The Big Crack in Cloud Security
January 5, 2012
With the New Year having rolled in, you’ve probably had your fill of "This is the year of (pick your technology, fill in the blank)" predictions. After all, for how many years now have we heard, "This is the year for cloud computing?"
While there’s no doubt that the wave of cloud computing continues to swell, real-world IT organizations are clearly not as quick to jump aboard as prognosticators. That’s because there are a lot of unknown aspects of the cloud, and security is chief among them…
Deployment of cloud applications is daunting when you consider the risks of having applications, infrastructure, IP and private information in the cloud. While we’re still learning how to harness the powers of the cloud, there are several things we know right off the bat: we must secure cloud servers, including our applications and data; and we must have cloud security that is simple, manageable and scalable – ensuring that our cloud security is as elastic as the infrastructure it protects.
You Can’t Secure What Can’t Be Managed
Traditional, on-premise security fails to cover the cloud, and there’s a huge gap between what the big security vendors market and what they actually deliver. Nearly every facet of modern security was designed to manage security from inside the perimeter, yet when you consider security in the cloud there is no perimeter to defend. Our modern security is designed to protect a legacy infrastructure – one where we have a physical corporate border, with all of our infrastructure and applications safely secured therein. Conversely, however, the cloud is inherently outside that secure border, and the perimeter thus shrinks to the individual cloud server. What’s more, once enterprises place applications and data in the perimeter-less cloud, the security game changes. Today the cloud is eroding the mega-perimeter and that’s left the enterprise with a real predicament: how the business can benefit from the cloud without putting it at risk.
When it comes to cloud security, elasticity and efficiency of management are as important as security. The cloud is infinitely and immediately scalable, and when the perimeter shrinks down to the individual cloud server, it multiplies. Now enterprises aren’t just managing one perimeter, they’re managing potentially thousands of perimeters. In the blink of an eye an enterprise can scale from one server to one hundred and one. In today’s world of automated infrastructure, if security is manual it won’t be sustainable. Generally speaking, security that’s cumbersome and complex is security that goes unused. Thus, if cloud security management is not automated, controls are discarded, mistakes are made, and servers and infrastructure are left vulnerable.
Access Is Needed in the Cloud…But Not Without Risk
With cloud computing, IT administrators can’t just walk down the hall to the servers – they’re remote, after all. Organizations need to have a means of connecting to their remote servers, one that is both easy and secure. That’s easier said than done. Many cloud server administrators today leave server firewall ports open (e.g., SSH or RDP) so they can connect to and manage their cloud servers. They’ve done so for years in their own on-premise data centers, where every server is behind the corporate perimeter and firewall. When an administrator leaves SSH ports open on an on-premise server, there is no great risk. It’s like leaving your car unlocked in your locked garage – you have a perimeter around the car, maybe even an alarm system on the house, and – barring teenagers – you trust the people in your house not to steal your car. When that same server is moved to the cloud, however, it’s now outside that corporate perimeter / firewall, and keeping those ports open introduces an abundance of risk. That’s because open ports on a cloud server leave it exposed to anyone – including hackers – who can gain control simply by guessing (or brute forcing) the administrator credentials. This is akin to leaving your car unlocked in a public parking lot.
According to a recent report by the Ponemon Institute titled Managing Firewall Risks in the Cloud, 54% of IT personnel say they have no knowledge of the risk of open firewall ports on cloud servers. Enterprises admit they just don’t yet fully understand the dynamics of cloud infrastructure and its risks, in part because they’re merely applying known security methodologies used in the traditional enterprise, but also because there really isn’t a robust security toolset available from today’s cloud providers. In fact, the cloud has grown so quickly that what’s available from service providers is often limited, complex and manually operated, and is isolated to each provider’s cloud.
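A check for the open-port exposure described above, as an added example that is not part of the original article: it reads a Linux server's `iptables-save` output and reports administrative ports accepted from any source address. The sample ruleset is constructed, the function names are hypothetical, and only explicit TCP ACCEPT rules in the INPUT chain are interpreted.

```python
import ipaddress
import shlex

# Administrative ports the article names: SSH, RDP, MySQL.
ADMIN_PORTS = {22: "SSH", 3389: "RDP", 3306: "MySQL"}

# Constructed sample in iptables-save format (not taken from a real host).
SAMPLE_RULES = """\
*filter
:INPUT DROP [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 203.0.113.10/32 -p tcp -m tcp --dport 3389 -j ACCEPT
-A INPUT -s 0.0.0.0/0 -p tcp -m multiport --dports 443,3306 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8000:8100 -j ACCEPT
COMMIT
"""

def _ports(spec):
    """Expand an iptables port spec: '22', '80,443' or '1000:2000'."""
    for part in spec.split(","):
        lo, _, hi = part.partition(":")
        yield range(int(lo), int(hi or lo) + 1)

def exposed_admin_ports(rules_text):
    """Return sorted (port, service) pairs ACCEPTed on INPUT from any source.

    Scope (assumption): chain policies, rules without a destination port
    and negated ('!') matches are not interpreted.
    """
    found = set()
    for line in rules_text.splitlines():
        tok = shlex.split(line)
        if tok[:2] != ["-A", "INPUT"]:
            continue
        opts = dict(zip(tok, tok[1:]))  # each option -> the token after it
        spec = opts.get("--dport") or opts.get("--dports")
        if opts.get("-j") != "ACCEPT" or opts.get("-p") != "tcp" or not spec:
            continue
        # A rule with no -s matches every source, same as 0.0.0.0/0.
        src = ipaddress.ip_network(opts.get("-s", "0.0.0.0/0"), strict=False)
        if src.prefixlen != 0:
            continue  # restricted to a specific network
        for rng in _ports(spec):
            found.update((p, ADMIN_PORTS[p]) for p in ADMIN_PORTS if p in rng)
    return sorted(found)

if __name__ == "__main__":
    for port, name in exposed_admin_ports(SAMPLE_RULES):
        print(f"{name} (tcp/{port}) is reachable from any address")
```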
Who Takes Responsibility for Cloud Security?
According to the Ponemon Institute study on cloud security, 39% of IT security personnel said their cloud provider would inform them if their cloud servers were hacked. These folks are likened to "wishful thinkers." Perhaps even more concerning, 42% said they would NOT know if their cloud server was hacked, and of those who know, 19% said they already have been attacked. Clearly there’s a big gap in cloud security, a misconception of who is responsible for cloud security, and this issue is the top inhibitor to customer adoption. It all adds up to one thing: service providers need to offer more security to their customers.
By offering security services (i.e., those that the customer can opt-in, deploy, and self-manage), providers will address the security issue head-on without eating into their margin or taking responsibility themselves. In fact, by making services such as encryption, firewalling, and identity management available as a premium add-on, providers will increase their margins, differentiate their services, and accelerate cloud adoption.
The Firewall Remains the First Line of Defense
Many understand that one of the most important security requirements, and the first line of defense, is the firewall. In fact, according to the Ponemon report referenced earlier, 73% of IT personnel believe the cloud server firewall is the first place to start when securing the cloud server. Every cloud server has a firewall built-in, but it’s often unusable because of the complexity required to manage it. Administrators lack experience managing iptables, or don’t want to have to deploy and manage redundant firewalls. Instead, another option is to deploy dedicated gateway firewalls in the cloud, which is entirely antithetical to the cloud.
As it turns out, however, the cloud server firewall is – bar none – the best place to stop attacks and prevent exploits of OS and application vulnerabilities. Every cloud server has one. The challenge is: How do you manage the cloud server firewall efficiently?
The answer: automated cloud server firewall management. This type of service enables cloud users to manage firewalls across all servers and clouds – from Windows to Linux, and from the private to the public cloud. In doing so, customers get security and manageability, while hosting providers address customers’ security issues directly. Firewall management services allow you to set policies simultaneously for multiple servers, enable on-demand secure access, and close ports otherwise left open and vulnerable to hackers.
An automated cloud server firewall service makes security as flexible, or elastic, as the cloud. This architecture gives service providers an easy way to deliver the security their customers need while also increasing the network security of the hosting provider and the cloud services delivered.
An Example in the Real World
Best Growth Stock, LLC, is a premier financial analysis and content provider servicing thousands of customers and partners (including Reuters) with the most current stock market information, news, and investment analysis. The company, which has more than 20,000 daily site visitors, wanted to migrate their service to the cloud, but had been skeptical and unsure because their service was under constant attack by hackers trying to get access to its root server.
As a result, the IT team spent hundreds of dollars each month in managed firewall services and root services access, and up to six hours each day monitoring the site and manually tracking the attacking IP addresses. The company averaged more than 50 daily attacks and spent time trying to block these attacks manually with a dedicated full-time individual to monitor activity and stop the attacks.
What Best Growth Stock needed was a flexible, elastic cloud firewall management service that offered a proven approach to automating port access security. After careful research and evaluation of several technologies, Best Growth Stock was introduced to a new cloud firewall management service from Dome9, whose technology closes a critical gap in today’s cloud security – ports such as SSH, RDP, and MySQL left open so administrators can connect to and manage their cloud servers. This common practice leaves servers vulnerable to hackers who need only guess the correct username and password, or exploit any protocol vulnerability to gain unauthorized control of a server. What Best Growth Stock found was security of all administrative ports – for all servers and clouds – enabling secure access, on-demand.
According to Best Growth Stock, after implementing this new approach the company saw its attacks drop to zero. This has saved the company time and money securing their cloud servers, and ensured availability, which is especially critical during trading hours when the site is most active. Best Growth Stock remains free of compromise while providing its leading real-time financial market information to users, ultimately saving time and money by moving away from manual security processes and ineffective hosting firewall security.
A Sunny Approach to Cloud Security
IT administrators require a solution that automates and centrally manages cloud firewall security across all servers and clouds. A unique approach – combining automation, on-demand access and centralization – makes cloud security both more effective and elastic for enterprises and hosting providers alike.
In addition, IT administrators need their cloud firewall security management service to do the following:
- Keep ALL administrative ports on the server firewall closed without losing access and control
- Dynamically open any port on-demand, anytime, for anyone, and from anywhere
- Send time- and location-based secure access invitations to third parties
- Close ports automatically, so administrators don’t have to remember what ports are open, and take the time to manually close them
- Enable secure access for cloud servers without fear of getting locked out
- Centralize management across platforms and cloud providers with a single view and a single (group-based) policy
Enterprises need their providers to deliver the ability to centralize automated firewall management across all their servers. Automation makes security as elastic as the cloud infrastructure, and centralization eliminates gaps in security and processes, and makes security administrators’ lives much easier. This holds true for anyone who has a hosted, dedicated, or virtual private server.
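The closed-by-default, on-demand and auto-closing behaviour in the list above can be modelled as expiring access leases. This is an added sketch, not the article's or Dome9's implementation: the class and method names are hypothetical, the addresses and clock values are constructed, and refusing a lease for 0.0.0.0/0 is an assumption of this example.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Lease:
    port: int
    source: object       # ipaddress network allowed to connect
    expires_at: float    # absolute time at which the port closes again

class LeaseFirewall:
    """Admin ports are closed unless an unexpired lease matches the caller."""

    def __init__(self, admin_ports, max_ttl=3600):
        self.admin_ports = set(admin_ports)
        self.max_ttl = max_ttl   # cap so no lease stays open indefinitely
        self.leases = []

    def grant(self, port, source_cidr, ttl, now):
        if port not in self.admin_ports:
            raise ValueError(f"port {port} is not a managed admin port")
        net = ipaddress.ip_network(source_cidr, strict=False)
        if net.prefixlen == 0:
            raise ValueError("a lease must name a source network")
        lease = Lease(port, net, now + min(ttl, self.max_ttl))
        self.leases.append(lease)
        return lease

    def sweep(self, now):
        """Close expired leases automatically; return the ones removed."""
        expired = [l for l in self.leases if l.expires_at <= now]
        self.leases = [l for l in self.leases if l.expires_at > now]
        return expired

    def is_allowed(self, port, src_ip, now):
        ip = ipaddress.ip_address(src_ip)
        return any(l.port == port and l.expires_at > now and ip in l.source
                   for l in self.leases)

def demo():
    fw = LeaseFirewall(admin_ports={22, 3389, 3306})
    t0 = 1_000_000.0                                   # constructed clock value
    fw.grant(22, "198.51.100.7/32", ttl=900, now=t0)   # 15-minute SSH lease
    return [
        fw.is_allowed(22, "198.51.100.7", t0 + 60),    # inside the lease
        fw.is_allowed(22, "203.0.113.50", t0 + 60),    # different source
        fw.is_allowed(3389, "198.51.100.7", t0 + 60),  # no lease for RDP
        fw.is_allowed(22, "198.51.100.7", t0 + 901),   # lease has expired
        len(fw.sweep(t0 + 901)),                       # expired lease removed
    ]
```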
Cloud server security management that dynamically manages firewalls is quickly growing in popularity among enterprise customers, as well as cloud hosting providers who are offering it as a value-added security service for subscribers. As enterprises migrate to the cloud, new solutions are needed, and Dome9 Security offers one approach that gives cloud providers the tools to protect their customers. As a result of putting security concerns to rest, 2012 can truly be the year of cloud computing for organizations looking to deploy to the cloud and capture all the benefits the cloud has to offer.


