Nordcloud proves leadership in information security compliance


Recently, Nordcloud announced that it had been awarded the ISO/IEC 27001:2013 (ISO 27001) certification, in turn proving to be a business that takes information security compliance seriously.

The certification, in-line with the upcoming new GDPR regulations, is the international standard that describes best practice for an ISMS (information security management system). This results in a ‘systematic approach’ to managing sensitive company information in order for it to remain secure, says ISO, the International Organisation for Standardisation.

For Nordcloud, showing this certification will become a typical requirement now and in the future, especially for our enterprise customers, who require higher levels of compliance with continuously meticulous security standards. The well-defined ISMS helps us manage information security related items and continuously develop our team and solutions further. To maintain ISO 27001:2013, Nordcloud will have to continue to go through annual external reviews and a three-year recertification, demonstrating continual improvement in the process.

Companies that need to adopt GDPR should be able to prove that they are not negligent when it comes to security. Achieving the ISO/IEC 27001:2013 certification is an excellent way of proving that. What’s more, conducting business and handing over operation management to a company that has a certification is a sound business decision. We trust this certification will further boost the confidence of our customers when doing business with Nordcloud.

If you’d like to learn more about Nordcloud’s achievement, and how it helps us work with customers on their Cloud journey, contact us here.


Get in Touch

Let’s discuss how we can help with your cloud journey. Our experts are standing by to talk about your migration, modernisation, development and skills challenges.








Is it safe to use AWS S3 after all the news about data breaches?


There has recently been a lot of news about data breaches on AWS S3 (Simple Storage Service). Sensitive data, passwords and access credentials have been exposed to the whole world.

For many, this might have led to the assumption that S3 itself would be insecure and it would be better to avoid using it. The truth is quite the opposite. S3 is totally suitable for storing even sensitive data. As in most cases, the S3 data breaches happened because of human error and misconfiguration, not because of security issues in the service itself.

What is S3 and how do data leaks happen?

So, let’s rewind a bit to get to the bottom of this. What is S3? It’s a managed, highly available and highly scalable object storage which is used over an API. Typically, you access this API with secure credentials created for an AWS user. You create “Buckets” and store your objects (files) inside these buckets. You don’t provision any storage beforehand; you just use as much as you like and pay for what you use. S3 was one of the first services introduced by AWS over 10 years ago and has been truly battle-tested on performance, security and availability. It’s also one of the backbone services of AWS and is widely used by other AWS services too.

So how do data leaks happen? The simple reason is that you can make your buckets or single objects inside a bucket public. This means that anyone with the correct URL can access that object. This is a very useful feature for sharing files to your users and it is widely used to deliver the static content of web applications. But no data inside S3 is ever public by default. You need to separately enable this.

There are multiple ways to make objects public at bucket and object level, including bucket policies, bucket ACLs and object ACLs. This can be confusing, but luckily AWS has recently introduced very clear indicators in the Management Console showing which data is public and why. It takes some effort and lack of understanding to get this wrong if you make use of this information. In addition to this, there are AWS services like AWS Config and Trusted Advisor that can also give you reports on your publicly open buckets.

Why do data leaks happen then?

There are a few typical explanations for this:

  1. The main reason is the lack of governance in the organisation. Governance and standards should be in place to ensure that best practices of the platform, as well as company cloud policies, are followed. This includes access management of S3 buckets.
  2. Without proper AWS knowledge, developers or operators don’t understand how S3 works. They might open the buckets for public access just to be able to access the data from an application that could use access credentials instead. They might not understand that “public” means “public”. It requires understanding of AWS Identity and Access Management together with IAM policies and Bucket policies to get this right.
  3. It might be that some “convenient” pre-created S3 Bucket is used for multiple different types of data including sensitive data and the bucket is exposed publicly for the original use case. Again, it comes down to understanding how S3 works.
  4. Some 3rd party tools that upload files to S3 might have default or optional settings to make the objects public with an object ACL during the upload. In some cases, it might be that these tools are used and that’s the reason for the public access. Again, understanding how S3 and AWS in general work would mitigate this.

Understand the AWS platform

To recap, it all comes down to basic training and understanding of the AWS platform. And this is not limited to S3. In some cases, there’s public access to services because AWS networking, firewall and access management concepts are not understood correctly. It might be that you don’t have proper authentication settings in place in the actual AWS accounts. Or it might be just that general security principles like a proper patching plan are not followed.

There’s a lot to learn when starting a cloud journey and a proper cloud foundation must be built for networking and security together with educating people on how to use the services. Luckily, we are here to help you out with all of that!









Control your environment with Azure policy


Building a secure environment is one of the most important aspects of the Public Cloud. Azure Policy is a service that you can use to create, assign and manage policy definitions whilst also easily controlling your Azure environment.

These policy definitions can be used to enforce a desirable state of newly created services or to audit current infrastructure. You can use built-in policies or write new policies in JSON syntax to suit your requirements.

Azure policies support the following effects:

  • Audit
  • Deny
  • Append
  • AuditIfNotExists
  • DeployIfNotExists

Example policy –  enforces a specific NSG (Network Security Group) on every new network interface.

{
  "policyRule": {
    "if": {
      "allOf": [
        {
          "field": "type",
          "equals": "Microsoft.Network/networkInterfaces"
        },
        {
          "not": {
            "field": "Microsoft.Network/networkInterfaces/networkSecurityGroup.id",
            "equals": "[parameters('nsgId')]"
          }
        }
      ]
    },
    "then": {
      "effect": "deny"
    }
  },
  "parameters": {
    "nsgId": {
      "type": "String",
      "metadata": {
        "displayName": "Network Security Group Id",
        "description": "Resource Id of the Network Security Group",
        "strongType": "networksecuritygroup"
      }
    }
  },
  "metadata": {
    "category": "LabCategorySecurity"
  }
}

The above example protects the environment by denying the creation of a network interface that does not have the specified Network Security Group assigned.
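To see which resources the rule above would block, here is an added sketch (not part of the original article and not Azure's evaluation engine) that evaluates the rule's "if" block against constructed resources. The alias-to-property mapping, the case-insensitive comparison and all resource IDs are assumptions of this example.

```python
# Simplified model of the policy rule above; Azure's real engine does far more.
NIC_TYPE = "Microsoft.Network/networkInterfaces"
NSG_ALIAS = NIC_TYPE + "/networkSecurityGroup.id"
# Assumed mapping from the alias used in the policy to the resource's property path.
ALIASES = {NSG_ALIAS: ("properties", "networkSecurityGroup", "id")}

POLICY_RULE = {
    "if": {"allOf": [
        {"field": "type", "equals": NIC_TYPE},
        {"not": {"field": NSG_ALIAS, "equals": "[parameters('nsgId')]"}},
    ]},
    "then": {"effect": "deny"},
}

def resolve_field(resource, field):
    """Return a top-level field such as 'type', or follow the alias path; None if absent."""
    if field in resource:
        return resource[field]
    if field not in ALIASES:
        return None
    value = resource
    for key in ALIASES[field]:
        value = value.get(key) if isinstance(value, dict) else None
    return value

def matches(cond, resource, params):
    if "allOf" in cond:
        return all(matches(c, resource, params) for c in cond["allOf"])
    if "not" in cond:
        return not matches(cond["not"], resource, params)
    expected = cond["equals"]
    if expected.startswith("[parameters('"):
        expected = params[expected[len("[parameters('"):-len("')]")]]
    actual = resolve_field(resource, cond["field"])
    # Strings are compared case-insensitively here (assumption of this sketch).
    return actual is not None and actual.lower() == expected.lower()

def effect_for(resource, params):
    """Return the rule's effect when the 'if' block matches, else None (request allowed)."""
    return POLICY_RULE["then"]["effect"] if matches(POLICY_RULE["if"], resource, params) else None

# Constructed sample data; the subscription ID and names are placeholders.
_BASE = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/lab"
_NSG = _BASE + "/providers/Microsoft.Network/networkSecurityGroups/"
PARAMS = {"nsgId": _NSG + "required-nsg"}
NIC_OK = {"type": NIC_TYPE, "properties": {"networkSecurityGroup": {"id": PARAMS["nsgId"]}}}
NIC_NO_NSG = {"type": NIC_TYPE, "properties": {}}
NIC_OTHER_NSG = {"type": NIC_TYPE, "properties": {"networkSecurityGroup": {"id": _NSG + "other"}}}
VM = {"type": "Microsoft.Compute/virtualMachines", "properties": {}}
```

A network interface with no NSG and one with a different NSG both match the "if" block and are denied; other resource types never match the first condition and pass through.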

To create a policy definition you can use:

  • Azure portal
  • PowerShell
  • Azure CLI
  • REST API

Sample PowerShell assignment:

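# Resolve the resource group that will be the scope of the assignment
$rg = Get-AzureRmResourceGroup -Name '<RG name>'

# Look up the policy definition to assign
$definition = Get-AzureRmPolicyDefinition -Id '/providers/Microsoft.Authorization/policyDefinitions/<id definition>'

# Assign the definition to the resource group
New-AzureRmPolicyAssignment -Name '<policy name>' -Scope $rg.ResourceId -PolicyDefinition $definition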

Azure Policy also lets you deploy policies shared by the community, for example on GitHub.

GitHub: https://github.com/Azure/azure-policy/tree/master/samples

You can assign the policy to a specific place, ranging from a management group to a resource group. Also, you can exclude some scope if you need to, which allows you to assign policy at a high level and then exclude scopes within it.

To group policies for a set of services, you can create an initiative and collect the policies in it.

Azure policy

Initiative Compliance

Using compliance evaluation requires the standard pricing tier.

The Azure Policy services are currently in the preview state. This is a service that will most likely be constantly developed, but it could be one of the important services ensuring security in the public cloud environment, making it definitely worth some attention.









AWSome Day Oslo: We Had An Awesome day!


We know what you’re thinking, but that’s not a typo.

AWSome Days (a play on words reflecting Amazon Web Services), are hosted around the world and will take you through a step-by-step deep-dive into AWS core services such as Compute, Storage, Database, and Networking.

Nordcloud has been a proud sponsor since the first Nordic AWSome Day in Helsinki back in 2014, where we showcased our AWS Authorized Training Partner, AWS Premier Consulting Partner, and our ongoing dedicated partnership. We have a strong collaboration with AWS that has been going on for several years, and this has helped us provide an accelerated cloud transformation among our customers, from migrating to multiple cloud technologies, or assisting with cloud-based innovation.

 

As an AWS APN Authorized Training Partner, we provide official AWS training, with the most up to date AWS services, and with certified training engineers like Olle Sundqvist, Michaela Vikman, and Juho Jantunen teaching the next wave of Cloud Architects. We currently host the following training sessions: Technical Essentials, Architecting on AWS, SysOps on AWS, Developing on AWS, Security Operations on AWS, and DevOps Engineering on AWS. We always have public and dedicated training going on, but keep an eye on our scheduled courses.

We’re still running an amazing discount (AWSOME) on the courses at a huge 25% off until March 16th. Be sure to have a look at what’s on offer and don’t forget to register to get the discount.

Nordcloud helps organizations use the cloud services from AWS, and other cloud providers to improve their productivity and efficiency.  We look forward to attending a lot more AWSome Days in the coming months, and continue to provide a growing partnership with AWS, providing the best advantages for our customers!

Hope to see you all at the next Nordic AWSome Days event in Helsinki this week!

Finally, a big shout out to our Nintendo Switch winner Mehrdad and the two Raspberry Pi winners: Sturla and Leszek.









General availability of VNet service endpoints for Azure SQL database


This month, Microsoft announced the general availability of Virtual Network Service Endpoints for Azure SQL Database in all Azure regions.

What does this mean for our customers?

Previously, Azure customers were limited to accessing their PaaS SQL database instances via the public internet. Not only did this generate significant security concerns, but also meant that management overhead was tiresome, with each client needing to be added manually to the SQL server firewall for access.

These concerns have now been addressed with the general availability of VNet Service Endpoints for Azure SQL Database. Implementation of service endpoints allows for traffic from selected Virtual Networks and subnets to now traverse a secure traffic medium in the form of the Azure network backbone. By removing public Internet access to resources, and allowing only virtual network traffic, previous security and overhead concerns are now addressed. Further to this, using the Azure backbone also allows for more optimal routing of service traffic.

Although only a slight limitation, we did find that service endpoints cannot be used for traffic from on-premises to Azure services. This would have been particularly useful for customers who prefer to connect to the Azure SQL databases from their on-premises networks.

How much will this new feature cost me?

Nothing! There is no additional charge for using service endpoints.

How easy is this to implement? What happens to my existing firewall rules?

You can be up and running in a matter of minutes. Implementation is particularly straightforward with Microsoft providing detailed step-by-step instructions here and here.

Turning on the service endpoints will not override any existing firewall rules, and can be used concurrently. This is especially helpful in minimising disruption for customers moving away from manual firewall rules to service endpoints.

If you would like help implementing VNet Service Endpoints, please contact us here.
