Category: Hosting

FAQ: Achieving compliance with newly released Azure disk encryption for Windows and Linux

by John Grange

Early this year, we wrote about encryption-at-rest as part of our security series. Traditionally, encryption-at-rest, or disk encryption as we’ll refer to it going forward, has been costly and more difficult to implement in a public cloud environment. As cloud offerings have matured they’ve become much more appealing to the enterprise: security is improved, competition has driven costs down, and new features allow for unprecedented speed and efficiency when compared to the traditional data center. Azure is at the forefront of enterprise cloud functionality, APIs, and integration with core enterprise applications like Active Directory, but until very recently, there wasn’t a native way to implement disk encryption.

Up until now you could use Microsoft’s BitLocker inside your Windows VM, or for Linux you could use any number of filesystem or disk encryption options, but none of these are integrated in any way into the broader Azure environment. This means management and security of your keys/secrets is an issue and it drastically complicates deployments. Even if you’re using configuration management platforms like Ansible, Chef, or DSC, you now have to add a new, complicated layer to each deployment.

Now, as part of Azure’s preview portal – Azure’s platform for the future built on Azure Resource Manager (ARM) – you can deploy native disk encryption for existing VM disks as well as disks for new VM builds. This new functionality adds much-needed flexibility for those organizations that require disk encryption to meet data security and compliance commitments.

In an effort to provide more definition around this new functionality while remarking on common questions we’ve been asked in the field, I will use an FAQ format to address the details of Azure disk encryption for Windows and Linux.

Isn’t Azure disk encryption for Windows just BitLocker?

For Windows, Azure disk encryption is based on BitLocker technology, but it’s been built into Azure as a native feature that is configured outside of the VM via ARM. Key management is integrated into Azure Key Vault, providing an end-to-end disk encryption solution for your Windows IaaS VMs. Disk encryption for Linux VM disks works the exact same way, but the underlying technology is dm-crypt and not BitLocker.

Can I implement Azure Disk encryption from the service management portal?

No, Azure disk encryption is only available in Azure preview, which is based on ARM. Currently, disk encryption can be implemented via Azure CLI or ARM JSON templates. New VMs can be created from the Azure gallery with encrypted disks, or you can encrypt existing disks, but both tasks need to be done via templates or CLI.

How do I manage my keys?

Azure Key Vault is used to manage keys and policies, so no application is left with direct access to the keys and there is a central place to audit.

How do I audit the keys and policies?

You can add Key Vault logs to your log pipeline for auditing.
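As an added example of what that pipeline step can look like (this is not code from the original post or from Azure), the script below filters newline-delimited Key Vault audit events for the things a disk-encryption vault owner usually wants to see first: failed calls, operations that change or remove key material, and callers outside the expected address range. The field names (`operationName`, `resultType`, `callerIpAddress`, `identity.claim`) are assumed to follow the Key Vault AuditEvent schema; the log lines themselves are constructed for the example.

```python
"""
Added example (not from the original post or from Azure): a small triage filter
for Azure Key Vault audit log lines. Field names follow the Key Vault AuditEvent
schema as an assumption; adjust them to what your pipeline actually receives.
"""
import json
from collections import Counter

# Constructed sample: the disk-encryption extension wrapping/unwrapping the
# key-encryption key from inside the VNet, then an operator reading and trying
# to delete a key from an outside address.
SAMPLE_LOG = """\
{"time":"2015-11-09T10:00:01Z","category":"AuditEvent","operationName":"KeyWrap","resultType":"Success","callerIpAddress":"10.0.1.4","identity":{"claim":{"appid":"vm-encryption-app"}}}
{"time":"2015-11-09T10:00:05Z","category":"AuditEvent","operationName":"KeyUnwrap","resultType":"Success","callerIpAddress":"10.0.1.4","identity":{"claim":{"appid":"vm-encryption-app"}}}
{"time":"2015-11-09T10:02:13Z","category":"AuditEvent","operationName":"KeyGet","resultType":"Success","callerIpAddress":"203.0.113.50","identity":{"claim":{"upn":"admin@example.com"}}}
{"time":"2015-11-09T10:03:44Z","category":"AuditEvent","operationName":"KeyDelete","resultType":"Failure","callerIpAddress":"203.0.113.50","identity":{"claim":{"upn":"admin@example.com"}}}
"""

# Operations that alter or remove key material; assumed names, extend as needed.
SENSITIVE_OPS = {"KeyDelete", "KeyUpdate", "KeyBackup", "KeyPurge", "VaultPatch", "VaultDelete"}


def parse_events(text):
    """Parse newline-delimited JSON, skipping blank or malformed lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # a pipeline would count these; here we just skip them
    return events


def caller_of(event):
    """Prefer a user principal name, fall back to an application id."""
    claim = event.get("identity", {}).get("claim", {})
    return claim.get("upn") or claim.get("appid") or "unknown"


def summarize(events):
    """Count operations per caller: the baseline you compare each new day against."""
    counts = Counter()
    for ev in events:
        counts[(caller_of(ev), ev.get("operationName"))] += 1
    return counts


def flag(events, allowed_ips=None):
    """Return (time, caller, operation, reasons) for events worth a human look."""
    findings = []
    for ev in events:
        reasons = []
        if ev.get("resultType") != "Success":
            reasons.append("failed")
        if ev.get("operationName") in SENSITIVE_OPS:
            reasons.append("sensitive-op")
        if allowed_ips is not None and ev.get("callerIpAddress") not in allowed_ips:
            reasons.append("unexpected-ip")
        if reasons:
            findings.append((ev.get("time"), caller_of(ev), ev.get("operationName"), reasons))
    return findings


if __name__ == "__main__":
    events = parse_events(SAMPLE_LOG)
    for caller_op, n in sorted(summarize(events).items()):
        print(f"{n:4d}  {caller_op[0]:24s} {caller_op[1]}")
    for finding in flag(events, allowed_ips={"10.0.1.4"}):
        print("FLAG", finding)
```

The allowed-IP set is the VNet range your encrypted VMs live in; the FAQ notes that disks and keys must sit in the same region, so a key operation arriving from anywhere else is a reasonable first alert.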

Can I encrypt the disks on existing VMs or just newly created ones?

You can encrypt disks on newly created VMs as well as existing VMs. To create a VM with encrypted disks it needs to be created from the Azure Gallery. To encrypt disks on a VM built from a custom image, you would need to provision that VM with your custom image and then go through the process of encrypting the disks of an existing VM.

Does disk encryption work the same on Linux as it does with Windows?

Yes, the Azure disk encryption process is the same whether you’re using a Linux or Windows OS. You use the same CLI or ARM template configuration to implement disk encryption on Linux as you do on Windows, and keys are managed in the same way. The only difference is the underlying technology used for encryption, and that technology has been abstracted out of the process.

What are the current limitations?

Currently, there are some limitations to this initial implementation of Azure disk encryption. The main limitations today are that all of your disks and keys must be located in the same region, there is currently no integration with on-premise key management systems, and you cannot disable encryption once it has been set up.

Highly secure, highly available virtual machines on Azure

by John Grange

Microsoft’s Azure public cloud offers hyper-scale infrastructure and availability around the globe, a feat that’s difficult for even large enterprises to achieve. One of the key paradigm shifts of the past half-decade or so is the move to apps that scale horizontally and are “built for failure”. Being built for failure sounds dubious; however, as a concept it’s been influenced by the fault tolerance and high availability that are required by tech-driven businesses today. With that being said, traditional enterprise applications can absolutely leverage hyper-scale infrastructure to achieve continuous operation while maintaining data security and compliance certification.

One of our goals is to be the on-ramp to hyper-scale infrastructure and cloud computing for security conscious organizations by making the initial transition and the day-to-day management painless. Our team configures each customer environment to meet their unique performance and scalability needs while adhering to best-practice security standards to help our clients maintain compliance with regulatory standards like HIPAA and PCI.

The most critical component of a Layeredi managed and protected environment is the composition of the individual virtual machines themselves. These VMs are serving up key applications, so data integrity, security, availability and performance are all addressed through our platform and services on Microsoft’s Azure.

Let’s profile Layeredi virtual machines on Azure to get more acquainted with the specific components we use and our overall approach, although we’ll focus more on security in this post.

Identity and Access Management

If it hasn’t already been done, we start by integrating a client’s Active Directory into their Azure services via Active Directory sync and configure two-factor authentication. Many departments bypass IT and set up subscriptions without this in place, and it puts the company at risk. Next, we configure any co-administrators that are necessary and proceed to use Role Based Access Control, or RBAC, to control what cloud services employees can access and what they can do with those services through a least-privilege model.

Network Security

Network security is one of the most important pieces of your overall security design. For each client, we build out custom virtual networks, or VNets, that properly segregate the different tiers of the application’s architecture, i.e. web tier, application tier, database tier, or even different availability zones. Other network security configurations include VPN and firewall configuration and policy management.

Operating System Hardening

We support most standard operating systems such as the Windows Server family, Red Hat and CentOS, and Ubuntu. Every VM is provisioned via our automated tools with a hardened configuration that ensures every system meets specific standards. Without going into too much detail, this would entail things like disabling ssh for root, renaming the administrator account, custom iptables and Windows firewall rules, along with a whole lot more. In addition to the setup, we also install some tools we use to do things like gather and inspect logs, monitor configuration changes in real time, and perform non-intrusive anti-malware activities. It’s a comprehensive process, and we ensure each and every VM we deploy into your Azure environment includes these enhancements.
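To make the ssh part of that hardening concrete, here is an added example (not the provider’s tooling, nor code from the original post) that audits an `sshd_config` against a small baseline: root login off, password authentication off, empty passwords off. The baseline is this example’s own assumption about a sensible minimum, the two config texts are constructed, and the parser honours the two sshd rules that trip up naive greps: the first occurrence of a directive wins, and anything under a `Match` block is conditional and is not counted as a global setting.

```python
"""
Added example (not from the original post): audit sshd_config text against a
small hardening baseline. The baseline values are this example's assumptions.
"""
import re

# (directive, expected value, what it means when it is absent or different)
BASELINE = [
    ("PermitRootLogin", "no", "root can log in over ssh, or the version default applies"),
    ("PasswordAuthentication", "no", "password logins allowed; keys only is the goal"),
    ("PermitEmptyPasswords", "no", "not set explicitly; do not rely on the default"),
]

# Constructed sample: a stock-looking configuration.
WEAK_CONFIG = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
Subsystem sftp /usr/lib/openssh/sftp-server
"""

# Constructed sample: hardened globally, with one conditional exception.
# The Match block must not be read as a global setting.
HARDENED_CONFIG = """\
Port 22
PermitRootLogin no          # no interactive root over the network
PasswordAuthentication no   # keys only
PermitEmptyPasswords no
Subsystem sftp internal-sftp
Match User backup
    PasswordAuthentication yes
"""

DIRECTIVE = re.compile(r"([A-Za-z0-9]+)\s*=?\s*(.+)")


def parse_sshd_config(text):
    """Return {directive_lowercase: value} for global settings only.

    sshd uses the first value it sees for a directive, so setdefault() keeps
    the first occurrence, and parsing stops at the first Match block.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        if not line:
            continue
        if line.lower().startswith("match "):
            break
        m = DIRECTIVE.match(line)
        if not m:
            continue
        settings.setdefault(m.group(1).lower(), m.group(2).strip())
    return settings


def audit(text):
    """Return one finding string per baseline directive that is absent or wrong."""
    settings = parse_sshd_config(text)
    findings = []
    for directive, expected, message in BASELINE:
        actual = settings.get(directive.lower())
        if actual is None or actual.lower() != expected:
            findings.append(f"{directive}={actual!r} ({message})")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit(cfg) or "OK")
```

Run it over the real file with `audit(open("/etc/ssh/sshd_config").read())`; an empty list is the pass condition, which makes it easy to wire into whatever configuration-change monitor you already have.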

IPS/IDS

We use a host-based IPS/IDS that is deployed on every server. The agents report back to a central interface that is tracked in real time by our support engineers. We also configure alerts that automatically open support tickets for specific scenarios.

Performance Monitoring

There should never be a trade-off between performance and security. We implement New Relic on every server and alerts come right into our support ticket system.

On-Ramp to Azure and the Public Cloud

Most companies either have some public cloud presence or the desire to dip their toe in, but many don’t know where to start. Hassle-free migrations, high security, compliance, patching and management, and just having real people providing support make the first jump so much easier for mid- to large-sized organizations.

Why we support the public cloud too

by John Grange

This summer has absolutely flown by. The highlight for us has been finally rolling out our managed public cloud service. It was a long time in the making, and we received great early customer input to help us shape the offering. Now that we’ve been providing our services on AWS and Azure for a couple of months, I’ve noticed some recurring questions and misunderstandings that I thought I would address.

Given the positive reception to our nascent public cloud services and in the interests of providing better definition, I thought I’d provide a quick rundown of what our public cloud services are and why companies need managed public cloud.

Why is there a need?

As companies rebuild and replatform their line-of-business apps to leverage new technologies, the public cloud is a natural choice because of the scale, flexibility and ever-evolving tool sets. There are definitely reasons to run certain things like your ERP or other core production workloads in your on-premise datacenter or a private cloud, but for less critical systems or cloud-native applications the public cloud provides many benefits.

Despite all the fancy interfaces and capabilities, businesses still need to ensure data security, privacy, and governance. In the pervading shared responsibility model, the burden still falls on the customer to enforce security above the infrastructure layer. With tools, concepts and capabilities that are vastly different from in-house environments, companies now require new processes and that their staff have a different set of skills.

A managed public cloud provider alleviates many of these issues by providing the setup and day-to-day maintenance so that internal staff can focus on the application itself.

We enable public cloud adoption in a supported, secure, and enterprise-ready way

Since we provide hands-on support, advanced monitoring, and secure and compliant configurations on our own infrastructure, it wasn’t much of a stretch for us to extend that service onto Azure or AWS. The biggest challenge was in building processes around the PaaS elements and ancillary services such as Azure Backup and Azure Site Recovery.

In the end, we provide our clients with an instant ops team to set up, configure and secure, along with a support capability to monitor and respond to incidents. We take away a ton of the risk while maximizing the value of the public cloud’s inherent scale and tooling.

Key service attributes:

-Best-practice environment configuration

-24 x 7 support

-Health and Performance Monitoring

-Hardened OS configurations, user access controls

Doesn’t this negate the cost advantages of public cloud?

I hear this a lot, but typically not from actual clients. Most organizations who are exploring public cloud are doing so because of the operational efficiency associated with the scale and tool sets available on those platforms. The cost of the actual server resources is really only a small part of the equation. If a company can focus their internal resources on directly supporting their users and not on servers and maintenance, the benefits of the public cloud become substantial.

Adding management services to cover the day-to-day responsibility of the customer in a public cloud environment allows companies to move faster because the key “boxes” are checked. Public cloud allows you to move faster and can be secure; our goal is to make it easier for companies to get there.

Are you encrypting your data-in-flight? If not, you should be.

by admin

We spend a lot of time working with our customers to align their technology platform choices with best-practices security and compliance standards.

Over the past couple of years there has been a rash of high-profile data breaches and hacks that have rocked the business world. At the same time there’s also been a veritable Cambrian explosion of application frameworks, libraries, languages and database engines that are part of a new era of cloud-native applications – a direct response to mobile solidifying itself as the platform of the internet. With existential security risks for technology at an all-time high, and powerful cloud-native services popping up at a torrid pace, data security has never been more critical than it is today.

Having a fundamental knowledge of basic application environment security should be required for all of the members of your team. Whether dev or ops, everyone should understand what it takes to keep your data protected. We thought it would be valuable to do a blog series of quick tips for securing your server environments and processes. Let’s start with a security fundamental that is a requirement for nearly all of the main compliance standards: in-flight encryption.

All data that goes over your internal network or the internet is potentially vulnerable. Encrypting data in-flight means that you encrypt data when it’s being transmitted over a network.

Here are some tips for ensuring all of your data transmissions are encrypted in-flight:

  1. Don't use ftp for file transfer, it's unencrypted and insecure. Instead, use scp or sftp. Additionally, you can use rsync over ssh for secure transfer using rsync's robust feature-set. On Windows you can transfer files over Remote Desktop which is also encrypted.
  2. On your web servers, whether you're running on Windows or Linux, be sure to use TLS (transport layer security) for https on all of your connections.
  3. From time to time, a VPN is necessary to provide private, encrypted access to your network. We use OpenVPN as well as a hardware-based solution through our firewall. OpenVPN is software based, easy-to-use and is a great tool in your ops toolbox.
  4. When implementing encryption, try to avoid self-signed certificates wherever possible. It's better to use a certificate that's signed by a Certificate Authority, so that your public key is always verified by a trusted third party.
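Tips 2 and 4 have a common failure mode on the client side: when a server presents a self-signed certificate, the quick fix is to turn certificate verification off, and then the connection is encrypted but talks to whoever answers. The added example below (not from the original post; standard library only) puts that shortcut next to a configuration that verifies the chain, checks the hostname and requires TLS 1.2, and includes a small audit function so the weak shape can be caught in code review or a test suite. The audit rules are this example's own baseline.

```python
"""
Added example (not from the original post): a TLS client context that skips
verification, the hardened equivalent, and an audit of either. Standard
library only; the audit baseline is this example's own.
"""
import ssl


def insecure_context():
    """The 'make the certificate warning go away' shortcut: encryption, no identity."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # must be cleared before verify_mode can change
    ctx.verify_mode = ssl.CERT_NONE   # accepts any certificate, self-signed or forged
    return ctx


def hardened_context(ca_bundle=None):
    """Verify the chain, check the hostname, and refuse TLS versions below 1.2.

    If you run an internal CA instead of a public one, load its bundle here;
    that keeps verification on rather than disabling it for 'internal' hosts.
    """
    ctx = ssl.create_default_context()  # CERT_REQUIRED + check_hostname=True
    if ca_bundle:
        ctx.load_verify_locations(cafile=ca_bundle)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit_context(ctx):
    """Return a list of findings; an empty list means the context passes."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("peer certificate is not verified (verify_mode != CERT_REQUIRED)")
    if not ctx.check_hostname:
        findings.append("hostname is not checked against the certificate")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("TLS versions below 1.2 are accepted")
    return findings


if __name__ == "__main__":
    for name, ctx in (("insecure", insecure_context()), ("hardened", hardened_context())):
        print(name, audit_context(ctx) or "OK")
```

Use the hardened context wherever you open a socket yourself (`ctx.wrap_socket(sock, server_hostname=host)`), and grep your code base for `CERT_NONE` and `check_hostname = False` as a cheap first audit; the same two settings are what most "works with self-signed certs" snippets change.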

These 4 tips are just the basics of encrypting your data in-flight. One challenge in implementing encryption is ensuring that it's consistently implemented correctly across your entire environment as you grow. In our own infrastructure we've built encryption in-flight into our entire environment through our automation tools, and we do quarterly audits of internal and customer environments. Security is a process that has to be taken seriously.

Next time we'll touch on encryption at-rest and how to secure the data you're actually storing.

Are You Production Ready? Layeredi’s Cloud Hosting Solution is the Answer.

by admin

To us, managed hosting is a craft and not a commodity.

Layeredi cloud-enabled managed hosting is a fresh take on hosting and application management that’s fit for today’s technology environment.

Where companies used to provide hardware with ping monitoring and a nightly backup, we provide compliant data centers, enterprise-cloud hardware, managed backups, deep system and performance monitoring, DevOps tools and automation, full-stack managed security, 24x7x365 support and much more.

Layeredi is not just some servers and a control panel you interact with; we’re a partner you can rely on. Backed by an outstanding team of experienced engineers, we’ll take care of your infrastructure, installations, configuration management, maintenance, security, and backups so you can focus on your business.


Bringing startup culture to small town life

The centerpiece of Comstock’s vision is the Rural Innovation Catalyst Program.

In partnership with Peru State College (about 10 minutes from Auburn), the program will include a high school accelerator program that provides coaching so high school students can start their own business inside a “soft failure” environment.

The Catalyst will also include college support and a post-secondary fellowship for rural community development. In all, the program will offer resources for rural entrepreneurs from their junior year of high school to post-college.

“It’s a heck of a lot easier to keep young people in rural communities than to try to convince them to come back,” said Comstock. Comstock plans to build a resource network that brings the dynamism of startup communities like Lincoln to rural towns across the region.

“There’s a lot of talk and less action in rural communities,” said Comstock. “I’d like to see more small business owners get involved.”

Hey Everyone, Meet LayeredFeed! Layeredi’s new blog.

by admin

To us, managed hosting is a craft and not a commodity.

Layeredi cloud-enabled managed hosting is a fresh take on hosting and application management that’s fit for today’s technology environment.

Where companies used to provide hardware with ping monitoring and a nightly backup, we provide compliant data centers, enterprise-cloud hardware, managed backups, deep system and performance monitoring, DevOps tools and automation, full-stack managed security, 24x7x365 support and much more.


Layeredi is not just some servers and a control panel you interact with; we’re a partner you can rely on. Backed by an outstanding team of experienced engineers, we’ll take care of your infrastructure, installations, configuration management, maintenance, security, and backups so you can focus on your business.

