Secure network connection to the cloud - Security Best Practices for Manufacturing OT

Secure network connection to the cloud

The best practice to manage a secure cloud connection is to keep the network traffic private and encrypted. If the network traffic can’t be routed through either a VPN or a private network and one needs to access a cloud service directly over the internet, the traffic must be encrypted and routed through a TLS proxy and an on-premises firewall for added protection. Figure 6 highlights some of these best practices.

  • Establish secure connection with AWS via site-to-site VPN or Direct Connect — AWS offers multiple ways and design patterns to establish a secure connection to the AWS environment from the manufacturing edge. Establish a secure VPN connection to AWS over the public internet, or set up a dedicated private connection via Direct Connect. Use AWS VPN with Direct Connect to encrypt traffic over Direct Connect.

  • Prefer VPC endpoints or VPC Endpoint Services when possible — Once a secure connection to AWS has been established via VPN over the public internet or Direct Connect, use VPC Endpoints whenever possible. VPC Endpoints enable customers to privately connect to supported regional services without requiring a public IP address. Endpoints also support endpoint policies, which let you further control and limit access to only the required resources.

VPC Endpoint Services (AWS PrivateLink) enables you to create your own application in your VPC in the cloud and configure it as a VPC Endpoint.

  • Use TLS proxy and a firewall for services connecting to AWS over public internet — If the VPC Endpoint for the required service is not available, you would have to establish a secure connection over the public internet. The best practice in such scenarios is to route these connections via a TLS proxy and a firewall.

The following figure shows an example of an AWS IoT Greengrass gateway connected to the cloud via a proxy. Using a proxy allows you to inspect and monitor cloud traffic, enabling threat and malware detection. It also allows security policies to be applied at the network layer. Firewall rules need to be established for HTTPS and MQTT traffic. To tolerate intermittent loss of network connectivity, the gateway should use “store and forward” methods like AWS IoT Greengrass Stream Manager to locally buffer data until the connection is restored.


        A diagram showing secure network connection to the cloud.

Secure network connection to the cloud
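
One way to check the endpoint-policy recommendation above, as an added example that is not part of the original whitepaper or AWS code: a small Python audit that flags VPC endpoint policies whose Allow statements leave actions or resources unrestricted, as the full-access policy applied by default does. The function names and the sample bucket ARN are assumptions constructed for illustration.

```python
import json

# Constructed sample policies; the bucket name is a placeholder, not a real resource.
DEFAULT_POLICY = json.dumps({
    "Statement": [{"Effect": "Allow", "Principal": "*", "Action": "*", "Resource": "*"}]
})
SCOPED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": {
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["s3:PutObject", "s3:GetObject"],
        "Resource": "arn:aws:s3:::example-plant-telemetry/*",
    },
})


def _as_list(value):
    """Policy JSON allows a single value or a list; normalize to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def audit_endpoint_policy(policy_json):
    """Return findings for Allow statements that do not limit actions or resources."""
    policy = json.loads(policy_json)
    findings = []
    for index, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        sid = stmt.get("Sid", f"statement[{index}]")
        # In an Allow, NotAction / NotResource grant everything except what is listed.
        for key in ("NotAction", "NotResource"):
            if key in stmt:
                findings.append(f"{sid}: Allow with {key} grants everything not listed")
        for action in _as_list(stmt.get("Action")):
            if action == "*" or action.endswith(":*"):
                findings.append(f"{sid}: wildcard action {action!r}")
        for resource in _as_list(stmt.get("Resource")):
            if resource == "*":
                findings.append(f"{sid}: wildcard resource '*'")
    return findings


if __name__ == "__main__":
    for name, doc in (("default", DEFAULT_POLICY), ("scoped", SCOPED_POLICY)):
        print(name, audit_endpoint_policy(doc) or "no findings")
```

Run it against the policy document exported for each endpoint; an empty result means every Allow statement names specific actions and resources.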