Amrit Williams

Cloud Security: To Scale Safely, Think Small

Why today's enterprises need an adaptable cloud infrastructure centered around flexibility, portability, and speed.

“Intelligence is the ability to adapt to change.” —Stephen Hawking

Enterprises would be wise to follow Hawking’s definition of intelligence. The modern data center, in all its incarnations, is becoming increasingly dynamic and elastic. Chances are, your network was designed according to last century’s perimeter-based security principles and is composed of a hodgepodge of legacy infrastructure. From a security perspective, this is untenable. While throwing everything out and starting from scratch is both financially unfeasible and operationally unproductive, enterprises cannot continue to use last century’s techniques to deal with today’s threats.

Many enterprises are adopting cloud infrastructure both to reduce their hardware footprint, along with the cost and effort of housing and maintaining servers, and to take advantage of on-demand compute and storage resources. Whether you are an enterprise evolving your data center toward private, public, and/or hybrid cloud solutions, or an infrastructure-as-a-service provider offering compute and storage to organizations, your security strategy must evolve too. Securing data beyond the now-mythical perimeter is imperative. To accomplish this, security professionals have to let go of any residual antipathy toward automation and sever any attachment to the infrastructure-centric security mindset. In a word: adapt.

So where to begin? If you want to scale safely, you have to start by thinking small…very small.

In the DevOps world, where agile development is all the rage, we’re seeing the emergence of containers and microservices: systems and applications broken down into smaller, modular, self-contained components. Like the broader shift in computing, the microservices movement breaks applications down into smaller, independent processes, each focused on a specific task, that communicate with each other.

The security use case

In this article, I’m going to focus on the security use case for network infrastructure. You still need firewalls and intrusion detection for traffic coming in and out of the network (north-south traffic). But because of the very real potential for an attack to take advantage of lateral movement between applications and compute resources (for example, an attacker compromising a fairly insecure resource and then using that access to pivot to a more critical application or internal resource), an adaptable security strategy must now also focus on what’s going on inside the data center (east-west traffic) and in cloud environments, at the level of the workload itself.

To reduce the attack surface, micro-segmentation can be used to partition the workloads and their interactions with each other into logical application groupings. Those groupings form smaller protectable units, each accompanied by its own lightweight layer of security. You still have the firewall monitoring the source of traffic with coarse-grained controls, but it’s no longer the primary sentry; it’s just one of a number of safeguards in a multilayer, multidirectional defense structure. And now, micro-segmentation at the workload level itself, and not just at the network, offers an additional layer of fine-grained controls.

This is important because some of the more nefarious attacks have been able to bypass network-level controls and move easily between workloads, compromising machine-to-machine communication. It’s an important construct to understand, especially when moving to cloud computing, since workloads lose some of the natural perimeter that traditional data centers provided.

Automated traffic discovery

Management is actually easier at this level with micro-segmentation. Partitioning is too complex to manage manually, but automated traffic discovery and firewall orchestration tools enable both the micro-segmentation itself and its management. These tools let network security admins collect, aggregate, and visualize the intricate traffic behavior between workloads. They also define and orchestrate security policies and parameters, which can then be applied and enforced automatically throughout the system. Automation provides both visibility and a means to manage the complexity, so the data can be better protected.
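To make the discovery-to-enforcement loop concrete, here is an added example (not code from the article or from CloudPassage) that aggregates constructed east-west flow records into group-level allow rules, evaluates candidate flows against the resulting default-deny policy, and computes the lateral-movement reach of a compromised group. The workload names, group labels, ports, and flows are all assumed sample data.

```python
from collections import deque

# Constructed sample of east-west flows an automated traffic-discovery tool
# might report: (src_workload, dst_workload, dst_port, protocol).
OBSERVED_FLOWS = [
    ("web-01", "app-01", 8080, "tcp"),
    ("web-02", "app-01", 8080, "tcp"),
    ("app-01", "db-01", 5432, "tcp"),
    ("app-02", "db-01", 5432, "tcp"),
    ("bastion-01", "web-01", 22, "tcp"),
]

# Hypothetical assignment of workloads to logical application groups (labels
# are constructed; a real deployment would tag workloads from its inventory).
WORKLOAD_GROUPS = {
    "web-01": "web", "web-02": "web",
    "app-01": "app", "app-02": "app",
    "db-01": "db", "bastion-01": "mgmt",
}


def build_policy(flows, groups):
    """Aggregate host-to-host flows into group-level allow rules.

    Returns a set of (src_group, dst_group, port, proto). Anything not in the
    set is denied: default-deny is what turns a group into a protectable unit.
    """
    return {(groups[s], groups[d], port, proto) for s, d, port, proto in flows}


def is_allowed(policy, groups, src, dst, port, proto):
    """Enforcement decision for one candidate flow at the workload level.
    Untagged workloads fall into 'unknown', which never matches a rule."""
    rule = (groups.get(src, "unknown"), groups.get(dst, "unknown"), port, proto)
    return rule in policy


def reachable_groups(policy, start_group):
    """Blast radius of a compromised group: every group reachable by chaining
    allowed rules, i.e. the lateral-movement paths the policy still permits."""
    seen, queue = {start_group}, deque([start_group])
    while queue:
        current = queue.popleft()
        for src_group, dst_group, _, _ in policy:
            if src_group == current and dst_group not in seen:
                seen.add(dst_group)
                queue.append(dst_group)
    return seen - {start_group}
```

With the constructed flows, a web-tier workload can reach the database only through the app tier; `reachable_groups` surfaces such chained paths so an admin can decide whether a group's allow rules are tighter than the observed traffic suggests.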

The migration from traditional servers to IaaS can be tricky for organizations that need strong access controls, continuous monitoring, logging, and an inventory of sensitive data for compliance purposes. Micro-segmentation takes the burden of protecting dynamic computing environments and configuring the underlying network infrastructure (such as firewalls and VLANs) off the lower layers of the stack and the network security admin teams that run them. It also lets server owners themselves set finer-grained controls to meet their organization’s compliance and security needs. So enterprises can get on-demand, fully automated workloads at any scale, along with system integrity and security, while keeping the oversight and control they need.

We’ve moved from a world of manual control and hardware to one of automation, virtualization, and the cloud. The new model offers flexibility, portability, and speed that the old paradigm just couldn’t offer. New technologies such as micro-segmentation add security by keeping things small and contained, while allowing the environment to expand to cloud scale. And most importantly, they provide the ability to adapt to meet the needs of the modern enterprise. 

Amrit Williams has over 20 years of experience in information security and is currently the chief technology officer of CloudPassage. Amrit has held a variety of engineering, management and consulting positions prior to joining CloudPassage. Previously, Williams was the ...
User Rank: Apprentice
2/1/2016 | 7:05:32 PM
Cyber Security Solved
In consideration of cloud security, this stuff should be of interest.

Most cyber security solutions fail because they rely on outdated, post-attack listing strategies that simply cannot identify or stop unknown threats. Patented Vir2us technologies end the game with hackers by creating built-in secure processes and disposable computing environments where malicious software simply cannot propagate or persist. Only Vir2us secures your business from the inside out to deliver what you need to take control today.

Vir2us empowers you to achieve genuine cyber security now, with managed solutions delivered from the cloud, configured in minutes and deployed globally, with powerful cloud-based controls that preempt both known and unknown cyber threats, and provide real-time actionable information and response tools.

Seems like an end game to hacking and meets the new and recommended compliance standards of regulatory authorities including SEC, FINRA, NIST, NSA, DHS, HIPAA. Any thoughts?
User Rank: Ninja
1/19/2016 | 12:44:53 PM
Agile methodology provides a huge benefit not only to cloud security but to security as a whole. Even if your hardware is on premise, breaking larger security initiatives into smaller, more manageable ones is beneficial and will help to transition older, antiquated security protocols into ones that will combat a more current threat.