Dr Konstantin Malkov, CTO, 5nine Software

The cloud continues to gain share of the enterprise and SMB IT market; by one estimate, over 75 percent of workloads were virtualised by this past summer. Delivering compute power this way is cost-effective and helps level the IT playing field, giving SMBs access to systems that would previously have been out of their reach, but it carries a hidden challenge: securing cloud-based systems requires a change in mindset.

When IT departments managed physical servers and workstations connected by physical networks, security was relatively straightforward: protect each endpoint by installing antivirus (AV), a firewall, intrusion detection software and so on.

Cloud changes that picture. Instead of 100 physical machines talking to the outside world over physical network infrastructure, you now have 10 physical machines each hosting 10 virtual machines (VMs), all communicating with one another within the physical server and potentially across different physical machines and virtual networks. That means less hardware for the business, but controlling how the individual VMs communicate becomes more complex.

Even within a private cloud, multiple physical servers can be hosting individual virtual workloads across a data centre. When we look at public clouds, such as Azure or AWS, those servers could be anywhere in the world.

With this architecture, traditional endpoint security stops working in practice. If you install AV inside every VM and the scheduled scans all fire at the same time, the hosts take a huge CPU and disk load at once: a scanning storm. Even hosts with spare capacity will see severe performance problems.

The security industry has tried a number of things to combat this, such as combining traditional endpoint agents with scheduling tools that allocate resources and stagger scans more intelligently. These still put a significant load on the hosting servers, and the resulting performance degradation is unacceptable.
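To make the scanning-storm problem concrete, here is an added example (not code from the article or from 5nine) of the two levers a host-side scanner has: a per-host cap on concurrent guest scans, and change block tracking so that a repeat scan reads only the blocks written since the last pass. The disk, the block size and the `EXAMPLE-MALWARE-PATTERN` signature are constructed for the example; the sleep stands in for the I/O of reading a block.

```python
import threading
import time

BLOCK_SIZE = 4096
# Constructed test pattern standing in for a real AV signature; not a real signature.
SIGNATURES = [b"EXAMPLE-MALWARE-PATTERN"]


class VirtualDisk:
    """Toy virtual disk that records which blocks changed since the last scan,
    the way hypervisor change block tracking (CBT) does for backup and scan tools."""

    def __init__(self, name, size_blocks):
        self.name = name
        self.blocks = [bytes(BLOCK_SIZE) for _ in range(size_blocks)]
        self.dirty = set(range(size_blocks))   # nothing scanned yet: everything is dirty
        self._lock = threading.Lock()

    def write(self, index, data):
        with self._lock:
            self.blocks[index] = data[:BLOCK_SIZE].ljust(BLOCK_SIZE, b"\0")
            self.dirty.add(index)

    def take_dirty(self):
        """Return the changed block indices and reset the map, as a scan would."""
        with self._lock:
            changed = sorted(self.dirty)
            self.dirty.clear()
            return changed


def scan_changed_blocks(disk, io_cost=0.01):
    """Scan only blocks written since the previous scan.
    Returns (number_of_blocks_scanned, indices_with_signature_matches)."""
    hits = []
    changed = disk.take_dirty()
    for index in changed:
        time.sleep(io_cost)          # stand-in for the real I/O of reading the block
        block = disk.blocks[index]
        if any(sig in block for sig in SIGNATURES):
            hits.append(index)
    return len(changed), hits


class HostScanScheduler:
    """Caps the number of guest scans running at once on one physical host, so that
    N VMs scheduled for the same time do not all hit the host's disks and CPU together."""

    def __init__(self, max_concurrent):
        self._slots = threading.Semaphore(max_concurrent)
        self._lock = threading.Lock()
        self.in_flight = 0
        self.peak_in_flight = 0

    def scan(self, disk):
        with self._slots:
            with self._lock:
                self.in_flight += 1
                self.peak_in_flight = max(self.peak_in_flight, self.in_flight)
            try:
                return scan_changed_blocks(disk)
            finally:
                with self._lock:
                    self.in_flight -= 1

    def scan_all(self, disks):
        """Start a scan for every VM on the host at the same moment (a scanning storm)
        and let the semaphore serialise them. Returns {disk name: (scanned, hits)}."""
        results = {}

        def worker(disk):
            results[disk.name] = self.scan(disk)

        threads = [threading.Thread(target=worker, args=(d,)) for d in disks]
        for t in threads:
            t.start()
        for t in threads:
            t.join()
        return results


def demo():
    """Ten VMs on one host, at most two scans at a time; the second pass only touches
    the blocks that were written in between. Returns (first pass, second pass, peak)."""
    disks = [VirtualDisk(f"vm-{i:02d}", size_blocks=8) for i in range(10)]
    sched = HostScanScheduler(max_concurrent=2)
    first = sched.scan_all(disks)              # full scan: 8 blocks per VM
    disks[3].write(5, b"config update")
    disks[7].write(2, b"dropper: " + SIGNATURES[0])
    second = sched.scan_all(disks)             # incremental: 0 or 1 block per VM
    return first, second, sched.peak_in_flight
```

The first pass is unavoidably a full read of every disk, so the cap is what keeps the host usable; from then on the dirty map makes the cost of a scan proportional to what the guests actually wrote, which is why change block tracking lets scans run far more often than a full rescan could.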

Firewalls present their own challenge. Traditional physical systems and network protection relied on a perimeter firewall around a server or group of servers. In the cloud this approach no longer works: VMs can talk to each other across physical servers without ever touching an external network, so traffic between them never passes the perimeter firewall, and an infection can spread quickly from one VM to its neighbours.

These issues aren't insurmountable, but they require different technologies and a change in attitude and understanding on the part of those managing the networks. For firewalls, you need to be able to isolate VMs by placing them into different security groups and policing the traffic between those groups. One answer is an agentless solution that sits inside the virtual switch: network filtering software that controls traffic between VMs, and between VMs and the outside network, at the one point every packet has to pass. For AV, a host-based solution keeps the scanning load off the guests and under the host's control. Change block tracking, which records which disk blocks have been written since the last scan, lets a scan look only at what changed, so scans finish faster and can be run more often. In both cases nothing runs inside the VM, which has the added benefit that an attacker who compromises the guest cannot disable the protection from inside it; the controls now live in the host, so protecting the host and its management interfaces becomes the priority.
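The security-group model the paragraph describes, as an added example that is not the article's or 5nine's code: VMs are assigned to groups, an allow-list of group-to-group connections is evaluated at the virtual switch for every new flow, and everything else is dropped, including traffic between two members of the same group on the same host. The inventory, the rules and the sample flows are all constructed for the example.

```python
from dataclasses import dataclass

# Constructed inventory: the security group each VM's virtual NIC is placed in.
# In a real deployment this comes from the hypervisor's VM or port metadata.
VM_GROUPS = {
    "web-01": "web", "web-02": "web",
    "db-01": "db",
    "mon-01": "mgmt",
}

# Allow-list of connection initiations as (src_group, dst_group, proto, dst_port).
# Anything not listed is dropped, including traffic between members of the
# same group, so one compromised web VM cannot reach its neighbour.
ALLOW_RULES = [
    ("external", "web", "tcp", 443),
    ("web", "db", "tcp", 3306),
    ("mgmt", "web", "tcp", 22),
    ("mgmt", "db", "tcp", 22),
]


@dataclass(frozen=True)
class Flow:
    src: str      # VM name, or an IP string for traffic from outside the virtual network
    dst: str
    proto: str
    dport: int


def group_of(endpoint):
    """VMs map to their group; anything not in the inventory is treated as 'external'."""
    return VM_GROUPS.get(endpoint, "external")


def decide(flow):
    """Decision the switch-level filter makes for a new connection: ('allow'|'drop', reason)."""
    src_group, dst_group = group_of(flow.src), group_of(flow.dst)
    for rule in ALLOW_RULES:
        if rule == (src_group, dst_group, flow.proto, flow.dport):
            return "allow", f"{src_group}->{dst_group} {flow.proto}/{flow.dport}"
    return "drop", f"no rule for {src_group}->{dst_group} {flow.proto}/{flow.dport}"


def filter_flows(flows):
    """Apply the policy to a batch of flows; returns a list of (flow, verdict, reason)."""
    return [(f, *decide(f)) for f in flows]


# Constructed sample of new connections seen on the virtual switch.
SAMPLE_FLOWS = [
    Flow("203.0.113.7", "web-01", "tcp", 443),   # customer traffic from the internet
    Flow("web-01", "db-01", "tcp", 3306),        # application tier to its database
    Flow("web-01", "web-02", "tcp", 445),        # lateral movement attempt, same host
    Flow("web-01", "db-01", "tcp", 22),          # web tier has no business on db SSH
    Flow("db-01", "198.51.100.9", "tcp", 4444),  # outbound callback from the db VM
    Flow("mon-01", "db-01", "tcp", 22),          # management access
]

if __name__ == "__main__":
    for flow, verdict, reason in filter_flows(SAMPLE_FLOWS):
        print(f"{verdict:5s} {flow.src} -> {flow.dst} {flow.proto}/{flow.dport} ({reason})")
```

Two things are worth noting. The third flow is exactly the case the perimeter firewall never sees: web-01 and web-02 may share a physical host and a virtual switch, yet the filter drops it because no rule allows web-to-web traffic. And the model only decides the initiating direction; a production switch filter is stateful and passes the reply packets of connections it has already allowed, which this simplification leaves out.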

There are other technologies that network managers can turn to for help:

• Behaviour analytics and machine-learning techniques

These continuously analyse data so that exploits and breaches, from outside and inside threats alike, are identified earlier, and they let organisations respond rapidly to attacks even when no signature for the malware or attack exists yet.

• Multiple advanced pattern analysis and machine learning-based malware prevention

Mathematical models can be used in addition to, or instead of, signatures to identify and block malware. Purely signature-based malware prevention is ineffective against new advanced and targeted attacks.

• User and entity behavioural analytics (UEBA)

This enables broad-scope security analytics, much as security information and event management (SIEM) enables broad-scope security monitoring. UEBA provides user-centric analytics of user behaviour combined with event correlation, which makes the results of security analytics more accurate and threat detection more effective.
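The behaviour-analytics and UEBA bullets above describe the same mechanism: learn what is normal for each user, then score new events against that baseline instead of against a signature. Here is an added example of that idea (not code from the article or from 5nine) run over constructed login records. It builds a per-user profile from a baseline window (login hours, source addresses, failed logins per day) and then flags a new source, an unusual hour, a burst of failures beyond the user's baseline, and a user with no baseline at all. The log format, the users and the addresses (RFC 5737 documentation ranges) are all constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

LINE_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) "
                     r"action=login result=(?P<result>success|fail)$")

# Constructed auth log. Days 1-5 are the baseline window; day 6 is analysed.
BASELINE_LOG = [
    f"2016-09-0{d}T0{h}:1{d}:00 user=alice src=10.0.1.15 action=login result=success"
    for d in range(1, 6) for h in (8, 9)
] + [
    f"2016-09-0{d}T09:05:00 user=bob src=10.0.1.22 action=login result=success"
    for d in range(1, 6)
] + [
    "2016-09-02T08:03:00 user=bob src=10.0.1.22 action=login result=fail",
    "2016-09-04T08:02:00 user=bob src=10.0.1.22 action=login result=fail",
]

NEW_LOG = [
    "2016-09-06T03:12:00 user=alice src=198.51.100.9 action=login result=success",
    "2016-09-06T09:04:00 user=bob src=10.0.1.22 action=login result=fail",
    "2016-09-06T09:04:05 user=bob src=10.0.1.22 action=login result=fail",
    "2016-09-06T09:04:10 user=bob src=10.0.1.22 action=login result=fail",
    "2016-09-06T09:04:15 user=bob src=10.0.1.22 action=login result=fail",
    "2016-09-06T09:04:20 user=bob src=10.0.1.22 action=login result=fail",
    "2016-09-06T09:04:30 user=bob src=10.0.1.22 action=login result=success",
    "2016-09-06T09:10:00 user=carol src=10.0.1.40 action=login result=success",
]


def parse(lines):
    """Parse log lines into event dicts; lines that do not match the format are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            e = m.groupdict()
            e["ts"] = datetime.fromisoformat(e["ts"])
            events.append(e)
    return events


def build_baseline(events):
    """Per-user profile: login hours seen, sources seen, and the mean/stdev of
    failed logins per day (zero-filled for days with no failures)."""
    profiles = {}
    days = sorted({e["ts"].date() for e in events})
    for e in events:
        p = profiles.setdefault(e["user"], {"hours": set(), "sources": set(),
                                            "fails": {d: 0 for d in days}})
        if e["result"] == "success":
            p["hours"].add(e["ts"].hour)
            p["sources"].add(e["src"])
        else:
            p["fails"][e["ts"].date()] += 1
    for p in profiles.values():
        per_day = list(p["fails"].values())
        p["fail_mean"], p["fail_sd"] = mean(per_day), pstdev(per_day)
    return profiles


def detect(events, profiles, min_fail_burst=3):
    """Score each event against its user's profile. Returns alerts as (user, ts, reason).
    A failure burst fires once per user per day, when the count exceeds
    max(min_fail_burst, mean + 3 * stdev) of the baseline failures per day."""
    alerts, fails_today, fired = [], defaultdict(int), set()
    for e in sorted(events, key=lambda e: e["ts"]):
        user, p = e["user"], profiles.get(e["user"])
        if p is None:
            alerts.append((user, e["ts"], "no baseline for this user"))
            continue
        if e["result"] == "fail":
            key = (user, e["ts"].date())
            fails_today[key] += 1
            threshold = max(min_fail_burst, p["fail_mean"] + 3 * p["fail_sd"])
            if key not in fired and fails_today[key] > threshold:
                fired.add(key)
                alerts.append((user, e["ts"], f"{fails_today[key]} failed logins today, "
                                              f"baseline {p['fail_mean']:.1f}/day"))
        else:
            if e["src"] not in p["sources"]:
                alerts.append((user, e["ts"], f"login from new source {e['src']}"))
            if e["ts"].hour not in p["hours"]:
                alerts.append((user, e["ts"], f"login at unusual hour {e['ts'].hour:02d}:00"))
    return alerts


def run():
    """Build the baseline from days 1-5 and score day 6."""
    return detect(parse(NEW_LOG), build_baseline(parse(BASELINE_LOG)))
```

None of the four alerts depends on a signature: alice's successful login is only suspicious because it contradicts her own history, and bob's burst is judged against his normal failure rate rather than a fixed number. That is also the weakness to keep in mind: a baseline learned while an attacker is already active will treat the attacker's behaviour as normal, so the baseline window needs to be chosen and reviewed deliberately.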

This boils down to three key messages the security industry needs to get across to those managing cloud-based networks:

1. The cloud is different from a physical data centre. Because of the architecture (less hardware, but more VMs on that hardware) you can't simply install software on each VM and run it.

2. For both private and hybrid cloud networks, you can't rely on AV signature databases alone, or on attack signatures in systems such as Snort; you need some form of pattern or behaviour analysis to catch unknown attacks.

3. Public cloud is further complicated by the fact that you don't have full access to the environment your VMs run in: you are not the administrator of the hypervisor or virtual switch beneath them, so host-side controls of the kind described above are the provider's to offer, not yours to install. You need to ensure that you at least retain the ability to control network traffic to and from those machines, and have access to their logs so you can analyse them for suspicious activity and archive them for compliance audits.

Contributed by Dr Konstantin Malkov, CTO, 5nine Software