Interactive administration in the cloud: managing the risks

In the NCSC’s cloud platforms guidance (and most recently in our lift and shift sections), we recommend that you protect the use of legacy management protocols – such as RDP and SSH. This practise is arguably more important in the cloud than it’s ever been on-premises, due to the inherent connectivity that cloud environments offer.

Despite traditional approaches to secure remote access now being relatively well understood, we know that it can be difficult to understand the alternative protections available in the cloud, and (crucially) the benefits that adopting these more modern solutions can bring.

In this blog, I’ll discuss approaches to ‘secure infrastructure administration in the cloud’, and will explore our thinking on several additional best practises that can help you to improve the broader security posture of your cloud environment.

Protecting your management interfaces

Legacy management protocols like RDP and SSH can be used to remotely access and administer infrastructure (such as virtual machines) over a network.

In a traditional, on-premises environment, it’s common for management interfaces to be exposed locally to an internal management network. In the cloud, however, these same interfaces are often exposed directly to (and accessed via) the public internet instead. This often default configuration provides customers with a familiar access route to administer their infrastructure, but it also changes the attack surface, as it’s now easier for third parties to discover and target these cloud resources too.

Through the NCSC’s Active Cyber Defence (ACD) function (alongside data from NCSC Incident Management and in open source), we’ve seen that attackers routinely target exposed management interfaces. They attempt to exploit weaknesses such as insecure interface configurations and management protocol vulnerabilities to gain initial access. If successful, this compromised infrastructure is often used as the foundation for lateral movement or for achieving more impactful outcomes such as data theft, denial of service, or the deployment of ransomware. Unfortunately, due to the prevalence of exposed infrastructure and the potential gains from successful attacks, exposed management interfaces remain an enticing target for many attackers.

To help mitigate this risk, we’ve long recommend that management interfaces are protected from untrusted networks. These protections can take many forms. A traditional solution, often seen on-premises, is to use an administration proxy (also known as a bastion host or jump box). This is typically a virtual machine (VM) that’s configured to provide secure and strongly authenticated remote access to infrastructure on a local network. As a core security-enforcing resource, an administration proxy must be well-secured, patched, and hardened against attack. However, this process can be resource intensive and error prone, particularly at scale.

Using an administration proxy service in the cloud

Looking to the cloud, many providers now offer modern alternatives to the traditional administration proxy. These ‘administration proxy services’ provide customers with an administrative access route to their cloud infrastructure, and typically integrate with native features of the cloud platform such as networking, identity management, and log storage.

To support a range of different cloud architectures, it’s common to see multiple administration proxy services (or other modern remote access mechanisms) available within a single platform. Each solution may look quite different. For example, one solution might be agentless and another agent-based. Common examples include AWS Systems Manager Session Manager, Google Cloud Identity-Aware Proxy, and Azure Bastion.

You should look to use an administration proxy service that meets the following conditions:

Original Source: ncsc[.]gov[.]uk