As enterprises transform their physical data centers to private and hybrid cloud models, how should they secure these new environments, keeping threats and attackers off their cloud?
A new era of virtualization, automation and Anything-as-a-Service (XaaS) is being ushered in at a blistering pace, driving greater efficiencies and cost savings while dramatically changing the way businesses roll out new applications and services. And as Mick Jagger was fond of saying: “But it’s all right now, in fact it’s a gas!” It really can be all right if you understand how this new model doesn’t inadvertently introduce new risks or expose your business to more threats.
The trends are telling. More and more enterprises are moving to private and hybrid cloud models – enjoying greater elasticity, flexibility, scalability and cost-savings. A recent RightScale survey found that 82% of surveyed businesses have a multi-cloud strategy in place. The survey also reported that hybrid cloud usage increased from 58% to 71% and public cloud usage increased from 63% to 77% in 2016 compared to 2015.
However, the cloud completely dissolves the notion of “traditional” network security. Now there is no longer only a ‘north-south’ traffic pathway to protect. Private and hybrid clouds feature multiple points of entry and exit, while increased server and network virtualization are driving more traffic to travel ‘east-west’ within cloud-based data centers. This means that any threat that makes it inside the cloud can freely move laterally between applications and virtual servers.
Compounding this challenge is the fact that traditional security approaches are manual, operationally complex and unable to keep pace with the dynamic changes of cloud environments. What’s more, sufficient knowledge about cloud security techniques is also in short supply – DevOps teams now define cloud infrastructure but don’t have security domain expertise, often viewing security as a road-block to efficient DevOps processes. This should be very alarming since DevOps is now being adopted by 74% of organizations, up 8% from 2015.
Successful migration to the cloud means businesses need to fully understand where the security gaps are and what techniques are available to help them keep their data and workloads protected. There are four main security challenges organizations face when moving workloads and data to the cloud:
Automated security provisioning and deployment: In physical environments, a static, manual approach to security works well because compute resources are primarily fixed and IT security teams dictate how apps and services move from testing and development to production environments. Not anymore.
The cloud is an agile, dynamic environment. Applications are rapidly deployed, the environment flexes and contracts and applications move from one part of the data center to another. Security services need to be similarly dynamic, keeping pace with these rapid changes. Elastic security demands automation; without it, security becomes the bottleneck, slowing down the provisioning of new applications or the scale up and down of existing applications, thus running the risk that they will be neglected altogether.
Internal traffic segmentation, visibility and control: Cloud environments drive growth in data traffic inside the virtualized data center. Since this traffic is encapsulated across virtual tunnels and endpoints, it no longer touches any physical network control, thus creating blind spots and potentially handy exploit routes. To get control, cloud technologies now provide the ability to segment virtual resources, also known as micro-segmentation.
Micro-segmentation involves logically grouping resources within the virtualized datacenter and applying specific security policies to the communication between those resources. This divides the private cloud into smaller, more manageable segments while limiting the ability of traffic to communicate across logical boundaries.
However, applications still need to cross micro-segments in order to integrate with and function across the virtual infrastructure, so lateral movement across segments inherently exists. To ensure that cybercriminals are unable to exploit this vector, it is vital to augment micro-segmentation with advanced security, not just access control lists, to inspect all traffic crossing logical boundaries for threats attempting to move laterally from one segment or application to another.
Dynamic policy management: In the cloud, change is a constant. But security traditionally requires manual intervention to adjust policies to changes in network topology, resulting in increased operational overhead and reduced agility. This creates an insurmountable challenge for security admins.
A better approach incorporates a dynamic policy engine tuned to the changes of the cloud that can automate policy changes in real-time. Thus, any change to the virtual infrastructure – for example a new virtual server being added to an existing security group to handle heavier traffic loads – is automatically reflected in the security policy without requiring security admins to manually adjust policies.
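A minimal sketch of the group-based, dynamic policy model described above, written as an added example that is not part of the original article or any vendor's product. The group names, ports, VM names and the `on_inventory_event` hook are assumptions made for illustration.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Rule:
    src_group: str
    dst_group: str
    port: int
    inspect: bool = True  # hand allowed cross-segment flows to threat inspection

@dataclass
class PolicyEngine:
    rules: list
    membership: dict = field(default_factory=dict)  # VM name -> set of group names

    def on_inventory_event(self, vm, groups):
        """Hypothetical orchestration hook: a VM was created, retagged or destroyed."""
        if groups:
            self.membership[vm] = set(groups)
        else:
            self.membership.pop(vm, None)  # destroyed VM loses all access at once

    def decide(self, src_vm, dst_vm, port):
        src = self.membership.get(src_vm, set())
        dst = self.membership.get(dst_vm, set())
        for r in self.rules:
            if r.src_group in src and r.dst_group in dst and r.port == port:
                return "allow+inspect" if r.inspect else "allow"
        return "deny"  # default deny: unknown workloads and unlisted segment pairs

def demo():
    # Rules name segments, never IP addresses, so they survive topology changes.
    engine = PolicyEngine(rules=[Rule("web", "app", 8443), Rule("app", "db", 5432)])
    for vm, group in (("web-1", "web"), ("app-1", "app"), ("db-1", "db")):
        engine.on_inventory_event(vm, [group])
    results = {"before": engine.decide("web-2", "app-1", 8443)}
    # Scale-out: a new server joins the existing "web" group; no rule is edited.
    engine.on_inventory_event("web-2", ["web"])
    results["after"] = engine.decide("web-2", "app-1", 8443)
    # Lateral attempt straight from the web segment to the database segment.
    results["lateral"] = engine.decide("web-2", "db-1", 5432)
    # Scale-in: the server is destroyed and its access disappears with it.
    engine.on_inventory_event("web-2", [])
    results["removed"] = engine.decide("web-2", "app-1", 8443)
    return results

if __name__ == "__main__":
    print(demo())
```
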
Advanced threats: Today’s attackers can use a variety of sophisticated tools and techniques to infect the weakest system of your cloud network and then move laterally from virtual machine to virtual machine. What’s more, their tools and techniques keep getting better and more advanced, giving the bad guys an ever growing arsenal to target and ultimately steal your data.
Strong cloud security protections are therefore a must; without them, malicious hackers have the ability to disrupt business processes and steal sensitive information remarkably discreetly. And with the shared responsibility model cloud providers utilize, it is up to you as a cloud customer to deploy the proper security protections necessary to keep your data and workloads safe. Just as with your on-premises network, you need comprehensive, multi-layered protections to safeguard your cloud assets from all threats and zero-day attacks.
A new security approach is essential to address these challenges: one that brings effective threat prevention and can adapt and scale appropriate security measures to dynamic cloud environments. The security solution should also integrate with the popular cloud management and orchestration tools to help automate security management processes so that they don’t put the brakes on the agility enabled in cloud networks.
Migrating from a physical on-prem datacenter to public and hybrid cloud environments can deliver dramatic business benefits and set your organization up for greater agility and responsiveness. But it’s also critical to be able to control what you allow onto – and what you keep off – your cloud.