Since cloud technology first appeared on the scene, companies have been battling with the concept of cloud security. The reality is that the cloud presents you with three unique challenges from a security perspective.
1. You need to think differently
It may sound obvious, but the cloud is different from a physical data centre. When IT departments were focused on managing physical servers and workstations connected via physical networks, securing those networks was relatively straightforward: protect the endpoint by installing antivirus (AV), firewalls, intrusion detection software, etc. The cloud has changed that. Now, instead of having 100 physical machines communicating with the outside world via defined network structures, you have maybe 10 physical machines each hosting 10 virtual machines (VMs) often communicating with each other inside physical servers. While this means less physical hardware, controlling how the individual virtual machines communicate is far more complex. With this type of architecture, traditional endpoint security is rendered ineffective. If you were to install AV on each VM and run scans simultaneously, you would produce a massive CPU load that would degrade the server performance to an unacceptable level. Meanwhile, malware can easily bypass firewalls if VMs are communicating within a physical server.
2. You need to find new ways to track viruses
For both private and hybrid cloud networks, you can’t rely solely on AV signature databases or on attack signatures through systems like Snort. While many of the big AV companies maintain good databases of virus signatures, they typically update them at least daily, sometimes more often. In a cloud environment, this can have significant implications for performance if your resources are being taken up with frequent updates. The problem is, hackers aren’t resting on their laurels; they are continuously creating new ways to attack companies’ data, so spotting the signatures becomes more complex. You may even have intrusions that have no signature. The ability to prevent these “unknown” attacks and spot suspicious network activity is very important, particularly within a virtualized environment.
3. Public cloud means you have less control
Security in the public cloud is further complicated by the fact you don’t have full access to the VMs. While public cloud providers like Azure or AWS offer organizations a wide range of benefits – including reduced costs – the VMs a company is using could be on a server that sits inside the vendor’s data centres anywhere in the world. It’s also worth bearing in mind that you don’t have superadmin rights to your VMs in this environment.
So, how do you overcome these challenges?
These issues aren’t insurmountable, but they do require different technologies and a change in attitude and understanding on the part of those managing the networks. For example, with firewalls, you need to be able to isolate the VMs. One answer here is an agentless solution that sits inside the virtual switch – a low-level piece of software that controls traffic between VMs and between VMs and the outside network. Again, for AV, host-based solutions enable admins to maximise performance. Additional functionality, such as change-block tracking, increases the speed of scans, which in turn increases how frequently they can be run. In both cases nothing runs inside the VM, which has the added benefit that an attacker who compromises the guest cannot disable the protection from the inside. When it comes to effectively tracking new types of attack, there are a number of additional technologies coming onto the market that network managers can turn to for help:
- Behavior analytics and machine-learning techniques
These can enable organisations to continuously analyze data for earlier identification of exploits and breaches (both outside and inside threats). The technology enables organisations to rapidly respond to those attacks even in the absence of existing malware/attack signatures.
- Multiple advanced pattern analysis and machine learning-based malware prevention
Mathematical models can be used in addition to, or as an alternative to, signatures for malware identification and blocking. Purely signature-based approaches to malware prevention are ineffective against advanced and targeted attacks.
- User and entity behavioral analytics (UEBA)
This can enable broad-scope security analytics, much like security information and event management (SIEM) enables broad-scope security monitoring. UEBA provides user-centric analytics around user behavior and event correlation. This type of correlation makes the results of security analytics more accurate and threat detection more effective.
Finally, when it comes to maintaining and tracking activity in the public cloud, you need to ensure that at the very least you have the ability to control network traffic for those machines and have access to the logs. Analyzing these logs allows system administrators to keep a wary eye on network activity – from packet sizes to the amount of data being transferred and when. This enables them to build activity trends and spot (and flag) any potentially suspicious deviation from that activity.
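One way to turn such logs into the activity trends described above, as an added example that is not from the article or from 5nine's products: it parses constructed per-interval flow records (the format and values are made up for illustration), learns a per-VM mean and standard deviation of bytes transferred over a learning window, and flags later intervals whose volume deviates by more than a z-score threshold.

```python
import statistics
from collections import defaultdict

# Constructed sample flow records: "<interval> <vm> <peer> <packets> <bytes>".
SAMPLE_LOG = """\
2023-01-01T00:00 vm-web1 10.0.0.5 120 64000
2023-01-01T01:00 vm-web1 10.0.0.5 130 66000
2023-01-01T02:00 vm-web1 10.0.0.5 110 62000
2023-01-01T03:00 vm-web1 10.0.0.5 125 65000
2023-01-01T04:00 vm-web1 203.0.113.9 900 9800000
2023-01-01T00:00 vm-db1 10.0.0.7 50 20000
2023-01-01T01:00 vm-db1 10.0.0.7 55 21000
2023-01-01T02:00 vm-db1 10.0.0.7 52 20500
2023-01-01T03:00 vm-db1 10.0.0.7 49 19500
2023-01-01T04:00 vm-db1 10.0.0.7 53 20800
"""

def parse_log(text):
    """Yield (interval, vm, peer, packets, bytes); skip malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        try:
            yield parts[0], parts[1], parts[2], int(parts[3]), int(parts[4])
        except ValueError:
            continue

def flag_deviations(text, learn_intervals=4, z_threshold=3.0):
    """Learn a per-VM bytes-per-interval baseline from the first records,
    then return [(vm, interval, bytes, z)] for later intervals beyond the threshold."""
    per_vm = defaultdict(list)
    for interval, vm, _peer, _pkts, nbytes in parse_log(text):
        per_vm[vm].append((interval, nbytes))
    flagged = []
    for vm, records in per_vm.items():
        baseline = [b for _, b in records[:learn_intervals]]
        if len(baseline) < 2:
            continue  # too little history to estimate a spread
        mean = statistics.mean(baseline)
        stdev = statistics.stdev(baseline) or 1.0  # flat baseline: avoid divide-by-zero
        for interval, nbytes in records[learn_intervals:]:
            z = (nbytes - mean) / stdev
            if abs(z) > z_threshold:
                flagged.append((vm, interval, nbytes, round(z, 1)))
    return flagged

if __name__ == "__main__":
    for vm, interval, nbytes, z in flag_deviations(SAMPLE_LOG):
        print(f"{interval} {vm}: {nbytes} bytes transferred, z={z}")
```

In practice the learning window would be hours or days of intervals per VM, and the threshold tuned to the tolerated false-positive rate.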
About the Author: Dr Konstantin Malkov is a recognized specialist in mathematical modelling applied to network security and machine learning. His current focus is on migration, management, and security/compliance within the Microsoft Virtualization Platform. Since 1992, Dr Malkov has managed and overseen dozens of software projects in cloud computing, virtualization, business analytics, and Messaging/Secure Document delivery across the United States, Europe and Russia. He is currently Chief Technology Officer and Director of 5nine Software. Previously he was a CTO of PWI Inc., privacyware.com and ITS, which was acquired in 2007 by ORCC in a multi-million dollar transaction. He is also a co-founder of the Department of Non-linear Dynamic Analysis and the I&C Laboratory at Moscow State University, as well as a former Professor of Applied Mathematics and Computer Science at Moscow State University. Dr Malkov has authored more than 50 scientific articles and two books on differential equations, numerical analysis, control theory, seismological inverse problems, mathematical methods in economics, and artificial intelligence.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.