15. Security Concerns and Best Practices

Best practices for configuring your N2WS server. Using and configuring AWS Identity and Access Management (IAM). Setting security policies.

Security is one of the main issues and barriers in decisions regarding moving business applications and data to the cloud. The basic question is whether the cloud is as secure as keeping your critical applications and data in your own data center. There is probably no one simple answer to this question, as it depends on many factors.

Prominent cloud service providers like Amazon Web Services, are investing a huge amount of resources so people and organizations can answer ‘yes’ to the question in the previous paragraph. AWS has introduced many features to enhance the security of its cloud. Examples are elaborate authentication and authorization schemes, secure APIs, security groups, IAM, Virtual Private Cloud (VPC), and more.

N2WS strives to be as secure as the cloud it is in. It has many features that provide you with a secure solution.

N2WS Server

N2WS Server’s security features are:

  • Since you are the one who launches the N2WS server instance, it belongs to your AWS account. It is protected by security groups you control and define. It can also run in a VPC.
  • All the metadata N2WS stores, is stored in an EBS volume belonging to your AWS account. It can only be created, deleted, attached, or detached from within your account.
  • You can only communicate with the N2WS server using HTTPS or SSH, both secure protocols, which means that all communication to and from N2WS is encrypted. Also, when connecting to AWS endpoints, N2WS will verify that the SSL server-side certificates are valid.
  • Every N2WS has a unique self-signed SSL certificate. It is also possible to use your own SSL certificate.
  • AWS account secret keys are saved in an encrypted format in N2WS’ database.
  • N2WS supports using different AWS credentials for backup and recovery.
  • N2WS Server supports IAM Roles. If the N2WS Server instance is assigned an adequate IAM role at launch time, you can use cross-account IAM roles to “assume” roles from the main IAM role of the N2WS instance account to all of the other AWS accounts you manage and not type AWS credentials at all.
  • To manage N2WS, you need to authenticate using a username and password.
  • N2WS allows creating multiple users to separately manage the backup of different AWS accounts, except in the Basic Edition.

Best Security Practices for N2WS

Implementing all or some of the following best practices depends on your company’s needs and regulations. Some of the practices may make the day-to-day work with N2WS a bit cumbersome, so it is your decision whether to implement them or not.

Avoid using AWS Credentials

By using the N2WS Server instance IAM role and cross-account IAM role, you can manage multiple AWS accounts without using AWS credentials (access and secret keys) at all. This is the most secure way to manage multiple AWS accounts and the one recommended by AWS.

Credentials Rotation

Assuming you have to use AWS credentials, you should follow AWS practices. It is recommended to rotate account credentials from time to time. See http://docs.amazonwebservices.com/AWSSecurityCredentials/1.0/AboutAWSCredentials.html#CredentialRotation

After changing credentials in AWS, you need to update them in N2WS. Click on the account name in the Accounts management screen and modify the access and secret keys.

Passwords

Create a strong password for the N2WS server and make sure no one can access it. Change passwords from time to time. N2WS does not enforce any password rules. It is the user’s responsibility to create strong passwords.

Security Groups

Since N2WS server is an instance in your account, you can define and configure its security groups. Even though N2WS is a secure product, you can block access from unauthorized addresses:

You need HTTPS access (original 443 port or your customized port) from:

Any machine which will need to open the management application

Machines that have N2WS Thin Backup Agent installed on them

You will also need to allow SSH access to create and maintain backup scripts.

Blocking anyone else will make N2WS server invisible to the world and therefore completely bullet-proof.

Note: The only problem with this approach is that any time you will try to add new backup agents or connect to the management console or SSH from a different IP, you will need to change the settings of the security groups.

Using IAM

N2WS keeps your AWS credentials safe. However, it is preferable to use IAM roles and not use credentials at all. Additionally, N2WS will not accept root user credentials. To minimize risk, try:

To provide credentials that are potentially less dangerous if they are compromised, or

To set IAM roles, which will save you the need of typing in credentials at all.

You can create IAM users/roles and use them in N2WS to:

  1. Create a user/role using IAM.

Attach a user policy to it.

Use the policy generator to give the user custom permissions.

Warning: Using IAM User credentials is not recommended as they are less secure than using IAM roles.

An IAM role can also be used in the N2WS Server (for the account the N2WS Server was launched in) and for instances running N2WS Agent to perform the configuration stage as well as normal operations by combining some of the policies. You can attach more than one IAM policy to any IAM user or role.

The permissions the IAM policy must have depend on what you want to policy to do. For more information about IAM, see IAM documentation: http://aws.amazon.com/documentation/iam/

N2WS Server Configuration Process

AWS credentials in the N2WS configuration process are only used for configuring the new server. However, if you want to use IAM credentials for the N2WS configuration process, or to use the IAM role associated with the N2WS Server instance, its IAM policy should enable N2WS to:

View volumes instances, tags and security groups

Create EBS volumes

Attach EBS volumes to instances

Create tags

Generally, if you want to use IAM role with the N2WS Server instance, you will need the following policy and the policies for N2WS Server’s normal operations, as described in the next section.

Minimal IAM Policy for N2WS Configuration

{

“Version”: “2012-10-17”,

“Statement”: [

{

“Action”: [

“ec2:AttachVolume”,

“ec2:AuthorizeSecurityGroupEgress”,

“ec2:AuthorizeSecurityGroupIngress”,

“ec2:CreateTags”,

“ec2:CreateVolume”,

“ec2:DescribeAvailabilityZones”,

“ec2:DescribeInstanceAttribute”,

“ec2:DescribeInstanceStatus”,

“ec2:DescribeInstances”,

“ec2:DescribeSecurityGroups”,

“ec2:DescribeTags”,

“ec2:DescribeVolumeAttribute”,

“ec2:DescribeVolumeStatus”,

“ec2:DescribeVolumes”

],

“Sid”: “Stmt1374233119000”,

“Resource”: [

“*”

],

“Effect”: “Allow”

}

]

}

N2WS Server IAM Settings

You can use the N2WS Server’s IAM role to manage backups of the same AWS account. If you manage multiple AWS accounts, you will still either need to create cross-account roles or enter the credentials for other accounts. If you want to use an IAM user for an account managed by N2WS Server (or the IAM role), you need to decide whether you want to support backup only or recovery as well. There is a substantial difference:

For backup you only need to manipulate snapshots.

For recovery you will need to create volumes, create instances and create RDS databases. Plus, you will need to attach and detach volumes and even delete volumes. If your credentials fall into the wrong hands, recovery credentials can be more harmful.

If you use a backup-only IAM user or role, then you will need to enter ad-hoc credentials when you perform a recovery operation.

Generally, if you want to use the IAM role with the N2WS Server instance, you will need a certain policy, or policies, for N2WS Server’s normal operations. For details, see the N2W Software Knowledge Base article on minimal IAM policies at https://support.n2ws.com/portal/kb/articles/what-are-the-required-minimal-aws-permissions-roles-for-cpm-operation

Warning: Using IAM User credentials is not recommended as they are less secure than using IAM roles.

You can check on the permissions required for AWS services and resources, such as backup, RDS, and DynamoDB, and compare them to the policies which cover the requirements. In the Accounts management screen, click the Check AWS Permissions button in the Actions column. Figure 15‑1 shows an example of the account permission check output.

Figure 15‑1

To download a summary report of an account’s current permissions, click Permission Summary in the Reports column.

Configure N2WS’ IAM Role with CloudFormation

CloudFormation is an AWS service that allows you to treat a collection of AWS resources as one logical unit. CloudFormation provides a common language for you to describe and provision all the infrastructure resources in your cloud environment, across all regions and accounts in an automated and secure manner.

The IAM role will automatically contain the required permissions for N2WS operations.

See section 19 Configuring N2WS with CloudFormation.

Thin Backup Agent

The N2WS Thin Backup Agent is used for Windows instances that need to perform application quiescence using VSS or backup scripts. The agent communicates with the N2WS Server using the HTTPS protocol.

No sensitive information passes between the backup agent and the N2WS Server.

Share this post →

Share on twitter
Share on linkedin
Share on facebook
Share on email