Cloud Security is a Shared Responsibility
When enterprises started leveraging Infrastructure as a Service (IaaS), or the public cloud, they began by migrating development tools and other applications that had been running on-prem. Today, there is a strong desire to move mission-critical applications such as the CRM systems Sugar and SalesForce, and enterprise resource planning (ERP) software like SAP, Oracle and Microsoft products, to the cloud. These applications handle sensitive data and information that must be safeguarded against unauthorized access and other security risks.
Public clouds such as Amazon, Microsoft, and Google emphasize shared responsibility in the cloud: the provider is responsible for the security of the infrastructure, but the customer is responsible for the security of the data within the cloud.
Considerations for IT, Cloud and Security Architects
Under the shared responsibility model, security of the data and applications, along with organizational and regulatory compliance, rests with the IT, cloud and security architects within the enterprise. They must ensure that applications and workloads are deployed securely in the organization. Enterprises that migrate to the cloud typically rely on techniques like workload security, perimeter security, and prevention-only controls such as access lists, security groups, or identity and access management to mitigate risks.
Today’s evolving threat landscape has rendered prevention-only security techniques insufficient. They need to be complemented with detection and response techniques that uncover early signs of security abnormalities and deviations from expected behavior. For this to happen, organizations need to implement a multi-tiered security model and have accurate visibility into virtual machine network traffic.
The following questions should be answered before mission-critical applications can be deployed successfully in the public cloud:
- As part of the shared responsibility model, how do you assure that the IaaS is being used securely by everyone in your enterprise?
- How do you run more mission-critical applications in the public cloud while meeting the needs for applying compliance and security controls?
- If zero-day security vulnerabilities are exploited in software that has yet to be patched, what redundancy do you have to detect them?
- How do you detect and respond to security or network anomalies while deploying applications in the public cloud?
- How do you extend your security posture to workloads within the public cloud?
Failure to address these considerations could slow down the migration of applications to the cloud and leave organizations vulnerable to potential security breaches, with severe consequences to reputation and brand.
Challenges of Securing a Public Cloud
To deploy a well-defined cloud security strategy, security and performance monitoring tools need to be able to analyze the network traffic flows of each application running in the IaaS. There are three key challenges to ensuring proper visibility for security:
1) Lack of visibility into data-in-motion within the public cloud
Data-in-motion is data transferred between compute instances over the internal network in the cloud infrastructure. When it comes to data inspection, today it is difficult to gain access to the network traffic within the public cloud.
2) Need for the right architectural model
To ensure an effective security posture, organizations deploy multiple security tools that all need access to data in the cloud. Even if such access were available, these tools still need to see the right information rather than a firehose of data that can easily overwhelm them.
3) Lack of automation
Security architects are challenged in extending their security posture to the cloud because they are forced to disrupt applications when adding visibility and security tools to the mix.
Don’t Let Your Cloud Security Fall Short
Unlike on-premises infrastructure, where a variety of methods including physical and virtual taps and SPAN sessions can be used to access network data, cloud providers do not offer the ability to extract network traffic from their cloud infrastructure, for reasons of multi-tenancy and privacy. Network security tools, however, require visibility into packet-level data in and out of the cloud in order to identify malicious threats and detect anomalous behavior.
The flow log data offered by many cloud providers contains only high-level metrics about conversations and application access points; it does not include the packet- or payload-level details that security experts need for deep content inspection.
Agents that mirror traffic within a compute instance are an alternative way to acquire packet data, but enterprises are often forced to deploy multiple, disparate agents, one for each network security tool such as intrusion or malware detection, which bogs down compute resources and increases overall cloud spend.
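To make concrete what flow logs do and do not give a defender, and to illustrate the kind of detection logic the earlier section calls for as a complement to prevention-only controls, here is a small added example (not part of the original page or of APCON's product). It parses records in the documented default version-2 format of AWS VPC Flow Logs and flags a source that is repeatedly rejected on many distinct destination ports of one host, a pattern that is visible from the metadata alone. The log lines, account and interface identifiers are constructed for the example, not captured from a real account.

```python
"""Parse AWS VPC Flow Log records (default version-2 format) and run a
simple anomaly check over them.  Added example: the log lines, account id
and interface id below are constructed placeholders, not real data."""
from collections import defaultdict

# Default v2 field order as documented by AWS for VPC Flow Logs.
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()
INT_FIELDS = {"version", "srcport", "dstport", "protocol",
              "packets", "bytes", "start", "end"}

# Constructed sample: ordinary accepted HTTPS traffic from 10.0.1.20, plus one
# external host being rejected on several ports of 10.0.1.20, plus a NODATA line.
SAMPLE_LOG = """\
2 123456789012 eni-0a1b2c3d 10.0.1.20 10.0.2.5 49152 443 6 10 8400 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.1.20 54321 22 6 1 60 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.1.20 54322 23 6 1 60 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.1.20 54323 3389 6 1 60 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.1.20 54324 445 6 1 60 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.1.20 54325 3306 6 1 60 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d 10.0.1.20 10.0.2.5 49153 443 6 12 9100 1700000060 1700000120 ACCEPT OK
2 123456789012 eni-0a1b2c3d - - - - - - - 1700000060 1700000120 - NODATA
"""


def parse_flow_log(text):
    """Turn raw flow log text into a list of dicts keyed by FIELDS.

    Lines with a log_status other than OK (NODATA, SKIPDATA) carry no flow
    information and are dropped; lines with the wrong field count are skipped
    rather than guessed at."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue
        rec = dict(zip(FIELDS, parts))
        if rec["log_status"] != "OK":
            continue
        for name in INT_FIELDS:
            rec[name] = int(rec[name])
        records.append(rec)
    return records


def find_port_probes(records, min_ports=4):
    """Return {(src, dst): sorted ports} for pairs whose REJECTed flows touched
    at least min_ports distinct destination ports.  This is the sort of
    anomaly flow metadata can reveal; note that nothing here inspects content,
    because no field in a flow record carries packet payload."""
    ports = defaultdict(set)
    for rec in records:
        if rec["action"] == "REJECT":
            ports[(rec["srcaddr"], rec["dstaddr"])].add(rec["dstport"])
    return {pair: sorted(p) for pair, p in ports.items() if len(p) >= min_ports}


if __name__ == "__main__":
    recs = parse_flow_log(SAMPLE_LOG)
    print(f"parsed {len(recs)} usable records; fields: {', '.join(FIELDS)}")
    for (src, dst), probed in find_port_probes(recs).items():
        print(f"ALERT: {src} rejected on {len(probed)} ports of {dst}: {probed}")
```

The check works because per-flow source, destination, port and action are present in every record; what it cannot do is tell whether an accepted flow on port 443 carried something malicious, which is exactly the payload-level gap the paragraph above describes.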
What does APCON do to address these issues?
- Capture packet level data and payload from the public cloud
- Replace multiple agents with a single one, reducing production network strain
- Get the right data to the right tools, ensuring security and compliance
- Provide automated visibility that scales with your infrastructure, ensuring no dark cloud or blind spots