Using VPN To Secure IaaS Access

By Zach DeMeyer Posted October 13, 2019

Using virtual private networks (VPN) to secure Infrastructure-as-a-Service (IaaS) access is a powerful method that IT organizations use to protect their cloud ‘data centers’. As IT security has become a point of focus for many, it’s important for IT admins to understand what tools are available and how they can help to secure the network. 

After all, with a hacked set of credentials, a bad actor can make their way into an organization’s cloud infrastructure. After that, well, just look at the news. But, by implementing the proper defenses, such as a VPN, SSH keys, and multi-factor authentication (MFA), organizations can protect themselves from ending up in the headlines.

Why Protect IaaS?

Infrastructure-as-a-Service solutions generally house critical company information in the cloud. Product code, critical applications, data storage, and more are all housed in IaaS; it’s essential that access to them is tightly controlled. Unlike in decades past when data centers were essentially an extension of an on-prem network, it’s now more difficult to manage access to cloud solutions that are not completely under IT’s control. 

What’s more, there’s been a sharp uptick in remote workers in recent years. Although cloud IaaS gives them the ability to work on their applications and data from anywhere, it’s considerably more difficult for IT admins to ensure their network connection to these resources is secure.

Using a VPN to Secure IaaS Access

A VPN allows IT organizations the ability to better control how their on-prem networks are accessed by remote workers, and provides users a more secure method for accessing cloud infrastructure. A VPN creates a secure tunnel for employees to privately connect from an on-prem network to their IaaS provider (i.e. AWS) using public network connections.

By using a VPN, IT organizations can ensure that any external traffic accessing their on-prem network and cloud data centers comes from company-sanctioned users. After all, using a public or otherwise unsecured network connection opens organizations up to the possibility of a man-in-the-middle (MITM) attack, where a bad actor can establish themselves in between a remote user and the resources they’re accessing. Once a MITM attacker is set up in the middle of these communications, they have virtually unrestricted access to the data being relayed.

Of course, a VPN only covers one half of the picture when it comes to securing IaaS access. While a VPN authorizes what can be accessed, IT organizations also need to make sure that the users who are accessing are authenticated and that the systems they are using are secure. This is where the RADIUS protocol comes in. VPNs can leverage RADIUS and a cloud directory service to ensure that access to the VPN is tightly controlled.

SSH Keys

Once user access is granted to the cloud infrastructure using a VPN, admins can further secure their IaaS authentications using SSH keys. With SSH, IT organizations utilize a public/private key pair to create tighter security for accessing IaaS tools. These are generally more secure than using a username/password combination because they use long strings of composite numbers and prime factors, making them more difficult to crack using brute force attacks and others. 

Organizations can leverage SSH keys to create secure, token-based connections to IaaS platforms. In fact, many IaaS solutions, such as Amazon® Web Services (AWS®), promote the use of SSH keys for accessing Linux® servers and other facets of their IaaS offerings.

RADIUS MFA

Armed with a VPN and SSH keys, IT organizations are close to having their IaaS access as secure as possible. Of course, while SSH keys should be used to secure IaaS access, accessing the VPN will also need to be secured. VPN access generally utilizes a username/password combination to authenticate, which can potentially be compromised.

By applying MFA to VPN access using the RADIUS protocol, IT organizations secure remote access to IaaS even further. MFA has proven to be essential for preventing account takeovers. As such, it should be essential for securing IaaS access via VPN.

Finding a Solution for Securing IaaS Access

With all of this in mind, IT organizations will need to find the proper toolset to implement SSH keys and RADIUS-backed MFA alongside their VPNs for IaaS access. Of course, this task can be a daunting one when trying to find the best possible solution on the market.

If you are looking to find a solution to further secure your IaaS access through VPNs, we can help point you in the right direction.

Zach DeMeyer

Zach is a writer and researcher for JumpCloud with a degree in Mechanical Engineering from the Colorado School of Mines. He loves being on the cutting edge of new technology, and when he's not working, he enjoys all things outdoors, making music, and soccer.

Recent Posts