Cloud
7/14/2014
12:00 PM
Bill Kleyman
Commentary

How Next-Generation Security Is Redefining The Cloud

Your cloud, datacenter, and infrastructure all contain flexible and agile components. Your security model should be the same.

Cloud computing has become a much better defined platform. There are more use cases, and far more organizations are actively evaluating cloud models today than ever before. We have better infrastructure, more resources, and far more connected users. All of this is fueling tremendous growth in cloud adoption.

For example, the latest Cisco Global Cloud Index report predicts that:

  • Annual global cloud IP traffic will reach 5.3 zettabytes by the end of 2017. By 2017, global cloud IP traffic will reach 443 exabytes per month (up from 98 exabytes per month in 2012).
  • Global cloud IP traffic will increase nearly 4.5-fold over the next five years. Overall, cloud IP traffic will grow at a CAGR of 35 percent from 2012 to 2017.
  • Global cloud IP traffic will account for more than two-thirds of total datacenter traffic by 2017.

This type of growth is driving cloud providers to offer new types of solutions, new ways to distribute data, and even better ways to compute. But as with any technology that becomes far more popular, the security concerns grow with it: more data traverses the WAN, and every link and endpoint it crosses is one more place an attacker can reach it.

What’s clear is that traditional security, built around fixed appliances at a fixed perimeter, is no longer sufficient to protect the modern cloud workload. But what will next-generation security look like? Here are a few ways in which software-defined security is helping redefine the modern cloud:

Logical security abstraction
This is where we begin to separate the logical from the physical. A big part of next-gen security is the ability to apply controls at several layers at once, through virtual services that interact directly with the underlying physical components. That could be an asset-management service, or a virtual service monitoring a remote physical port in a managed-services scenario. It can also mean choosing between a physical security appliance and a virtual one for the same job. In every case, the security of your datacenter will hinge on how well you secure the virtual and cloud layers, because that is where the workloads now live.

Scalable security services
Next-generation security uses a set of services to control and secure infrastructure data. Application firewalls, API-based clientless security, and network traffic monitors each add a layer of protection. Imagine a key application sitting behind an application security engine that learns, heuristically, how the application normally behaves and halts traffic that deviates from that baseline. The practical caveat is that such an engine is only as good as its learning window: train it on traffic you know to be clean, and expect to retrain after every significant release, or it will either block legitimate new behavior or, worse, learn an attacker's traffic as normal.
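As an added example (not code from the article), the following Python sketch shows the learn-then-enforce behaviour described above: a per-endpoint baseline is built from a constructed sample of normal traffic, frozen, and then used to block requests to endpoints never seen in training or with request bodies far larger than anything learned. All endpoint names, body sizes and thresholds are constructed for the demo.

```python
import re
import statistics
from collections import defaultdict

# Constructed sample of normal traffic used to train the baseline (not real logs).
# Each entry is (method, path, request body size in bytes).
TRAINING_TRAFFIC = [
    ("GET", "/", 0), ("GET", "/", 0),
    ("GET", "/static/app.js", 0), ("GET", "/static/app.js", 0),
    ("GET", "/api/users/1", 0), ("GET", "/api/users/2", 0),
    ("GET", "/api/users/37", 0), ("GET", "/api/users/5", 0),
    ("POST", "/api/login", 110), ("POST", "/api/login", 118),
    ("POST", "/api/login", 125), ("POST", "/api/login", 102),
]


def normalize_path(path):
    """Drop the query string and collapse numeric segments so that
    /api/users/42?x=1 and /api/users/7 map to the same endpoint template.
    (Numeric-only ids are a simplification for the demo.)"""
    path = path.split("?", 1)[0]
    return re.sub(r"/\d+(?=/|$)", "/{id}", path)


class LearningAppFirewall:
    """Two-phase engine: observe() records traffic while learning, freeze()
    turns the observations into per-endpoint limits, decide() enforces them."""

    def __init__(self, size_floor=256, sigma=3.0):
        self._sizes = defaultdict(list)  # (method, template) -> body sizes seen
        self._limits = {}                # (method, template) -> max allowed body size
        self.size_floor = size_floor     # never learn a limit below this many bytes
        self.sigma = sigma               # how many std-devs above the mean is still normal
        self.enforcing = False

    def observe(self, method, path, body_size):
        if self.enforcing:
            raise RuntimeError("baseline is frozen; use decide()")
        self._sizes[(method, normalize_path(path))].append(body_size)

    def freeze(self):
        """End the learning window and compute a size limit per endpoint."""
        for key, sizes in self._sizes.items():
            learned = statistics.fmean(sizes) + self.sigma * statistics.pstdev(sizes)
            self._limits[key] = max(learned, self.size_floor)
        self.enforcing = True

    def decide(self, method, path, body_size):
        """Return (verdict, reason); verdict is 'allow' or 'block'."""
        if not self.enforcing:
            return ("allow", "learning mode: observing only")
        key = (method, normalize_path(path))
        if key not in self._limits:
            return ("block", "endpoint %s %s never seen during learning" % key)
        if body_size > self._limits[key]:
            return ("block", "body %d bytes exceeds learned limit %.0f"
                    % (body_size, self._limits[key]))
        return ("allow", "matches baseline")


def build_firewall():
    """Train on the constructed sample and switch to enforcement."""
    fw = LearningAppFirewall()
    for method, path, size in TRAINING_TRAFFIC:
        fw.observe(method, path, size)
    fw.freeze()
    return fw


if __name__ == "__main__":
    fw = build_firewall()
    for req in [("GET", "/api/users/42?verbose=1", 0), ("POST", "/api/login", 120),
                ("GET", "/admin/config", 0), ("POST", "/api/login", 50000),
                ("DELETE", "/api/users/42", 0)]:
        print(req, "->", fw.decide(*req))
```

The learn/freeze split is the whole point: everything observed during learning becomes "normal", so the window has to be clean, and a release that adds an endpoint needs a relearn or an explicit allow, or the engine blocks the new feature on day one.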

Data security and control
It is not only about securing your information. Because there is so much more data, next-generation security also shapes how traffic flows: steering traffic to one logical node or another, and applying controls that govern which inbound users and user groups may reach which services. The result is a dynamic environment in which data and users are managed intelligently as they use the cloud. And because data and virtual machines are fluid, moving between datacenters and cloud points, next-generation security has to control and protect that information wherever it travels, not just at a fixed perimeter. That is what advances data security, integrity, and control.

As more IT organizations gravitate to the burgeoning array of new cloud options, security teams will also need to consider what modern technologies they can add to their toolsets. New features and tools for your next-gen infrastructure could include virtual security services, security integration with cloud-based applications, and technologies that ensure that user data is always secure, in motion or at rest.

Regardless of the options or security features you choose, remember that far more data is generated every day and that this data is becoming far more valuable. Next-generation security gives a security program the flexibility and diversity to keep up. Your cloud, datacenter, and infrastructure are flexible and agile components; your security model should be the same.

Bill is an enthusiastic technologist with experience in datacenter design, management, and deployment. His architecture work includes large virtualization and cloud deployments as well as business network design and implementation. Bill enjoys writing, blogging, and educating ...
Comments
QuadStack, User Rank: Author
7/16/2014 | 1:21:58 PM
Re: Is this happening now?
@Rick - You're right IoT is going to become a pretty big topic moving forward. Just look at the Tesla as an example. You have a center console built on an Android platform. 

With a few "modifications" you can pretty much start launching apps on it (like Windows applications). 

Data integrity, cloud security, and having a solid virtual infrastructure are all critical pieces to creating the next-gen cloud platform. 

Next-generation security revolves around our capability to better secure a very diverse cloud environment. This will mean the combination of virtual and physical technologies. As I mentioned earlier - you can have a physical appliance running 30-40 virtual machines all running a different type of security service. 
Bill Kleyman, User Rank: Apprentice
7/16/2014 | 1:16:00 PM
Re: Is the hypervisor a future seat of security?
@Charlie - Next-gen security will show up in all sorts of forms. It will be physical and it will be virtual.

Physical appliances will still sit at the gateway. The big difference is that they'll be capable of also acting as security hypervisors. They'll be able to process a massive amount of information by leveraging hardware resources while using virtual security machines to process, quantify and secure data.

The future spells for a much more interconnected cloud environment. This means that more information will be passed through the modern data center. Already we're seeing security platforms like the Citrix NetScaler or Juniper Security products make a direct impact on security and security virtualization. 
QuadStack, User Rank: Author
7/16/2014 | 1:11:21 PM
Re: Is this happening now?
@Marilyn - Great question! I'll give you an easy example -- Heartbleed. 

A really good friend of mine, working as a security professional at a large enterprise, told me how he was impacted by Heartbleed. Although they had vulnerable services, their IPS/IDS solution spotted the bots and alerted the engineers to shut down services which were being impacted. Although they still released a bulletin to alert their users, the ramifications were much smaller. Virtual security appliances can be application firewalls, virtual firewalls or just security services running within your infrastructure. These powerful agents can create a very good proactive system capable of advanced security monitoring.
Dr.T, User Rank: Ninja
7/15/2014 | 10:08:00 AM
Re: Is the hypervisor a future seat of security?
Agree. It has to be different because of the fact that threats on the cloud are generally different than on your SME business network.
Dr.T, User Rank: Ninja
7/15/2014 | 10:05:58 AM
Re: Is this happening now?
Layered approaches are always better than non-layered approaches. We have to assume that the control we put in place will not protect us; what do we need to do next?
Dr.T, User Rank: Ninja
7/15/2014 | 10:05:05 AM
Re-inventing security
I agree with the article. We may have better infrastructure, but the number of breaches is increasing exponentially every year for both security and privacy. That tells us we are not ahead of the game; the bad guys have better control over it. We have to rethink our security controls and reinvent new ways of protecting ourselves.
kgilpin, User Rank: Apprentice
7/14/2014 | 7:25:09 PM
Re: Is this happening now?
I'd suggest this SlideShare by Mike Kail, VP of IT Operations at Netflix:

http://www.slideshare.net/mdkail/it-ops-2014-technology-roadmap

They are moving their IT operations completely out of the data center and into AWS, including SOX apps like payroll and accounting. That means:

* No more Active Directory
* No more "trust the perimeter" (aka "crunchy exterior with soft chewy center") approach to security
* Zero trust between internal services
* Layered authorization internally, both for end-user auth and for access to services (ssh, service-to-service authorization)
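The "zero trust between internal services" and "layered authorization" items in the comment above, illustrated with an added Python example that is not part of the comment or of Netflix's implementation: a short-lived signed token names the calling service, the one service it may be presented to, and the scopes granted; the receiving service verifies signature, audience and expiry, then applies its own per-caller policy. Network position is never consulted. The service names, scopes and the shared HMAC key are constructed for the demo; the symmetric key is a simplification noted in the code.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo key. A symmetric key that every service holds is a
# simplification: a real issuer would sign with a private key and services
# would verify with its public key, so no service can mint tokens for another.
DEMO_KEY = b"constructed-demo-signing-key-not-for-production"


def _b64(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _encode_claims(claims):
    return _b64(json.dumps(claims, sort_keys=True, separators=(",", ":")).encode())


def mint_token(key, subject, audience, scopes, ttl=60, now=None):
    """Issue a short-lived token naming the calling service (sub), the single
    service it may be presented to (aud) and the scopes it was granted."""
    now = int(time.time() if now is None else now)
    body = _encode_claims({"sub": subject, "aud": audience, "scope": sorted(scopes),
                           "iat": now, "exp": now + ttl})
    sig = _b64(hmac.new(key, body.encode("ascii"), hashlib.sha256).digest())
    return body + "." + sig


def forge_scope(token, scopes):
    """Attacker simulation: rewrite the claims but keep the original signature."""
    body, sig = token.split(".")
    claims = json.loads(_unb64(body))
    claims["scope"] = sorted(scopes)
    return _encode_claims(claims) + "." + sig


class ServiceAuthorizer:
    """Runs inside the receiving service. Where the call came from on the
    network is never an input: every request must carry a token that passes
    signature, audience and expiry checks and then this service's own policy."""

    def __init__(self, key, service_name, policy):
        self.key = key
        self.service_name = service_name
        self.policy = policy  # caller service -> scopes this service grants it

    def verify(self, token, now=None):
        """Return (claims, 'ok') for an authentic, unexpired token addressed to
        this service, otherwise (None, reason)."""
        try:
            body, sig = token.split(".")
            expected = hmac.new(self.key, body.encode("ascii"), hashlib.sha256).digest()
            presented = _unb64(sig)
        except ValueError:
            return None, "malformed token"
        if not hmac.compare_digest(expected, presented):
            return None, "bad signature"  # checked before parsing untrusted claims
        try:
            claims = json.loads(_unb64(body))
        except ValueError:
            return None, "malformed claims"
        if not isinstance(claims, dict) or claims.get("aud") != self.service_name:
            return None, "audience mismatch"
        now = int(time.time() if now is None else now)
        if now >= claims.get("exp", 0):
            return None, "token expired"
        return claims, "ok"

    def authorize(self, token, required_scope, now=None):
        """Authentication first, then two authorization layers: the token must
        carry the scope, and local policy must grant that scope to that caller."""
        claims, reason = self.verify(token, now)
        if claims is None:
            return False, reason
        caller = claims.get("sub")
        if caller not in self.policy:
            return False, "caller %r not allowed to reach %s" % (caller, self.service_name)
        if required_scope not in claims.get("scope", []):
            return False, "token for %r lacks scope %s" % (caller, required_scope)
        if required_scope not in self.policy[caller]:
            return False, "policy denies %s to %r" % (required_scope, caller)
        return True, "allowed: %r may %s" % (caller, required_scope)


def build_ledger_authorizer():
    """Hypothetical 'ledger' service: billing may read, payroll may read and write."""
    return ServiceAuthorizer(DEMO_KEY, "ledger",
                             {"billing": {"ledger:read"},
                              "payroll": {"ledger:read", "ledger:write"}})


if __name__ == "__main__":
    t0 = int(time.time())
    ledger = build_ledger_authorizer()
    billing = mint_token(DEMO_KEY, "billing", "ledger", {"ledger:read"}, now=t0)
    print("billing read  ->", ledger.authorize(billing, "ledger:read", now=t0))
    print("forged scope  ->", ledger.authorize(forge_scope(billing, {"ledger:write"}), "ledger:write", now=t0))
    print("expired       ->", ledger.authorize(billing, "ledger:read", now=t0 + 61))
```

The ordering inside authorize() is deliberate: a forged or expired token is rejected before any claim is trusted, a token that names the wrong audience cannot be replayed against another service, and a caller that somehow obtains an over-scoped token still hits the receiving service's own policy, which is the second authorization layer the comment refers to.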
RickDelgado, User Rank: Apprentice
7/14/2014 | 6:20:58 PM
Re: Is this happening now?
I'm also interested in a specific example of next-gen security. Bill makes a good point that with so many advances in the cloud, big data, IoT, it's time for security to become more dynamic as well. 
Charlie Babcock, User Rank: Moderator
7/14/2014 | 3:53:11 PM
Is the hypervisor a future seat of security?
Bill is onto something; security in the cloud will be different. But I can't quite tell where he thinks the differences will show up and in what form? For example, I would think an inspection engine as part of the virtual machine hypervisor would be in order as a key vantage point.
Marilyn Cohodas, User Rank: Strategist
7/14/2014 | 1:34:52 PM
Is this happening now?
Interesting food for thought, Bill. But is this happening now? Can you paint us a picture with some real-world examples of how "the" cloud or "a" has been redefined by next gen security?