CXO Series III: Jumpbox – The Cloud Security Shortcut is a Ticking Timebomb

Note on CXO Series: The CXO series is our effort to bring awareness to decision makers in the geo-distributed organization of today. CipherGraph helps you navigate the frontier area of cloud-computing with a special emphasis on data security, contingency planning, and risk mitigation.

If you started your cloud deployment in-house, chances are that someone in your enterprise is using a jumpbox to access your intranet or IaaS cloud.

Jumpboxes are cheap basic alternatives to VPNs, essentially intermediate VMs (typically Linux or some terminal server) that are exposed directly to the internet. The process is very manual, perhaps even has some scripts for some functions. Users log in to these using SSH and then log into other private services from there. The advantages are obvious, your entire deployment is hiding behind a single public IP address hidden from the threats of the internet.

The Ticking Timebomb

There is a little problem though with this picture of simplicity and ingenuity. The problem was completely invisible when just a handful of people used the jumpbox. If your IT is very diligent, each user has only one key, manually duplicated over a few of his devices, it’s basically a simple text file. Can Bob, your IT guy answer a few simple questions; If 25, 50, 100 or more users were on the jumpbox, how many devices did Bob give access to? Can he know? Did he trust everyone with his entire network? Is the key safely stored in all of the devices? When Alice left, did Bob remove her key from her devices and the jumpbox? Did she ever share it with someone without telling Bob? Or did she put the key on a device she forgot about? Worst of all, did Bob ever give the same key to more than one person?

The questions do not just end at user facing issues, does that Jumpbox have a backup? If not, your users will be cut off in case of failure, if yes, can a deleted key come back to haunt you? Managing keys is hard, it’s highly error prone and worst of all distribution and safe storage is completely opaque to any monitoring or alarm system.

Insider Threat

Simple mistakes like keeping ad-hoc security solutions like Jumpboxes lack the manageability and enforcement your organization needs to ensure that Alice’s access into your organization’s intranet or cloud is completely cut off after she leaves. Deleting keys is not error prone, managing and controlling distribution of keys is often impossible.

Jumpbox is not really free!

On paper, setting up a jumpbox is free or almost free, but maintaining it requires diligence and careful maintenance, both of these are things that take time and resources. Spend time on your business, deploy a solution that is cost effective not “free with hidden costs”.

Build your IT to scale from the start

In the day and age of cloud computing, it is practical to have full scale solution, simplicity and quick deployment in one product. Gone are the days of using labor intensive SoHo/hacked together solutions till you could afford and consume a paid solution. Scalable security for your cloud is now available for the deployment size of your choice and you pay for only what you choose.

CipherGraph CAG and CAG-vx the elastic and scalable security you need

Forget dealing with complex key management. Deploy CipherGraph CAG for your AWS or other IaaS cloud or CAG-vx for your Datacenter or private cloud. Deploy secure perimeter for your cloud with your intranet completely invisible from Internet threats. Manage users based on their identities, centrally control their access rights across your network and keep unauthorized users out, completely.

Deploying CipherGraph security takes minutes and can be rolled out for just a few users or thousands without need for key distribution and any user specific management. Centrally control exactly which user or group has access to which parts of your intranet or services. Enjoy the benefits of flexible pricing and pay only for the capacity you need.

Read Jude Chow’s insightful article on SSH Key management to learn more about the dangers.

For free consultation on your IaaS cloud and Datacenter needs, email info@ciphergraph.com