Security Forecast 'Cloudy' at Interop LV 2010
Faster network infrastructure pushes more virtualized services into the cloud, reshaping security risks and strategies.
Speed made headlines again at Interop LV 2010, the 23-year-old conference devoted to infrastructure that makes the Internet tick. This year, attendees couldn't move without bumping into a 10GigE switch or some other furiously fast data center device. With a multitude of virtualized services migrating into "the cloud," Sun's prescient vision has finally come to pass: The network really is the computer.
This year's show focused on core network innovations that make clouds possible. But, for security folk, clouds pose new threats and opportunities. Dedicated, on-prem devices may be tough to secure but they're all yours. On the other hand, cloud services must be logically configured, often from afar, powered by (possibly shared) platforms you've never seen. Interop attendees explored this increasingly cloudy forecast and glimpsed the latest gear designed to support it.
What you can't see...
According to Network Instruments, 41 percent of surveyed attendees already ran some kind of Software-as-a-Service (SaaS), most often Salesforce.com or Google Apps. Another 19 percent reported using Infrastructure-as-a-Service (IaaS), like Amazon's Elastic Compute Cloud. Why adopt these cloud services? One third said to cut costs; another 30 percent sought more flexibility to react to business changes.
But even bullish-about-clouds Interop attendees had serious reservations about loss of visibility and control. Twenty-two percent worried about tools to monitor and manage cloud activities; 27 percent feared that bandwidth costs might exceed forecasted budget.
While Interop attendees may be more inclined than your average IT guy to use network-based virtual services, cloud providers and platform vendors clearly need to reach out and comfort those who will be responsible for administering and securing cloud initiatives. Several did just that during Interop conference sessions.
Look before you leap
This year's sessions ran the gamut from cloud computing, virtualization, and app delivery 2.0 to networking, storage, and unified communication. Security issues were sprinkled throughout, but served as the focal point for two tracks: one on governance and compliance, another on IT security and risk management.
In the latter, Brian Contos, Chief Security Strategist at Imperva, discussed "Data Security in the Cloud." Technologies that have long secured our networks -- ACLs, firewalls, IDS, VPN, anti-virus -- are not defending us from attacks like cross-site scripting and SQL injection, he said. Cloud services exacerbate these existing threats.
"When you move data into the cloud, it becomes easier to attack multiple targets at once," said Contos. "A successful attack can bring down an entire service. It can impact many more [companies and users], so the risks around financially-motivated attacks are amplified."
But Contos argued that clouds can also reduce risk through more effective network-based defenses. "You can do reputation-based security really well in the cloud. You can do virtual patching there more efficiently. You can unify data and network-centric controls [inside the cloud]," he said. A good cloud service provider can also deliver faster incident response, using a deeper talent pool.
Chris Richter, VP of Security Services at Savvis, said clouds raise security concerns in part because services are so varied. "You've got multiple models, multiple vendors, and multiple policies. Some providers don't reveal their policies or architectures or even allow vulnerability scans," said Richter. "Security auditors are understandably worried."
Security standards are being drafted by organizations like the PCI Security Standards Council and the Federal Cloud Computing Advisory Council. But enterprises also need to adopt more methodical approaches to secure cloud deployment. Specifically, Richter recommends the following steps:
- Evaluate your application's suitability for cloud deployment
- Classify the value and sensitivity of data to be stored in the cloud
- Determine cloud type (SaaS, PaaS, IaaS) based on app needs
- Select an appropriate delivery model (private, public, hybrid)
- Specify platform requirements (e.g., CPU, storage, bandwidth)
- Specify security controls, including firewall/IDS rules, log management, application and database protection, identity/access management, and encryption
- Determine if your policies can be satisfied by your provider's policies
- Establish provider selection criteria (e.g., geographic reach, stability)
Like Contos, Richter said a well-designed cloud should incorporate security. "Data is the ultimate prize, so Web app [and database] firewalls in the cloud are very important to stop ports 80 and 443 from becoming gaping holes," he said. But buyers must become informed, ask questions, and walk away from services that don't meet their needs. For example, when deploying a service subject to compliance audits, "If you can't scan your [cloud hosted] environment, you have to look elsewhere," said Richter.
Building secure clouds
Not surprisingly, many big Interop announcements dealt with plumbing, such as Arista Networks' 7500 (a 384-port 10GigE cloud computing switch) and Mellanox Technologies' BridgeX InfiniBand gateway (for high I/O virtualized services). But you can't build self-defending networks that push tens of gigabits without more efficient security products too.
SonicWALL announced Project SuperMassive, a data center firewall that combines reassembly-free deep packet inspection with threat intelligence gathered from 1.5 million deployed devices, running in a 4U chassis equipped with up to 20 Cavium 12-core CPUs. The result: a furiously fast box that performs full unified threat management (UTM) at throughputs up to 13 Gbps with just 400 milliseconds of latency. With SuperMassive, 10GigE network operators don't have to choose between performance and reputation-based, application-layer threat prevention.
McAfee used Interop to announce Firewall Enterprise 8, a feature update to the SideWinder acquired from SecureComputing. This proxy firewall has always been application-aware, but FE8 adds "any port" protection, meaning that it can now block SSH tunnels on port 53, etc. FE8 also leverages TrustedSource, McAfee's geo-location and reputation-based filtering service that uses cloud-sourced data from 100 million sensors to block emerging threats. For customers moving to virtual data centers, FE8 is now available as hardware, software, or a virtualized appliance.
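The "any port" idea is that a firewall should decide by what the bytes on the wire are, not by the port number they arrive on. As an added illustration (not McAfee's or Firewall Enterprise's code), the following classifies the first client bytes of a TCP flow by protocol signature and flags a mismatch with the port's expected protocol; the policy table and sample flows are constructed for the demo.

```python
# Added example: port-independent protocol identification, the principle
# behind "any port" protection. Assumes we see the first client bytes of a
# TCP flow. PORT_POLICY and SAMPLE_FLOWS are constructed for this demo.
from dataclasses import dataclass

# Expected application protocol per well-known port (assumed policy table).
PORT_POLICY = {22: "ssh", 53: "dns", 80: "http", 443: "tls"}

def identify_protocol(payload: bytes) -> str:
    """Classify a flow's first client bytes by content, ignoring the port."""
    if payload.startswith(b"SSH-"):          # SSH version exchange (RFC 4253)
        return "ssh"
    if len(payload) >= 6 and payload[0] == 0x16 and payload[1] == 0x03:
        return "tls"                         # TLS handshake record, version 3.x
    for method in (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"OPTIONS "):
        if payload.startswith(method):
            return "http"
    # DNS over TCP: 2-byte length prefix, 12-byte header, QR bit clear (query).
    if len(payload) >= 14:
        length = int.from_bytes(payload[:2], "big")
        flags = int.from_bytes(payload[4:6], "big")
        if length == len(payload) - 2 and (flags & 0x8000) == 0:
            return "dns"
    return "unknown"

@dataclass
class Verdict:
    port: int
    observed: str
    expected: str
    action: str

def evaluate_flow(dst_port: int, payload: bytes) -> Verdict:
    """Block when the protocol seen on the wire does not match the port's policy."""
    observed = identify_protocol(payload)
    expected = PORT_POLICY.get(dst_port, "any")
    action = "allow" if expected in ("any", observed) else "block"
    return Verdict(dst_port, observed, expected, action)

# Constructed sample flows (first client bytes only).
SAMPLE_FLOWS = [
    (53, b"SSH-2.0-OpenSSH_7.9\r\n"),                      # SSH tunnelled over port 53
    (53, b"\x00\x1d\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"
         b"\x07example\x03com\x00\x00\x01\x00\x01"),        # genuine DNS query over TCP
    (80, b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"),
    (443, b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03"),  # start of a TLS ClientHello
]

if __name__ == "__main__":
    for port, data in SAMPLE_FLOWS:
        v = evaluate_flow(port, data)
        print(f"port {v.port:>3}: saw {v.observed:<7} expected {v.expected:<4} -> {v.action}")
```

The SSH banner on port 53 is blocked while the real DNS query on the same port is allowed, which is the distinction a port-only ACL cannot make.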
German company gateProtect introduced its latest firewall at Interop: the GPZ-2500. This large enterprise UTM firewall combines 6 fiber ports, 18 GigE ports, VPN acceleration, redundant disks, and redundant power supplies to achieve 99.97% availability. The GPZ-2500 delivers up to 9 Gbps of firewall throughput, dropping to 1.1 Gbps with full UTM. GateProtect's "secret sauce" is its icon-driven ergonomic GUI. In multi-site or cloud deployments, the gateProtect Command Center can manage 500 gateProtect UTM firewalls, using eGUI drag-and-drop and visual rules to simplify accurate configuration.
Offering security as a service
Barracuda not only announced its own Next-Generation Firewall, but demonstrated its Purewire Web Security Service, a SaaS offering that inspects Web requests (local, remote, or mobile) for policy compliance and analyzes responses before letting them enter corporate networks. Depending on requirements, inspection can be performed by the provider's cloud or a CPE gateway. Focused on Web-borne threats, Purewire combines anti-virus signatures, AJAX-aware object analysis, and behavioral analysis to block bots, spyware, and malicious Web apps that use HTTP/HTTPS.
Trustwave decorated its Interop booth with a banner announcing "Cloud Security," referring to both cloud management of CPE-based services (e.g., managed UTM, managed IDS/IPS) and in-the-cloud services (e.g., secure e-mail). For example, Trustwave recently added Data Loss Prevention (DLP) Discover to its security services portfolio. This service scans internal corporate assets to discover and classify sensitive data, applying "smart tags" to each file to enable access control, encryption, logging, etc. Trustwave delivers unified dashboard access to all of its compliance and security services (including DLP) through its on-line integrated Managed Security Portal.
Cisco announced a pair of cloud-based security services: IronPort Email Data Loss Prevention and Encryption, and ScanSafe Web Intelligence Reporting (WIRe). To support these cloud services, Cisco now owns 30+ data centers world-wide, handling 2.8B reputation look-ups, 2.5B web requests, and 250B spam messages per day. WIRe gives enterprises detailed per-user data about employee web activities, including malware interception, bandwidth usage, and policy compliance. IronPort is a hosted secure e-mail service that inspects and optionally encrypts outbound messages, applying custom or predefined policies for regulatory compliance, regional laws, intellectual property protection and acceptable use.