After a recent snowstorm, and due to pending work on our generator, I had to dig out paths to the generator, the propane tank, etc. We normally dig out a few paths for moving wood around our yard, access to oil, the driveway, etc. But when we finished, we dug a moat around our entire house. This got me thinking about cloud security. The ongoing desire to put moats between us and the attackers. But what is us, in the cloud? Can we prevent the attacks? What are the current moat style technologies in play today?

There are several moat style technologies available, then include:

  • Traditional in-line firewalls
  • More advanced firewalls who kill ‘bad sessions’
  • Application specific firewalls
  • Sandboxes

And what do all these have in common? They are trying to limit but not remove all threats.

Sandbox – Moats around an attack

Take a look at Sandbox technology, such as from Bromium. This technology can only run on bare-metal and allows the attacks to happen. It does not prevent the attacks, but it prevents the spread of attacks. In essence, the attack was allowed into through the gate, but the moat around the attacked application disallowed the spread of the attack to other critical systems. This is the case for any sandbox technology. If the attack was not prevented from reaching the application, a sandbox limits the attack surface. Symantec Critical System Protection (CSP) works in the same manner. Both of these technologies look use whitelists to allow certain actions but all within the context of the sandbox. There is a moat around the application.

Firewall – Moats before an attack

When we look at a firewall on the other hand, we have a Moat that blocks attacks from getting to the other side. While a Sandbox contains an unknown attack, a firewall blocks a known attack and perhaps some unknown ones if the firewall uses whitelisting instead of blacklisting.  Some firewalls attempt to tell you which users are involved in attacks (or really any action), but that often requires the firewall to be the hub of communication. With a cloud or virtual environment we have a proliferation of firewalls that blacklist traffic from one part of the network from another.

We need both types of Moats

We all use moats within our network and cloud designs. Firewalls used to be only at the edges, but they are being used to divide tenants, etc. We have a proliferation of firewalls but we do not have a proliferation of technologies that will contain unknown attacks. This is crucial as unknown attacks are what cause the most damage. We cannot prepare for them, but we can contain them when they happen. It is definitely an important concept for multi-tenant clouds where we want to contain a tenant within their own networks and systems.

Do we have enough defense in depth to use both types of Moats? Should the moats be at the edges of the network, before each virtual machine, before the application, or surrounding the data? What happens if we move a virtual machine, application, or the data, does the definition and requirements of the moats involved move with the construct?

This is the end goal, to wrap a security context around an object. Or in other words each object has its own moat.

Share this Article:

Share Button
Edward Haletky (373 Posts)

Edward L. Haletky, aka Texiwill, is the author of VMware vSphere(TM) and Virtual Infrastructure Security: Securing the Virtual Environment as well as VMware ESX and ESXi in the Enterprise: Planning Deployment of Virtualization Servers, 2nd Edition. Edward owns AstroArch Consulting, Inc., providing virtualization, security, network consulting and development and The Virtualization Practice where he is also an Analyst. Edward is the Moderator and Host of the Virtualization Security Podcast as well as a guru and moderator for the VMware Communities Forums, providing answers to security and configuration questions. Edward is working on new books on Virtualization.

[All Papers/Publications...]

Connect with Edward Haletky:


Related Posts:

3 comments for “Cloud Security: On Moats

  1. January 4, 2013 at 3:34 PM

    Interesting post, however you have forgotten the Honeytrap concept. it is OK having a Firewall (a door) and a sandbox (a room with no windows) but how do you guarantee that the attacker enters, without the fem fatalle beckoning their fingers. Some Agencies actually have completely false environments to protect their real assets.

  2. caroline nasiru
    January 27, 2013 at 6:44 PM

    hey Edward, and all your readers, you write really informative articles, lately I have picked a deep interest in cloud computing that I want to do my masters project in the area of cloud computing(security, management, something trending that will give me some skills that make me look good to employers when am done), am asking for some guidance in pointing out something specific, someone with a bit of expertise in the area could be of help. Please. thanks

  3. January 28, 2013 at 10:44 AM

    Hello Caroline,

    Good luck with your masters project. There is a wide range of topics under virtualization and cloud security, management, etc. Which areas interest you the most?

    Best regards,
    Edward Haletky

Leave a Reply

Your email address will not be published. Required fields are marked *


seven × 8 =

Top