When it comes to security, keep your head in the clouds

Australian enterprises may be rushing to embrace cloud computing, but those making the transition must take a proactive approach to infrastructure security that lets them provide consistent information assurance across public, private and hybrid cloud models.

This consistency will not only improve overall security, but will make it easier for companies to shift between cloud models as their changing business requirements demand. For example, a company might opt to keep its core operational systems in-house but burst its customer-facing applications onto public-cloud infrastructure when demand peaks and it needs additional Web infrastructure to ensure a consistent user experience.

With the right security model, this move can be handled seamlessly without compromising internal security, says Dave Asprey, vice president of cloud security with Trend Micro, who will discuss cloud-security risks and strategies at the Trend Micro EVOLVE.Cloud events across Australia in May. “Whether they’re using public or private clouds, enterprises are saying they want on-demand provisioning,” he explains. “This involves automating server provisioning and deprovisioning – and if you do that, you’ve built a private cloud.”

“Even if companies build a private cloud,” he continues, “they want to leverage the public or high-variability cloud to take advantage of service elasticity. They should realise they might as well put in functional tools that work for both private and public cloud – and set themselves up to take the step to the public cloud when they are ready. By having that one set of tools with both capabilities, they are killing two birds with one stone.”

Given the scale of the transition involved in moving an organisation to virtual servers, the benefits of such foresight are significant: introducing a robust and flexible security environment now will prevent the need for further changes later on. This is particularly important given the tendency for virtualised environments to suffer ‘virtualisation sprawl’ – a blowout in the number of virtual machines caused by wanton commissioning of new virtual machines.

Virtualisation sprawl is understandable: tantalised by the flexibility that virtualised environments provide, many companies find both business and technical staff exploring the opportunities that flexibility provides. Virtual desktop infrastructure (VDI), for example, can be a major boon for companies that have struggled to enforce consistent desktop policies on their employees.

Yet while the infrastructure may be able to handle the extra growth – sometimes with the assistance of a public-cloud burst mechanism, sometimes in-house – many of the same companies are failing to keep their security testing in step with their server growth ambitions. The result, says Asprey, is a gap between the level of growth and the security protecting that growth – and this creates new vulnerabilities that can easily open the gates for malicious hackers.

Even where companies do think about security, many use conventional security solutions that are designed for systems with full resource availability; these security tools don’t transfer smoothly into the virtualised environment.

“So many companies build these nice virtualised environments, particularly with VDI, then don’t test their security tools,” he says. “They put on traditional security tools, and find their performance drops by a factor of 10. Antivirus scans take up an enormous amount of disk, memory and CPU simultaneously – and if you have dozens of virtual machines running on the same server, and all fight for CPU and disk time at the same time, no one gets much CPU – and scanning time gets stretched out into working hours.”

One solution is to add more physical servers to spread the load – but this goes against the whole idea of virtualisation as a mechanism for consolidation of applications. A more logical and manageable approach, Asprey says, is to adopt a security solution that’s virtualisation-aware.

This means that it works in concert with the virtualisation hypervisor, which manages all virtual application servers, to prevent security-scanning demands from increasing linearly with the number of servers. A virtualisation-aware security environment will coordinate the scanning of each virtual machine according to user-defined rules – ensuring that competing demands on limited CPU, memory and disk resources are minimised, and performance maximised.
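An added example, not from the article or any vendor product: a minimal planner that applies the kind of user-defined rules described above (a per-host cap on simultaneous scans and a scan window) so that virtual machines sharing a host do not all scan at once. Host names, VM names, scan durations and the cap are constructed assumptions.

```python
import heapq
from collections import defaultdict

# Constructed inventory: (vm, hypervisor host, estimated scan minutes).
INVENTORY = [
    ("vdi-01", "esx-a", 40), ("vdi-02", "esx-a", 40), ("vdi-03", "esx-a", 40),
    ("vdi-04", "esx-a", 40), ("app-01", "esx-a", 90),
    ("vdi-05", "esx-b", 40), ("db-01", "esx-b", 120),
]

def plan_scans(inventory, max_concurrent, window_minutes):
    """Stagger scans per host; return (plan, overruns).
    plan maps vm -> (start, end) in minutes from the start of the scan window;
    overruns lists VMs whose scan would end after the window closes.
    """
    by_host = defaultdict(list)
    for vm, host, minutes in inventory:
        by_host[host].append((minutes, vm))
    plan, overruns = {}, []
    for jobs in by_host.values():
        # One heap entry per scan slot on this host: the minute it frees up.
        slots = [0] * max_concurrent
        heapq.heapify(slots)
        # Longest scans first, so a big job is not left to the end of the queue.
        for minutes, vm in sorted(jobs, reverse=True):
            start = heapq.heappop(slots)
            heapq.heappush(slots, start + minutes)
            plan[vm] = (start, start + minutes)
            if start + minutes > window_minutes:
                overruns.append(vm)
    return plan, sorted(overruns)

def peak_concurrency(plan, inventory, host):
    """Highest number of scans running at once on one host under the plan."""
    events = []
    for vm, vm_host, _ in inventory:
        if vm_host == host:
            start, end = plan[vm]
            events += [(start, 1), (end, -1)]
    running = peak = 0
    for _, delta in sorted(events):  # at equal times, ends sort before starts
        running += delta
        peak = max(peak, running)
    return peak

if __name__ == "__main__":
    plan, late = plan_scans(INVENTORY, max_concurrent=2, window_minutes=180)
    for vm, (start, end) in sorted(plan.items()):
        print(f"{vm}: minute {start:>3} to {end:>3}")
    print("spill into working hours:", late or "none")
```

Shrinking the window or lowering the cap makes the overrun list non-empty, which is the signal that scanning would stretch into working hours on that host.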

Limited computing resources aren’t the only constraint in virtualised environments: encryption, says Asprey, has become an essential capability in virtual environments – especially as corporate environments leak out into public-cloud infrastructure. To ensure data and applications remain safe in such situations, organisations should use highly secure methods of encryption key exchange in which the encryption key is stored separately from the data.

This is complicated in the cloud world, however, since keys stored in a cloud environment face the same security issues as the data they’re intended to protect.

“In the past, when you had a machine that was going to connect to an encrypted volume, you would pull out a USB stick with the volume’s encryption key on it, plug it in and the server would authenticate,” Asprey explains. “But if you do that on a public-cloud provider they’d block you, because you’re not allowed to touch your virtual server – or even to know where it is.”

Ironically, lodging private virtual servers in the public cloud also creates new risks from hackers, who can easily set up their own public-cloud servers to aggregate computing power – and then use an algorithm to break the encryption of other cloud-hosted servers. In such situations, the sheer power of the public cloud becomes a new form of attack vector – and a new security risk for users.

That’s why many security and cloud providers are working together to create usable standards for enforcing cloud security: with consistent security protections on both private and public clouds, delivering a transportable security environment becomes far easier.

Working under the auspices of banner groups like the Cloud Security Alliance, initiatives like CSA STAR – the Security Trust and Assurance Registry – aim to provide certainty and consistency for organisations exploring cloud-security best practice.

The key message for enterprises is to understand that the new security challenge isn’t the cloud’s fault; the cloud is simply a new application delivery mechanism with its own unique performance characteristics. And, just as any security infrastructure should rightly address the performance characteristics of its host environment, so too should the new infrastructure built around virtual servers.

“The cloud does not increase security risk,” says Asprey. “If your data was important to criminals before the cloud, it’s just as valuable after the cloud. But if you change your security posture to match the new threats, you can still meet the security levels that you target.”


Stories by David Braue
