1/19/2016
11:30 AM
Amrit Williams
Commentary

Cloud Security: To Scale Safely, Think Small

Why today's enterprises need an adaptable cloud infrastructure centered around flexibility, portability, and speed.

“Intelligence is the ability to adapt to change.” —Stephen Hawking

Enterprises would be wise to follow Hawking’s definition of intelligence. The modern data center, in all its incarnations, is becoming increasingly dynamic and elastic. Chances are, your network was designed according to last century’s perimeter-based security principles and is likely composed of a hodgepodge of legacy infrastructure. From a security perspective, this is untenable. While throwing everything out and starting from scratch is both financially unfeasible and operationally unproductive, enterprises cannot continue to use last century’s techniques to deal with today’s threats.

Many enterprises are adopting cloud infrastructure both to reduce their hardware footprint, along with the cost and effort it takes to house and maintain the servers, and to take advantage of on-demand compute and storage resources. Whether you are an enterprise evolving your data center to adopt private, public and/or hybrid cloud computing solutions, or an infrastructure-as-a-service provider offering compute and storage services to organizations, your security strategy must evolve, too. Securing data beyond that now-mythical perimeter is imperative. To accomplish this, security professionals have to let go of any residual antipathy toward automation and sever any attachments to the infrastructure-centric security mindset. In a word: adapt.

So where to begin? If you want to scale safely, you have to start by thinking small…very small.

In the DevOps world where agile development is all the rage, we’re seeing the emergence of containers and microservices -- systems and applications that are broken down into smaller, modular, self-contained components. As with computing in general, the microservices movement similarly breaks applications down into smaller, independent processes focused on specific tasks that communicate with each other.

The security use case

In this article, I’m going to focus on the security use case for network infrastructure. You still need firewalls and intrusion detection for traffic coming in and out of the network (north-south traffic). But there is a very real potential for an attack to take advantage of lateral movement between applications and compute resources (for example, an attacker compromising a fairly insecure resource and then using that access to pivot to a more critical application or internal resource). An adaptable security strategy must therefore also focus on what’s going on inside the data center (east-west traffic) and in cloud environments at the workload level itself.

To reduce the attack surface, micro-segmentation can be used to partition the workloads and their interactions with each other into logical application groupings. Those groupings form smaller protectable units, each accompanied by its own lightweight layer of security. You still have the firewall monitoring the source of traffic with coarse-grained controls, but it’s no longer the primary sentry; it’s just one of a number of safeguards in a multilayer, multidirectional defense structure. And now, micro-segmentation at the workload level itself, and not just at the network, offers an additional layer of fine-grained controls.

This is important because some of the more nefarious attacks have been able to bypass the network-level controls and easily move between workloads, compromising machine-to-machine communication. It’s an important construct to understand, especially when moving to cloud computing, since the workloads lose some of the natural perimeter provided by traditional data centers.

Automated traffic discovery

Management is actually easier at this level with micro-segmentation. Partitioning is too complex to manage manually, but automated traffic discovery and firewall orchestration tools enable both the micro-segmentation itself and its management. The tools allow network security admins to collect, aggregate, and visualize all the intricate traffic behavior. The tools also define and orchestrate all security policies and parameters, which can then be applied and enforced automatically throughout the system. Automation provides both visibility into the environment and a means by which to manage its complexity, enabling the data to be better protected.
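As a concrete illustration of the discovery-then-enforcement loop described above, the following added example (not from the article or from any vendor's tool) aggregates observed east-west flows into group-level allow rules and then applies them as a default-deny policy. The workload names, groupings, flow records, and the `min_seen` threshold are all constructed assumptions.

```python
from collections import Counter

# Constructed inventory: workload -> logical application grouping.
GROUPS = {
    "web-1": "storefront-web", "web-2": "storefront-web",
    "app-1": "storefront-app", "db-1": "storefront-db",
    "wiki-1": "intranet-wiki",
}

# Constructed east-west flows from a discovery window: (src, dst, dst_port).
OBSERVED = [
    ("web-1", "app-1", 8443), ("web-2", "app-1", 8443),
    ("web-1", "app-1", 8443), ("app-1", "db-1", 5432),
    ("app-1", "db-1", 5432),
    ("wiki-1", "db-1", 5432),  # seen only once: not auto-approved
]

def discover_policy(flows, groups, min_seen=2):
    """Aggregate workload-level flows into group-level rules.

    Rules seen at least min_seen times become allow rules; rarer ones
    are returned separately so an admin can review them first.
    """
    counts = Counter((groups[s], groups[d], port) for s, d, port in flows)
    allow = {rule for rule, n in counts.items() if n >= min_seen}
    review = {rule for rule, n in counts.items() if n < min_seen}
    return allow, review

def evaluate(flow, groups, allow):
    """Default-deny decision for one flow, made at the workload level."""
    src, dst, port = flow
    src_group, dst_group = groups.get(src), groups.get(dst)
    if src_group is None or dst_group is None:
        return "deny"  # unknown workloads belong to no grouping
    return "allow" if (src_group, dst_group, port) in allow else "deny"

if __name__ == "__main__":
    allow, review = discover_policy(OBSERVED, GROUPS)
    print("allow rules:", sorted(allow))
    print("needs review:", sorted(review))
    # A web-tier workload reaching the database directly is the kind of
    # lateral pivot the group-level policy is meant to block.
    for flow in [("web-2", "app-1", 8443), ("web-1", "db-1", 5432)]:
        print(flow, "->", evaluate(flow, GROUPS, allow))
```

Because rules are written between groupings rather than individual hosts, `web-2` inherits the rule learned mostly from `web-1`, while the web tier's direct path to the database is denied even though both workloads sit behind the same perimeter firewall.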

The migration from traditional servers to IaaS can be tricky for organizations that need strong access controls, continuous monitoring, logging, and sensitive data inventory for compliance purposes. Micro-segmentation takes the burden of protecting dynamic computing environments and configuring the underlying network infrastructure (such as firewalls and VLANs) away from the lower-level stack in network security admin teams. It also allows server owners themselves to set finer-grained controls for their organization’s compliance and security needs. So enterprises can get on-demand and fully automated workloads at any scale, along with system integrity and security, but with the oversight and control they need.

We’ve moved from a world of manual control and hardware to one of automation, virtualization, and the cloud. The new model offers flexibility, portability, and speed that the old paradigm just couldn’t offer. New technologies such as micro-segmentation add security by keeping things small and contained, while allowing the environment to expand to cloud scale. And most importantly, they provide the ability to adapt to meet the needs of the modern enterprise. 


Amrit Williams has over 20 years of experience in information security and is currently the chief technology officer of CloudPassage. Amrit has held a variety of engineering, management and consulting positions prior to joining CloudPassage. Previously, Williams was the ...
Comments
stearn,
User Rank: Apprentice
2/1/2016 | 7:05:32 PM
Cyber Security Solved
In consideration of cloud security this stuff should be of interest.

Most cyber security solutions fail because they rely on outdated, post-attack listing strategies that simply cannot identify or stop unknown threats. Patented Vir2us technologies end the game with hackers by creating built-in secure processes and disposable computing environments where malicious software simply cannot propagate or persist. Only Vir2us secures your business from the inside out to deliver what you need to take control today.

Vir2us empowers you to achieve genuine cyber security now, with managed solutions delivered from the cloud, configured in minutes and deployed globally. With powerful cloud-based controls that preempt both known and unknown cyber threats, and provide real-time actionable information and response tools.

Seems like an end game to hacking and meets the new and recommended compliance standards of regulatory authorities including SEC, FINRA, NIST, NSA, DHS, HIPAA. Any thoughts?

Stearn


RyanSepe,
User Rank: Ninja
1/19/2016 | 12:44:53 PM
Agile
Agile methodology provides a huge benefit not only to cloud security but security as a whole. Even if your hardware is on premise, breaking larger security initiatives into smaller, more manageable ones is beneficial and will help to transition older, antiquated security protocols into ones that will combat a more current threat.