One of the biggest challenges security teams face when evaluating cloud projects is how to achieve parity with current security controls. Is it possible to have the same controls in the cloud environment as they have in their own datacenters? Too often, the answer has been no. However, the situation is slowly improving with the virtual private cloud (VPC) offerings from many leading Infrastructure as a Service (IaaS) providers.
In this article, we'll explore several of the emerging and existing cloud security controls that enterprises can implement and manage (or co-manage) themselves in private and hybrid environments.
The first area of controls that many organizations immediately look to replicate in cloud environments is network security, ranging from firewalls to intrusion detection/prevention systems and even Web application filtering.
Currently, a number of cloud providers have private cloud offerings that permit the use of a customer-managed network security platform. Amazon Web Services offers a VPC model into which customers can download and install virtual network security appliances. Examples of independent virtual appliance options available through the Amazon Marketplace include the Citrix NetScaler VPX Web application firewalls, Check Point's R75 Software Blade firewall, Vyatta's router, firewall and VPN appliance, and a variety of Riverbed Stingray traffic management platforms. Alert Logic offers its Threat Manager for EC2, a dedicated virtual appliance that can perform event analysis and intrusion detection/prevention. Other providers to look at in this area include Metaflow, Neusoft, Sophos, Bluelock, Verizon Terremark and GoGrid.
Many of these systems offer similar or equivalent functionality to most on-premises network security devices today. Consumers should look for security features specific to the platform, such as filtering for firewalls, and event alerts and rules for intrusion detection, but should also focus on management capabilities and ease of installation and maintenance.
At the moment, most of these offerings come in the form of a standalone virtual appliance or managed network security instance, with few providers offering a standalone physical firewall. This has gradually shifted over the last several years, however, with a rapidly increasing number of vendors making network security platforms available in the Amazon marketplace.
Another area receiving a lot of attention from enterprises is encryption platforms in the cloud. Amazon is a leader here with the recent release of its CloudHSM platform, which is a dedicated hardware security module appliance that allows completely controlled access to and dissemination of cryptographic keys for data protection in systems and applications in the Amazon cloud. With CloudHSM, Amazon has no access to the platform once deployed, and the system meets strict regulatory requirements for compliance and U.S. government Common Criteria needs.
In addition to CloudHSM, numerous encryption appliances are available in the Amazon marketplace. Porticor's VPD appliances offer cryptographic key management, and Boole Server is an encryption platform that also offers DRM and data policy enforcement capabilities. Both are fully manageable by consumers once implemented. CipherCloud, a provider of cloud encryption gateways, can be implemented in an on-premises appliance or a virtual appliance format for managing encryption and tokenization in the cloud, with specialized options for major cloud providers such as Amazon, Salesforce, Box, Office365 and more.
Given the inherent distrust of cloud provider security controls, a user-managed encryption platform may offer one of the most tenable security control areas for cloud deployments in the future. It's highly likely that more cloud providers will deploy these controls as they become available, or follow Amazon's lead and build/brand their own offerings. That said, there are still risks that cloud customers should assess with cloud encryption. First, who actually owns the platform? If the provider owns the platform, do they have access to it? Can they ensure that key data is wiped upon termination of service? Another risk is availability and troubleshooting; can consumers adequately recover the device and its keys if it experiences a failure? If backups are made, where are they kept, and who makes them? These are the types of questions that consumers should voice when choosing a cloud-based encryption offering.
For security controls in IaaS private/hybrid deployment scenarios, host-based security tools also deserve to be mentioned. There are a lot of options in this space, but many are still premises-based management consoles for deployed agents. Bluelock offers managed antivirus and host patching/configuration services, but the consumer has little to no day-to-day control over this offering. There are many Security as a Service (SaaS) offerings for Amazon, including McAfee Endpoint Protection Suite and Trend Micro Deep Security. Other SaaS offerings such as CloudPassage allow agents to be managed in the cloud as well. However, few providers offer dedicated client security management services at the moment, though some vendors are adapting and optimizing products for the cloud. For example, McAfee's ePolicy Orchestrator comes in a virtual appliance model that runs on VMware, Citrix and Microsoft hypervisors, which could then be hosted within Bluelock or another cloud provider that facilitates more traditional hypervisor compatibility. Symantec also has a virtual Linux appliance for its Endpoint Protection product, although this only runs on VMware hypervisors currently. Endpoint security is definitely an area that has some way to go before it's on par with traditional services, although it's apparent that vendors and providers are moving in this direction.
Within hosted private and hybrid cloud environments, many more options are becoming available that enable organizations to configure and manage their own security controls. Although the majority of options currently fall into the managed or co-managed categories, it's clear that providers are being more open about the types of hypervisors and compatibility features available to customers, and with this shift comes greater flexibility for installing security products. Several larger providers are leading this charge by providing ready-made systems and applications, while other cloud providers may simply allow compatible platforms or applications to be installed independently. To get enterprises on board with cloud computing, it's clear that self-managed cloud security controls are an attractive choice and will likely continue to grow.
About the author
Dave Shackleford is senior vice president of research and chief technology officer (CTO) at IANS, and a SANS analyst, instructor and course author. He has consulted with hundreds of organizations in the areas of security, regulatory compliance and network architecture and engineering. He is a VMware vExpert and has extensive experience designing and configuring secure virtualized infrastructures. He has previously worked as chief security officer for Configuresoft; CTO for the Center for Internet Security; and as a security architect, analyst and manager for several Fortune 500 companies. Dave is the author of the Sybex book Virtualization Security: Protecting Virtualized Environments, and he recently co-authored the first published course on virtualization security for the SANS Institute. He currently serves on the board of directors at the SANS Technology Institute and helps lead the Atlanta chapter of the Cloud Security Alliance.
This was first published in May 2013