
Cloud | Commentary
7/14/2014 12:00 PM
Bill Kleyman

How Next-Generation Security Is Redefining The Cloud

Your cloud, datacenter, and infrastructure all contain flexible and agile components. Your security model should be the same.

Cloud computing has become a much more defined platform. There are more use cases, and many more organizations are actively looking at cloud models today than ever before. We have better infrastructure, more resources, and a much more connected user. All of this is fueling tremendous growth in cloud adoption.

For example, the latest Cisco Global Cloud Index report predicts that:

  • Annual global cloud IP traffic will reach 5.3 zettabytes by the end of 2017. By 2017, global cloud IP traffic will reach 443 exabytes per month (up from 98 exabytes per month in 2012).
  • Global cloud IP traffic will increase nearly 4.5-fold over the next five years. Overall, cloud IP traffic will grow at a CAGR of 35 percent from 2012 to 2017.
  • Global cloud IP traffic will account for more than two-thirds of total datacenter traffic by 2017.

This type of growth is driving cloud providers to offer new types of solutions, new ways to distribute data, and even better ways to compute. However, as with any technology that becomes far more popular, security concerns grow as well: data now traverses the WAN and is far more exposed to attack.

What’s clear is that traditional security is no longer sufficient to protect the modern cloud workload. But what will next-generation security look like? Here are a few ways in which software-defined security is helping redefine the modern cloud:

Logical security abstraction
This is where we begin to separate the logical from the physical. A big part of next-gen security is having the ability to interact with technology at various layers. This means deploying virtual services that directly interact with underlying physical components. In some cases this could be asset management or a virtual service monitoring a remote physical port in a managed services scenario. Similarly, it might mean choosing between a physical appliance or a virtual security appliance. In all cases, the security of your datacenter is going to revolve around how well you can secure the virtual and cloud layer.

Scalable security services
Next-generation security uses various services to control and secure infrastructure data. Application firewalls, API-based client-less security, and network traffic service monitors all provide new levels of security. Imagine having a key application sitting behind a powerful application security engine. This engine heuristically learns how your application operates and halts any anomalous traffic.
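As an added illustration of the learning application security engine described above (example code written for this page, not code from the article or from any product it mentions): a small behavioural baseline that learns, from a constructed sample of known-good requests, which endpoints, query keys and body sizes are normal, and then reports why a later request deviates so a policy layer can block it or raise an alert.

```python
from collections import defaultdict

# Constructed sample of known-good traffic: (method, path, query keys, body bytes).
# In practice this would come from a learning window of real application logs.
BASELINE_REQUESTS = [
    ("GET", "/api/orders", ("page",), 0),
    ("GET", "/api/orders", ("page", "limit"), 0),
    ("POST", "/api/orders", (), 512),
    ("POST", "/api/orders", (), 640),
    ("GET", "/api/users/me", (), 0),
]


class BehaviouralBaseline:
    """Learns which endpoints, query keys and body sizes are normal for an app."""

    def __init__(self, size_slack=2.0):
        self.allowed_keys = defaultdict(set)  # (method, path) -> query keys seen
        self.max_body = defaultdict(int)      # (method, path) -> largest body seen
        self.size_slack = size_slack          # tolerance above the learned maximum

    def learn(self, requests):
        """Absorb a batch of known-good requests into the baseline."""
        for method, path, keys, body_len in requests:
            endpoint = (method, path)
            self.allowed_keys[endpoint].update(keys)
            self.max_body[endpoint] = max(self.max_body[endpoint], body_len)

    def evaluate(self, method, path, keys, body_len):
        """Return the reasons a request deviates from the baseline ([] = normal)."""
        endpoint = (method, path)
        if endpoint not in self.allowed_keys:
            # Never-seen method/path pair: the strongest signal, no further checks.
            return ["unknown endpoint %s %s" % endpoint]
        reasons = []
        unseen = set(keys) - self.allowed_keys[endpoint]
        if unseen:
            reasons.append("unseen query keys %s" % sorted(unseen))
        limit = self.max_body[endpoint] * self.size_slack
        if body_len > limit:
            reasons.append("body %d bytes exceeds learned limit %d" % (body_len, limit))
        return reasons


def build_engine():
    """Train a baseline on the constructed sample; callers then evaluate() traffic."""
    engine = BehaviouralBaseline()
    engine.learn(BASELINE_REQUESTS)
    return engine
```

A real engine would keep re-learning on a rolling window and treat the reasons as alert or block inputs rather than hard verdicts; the point here is that the baseline is derived from the application's own observed behaviour rather than from static signatures.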

Data security and control
It’s not just about securing your information. Because there is so much more data, next-generation security solutions can also help with traffic flow. This could mean pushing traffic to one logical node or another for a variety of reasons. Controls can be set up to manage inbound users and user groups. This creates a dynamic environment where data and users are managed intelligently while they utilize the cloud. What's more, because data and virtual machines are very fluid, agile, and capable of traversing a number of datacenter points, next-generation security is refining how all of this information is controlled and secured as it passes through various cloud points. This will really help advance data security, integrity, and control.

As more IT organizations gravitate to the burgeoning array of new cloud options, security teams will also need to consider what modern technologies they can add to their toolsets. New features and tools for your next-gen infrastructure could include virtual security services, security integration with cloud-based applications, and technologies that ensure that user data is always secure, in motion or at rest.

Regardless of the options or security features you choose to work with, it’s important to understand that there is a lot more data being generated every single day and that this data is becoming a lot more valuable. Next-generation security enables flexibility and diversity within a security offering. Your cloud, datacenter, and infrastructure are flexible and agile components -- your security model should be the same.

Bill Kleyman brings more than 15 years of experience to his role as Executive Vice President of Digital Solutions at Switch. Using the latest innovations, such as AI, machine learning, data center design, DevOps, cloud and advanced technologies, he delivers solutions ...

Comments
QuadStack, User Rank: Author
7/16/2014 | 1:21:58 PM
Re: Is this happening now?
@Rick - You're right IoT is going to become a pretty big topic moving forward. Just look at the Tesla as an example. You have a center console built on an Android platform. 

With a few "modifications" you can pretty much start launching apps on it (like Windows applications). 

Data integrity, cloud security, and having a solid virtual infrastructure are all critical pieces to creating the next-gen cloud platform. 

Next-generation security revolves around our capability to better secure a very diverse cloud environment. This will mean the combination of virtual and physical technologies. As I mentioned earlier - you can have a physical appliance running 30-40 virtual machines all running a different type of security service. 
Bill Kleyman, User Rank: Apprentice
7/16/2014 | 1:16:00 PM
Re: Is the hypervisor a future seat of security?
@Charlie - Next-gen security will show up in all sorts of forms. It will be physical and it will be virtual.

Physical appliances will still sit at the gateway. The big difference is that they'll be capable of also acting as security hypervisors. They'll be able to process a massive amount of information by leveraging hardware resources while using virtual security machines to process, quantify and secure data.

The future spells for a much more interconnected cloud environment. This means that more information will be passed through the modern data center. Already we're seeing security platforms like the Citrix NetScaler or Juniper Security products make a direct impact on security and security virtualization. 
QuadStack, User Rank: Author
7/16/2014 | 1:11:21 PM
Re: Is this happening now?
@Marilyn - Great question! I'll give you an easy example -- Heartbleed. 

A really good friend of mine, working as a security professional at a large enterprise, told me how he was impacted by Heartbleed. Although they had vulnerable services, their IPS/IDS solution spotted the bots and alerted the engineers to shut down services which were being impacted. Although they still released a bulletin to alert their users, the ramifications were much smaller. Virtual security appliances can be application firewalls, virtual firewalls or just security services running within your infrastructure. These powerful agents can create a very good proactive system capable of advanced security monitoring.
Dr.T, User Rank: Ninja
7/15/2014 | 10:08:00 AM
Re: Is the hypervisor a future seat of security?
Agree. It has to be different because of the fact that threats on the cloud are generally different than on your SME business network.
Dr.T, User Rank: Ninja
7/15/2014 | 10:05:58 AM
Re: Is this happening now?
Layered approaches are always better than non-layered approaches. We have to assume that the control we put in place will not protect us; what do we need to do next?
Dr.T, User Rank: Ninja
7/15/2014 | 10:05:05 AM
Re-inventing security
I agree with the article. We may have better infrastructure, but the number of breaches is increasing exponentially every year for both security and privacy. That tells us we are not ahead of the game; the bad guys have better control over it. We have to re-think our security controls and reinvent new ways of protecting ourselves.
kgilpin, User Rank: Apprentice
7/14/2014 | 7:25:09 PM
Re: Is this happening now?
I'd suggest this SlideShare by Mike Kail, VP of IT Operations at Netflix:

http://www.slideshare.net/mdkail/it-ops-2014-technology-roadmap

They are moving their IT operations completely out of the data center and into AWS, including SOX apps like payroll and accounting. That means:

* No more Active Directory
* No more "trust the perimeter" (aka "crunchy exterior with soft chewy center") approach to security
* Zero trust between internal services
* Layered authorization internally, both for end-user auth and for access to services (ssh, service-to-service authorization)
RickDelgado, User Rank: Apprentice
7/14/2014 | 6:20:58 PM
Re: Is this happening now?
I'm also interested in a specific example of next-gen security. Bill makes a good point that with so many advances in the cloud, big data, IoT, it's time for security to become more dynamic as well. 
Charlie Babcock, User Rank: Ninja
7/14/2014 | 3:53:11 PM
Is the hypervisor a future seat of security?
Bill is onto something; security in the cloud will be different. But I can't quite tell where he thinks the differences will show up and in what form? For example, I would think an inspection engine as part of the virtual machine hypervisor would be in order as a key vantage point.
Marilyn Cohodas, User Rank: Strategist
7/14/2014 | 1:34:52 PM
Is this happening now?
Interesting food for thought, Bill. But is this happening now? Can you paint us a picture with some real-world examples of how "the" cloud or "a" has been redefined by next gen security?