The popularity, agility and cost benefits of the cloud have enticed many companies – even some large enterprises, like Time and Yamaha – to ditch their data centers and move their corporate networks entirely to cloud providers like AWS, Google or Microsoft. It’s a trend that has strong momentum. IDC predicts that cloud IT infrastructure spending will grow to $32 billion by the end of this year, accounting for 33 percent of all IT infrastructure spending, and reach $52 billion in just four years, when it will be almost half of all spending.
But, as companies of all sizes migrate their infrastructures to the cloud, they face a significant challenge: How to maintain control over their applications when they no longer own the network or have complete visibility?
That lack of control and visibility can result in significant security repercussions when moving the entire corporate network to the cloud. The cloud presents a much greater challenge for ensuring that individuals get access to only the data and apps they need, and that your entire network isn’t left wide open for just anyone to wander the virtual halls.
The Cloud Security Alliance is a great resource, providing comprehensive guidance on how to establish a secure baseline for cloud operations, with details on the current recommended practices and potential pitfalls to avoid. Whether you’re planning to move to the cloud or already have, here are five important things to consider when assessing your company’s security posture in the cloud:
Your cloud provider may deliver some security, such as firewalls and encryption, through its PaaS or IaaS offering. But, having these features does not eliminate the need for your company to apply its own mature practices for identity and access management, application and data security, hardened configuration and other aspects of the IT environment to ensure an even higher level of security.
Ill-Equipped Legacy Solutions
Your traditional static security controls, such as signature-based firewalls and intrusion prevention systems, cannot keep pace with the dynamic nature of cloud services, so a one-for-one migration of physical controls into a virtual environment simply won’t work. The cloud is redrawing the network perimeter and blurring the trust models used in conventional on-premises networks, which necessitates a new cloud-centric approach to effectively maintain security and visibility.
You’ll need to have a clear understanding of how and where your cloud provider stores data. In a cloud-based, distributed model, the geographic location where the data resides, and whether it is commingled with the data of other companies, could potentially result in the violation of international privacy laws.
Service Level Agreements (SLAs)
There are a number of facets of today’s security SLAs that could be impacted with limited or no visibility into your cloud environment. You’ll need to ensure that the services are available and that incident handling and reporting are managed on a close to real-time basis. You’ll also need to look closely at your contract regarding the limitations of liability and the operational and monetary risks you assume in the event of a breach. And, you’ll want to make sure you are able to maintain compliance relevant to your specific industry, whether through direct assertion or as part of an assertion of compliant cloud services, such as database- or storage-as-a-service.
A migration to the cloud introduces new operational requirements. IT staff that are familiar with on-premises operations may not have the expertise to manage and secure the cloud environment. As a result, you may have to invest in training current employees, consider hiring new employees with that expertise or engage consultants who specialize in the cloud.
Visibility is Cloudy
The key to effectively securing a cloud-based network is to ensure there is complete visibility and understanding of the operating environment in which your applications reside. To gain greater control of cloud resources, many companies are experimenting with overlay software-defined networks (SDNs), visibility tools and native provider solutions, with varying degrees of success.
Companies testing the SDN waters have discovered a number of challenges in deploying these types of overlay networks. Perhaps the biggest roadblock is the complexity and the additional time and effort needed to set them up and keep them running efficiently. Virtual networks are being designed to be just as elastic as compute resources, but physical networks do not scale as rapidly, and certainly not with the agility of virtual networks. Care must be taken to ensure that an SDN running on top of an oversubscribed physical underlay network does not result in failures and service outages.
Companies are also using tools, incorporating technologies such as netflow, virtual taps and agent-based solutions, to improve visibility into the cloud infrastructure. But, similar to SDNs, visibility tools often require you to maintain additional systems (and possibly infrastructure). Many are limited in scope, focusing typically on only a subset of data points for the required overall visibility. Additionally, these tools are not necessarily compatible with hosting and virtualization environments. As a result, you’ll need multiple tools to achieve the proper amount of visibility into a single cloud environment, and have to figure out how to correlate all the disparate information to achieve the full visibility you need. If your company operates a hybrid cloud or multicloud environment, correlating across all environments and with a variety of different tools becomes an even greater undertaking.
Companies also may rely on native tools offered by their cloud providers. But these tools are often not robust enough, missing key elements, such as detailed logging, granular access control and interoperability, to support the entire technology stack. Often, these tools are designed only for use in that particular cloud provider’s environment, so what works in AWS may not work in Microsoft Azure or Google Cloud Platform. These limitations can quickly lock you into a single vendor, making it difficult to operate ubiquitously across any cloud provider, should you want to do so in the future.
Simply put, these solutions don’t fully deliver. They can add cost, complexity and additional layers of management at a time when you’re trying to avoid that with a move to the cloud, and they rarely offer the robust functionality you need to maintain complete visibility and security.
Ubiquitous Visibility Across Clouds
An alternative to the solutions mentioned above is to take the security capabilities – such as authentication, access control, multifactor authentication, transport encryption, application security and more – that are traditionally used in the data center and cloud-enable them. By providing these capabilities as-a-service, you can easily open the window to see more clearly into your distributed deployments, whether in a single cloud, hybrid cloud or multicloud environment.
Referred to as secure application delivery-as-a-service, this approach goes far beyond the capabilities of a traditional application delivery controller or load balancer in the data center. Instead it absorbs the security capabilities – such as access control, multifactor authentication, transport encryption, application security and more – that are traditionally used within your data center and delivers them across cloud environments.
Running secure application delivery outside of your cloud environment allows you to create an effective “air gap” between your applications and infrastructure, and the resources of others hosted by your cloud provider. This approach prevents unauthorized users from gaining access to data and applications for which they do not have permission. Because it shifts the risk away from your critical resources onto an abstracted platform, you can focus on using real-time insight into application and threat metrics to ensure that the security posture of your applications remains consistent, rather than spending multiple cycles trying to uncover potential problems before you can address them. What’s more, this type of service enables Internet-scale visibility by delivering detailed audit, control, reporting and management of access successes and failures.
By taking this approach, you can have out-of-the-box protection for every new application you deploy in the cloud, regardless of the cloud provider, enabling you to reduce implementation timelines and support continuous delivery models for faster innovation and deployment. Secure application delivery also is more cost effective than deploying multiple solutions individually throughout your cloud infrastructure since it integrates a variety of security management and control into a single solution.
As companies see the increasing benefits of moving to the cloud, it makes sense they also employ the cloud to provide the security and visibility needed to manage their distributed environments in this new network paradigm. Secure application delivery-as-a-service provides a valuable, comprehensive and cost-effective approach when compared to SDNs and other proprietary and limited tools that require you to invest in more infrastructure and employees to manage them. It can ensure your network is secure, even when it is no longer under your control in your own physical data center.
About the Author
Mark Carrizosa is the vice president of Security at Soha Systems, a secure application delivery-as-a-service for enterprises and SaaS providers. Carrizosa joined Soha Systems in 2015 from Walmart where, as principal security architect, he developed and implemented the company’s global e-commerce security architecture framework. Prior to Walmart, Carrizosa held security management roles at Wells Fargo and PetSmart.
Edited by Stefania Viscusi