.
2. A user account with a provider that is already linked to Latch.


4.4.3. How to use it

Step 1

Installing the Latch app on your smartphone

To use Latch, you first need to install it on your smartphone. The app is free and can be downloaded from the store that your device uses. To install it on an Android device, follow these steps:

1. From the smartphone, access the “Play Store” icon and click on it.
2. Write “Latch” into the search bar at the top of the screen.
3. Once you do this, various applications related to the word “Latch” will appear; install the app from “Telefónica Digital España S.L.U.”. To do this, simply click the "INSTALL" button.

Figure 4-4 Access the Play Store

Figure 4-5 Search for Latch.

Figure 4-6 Install Latch.

4. After clicking the “INSTALL” button, a screen will appear that shows the permissions for the Latch app on your mobile device; by clicking the “ACCEPT” button you will start the actual installation.
5. After a few seconds, the installation will be completed, and the user can open the app with the “OPEN” button.
6. After completing the installation, the Latch icon will appear on the first page of the device, so that the user can access it at any time.

Figure 4-7 Accept permissions.

Figure 4-8 Open Latch following installation.

Figure 4-9 Latch icon.

For more information, see the following link: https://latch.elevenpaths.com/www/download.html

Step 2

Creating a Latch user account

Once the application is installed, the first thing the user should do is open it from their smartphone. On the first screen the logo and some instructions will appear. Basically, the user can do two things:

• Slide the screen to access a short tutorial on Latch, after which they can click the text "No, register” to register on Latch.
• Start the session directly if you have an account. To do so, click on the text “Sign in” in the lower left-hand portion of the screen, as shown in Figure “Latch start Screen”. This text will take the user to a new screen where they can start the session.

Figure 4-10 Latch start screen.

Figure 4-11 Latch Tutorial.

Figure 4-12 Access registration.

Clicking on the text “No, register” opens a form on the application, so that the user can create a Latch account. To do so you must enter a valid email address and a password. You should also check the box indicating that you agree to the application's terms of use, (these terms can be read by clicking the button “Read agreement”). Then click the “Register” button, located on the lower part of the screen.


Figure 4-13 Enter email address and the password for your Latch account.

After entering this information, the user receives an email at the address that they entered, with a link for activating Latch.

Figure 4-14 Email sent to the user with the link for activating their Latch account.


After doing this the user will have a Latch account, through which they can access the application and protect their digital accounts.

Step 3

Accessing Latch

Once the user has an account, they should access the application with the “sign in” button. After clicking this button, a new screen will be shown, where the user will need to enter the email address and the password they used to create the Latch account during the previous step.

Figure 4-15 Screen where the user should enter their email and password after creating their Latch account.

Figure 4-16 Latch start screen without any digital account paired.

This window also displays the text “Forgot your password?”, through which you can recover your password if you do not remember it, and a "Register" link, through which you can access the previously mentioned form. Password recovery is performed when Latch sends you an email to the address that you indicated. Once the user has entered the application, the Latch logo will appear in the upper left corner and, to the right, a “Menu” button for accessing different settings and information regarding Latch. This button appears on various Latch screens. In the center, the digital accounts that the user has paired with Latch will appear. The first time that the user accesses the application no accounts will be listed, and Latch will display this message: “Pair a new service with Latch or protect it with Cloud TOTP: a temporary onetime PIN.”. The next step is pairing your Open Cloud account with Latch.

In this example a digital account will be created on Open Cloud so that it can subsequently be paired with Latch. If the user already has a digital account with Open Cloud, this step is not necessary.

Step 4 Pairing Latch with Open Cloud

Now that you have an account with the Latch application on your mobile device and a digital Open Cloud account, the last step is pairing these two accounts.

2. Accessing the pairing page

You should access your new digital account at Open Cloud using the form on the home page.

Figure 4-17 Accessing the digital account at Open Cloud.

After entering the username and password for the digital account at Open Cloud, a page appears with the operations that the user can perform at Open Cloud. To access the Latch service the user should click on the name that appears in the upper right portion, corresponding to the name used when creating the digital account at Open Cloud (in this example the name is “JoseLuis”), and then click on “My Credential”.

Figure 4-18 Appearance of the digital account when the user accesses it.

Once you have clicked on “My Credential”, a page for accessing the Latch service for Open Cloud appears, which is the page shown in Figure 4-19 “Accessing the Latch service, from Open Cloud”. On that page the user should click the “Edit” link in the “Latch Verification for Login” section.

Figure 4-19 Accessing the Latch service, from Open Cloud

After tapping on the “Edit” link, a pop-up window is displayed requesting the user password and the “Latch Verification Code” (the “Pairing token”). This token is the pairing code generated by Latch.

Figure 4-20 Accessing the page for entering the token generated by Latch.

Step 5 Generating the pairing code on the smartphone

A “pairing code” is simply a set of characters created at random. For Latch the pairing code is composed of 6 characters that can be numbers or letters, both uppercase and lowercase. The next step is generating the Latch token that the webpage is requesting, as can be seen in the previous image. To do this, tap the “Pair with Latch” button in the central part of the screen of the mobile device. After tapping this button, you will see a new screen (Figure 4-22 Screen where the pairing code is generated) from which you can reach the window where the pairing code is generated by tapping the “Generate new code” button. At the bottom of that window you will find the “How do I register with Latch?” button, through which you can access a brief tutorial that explains the pairing process. After tapping the “Generate new code” button, a new screen (Figure 4-23 Generated pairing code) shows a series of characters together with a 1 minute countdown bar. The characters correspond to the token that the user should enter into the textbox on the web page shown previously, and must be entered exactly as they appear on the smartphone, including upper and lowercase letters.

Figure 4-21 Start screen, from which a Latch account can be added

Figure 4-22 Screen where the pairing code is generated.

Figure 4-23 Generated pairing code.

The user may incorrectly enter the pairing code. In the following image, you can see the error on the Open Cloud page. The error was that the user entered the last letter, the “h”, in lowercase instead of uppercase.

Figure 4-24 Open Cloud page that shows the error message if the user has entered an incorrect pairing code.

If the pairing code is entered correctly, the webpage confirms it with a message, and on the smartphone a screen immediately appears indicating that the digital account has been paired.

Figure 4-25 Message displaying the digital account that was paired.

Figure 4-26 The Open Cloud webpage showing that the Latch Verification for Login has been ENABLED.

From the previous smartphone screen, the user can access a list of paired digital accounts by clicking on the button “Set up later”, located in the lower part of the screen. That way you will access a new window containing all the paired accounts, among which you will find the Open Cloud account. This window is the main Latch window, which is divided into 4 parts:

• The upper part includes the previously mentioned Latch logo and the “Menu”.

• Below these, a slider control with the Latch logo appears, along with the text “Slide to lock all”. By tapping on this slider and sliding it to the right all of the accounts under it are locked, and remain disabled until the control is moved in the opposite direction.

• Then the user's list of paired accounts appears. Each paired account includes an icon, the name of the account, and a toggle switch through which the user can lock or unlock that account. Optionally, a message can appear under the name of each account indicating that there are operations locked for that account.

• Lastly, at the bottom is the previously mentioned button that gives access to the screen where the pairing code is generated.

Figure 4-27 Open Cloud as a paired service.

Figure 4-28 Operations available on the digital account.

By clicking on the account name (Open Cloud), you can access the operations under this account, and manage them, as is shown in the following examples.

In Figure 4-28 (Operations available on the digital account) you can see the Open Cloud account, which includes 3 operations: “Autoblock by Time”, “Schedule lock” and “One-time password” (the last one is always on, as a second security factor). Now you are able to use Latch to access Open Cloud.

4.5. Use Mobile Connect to access Open Cloud

4.5.1. What is Mobile Connect

Passwords are complex, hard to remember and unsafe. A thing of the past. Mobile Connect is the solution to log into any website with your mobile phone number. Just look for the Mobile Connect icon in your apps and online services and forever forget about remembering complex passwords. So much easier and more secure. Mobile Connect is a cross-operator proposition promoted by GSMA where users can authenticate with third party applications via a user account linked with their mobile phone account. The authentication provider for Mobile Connect is the user's mobile network operator, and authentication is more secure than typical username/password schemes because access to the account is secured via the user's mobile device.

4.5.2. How it works



• Users: authenticate via mobile phone when accessing online services through any device, across any channel

• Service Providers: access Mobile Connect services through a common and standard API (OpenID Connect)

• Mobile Operator: provide authentication/identity services with different levels of assurance and enable a secure and private channel to share personal user information with 3rd parties

• Authentication: enabling users to authenticate to and authorize transactions within 3rd party services

• Identity and attributes: provision of identity services and enhancement of digital transactions through the provision of attributes

• Centralizing and controlling of personal data

The Mobile Connect authenticator for Open Cloud described in this flow is labelled as LoA2 and relies on SMS technology to carry out the user authentication. It consists of sending a text SMS to the user that includes a URL plus a 4-digit code. To complete the authentication process, the user may either click on the URL embedded in the SMS or type the code directly into the web page.

Figure 4-29 Mobile Connect authenticator
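Both code-based steps in this chapter rely on the same property: a short, randomly generated code that is only accepted for a limited time, exactly as issued, and once. The 6-character, case-sensitive Latch pairing token with its 1 minute countdown (Step 5 of section 4.4, where a lowercase “h” was rejected) and the 4-digit SMS code of the LoA2 Mobile Connect authenticator above are two instances of it. The following Python block is an added example written for this page, not Latch's, Mobile Connect's or Open Cloud's implementation; the class and method names, the 300 second validity of the SMS code, the three-attempt lockout and the sample subjects and codes are assumptions chosen for illustration.

```python
"""Short-lived, single-use verification codes (added example, not vendor code).

Models two cases from the text:
  * a Latch-style pairing token: 6 characters, letters (both cases) and digits,
    valid for 60 seconds, compared case-sensitively;
  * a Mobile Connect-style SMS code: 4 digits, which is why an attempt limit is
    also enforced (only 10,000 possible values).
The SMS validity period and the attempt limit are assumptions, not page values.
"""
import hmac
import secrets
import string
import time
from dataclasses import dataclass, field
from typing import Dict, Optional

# The text states the pairing code uses numbers plus upper- and lowercase letters.
PAIRING_ALPHABET = string.ascii_letters + string.digits


@dataclass
class OneTimeCodeStore:
    ttl_seconds: float          # how long a code stays valid after issue
    length: int                 # number of characters generated
    alphabet: str               # characters the generator draws from
    max_attempts: int = 3       # wrong tries before the pending code is discarded (assumption)
    _pending: Dict[str, dict] = field(default_factory=dict)  # subject -> pending record

    def issue(self, subject: str, code: str, now: float) -> str:
        """Register a known code for a subject (the account or session being verified).
        Used by generate(), and directly when a deterministic code is needed."""
        self._pending[subject] = {"code": code, "expires": now + self.ttl_seconds, "failures": 0}
        return code

    def generate(self, subject: str, now: Optional[float] = None) -> str:
        """Draw a fresh code from a CSPRNG (secrets), never from random.random."""
        now = time.time() if now is None else now
        code = "".join(secrets.choice(self.alphabet) for _ in range(self.length))
        return self.issue(subject, code, now)

    def verify(self, subject: str, candidate: str, now: Optional[float] = None) -> str:
        """Return one of "ok", "mismatch", "expired", "locked", "none".

        case-sensitive: "a1b2ch" does not match "a1b2cH" (cf. Figure 4-24)
        single use:     a code is removed as soon as it verifies
        expiring:       a code older than ttl_seconds is removed and rejected
        attempt-limited: too many wrong guesses discard the pending code
        """
        now = time.time() if now is None else now
        rec = self._pending.get(subject)
        if rec is None:
            return "none"
        if now > rec["expires"]:
            del self._pending[subject]
            return "expired"
        # constant-time comparison: a mismatch must not leak which character differed
        if hmac.compare_digest(rec["code"].encode(), candidate.encode()):
            del self._pending[subject]
            return "ok"
        rec["failures"] += 1
        if rec["failures"] >= self.max_attempts:
            del self._pending[subject]
            return "locked"
        return "mismatch"


# Latch-style pairing token: 6 mixed-case alphanumerics, 1 minute validity (from the text).
latch_store = OneTimeCodeStore(ttl_seconds=60, length=6, alphabet=PAIRING_ALPHABET)
# Mobile Connect-style SMS code: 4 digits (from the text); 300 s validity is an assumption.
sms_store = OneTimeCodeStore(ttl_seconds=300, length=4, alphabet=string.digits, max_attempts=3)


def demo() -> dict:
    """Walk through the cases with fixed clock values and return the observed results."""
    results = {}
    latch_store.issue("JoseLuis", "a1b2cH", now=1000.0)            # constructed sample code
    results["lowercase_h"] = latch_store.verify("JoseLuis", "a1b2ch", now=1001.0)
    results["exact"] = latch_store.verify("JoseLuis", "a1b2cH", now=1002.0)
    results["reuse"] = latch_store.verify("JoseLuis", "a1b2cH", now=1003.0)
    latch_store.issue("JoseLuis", "Zz9Yy8", now=2000.0)
    results["late"] = latch_store.verify("JoseLuis", "Zz9Yy8", now=2061.0)  # 61 s after issue
    sms_store.issue("subscriber-1", "4821", now=0.0)                # constructed sample code
    results["sms_guesses"] = [sms_store.verify("subscriber-1", g, now=float(i + 1))
                              for i, g in enumerate(["0000", "1111", "2222"])]
    results["sms_after_lock"] = sms_store.verify("subscriber-1", "4821", now=10.0)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The check that matters for the 4-digit SMS case is the lockout: with only 10,000 possible values, a code that can be guessed without limit offers no real second factor, so the verifier discards the pending code after a few failures and the user has to request a new SMS.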

4.5.3. How to use it

There are 3 major steps to use Mobile Connect to access Open Cloud:

1. Binding
2. Login
3. Unbind

Step 1 Binding Process

Login for the first time:

1) Select Mobile Connect as an alternative login mechanism:

Figure 4-30 Select Mobile Connect to log in

2) The user is prompted to enter the enterprise account to be logged in with:

Figure 4-31 Enter the enterprise account

3) You are taken to a page where you can bind your mobile phone to the Mobile Connect account, after which you receive a short message to confirm the mobile phone number.

Figure 4-32 Bind your mobile phone

4) You are asked for a username and password (only on the first login).

Figure 4-33 Set the username and password

Note that under My account, My credentials, Mobile Connect will read as enabled:

Figure 4-34 Mobile Connect function is enabled

Step 2 Login

1) You will be asked for the enterprise account

2) You will be asked for your mobile phone number

3) You will receive a short message, whereupon you can log in by clicking on a link or alternatively by entering a PIN code.

4) Now you are able to log in successfully.

Step 3 Unbind

In Open Cloud, under My Credentials, you can unbind the mobile phone number. You will be asked to enter your password. Then you can repeat the whole process to bind a new number.

5. ECS & BMS Security

Harden Your Servers: Cyber-attacks come in many shapes and sizes; however, we can help you fortify your environment by using techniques such as patching the OS and applications, locking down open ports, removing unnecessary plugins, and enabling cryptographic controls like SSL, SSH, SFTP, and VPNs.

We recommend that you harden your ECS/BMS following the recommendations of a recognized security institute, such as:

• Center for Internet Security (CIS)
• International Organization for Standardization (ISO)
• SysAdmin Audit Network Security (SANS) Institute
• National Institute of Standards and Technology (NIST)

5.1. Securing Operating Systems

CIS Guidelines: https://benchmarks.cisecurity.org/downloads/latest/

5.2. Recommendations

• Disable direct root access to your ECS/BMS
• Restrict access to instances from limited IP ranges using your firewall policies
• Password protect the .pem file on user machines
• Delete keys from the authorized keys file on your instances when someone leaves your organization or no longer requires access
• Rotate credentials
• Use bastion hosts to enforce control and visibility
• Update your system with the latest security patches
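Two of these recommendations, disabling direct root access over SSH and removing the keys of people who have left, can be checked mechanically. The following Python script is an added example written for this page (it is not part of the Telefónica document nor a CIS tool): it parses an OpenSSH sshd_config and an authorized_keys file, reports settings that differ from the hardened values expected here, and produces a copy of authorized_keys with a departed user's keys removed. The two configuration texts and the authorized_keys content are constructed samples with fake key material; the set of expected values is an assumption standing in for the relevant CIS benchmark items, and the parser deliberately ignores Match blocks and quoted option strings containing spaces.

```python
"""Audit sshd_config and prune authorized_keys (added example, not vendor code)."""
import re
from typing import Dict, List, Tuple

# Constructed sample of an un-hardened sshd_config (fake file, for illustration).
SAMPLE_SSHD_CONFIG = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
PubkeyAuthentication yes
# a later duplicate does NOT override the first: sshd keeps the first value it reads
PermitRootLogin no
"""

# Constructed sample of the same file after hardening.
HARDENED_SSHD_CONFIG = """\
Port 22
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
"""

# Constructed authorized_keys; the base64 blobs are fake placeholders, not real keys.
SAMPLE_AUTHORIZED_KEYS = """\
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFA alice@laptop
from="10.0.0.0/8" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQFAKEFAKEFAKEFAKEFAKE bob@workstation
# comment lines and blank lines are ignored

ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFB carol@desktop
"""

# Hardened values this audit expects (assumption standing in for the CIS benchmark items).
EXPECTED: Dict[str, str] = {
    "PermitRootLogin": "no",
    "PasswordAuthentication": "no",
    "PubkeyAuthentication": "yes",
}

KEY_TYPES = ("ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521")


def parse_sshd_config(text: str) -> Dict[str, str]:
    """Map lowercase keyword -> effective value. As in sshd, the first occurrence of
    a keyword wins. Match blocks are not modelled; every line is treated as global."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)  # "Key value" or "Key=value"
        if len(parts) != 2:
            continue
        settings.setdefault(parts[0].lower(), parts[1].strip())
    return settings


def audit_sshd_config(text: str) -> List[str]:
    """Return one finding per expected keyword that is missing or set to another value."""
    settings = parse_sshd_config(text)
    findings = []
    for keyword, expected in EXPECTED.items():
        actual = settings.get(keyword.lower())
        if actual is None:
            findings.append(f"{keyword} not set explicitly (expected {expected})")
        elif actual.lower() != expected:
            findings.append(f"{keyword} is {actual} (expected {expected})")
    return findings


def parse_authorized_keys(text: str) -> List[Dict[str, str]]:
    """Split each key line into options / type / key / comment (the options part is optional)."""
    entries = []
    for raw in text.splitlines():
        fields = raw.strip().split()
        if not fields or fields[0].startswith("#"):
            continue
        idx = next((i for i, f in enumerate(fields) if f in KEY_TYPES), None)
        if idx is None or idx + 1 >= len(fields):
            continue                                   # not a key line we understand
        entries.append({"options": " ".join(fields[:idx]), "type": fields[idx],
                        "key": fields[idx + 1], "comment": " ".join(fields[idx + 2:])})
    return entries


def prune_departed(text: str, departed_users: List[str]) -> Tuple[str, List[str]]:
    """Return (new authorized_keys text, comments of removed keys), dropping every key
    whose comment starts with "<user>@" for a departed user. Non-key lines are kept."""
    departed = {u.lower() for u in departed_users}
    kept, removed = [], []
    for raw in text.splitlines():
        entry = parse_authorized_keys(raw)
        user = entry[0]["comment"].split("@", 1)[0].lower() if entry else None
        if user in departed:
            removed.append(entry[0]["comment"])
        else:
            kept.append(raw)
    return "\n".join(kept) + "\n", removed


if __name__ == "__main__":
    for finding in audit_sshd_config(SAMPLE_SSHD_CONFIG):
        print("FINDING:", finding)
    new_text, gone = prune_departed(SAMPLE_AUTHORIZED_KEYS, ["bob"])
    print("removed:", gone)
    print(new_text)
```

Matching keys by the comment field only works if key comments are kept meaningful (user@host) when keys are added, which is worth enforcing as part of the onboarding procedure; a key with an empty comment cannot be attributed to anyone and should itself be treated as a finding.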

6. Data Protection

This section discusses how to back up and recover your data on the Open Cloud. This configuration instance describes how to use Volume Backup Service (VBS) to ensure data security from four aspects, namely, user requirements, scenarios, usage, and procedures.

6.1. User Requirements

Elastic Volume Service (EVS) disks can be attached to an Elastic Cloud Server (ECS) as system or data disks. Data security must be ensured to avoid data loss caused by accidental deletion, hacker attacks, ECS shutdown, and upgrade failures.

6.2. Scenarios

VBS applies to the following scenarios:

• Backing up EVS disk data: To create a VBS backup for EVS disks attached to an ECS, you only need to click Back Up on the Elastic Volume Service page of the management console.

• Restoring EVS disk data to a specified point in time: If you want to restore EVS disk data to a specified point in time, detach the EVS disk from the ECS first and then click Restore Disk to restore the data.

• Creating an EVS disk using the backup data: To create an EVS disk using the backup data, you only need to click Create Disk on the Volume Backup Service page of the management console.

6.2.1. Scenario 1

VBS backs up data of an EVS disk to ensure data security of the EVS disk.

Step 1 Log in to the management console.

Step 2 Under Storage, click Elastic Volume Service.

Step 3 On the Elastic Volume Service page, if the Status column of the row that contains the EVS disk is In-use, choose More > Back Up in the Operation column.

Step 4 Set Name and Description of the VBS backup. Table 6-1 describes the parameters.

Name
Description: Contains a string of 1 to 64 characters that include only letters, digits, hyphens (-), and underscores (_), and cannot start with auto.
Example: disk01_backup

Description
Description: Contains a string of 0 to 64 characters excluding less-than signs (<).
Example: -

Table 6-1 Parameter description

Step 5 Click Create Now.

Step 6 Confirm the VBS backup information and click Submit.

Step 7 Go to the page of the VBS backup list as prompted. You can refresh the VBS page in 10 seconds to 5 minutes to check the VBS backup status. When Status/Progress of the VBS backup is In-use, the VBS backup is created successfully.

6.2.2. Scenario 2

You can use VBS to restore disk data to a specified point in time. Before restoring data, stop the ECS and detach the EVS disk from the ECS. After the restoration, attach the EVS disk to the ECS and start the ECS.

Step 1 Log in to the management console.

Step 2 Under Storage, click Volume Backup Service.

Step 3 On the Volume Backup Service page, if the Status/Progress column of the row that contains the VBS backup is In-use, click Restore Disk in the Operation column.

Step 4 Click OK to confirm data restoration as prompted.

6.2.3. Scenario 3

Create an EVS disk using the backup data. The original data of the new EVS disk is the same as the data at the point in time when the VBS backup was created. After you create an EVS disk using the backup data of a bootable disk, if you need to back up data of the new EVS disk, ensure that this EVS disk has been attached to an ECS. Otherwise, No is displayed in the Bootable Disk column in the backup records.

Step 1 Log in to the management console.

Step 2 Under Storage, click Volume Backup Service.

Step 3 On the Volume Backup Service page, if the Status/Progress column of the row that contains the VBS backup is In-use, click Create Disk in the Operation column.

Step 4 Configure the relevant parameters of the EVS disk. Table 6-2 lists the parameters.

AZ
Description: Specifies an availability zone (AZ) used for creating an EVS disk. If the specified AZ does not exist or the specified AZ is different from the AZ to which the VBS backup belongs, the disk fails to be created, and the disk is in the error state.
Example Value: -

Capacity (GB)
Description: Specifies the disk size (GB). Its value range is: System disk: 40 GB to 32,768 GB; Data disk: 100 GB to 32,768 GB. This parameter is mandatory when you create an empty EVS disk or use an image to create an EVS disk. If you use an image to create an EVS disk, the disk size must be greater than or equal to the image size. This parameter is optional when you use a VBS backup to create an EVS disk. If this parameter is not specified, the disk size is equal to the backup data size.
Example Value: 40

Disk Name
Description: If you create EVS disks in a batch, the actual disk names use this parameter value as the prefix, and each disk name has a unique four-digit number starting with a hyphen (-). For example, a disk name is shan-0001. If you create one EVS disk at a time, this parameter is the disk name. The disk name contains only letters, digits, hyphens (-), and underscores (_), and cannot exceed 64 characters.
Example Value: -

Disk Type
Description: Supports common I/Os, high I/Os, and ultra-high I/Os.
Example Value: -

Quantity
Description: Indicates the quantity of EVS disks created in a batch. If this parameter is not displayed, it implies that only one EVS disk is created. Currently, you can create a maximum of 100 EVS disks in a batch.
Example Value: 90

Table 6-2 Parameter description

By default, Create from Backup is selected. The capacity of the newly created EVS disk must be greater than or equal to that of the VBS backup. If the capacity of the newly created EVS disk is greater than that of the VBS backup, initialize the incremental capacity of the EVS disk.

Step 5 Click Create Now.

Step 6 Confirm the VBS backup information and click Submit.

Step 7 Go to the Elastic Volume Service page and check whether the EVS disk was created successfully. Usually it takes 10 to 20 minutes to create an EVS disk using a VBS backup. Creating and Restoring are two intermediate states of the disk status. When the state changes to In-use, the EVS disk has been created successfully.

7. Cloud Security Status Monitoring

7.1. Use Cloud Eye to Monitor cloud services

Cloud Eye (CES) is an open monitoring platform that provides monitoring, alarm reporting, and alarm notification for your resources in real time. CES monitors metrics of Elastic Cloud Server (ECS), Elastic Volume Service (EVS), Virtual Private Cloud (VPC), Elastic Load Balance (ELB), and Auto Scaling (AS). You can configure alarm rules and alarm notification policies based on these metrics to learn the running status and performance of the monitored objects in a timely manner.

7.1.1. Prerequisites

Step 1 Add an Alarm Rule

1. Log in to the management console.

2. Under Management and Deployment, click Cloud Eye.

3. Choose Alarm > Alarm Rule and click Add Alarm Rule.

4. On the Add Alarm Rule page (Figure 7-1), set the parameters as prompted.

Figure 7-1 Add an Alarm Rule
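The alarm rule you configure on this page combines a monitored object, a merge mode that collapses the samples of a period into one value, a comparison condition and a threshold. The following Python block is an added example written for this page, not Cloud Eye's implementation or API: it evaluates such rules against constructed CPU utilization samples so the effect of each merge mode can be seen side by side. The 300 second period, the "consecutive periods" count, the extra comparison operators beyond the ">" and ">=" named on the page, and reading "deviation value" as the population standard deviation are assumptions; the rule and sample values are constructed.

```python
"""Evaluate an alarm rule over metric samples (added example, not Cloud Eye code)."""
import statistics
from dataclasses import dataclass
from typing import Callable, Dict, List, Sequence, Tuple

# Merge modes named on the page: maximum, minimum, average, deviation.
# "deviation" is taken here as the population standard deviation (assumption).
MERGE_MODES: Dict[str, Callable[[Sequence[float]], float]] = {
    "maximum": max,
    "minimum": min,
    "average": statistics.mean,
    "deviation": statistics.pstdev,
}

# Identification conditions; the page names ">" and ">=", the rest are assumed complements.
CONDITIONS: Dict[str, Callable[[float, float], bool]] = {
    ">": lambda v, t: v > t,
    ">=": lambda v, t: v >= t,
    "<": lambda v, t: v < t,
    "<=": lambda v, t: v <= t,
    "=": lambda v, t: v == t,
}


@dataclass(frozen=True)
class AlarmRule:
    monitored_object: str         # the instance the rule applies to (constructed id below)
    metric: str                   # e.g. "cpu_util"
    merge_mode: str               # key of MERGE_MODES
    condition: str                # key of CONDITIONS
    threshold: float
    period_seconds: int = 300     # assumption: samples are merged per 5 minute period
    consecutive_periods: int = 1  # assumption: alarm when this many latest periods all breach


def merge_periods(samples: Sequence[Tuple[int, float]], period_seconds: int,
                  merge_mode: str) -> List[Tuple[int, float]]:
    """Group (timestamp, value) samples into fixed periods and collapse each with the merge mode."""
    buckets: Dict[int, List[float]] = {}
    for ts, value in samples:
        buckets.setdefault(int(ts // period_seconds), []).append(value)
    merge = MERGE_MODES[merge_mode]
    return [(b * period_seconds, merge(vals)) for b, vals in sorted(buckets.items())]


def evaluate(rule: AlarmRule, samples: Sequence[Tuple[int, float]]) -> dict:
    """Apply the rule: merge per period, compare each merged value with the threshold,
    and raise the alarm only if the latest consecutive_periods all breach."""
    merged = merge_periods(samples, rule.period_seconds, rule.merge_mode)
    cmp = CONDITIONS[rule.condition]
    breaches = [cmp(value, rule.threshold) for _, value in merged]
    recent = breaches[-rule.consecutive_periods:]
    alarm = len(recent) == rule.consecutive_periods and all(recent)
    return {"merged": merged, "breaches": breaches, "alarm": alarm}


# Constructed CPU utilization samples (percent) for one ECS over three 5 minute periods.
SAMPLE_CPU = [
    (0, 20.0), (100, 30.0), (200, 25.0),      # period 0: quiet
    (300, 85.0), (400, 95.0), (500, 90.0),    # period 1: sustained high load
    (600, 70.0), (700, 88.0), (800, 61.0),    # period 2: spiky, average still moderate
]

RULE_MAX = AlarmRule("ecs-example", "cpu_util", "maximum", ">", 80.0, consecutive_periods=2)
RULE_AVG = AlarmRule("ecs-example", "cpu_util", "average", ">", 80.0, consecutive_periods=2)
RULE_DEV = AlarmRule("ecs-example", "cpu_util", "deviation", ">=", 10.0)


if __name__ == "__main__":
    for rule in (RULE_MAX, RULE_AVG, RULE_DEV):
        result = evaluate(rule, SAMPLE_CPU)
        print(rule.merge_mode, rule.condition, rule.threshold, "->",
              result["breaches"], "ALARM" if result["alarm"] else "ok")
```

Running the three rules over the same samples shows why the merge mode matters as much as the threshold: the maximum rule alarms on the spiky third period while the average rule does not, and the deviation rule fires only for the period whose samples are spread out. Pick the merge mode to match the failure you want to be told about, and use the consecutive-period count to suppress single-sample noise.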

Description of the alarm rule configuration items:

• Monitored Object: specifies the instance for the alarm rule. You can specify one or more monitored objects.

• Threshold: specifies the condition for generating the alarm. The threshold consists of merge mode (maximum value, minimum value, average value, and deviation value), identification condition (>, >=,