Companies of all sizes are moving their infrastructure to the cloud, but what about their security systems?
If you maintain your own data center, then it's likely that you run several security appliances among your servers. You may also be doing gateway scanning, log gathering and monitoring, intrusion detection and prevention, and running some sort of firewall as well.
But how do you "do" security when your infrastructure in no longer under your direct control? How do you replicate the functionality of all your existing on-premise security systems in the cloud?
Cloud Security Options
You can approach the problem in two key ways. If your infrastructure is running in Amazon's AWS, for example, then you can access the AWS APIs and monitor it remotely - or get a managed security service provider (MSSP) to do that on your behalf. (It may well be that if you are offloading your infrastructure to the cloud, it makes sense to offload much of your security function to a managed service provider as well.)
On Microsoft's Azure the situation is similar. You (or an MSSP) can monitor your infrastructure remotely or from within Azure using Azure security solutions. The same goes for other clouds as well.
The alternative, and perhaps more obvious, approach is to replicate as far as possible the security setup you have in your data center. You can do this by instantiating equivalent virtual security appliances in software at the appropriate places in your cloud infrastructure. There are plenty of security vendors who offer these virtual appliances, including Fortinet, Dell SonicWALL and Cisco.
What you don't get, though, is access to the cloud provider's abstraction layers. You can't walk around their facilities checking the security for yourself in the way that you can in your own data center.
That means you have to trust and verify. You have to trust your cloud provider to protect your servers from outsiders (and other cloud customers). You can verify that they are doing the right things by looking for certifications such as ISO 27001, PCI-DSS and the results of annual SOC 1 audits.
So how well does cloud security work in practice? One company that recently moved its infrastructure to the cloud is Retirement Clearinghouse, a North Carolina-based specialist in retirement services for job changers.
Using a Managed Security Service
With more than $380 million of assets under management and aware of several high profile security breaches suffered by other companies, Mike Goode, the company's CIO, was keen to stay out of the news. His solution was to use a managed security service provided by Alert Logic to monitor his cloud infrastructure.
Goode's staff used to monitor the logs produced in its own data center for security purposes, but admits that this might not have been very effective. "We weren't as diligent as we should have been," he said.
With the move to the cloud, Retirement Clearinghouse's logs are still monitored by in-house staff, but also by Alert Logic. "We have a SOC 2-certified guy at Alert Logic monitoring our logs now as well," explained Goode.
An additional benefit of moving his infrastructure to the cloud is that he no longer needs to spend part of his security budget on outside consultants. "We used to hire these to carry out network intrusion exercises and they can be very expensive," he said.
Having Alert Logic monitor the logs, as well as providing its cloud-based Threat Manager network intrusion detection system, has been an effective way of spotting suspicious network activity and taking action before it turned into anything more serious, said Goode. For example, Alert Logic warned the company when it detected it was being pinged from a server in Florida. "We were made aware that there was a steady attempt to connect to us going on, so we blocked it at our firewall," Goode said.
Ed Ferrara, a security analyst at Forrester Research, said that far from being a challenge, security in the cloud is a good idea if it is provided by an MSSP. That's because much of security comes down to skills and bandwidth, and many companies - especially smaller ones - don't have enough of either. "It's actually typical of companies of all sizes that they don't do a good job of log monitoring," he said. "And many companies roll their logs over after 30 days, which is actually useless for forensic purposes."
Of course there's more to security than log monitoring, and MSSPs offer a range of security services. Companies like Solutionary and SilverSky,as well as Alert Logic, cater to smaller companies, but some MSSPs operate multiple network operations centers (NOCs) around the world to provide security for very large international enterprises.
Perhaps the most important question to ask is whether cloud security measures can ever be as good as ones located in your own data center. "The real issue with the cloud is that you don't own the abstraction layer - the hypervisors and so on," Ferrara pointed out. That means you have to trust the cloud provider, and take their reputation as well as their certifications into account.
"Of course if you choose a reputable well-funded cloud vendor like HP, IBM, Microsoft or Rackspace, then they have an interest in making sure you stay secure," he added.
Architected correctly, data centers that are designed and build for the cloud are not necessarily less secure than bricks and mortar ones, he said.
In fact he goes further. "You have a better chance of architecting (security) in the cloud as it is easier to reconfigure in the cloud," he said. "Don't forget, Target was not in the cloud. Sony was not in the cloud."
Paul Rubens has been covering enterprise technology for over 20 years. In that time he has written for leading UK and international publications including The Economist, The Times, Financial Times, the BBC, Computing and ServerWatch.