The use of cloud-based applications and architectures has rapidly become an everyday occurrence within most enterprises. Yet while enterprises have become comfortable with the idea of cloud architectures, the move to embrace the cloud has also created security blind spots that may – without the right approach – inadvertently create new vulnerabilities in corporate security protections.
These vulnerabilities arise from a lack of visibility into cloud applications: workloads that may be carrying malware or other security issues, yet reside well outside the corporate network perimeter where existing monitoring cannot see them. This makes the cloud a security accident waiting to happen, says Ian Farquhar, security virtual field team lead with Gigamon ANZ.
“The cloud makes our perimeters disappear and reduces our visibility,” he explains. “Yet to understand the challenges in the cloud – and to make sure requirements for corporate security are actually being met – you need to have situational awareness. Without it, you may be in a great deal of danger.”
Getting that visibility, however, isn't always easy: most organisations' security environments are built around perimeter-based models focused on controlling what goes into or comes out of a well-defined corporate network. In the cloud, network boundaries are much blurrier – and existing protections can't easily be shunted into workloads that run inside a third-party environment the organisation neither controls nor can see into.
“Threats can live within the cloud that don't come near our security tools,” Farquhar says. “It shouldn't matter where the network traffic is; you should be able to see it. This is why more and more organisations are saying that visibility is a key attribute of the networks that they're building.”
Delivering that visibility in a third-party environment, however, requires new thinking about enterprise security technology – and new tools capable of continually evaluating the threat landscape in those environments.
Gigamon's GigaVUE-CM Visibility Fabric, for one, is loaded into cloud environments as a virtual machine (VM) and, as such, is able to get packet-level visibility of the traffic and applications running in the cloud environment. This information is fed directly back to the GigaSECURE on-premises monitoring environment, plugging the holes in corporate security that the adoption of cloud solutions creates.
By running as a VMware vSphere guest VM, the Gigamon tool builds on widely-used vCenter APIs and can integrate with vMotion so that the visibility capabilities stay with corporate VMs as they are moved around the cloud environment. By providing in-place integration with security tools – like intrusion protection systems, inline malware scanning, intrusion detection systems, forensics tools and email threat detection – the platform has been designed to extend conventional security controls directly into the cloud.
Simply having a network tap in place isn't the only step, however: to attain full visibility across hybrid cloud and on-premises environments, Farquhar points out, it's important to be able to securely inspect SSL-encrypted traffic, since encryption can just as easily hide malicious traffic as protect legitimate data.
“What you have to worry about is the data that's leaving your organisation,” he explains. “SSL decryption allows you to get full access to the plain text of the traffic without disrupting the encryption – but it needs to be deployed properly and appropriately, with proper attention to privacy and compliance.”
Indeed, compliance is ultimately a key goal of cloud-security efforts, because cloud adoption by its very nature introduces new factors that must be accounted for in the organisational risk profile.
PCI-DSS controls for financial transactions, for example, require clear visibility of the entire infrastructure dealing with customer information – which makes tools for better cloud visibility a critical addition to the environment. Integration with related tools can further tighten corporate security by offering seamless control over resource access and analytics, such as through Gigamon's recent partnership with RSA.
“By moving your services to a cloud service provider, you haven't lost responsibility for the workload,” Farquhar says. “If you leave it alone, you have lost the visibility you need to properly deal with that responsibility.”
Yet despite the many benefits offered by cloud-visibility tools, it's important to also remember the critical role of in-house skills and properly documented business procedures.
“You won't ever get to the point where you can say that your defence is perfect – that's not a rational thing to expect – but there are always new tools being developed,” he adds. “The organisation has the capability to be constantly evaluating new networks and protections.”
“Sensible cloud infrastructure would always have multiple perimeters, and attackers are always going to play around the margins – looking for the way in that you are not watching. But if you can get away from the concept of controls that just block traffic, constant vigilance will lead you to operational security.”