11:30 AM
Amrit Williams
Amrit Williams
Connect Directly
E-Mail vvv

Cloud Security: To Scale Safely, Think Small

Why today's enterprises need an adaptable cloud infrastructure centered around flexibility, portability, and speed.

“Intelligence is the ability to adapt to change.” —Stephen Hawking

Enterprises would be wise to follow Hawking’s definition of intelligence. The modern data center, in all its incarnations, is becoming increasingly more dynamic and elastic. Chances are, your network was designed according to last century’s perimeter-based security principals and is likely composed of a hodgepodge of legacy infrastructure. From a security perspective, this is untenable. While throwing everything out and starting from scratch is both financially unfeasible and operationally unproductive, enterprises cannot continue to use last-century’s techniques to deal with today’s threats. 

Many enterprises are moving to adopt cloud infrastructure to both reduce their hardware footprint and the resulting costs and effort it takes to house and maintain the servers, and take advantage of on-demand compute and storage resources. Whether you are an enterprise evolving your data center to adopt private, public and/or hybrid cloud computing solutions, or an infrastructure-as-a-service provider offering compute and storage services to organizations, your security strategy must evolve, too. Securing data beyond that now-mythical perimeter is imperative. To accomplish this, security professionals have to let go of any residual antipathy toward automation and sever any attachments to the infrastructure-centric security mindset. In a word: adapt.

So where to begin? If you want to scale safely, you have to start by thinking small…very small.

In the DevOps world where agile development is all the rage, we’re seeing the emergence of containers and microservices -- systems and applications that are broken down into smaller, modular, self-contained components. As with computing in general, the microservices movement similarly breaks applications down into smaller, independent processes focused on specific tasks that communicate with each other.

The security use case

In this article, I’m going to focus on the security use case for network infrastructure. You still need firewalls and intrusion detection for traffic coming in and out of the network (north-south traffic). But due to the very real potential for an attack to take advantage of lateral movement between applications and compute resources (for example, an attacker compromising a fairly insecure resource and then using that access to pivot to a more critical application or internal resource), an adaptable security strategy must now also focus on what’s going on inside the datacenter (east-west traffic) and in cloud environments at the workload level itself.

To reduce the attack surface, micro-segmentation can be used to partition the workloads and their interactions with each other into logical application groupings. Those groupings form smaller protectable units, each accompanied by its own lightweight layer of security. You still have the firewall monitoring the source of traffic with coarse-grained controls, but it’s no longer the primary sentry; it’s just one of a number of safeguards in a multilayer, multidirectional defense structure. And now, micro-segmentation at the workload level itself, and not just at the network, offers an additional layer of fine-grained controls.

This is important because some of the more nefarious attacks have been able to bypass the network level controls and easily move between workloads, compromising machine-to-machine communication. It’s an important construct to understand, especially when moving to cloud computing, since the workloads lose some of the natural perimeter provided by traditional data centers.

Automated traffic discovery

Management is actually easier at this level with micro-segmentation. Partitioning is too complex to manage manually, but automated traffic discovery and firewall orchestration tools enable the micro-segmentation itself, and the management. The tools allow network security admins to collect, aggregate, and visualize all the intricate traffic behavior. The tools also define and orchestrate all security policies and parameters, which can then be applied and enforced automatically throughout the system. Automation provides both visibility and a means by which to manage its complexity, enabling the data to be better protected.

The migration from traditional servers to IaaS can be tricky for organizations that need strong access controls, continuous monitoring, logging, and sensitive data inventory for compliance purposes. Micro-segmentation takes the burden of protecting dynamic computing environments and configuring the underlying network infrastructure (such as firewalls and VLANs) away from the lower level stack in network security admin teams. It also allows server owners themselves to set a finer grained control for their organization’s compliance and security needs. So enterprises can get on-demand and fully automated workloads at any scale, along with system integrity and security, but with the oversight and control they need. 

We’ve moved from a world of manual control and hardware to one of automation, virtualization, and the cloud. The new model offers flexibility, portability, and speed that the old paradigm just couldn’t offer. New technologies such as micro-segmentation add security by keeping things small and contained, while allowing the environment to expand to cloud scale. And most importantly, they provide the ability to adapt to meet the needs of the modern enterprise. 

Related content:


Amrit Williams has over 20 years of experience in information security and is currently the chief technology officer of CloudPassage. Amrit has held a variety of engineering, management and consulting positions prior to joining CloudPassage. Previously, Williams was the ... View Full Bio
Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Apprentice
2/1/2016 | 7:05:32 PM
Cyber Security Solved
In consideration of cloud security this stuff should be of interest.

Most cyber security solutions fail because they rely on outdated, post-attack listing strategies that simply cannot identify or stop  unknown threats. Patented Vir2us technologies end the game with hackers by creating built-in secure processes and disposable computing environments where malicious software simply cannot propagate or persist. Only Vir2us secures your business from the inside out to deliver what you need to take control today.

 Vir2us empowers you to achieve genuine cyber security now, with managed solutions delivered from the cloud, configured in minutes and deployed globally.   With powerful cloud-based controls that preempt both known and unknown cyber threats, and provide real-time actionable information and response tools. 

Seems like a end game to hacking and  meets the new and recommended compliance standards of regulatory authorities inculding SEC, FINRA, NIST, NSA, DHS, HIPAA. Any thoughts?






User Rank: Ninja
1/19/2016 | 12:44:53 PM
Agile methodology provides a huge benefit not only to cloud security but security as a whole. Even if your hardware is on premise breaking larger security initiatives into smaller more manageable ones is beneficial will help to transition older antiquated security protocols into ones that will combat a more current threat.
Register for Dark Reading Newsletters
White Papers
Current Issue
5 Security Technologies to Watch in 2017
Emerging tools and services promise to make a difference this year. Are they on your company's list?
Flash Poll
New Best Practices for Secure App Development
New Best Practices for Secure App Development
The transition from DevOps to SecDevOps is combining with the move toward cloud computing to create new challenges - and new opportunities - for the information security team. Download this report, to learn about the new best practices for secure application development.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
Published: 2015-10-15
The Direct Rendering Manager (DRM) subsystem in the Linux kernel through 4.x mishandles requests for Graphics Execution Manager (GEM) objects, which allows context-dependent attackers to cause a denial of service (memory consumption) via an application that processes graphics data, as demonstrated b...

Published: 2015-10-15
netstat in IBM AIX 5.3, 6.1, and 7.1 and VIOS 2.2.x, when a fibre channel adapter is used, allows local users to gain privileges via unspecified vectors.

Published: 2015-10-15
Cross-site request forgery (CSRF) vulnerability in eXtplorer before 2.1.8 allows remote attackers to hijack the authentication of arbitrary users for requests that execute PHP code.

Published: 2015-10-15
Directory traversal vulnerability in QNAP QTS before 4.1.4 build 0910 and 4.2.x before 4.2.0 RC2 build 0910, when AFP is enabled, allows remote attackers to read or write to arbitrary files by leveraging access to an OS X (1) user or (2) guest account.

Published: 2015-10-15
Cisco Application Policy Infrastructure Controller (APIC) 1.1j allows local users to gain privileges via vectors involving addition of an SSH key, aka Bug ID CSCuw46076.

Dark Reading Radio
Archived Dark Reading Radio
In past years, security researchers have discovered ways to hack cars, medical devices, automated teller machines, and many other targets. Dark Reading Executive Editor Kelly Jackson Higgins hosts researcher Samy Kamkar and Levi Gundert, vice president of threat intelligence at Recorded Future, to discuss some of 2016's most unusual and creative hacks by white hats, and what these new vulnerabilities might mean for the coming year.