It Takes a Cloud to Secure a Cloud
December 9, 2011

Cloud security is a huge issue for businesses looking to take advantage of cloud technology but worried about data confidentiality, integrity and availability. According to Symantec’s 2011 State of Cloud Survey, cloud security is both a top goal and top concern for business decision makers who cite malware, theft and loss of confidential data as potential risks.
In this article, then, we’ll look at the challenges that accompany cloud security and how cloud-based security as a service overcomes the challenges of securing cloud networks.
Challenges of Cloud Security
Cloud computing is emerging as a dominant computing model because it offers tremendous scalability with pay-as-you-grow economics. Rather than investing hard dollars in data center infrastructure, companies can establish cloud instances to perform computing tasks and pay by the month. Cloud resources can scale up or down as needed, and because true cloud offerings span multiple data centers, the user is assured of business continuity in the event of a disaster at one data center…
The drawback of cloud computing from a security standpoint is that, once you put applications and data in the cloud, you are flying blind. Your security is just as good as your weakest link. An easy-to-guess password, a lost smartphone, or an unhappy employee is all it takes to subvert the access control mechanisms to your cloud instances. Once one cloud instance is subverted, it could propagate to other instances and the damages can become extremely costly if the problem is not remediated quickly.
The principal reason cloud computing carries this added risk is that you can’t easily see what is going on in the cloud by monitoring traffic the way you can on your own network. It’s much harder to install devices that monitor cloud network traffic because you don’t own the network. A number of regulatory compliance standards require you to have all your assets secured through logging and monitoring for forensics purposes. Logging allows you to retrace events and find out what went on at some point in the past, and this is a minimum requirement for most compliance standards. Instrumenting the cloud instances with Intrusion Detection and Prevention System (IDPS) functionality makes this possible.
Unfortunately, companies seldom have much control over the underlying infrastructure in a cloud – they simply trust that the cloud provider is maintaining a safe and secure infrastructure, and they have no visibility into the logging or other security functions taking place with their applications and data. As a result, companies are often reluctant to place important financial data or applications in a cloud instance because there’s no way to verify that the data is secure.
Why Traditional Solutions Don’t Provide Adequate Cloud Security
The market offers a wide range of IDPS solutions today, but most of them are not suited for deployment in cloud instances. Most IDPS solutions are appliance-based, so to deploy them in the cloud, the customer would need the cooperation of the cloud vendor – something they are unlikely to get. Even if the cloud vendor approves of deploying IDPS boxes in its own cloud network, the user would have to spend $15,000-$50,000 per box to deploy these solutions. Clearly, the one-box-per-cloud-instance approach won’t scale even if cloud providers permit it.
In addition, a host-based intrusion detection system (HIDS) and syslog management of cloud instances are not enough. To get total security of cloud instances, one needs to also monitor the traffic coming in and out in order to:
1. Detect and prevent uses of unauthorized network services or data exfiltration (how data gets in and out of the instance); and
2. Proactively catch and prevent (brute-force or exploit-based) attempts to subvert the access control mechanisms before they succeed.
Neither of these can be done with HIDS. An asset placed in a third-party network needs to have its traffic monitored by you; if you don’t know for sure who is accessing your data, you will not be assured that your cloud instance is secured.
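The two traffic-side checks listed above, as an added example that is not code from the article or from any vendor it alludes to: a small detector run over constructed flow summaries of the kind a software probe on one cloud instance might record. The per-instance policy (allowed outbound ports, volume and failed-login thresholds), the addresses and the flows are all assumptions made for the example; a HIDS reading local logs alone would see neither the unexpected outbound service nor the volume to one peer.

```python
"""Added example, not code from the article: the two traffic-side checks the text
says a host-based IDS alone cannot make, run over constructed flow summaries as a
software probe on one cloud instance might record them.  The policy values,
addresses and flows are all assumptions made for the example."""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed per-instance policy: the outbound services this workload is expected to
# use, the outbound volume to one peer that is still plausible, and how many failed
# logins from one source count as a brute-force attempt.
ALLOWED_OUTBOUND_PORTS = {53, 443}
EXFIL_BYTES_THRESHOLD = 50_000_000      # bytes to a single remote peer within WINDOW
BRUTE_FORCE_FAILURES = 5                # failed logins from one source within WINDOW
WINDOW = timedelta(minutes=10)


def ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")


def flow(time, direction, remote_ip, port, nbytes, outcome="ok"):
    # "port" is the service port: the remote port for outbound flows, the local
    # port for inbound ones.
    return {"time": ts(time), "direction": direction, "remote_ip": remote_ip,
            "port": port, "bytes": nbytes, "outcome": outcome}


# Constructed flow summaries (documentation addresses, not real hosts).
SAMPLE_FLOWS = [
    flow("2011-12-09T10:00:01", "out", "203.0.113.7", 443, 4_200),           # ordinary HTTPS
    flow("2011-12-09T10:01:00", "out", "198.51.100.9", 6667, 900),           # service not on the allowlist
    flow("2011-12-09T10:02:00", "out", "198.51.100.9", 443, 30_000_000),     # large upload...
    flow("2011-12-09T10:05:00", "out", "198.51.100.9", 443, 25_000_000),     # ...to the same peer
    flow("2011-12-09T10:03:00", "in", "192.0.2.45", 22, 300, "auth_fail"),
    flow("2011-12-09T10:03:10", "in", "192.0.2.45", 22, 300, "auth_fail"),
    flow("2011-12-09T10:03:20", "in", "192.0.2.45", 22, 300, "auth_fail"),
    flow("2011-12-09T10:03:30", "in", "192.0.2.45", 22, 300, "auth_fail"),
    flow("2011-12-09T10:03:40", "in", "192.0.2.45", 22, 300, "auth_fail"),   # fifth failure in 40 s
    flow("2011-12-09T10:04:00", "in", "10.0.0.5", 22, 1_100, "auth_ok"),     # admin login, fine
    flow("2011-12-09T10:20:00", "out", "203.0.113.7", 443, 3_000),
]


def _window_alerts(flows, key, weight, threshold, kind):
    """Raise one alert per key the first time its weighted sum inside WINDOW reaches threshold."""
    alerts, fired = [], set()
    history = defaultdict(list)             # key -> [(time, weight)] still inside the window
    for f in flows:                         # caller passes flows sorted by time
        k = key(f)
        h = history[k]
        h.append((f["time"], weight(f)))
        while h and f["time"] - h[0][0] > WINDOW:
            h.pop(0)                        # expire entries older than the window
        total = sum(w for _, w in h)
        if total >= threshold and k not in fired:
            fired.add(k)
            alerts.append({"type": kind, "peer": k, "port": f["port"],
                           "total": total, "at": f["time"]})
    return alerts


def detect(flows):
    """Return the alerts the policy above raises for a list of flow summaries."""
    flows = sorted(flows, key=lambda f: f["time"])
    outbound = [f for f in flows if f["direction"] == "out"]
    failed_logins = [f for f in flows if f["direction"] == "in" and f["outcome"] == "auth_fail"]

    # Unauthorized network service: any outbound flow to a port not on the allowlist.
    alerts = [{"type": "unauthorized_service", "peer": f["remote_ip"], "port": f["port"],
               "total": f["bytes"], "at": f["time"]}
              for f in outbound if f["port"] not in ALLOWED_OUTBOUND_PORTS]
    # Possible exfiltration: too many bytes to one peer within the window.
    alerts += _window_alerts(outbound, key=lambda f: f["remote_ip"], weight=lambda f: f["bytes"],
                             threshold=EXFIL_BYTES_THRESHOLD, kind="possible_exfiltration")
    # Brute force: too many failed logins from one source within the window.
    alerts += _window_alerts(failed_logins, key=lambda f: f["remote_ip"], weight=lambda f: 1,
                             threshold=BRUTE_FORCE_FAILURES, kind="brute_force")
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_FLOWS):
        print(a["at"].time(), a["type"], a["peer"], "port", a["port"], "total", a["total"])
```

Running the block prints three alerts for the sample: the outbound connection to port 6667, the 55 MB sent to one peer inside ten minutes, and the five failed logins from one source. The sliding window is what keeps the volume check from firing on a single ordinary large download and the login check from firing on a user who mistypes a password once.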
Traditional IDPS vendors advocate creating a virtual private network within the cloud instances so that all of the instances communicate packets back to a locally situated IDPS appliance. This is a very cumbersome setup that doesn’t really give a company the freedom to monitor its geographically dispersed cloud assets. What’s more, it could prove expensive because it necessitates replicating all production traffic. Using Cloud VPNs and installing an IDS process at the VPN gateway does not require packet duplication but kind of defeats the purpose of cloud computing because it funnels communications through a single point, thus potentially affecting performance and reliability.
Cloud-based Security for Cloud-based Assets
A better approach to instrumenting cloud instances is through software. It is now possible to obtain SaaS-based IDPS functionality that can be deployed on any cloud instance and paid for by the month. Users can take this software and include it in cloud instances so it can see everything that comes in and out of the instance. It’s equivalent to doing network monitoring, but instead of sitting on a device, the software sits within the cloud node itself.
SaaS-based IDPS software has three components:
1. A software probe that is downloaded from the security provider’s cloud and installed in the cloud instance;
2. A security provider cloud where network events are routed and correlated; and
3. A secure web browser where the network events can be monitored and analyzed.
Figure: SaaS-based security system
The SaaS model maps very well to cloud security needs. Users can deploy agents anywhere – on a real network, on a local cloud instance, or on a cloud instance in another country. All of the software probes produce the same type of data, and all event information is routed back to the SaaS provider’s cloud for correlation. The real-time event information and alerts are then available to any secure web browser with the proper login credentials (See Figure).
Through the browser, the user can connect to the SaaS provider’s cloud and view, correlate, and analyze all the events from all the cloud instances the customer has. There is also support for sharing the information, so if there are several network security analysts around the world, they can all share the same data and collaborate online through the browser.
Once the event data from multiple institutions is stored in a common cloud, it can be more effectively correlated using intra-domain correlation. The security configuration management of the instances and the real assets can be performed from a central repository (the same cloud that stores the events), thus simplifying management and provisioning.
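The pipeline described above (identical probe records from every instance, shipped to one place and correlated there), as an added example that is not the article's or any provider's code: a normalised event record that each probe emits in the same shape wherever it runs, and the cross-instance correlation step the central cloud can perform once those records sit together. Instance names, regions, addresses, event times and the one-hour clustering gap are all constructed assumptions for the example.

```python
"""Added example, not the article's or any vendor's code: a normalised event record
that every software probe emits in the same shape, and the correlation step the
security provider's cloud can run once events from many instances sit together.
Instance names, regions, addresses and times are constructed for the example."""
from collections import defaultdict
from dataclasses import dataclass, asdict
from datetime import datetime, timedelta
import json


@dataclass(frozen=True)
class ProbeEvent:
    instance: str      # cloud instance the probe runs on
    region: str        # where that instance lives; the record shape is the same everywhere
    time: datetime
    source: str        # remote address the event concerns
    kind: str          # e.g. brute_force, unauthorized_service
    detail: str

    def to_wire(self) -> str:
        """Serialise for shipping to the security provider's cloud."""
        d = asdict(self)
        d["time"] = self.time.isoformat()
        return json.dumps(d, sort_keys=True)

    @classmethod
    def from_wire(cls, line: str) -> "ProbeEvent":
        d = json.loads(line)
        d["time"] = datetime.fromisoformat(d["time"])
        return cls(**d)


def _incident(source, cluster, min_instances):
    instances = sorted({e.instance for e in cluster})
    if len(instances) < min_instances:
        return []
    return [{"source": source, "instances": instances,
             "regions": sorted({e.region for e in cluster}),
             "kinds": sorted({e.kind for e in cluster}),
             "first": cluster[0].time, "last": cluster[-1].time}]


def correlate(events, gap=timedelta(hours=1), min_instances=2):
    """Cross-instance correlation: one source whose events on different instances fall
    within `gap` of each other is reported as a single incident.  A probe on any one
    instance cannot see this on its own, because it only knows its own traffic."""
    by_source = defaultdict(list)
    for e in sorted(events, key=lambda e: e.time):
        by_source[e.source].append(e)
    incidents = []
    for source, evs in by_source.items():
        cluster = [evs[0]]
        for e in evs[1:]:
            if e.time - cluster[-1].time <= gap:
                cluster.append(e)
            else:
                incidents += _incident(source, cluster, min_instances)
                cluster = [e]
        incidents += _incident(source, cluster, min_instances)
    return incidents


def ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")


# Constructed events from three probes in three regions, already serialised as
# they would arrive at the provider's cloud.
SAMPLE_WIRE = [e.to_wire() for e in [
    ProbeEvent("web-us-1", "us", ts("2011-12-09T10:01:00"), "198.51.100.9", "unauthorized_service", "outbound tcp/6667"),
    ProbeEvent("web-us-1", "us", ts("2011-12-09T10:03:40"), "192.0.2.45", "brute_force", "5 ssh failures"),
    ProbeEvent("web-eu-2", "eu", ts("2011-12-09T10:20:00"), "192.0.2.45", "brute_force", "5 ssh failures"),
    ProbeEvent("db-ap-1", "ap", ts("2011-12-09T10:41:00"), "192.0.2.45", "brute_force", "7 ssh failures"),
    ProbeEvent("web-eu-2", "eu", ts("2011-12-09T08:00:00"), "203.0.113.50", "brute_force", "5 ssh failures"),
    ProbeEvent("web-us-1", "us", ts("2011-12-09T14:00:00"), "203.0.113.50", "brute_force", "5 ssh failures"),
]]


def incidents_from_wire(lines):
    """What the provider's cloud does on receipt: parse the records, then correlate."""
    return correlate([ProbeEvent.from_wire(line) for line in lines])


if __name__ == "__main__":
    for inc in incidents_from_wire(SAMPLE_WIRE):
        print(inc["source"], "hit", inc["instances"], "in", inc["regions"],
              "between", inc["first"].time(), "and", inc["last"].time())
```

On the sample, one source that failed logins against three instances in three regions within forty minutes is reported as a single incident, while a source seen on two instances six hours apart, and a source seen on one instance only, are not. Each probe on its own would have raised three unrelated brute-force alerts; the common store is what turns them into one picture.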
Another dimension to the SaaS-based approach is real-time monitoring. The system is designed to do real-time monitoring through a browser, whether it’s on a private network or a cloud. The browser presents the real-time information the way a Security Information and Event Management (SIEM) tool would. Traditional SIEM products rely on specific applications installed at a network operations center (NOC), so analysts must be in the NOC to see the real-time information. But with the browser turned into a SIEM application, analysts can get an instant real-time view of the network from wherever they are.
Finally, the SaaS-based approach does not preclude users from operating a high-performance IDPS solution. Appliance vendors tout the speed of their processing, but because the SaaS-based software can run on any server, users can run it on a multi-processor server to gain multi-gigabit performance on commodity hardware. This provides users with a way to get a high-performance IDPS solution in their own data centers while using the same software to deploy security in the cloud.
Simply put, a SaaS-based IDPS solution can instrument cloud instances with lightweight software. Users can implant it in all the different nodes of a cloud implementation to gain comprehensive real-time and forensic data about where the data is going and whether there are any anomalies present.