There are two sides to cloud security: the tenant and the provider. At the moment, it appears from both perspectives that cloud computing is using bolt-ons to create a sense of security. This is more perception than reality. Perception is what is preventing cloud adoption. What does this perception mean? Are clouds really using bolt-on technologies?
Let us look at three aspects of the cloud:
- Management: The interfaces used to manage a cloud instance
- Tenant Security: The tenants’ requirements for security, compliance, etc.
- Cloud Security: The security provided by the cloud service provider
Cloud Security Management
Why split out management? Recently, I was told all you needed was management isolation to be a multi-tenant cloud. Granted, this is where multi-tenant security begins. However, much more is required. Many private clouds (OpenStack, VRA-based clouds, VCD-based clouds, and others from Embotics, etc.) provide management access control. At the same time, identity management is only one piece of this puzzle. Identity management must be offered to each tenant.
We know that most public clouds are more secure than most enterprises. However, can we prove this? We have no inside information that allows us to attest that this is true. Can we trust reports on security or compliance? Are our tenancies in scope for such reports?
Enterprises require these cloud management controls:
- Identity Management (Authentication)
- Two-Factor Authentication
- Role-Based Access Controls (Authorization)
- Object-Level Granularity
- Logging (errors, all identities activities)
- Behavioral Analytics (who did what, and when and where did they do it?)
- Alerting on incidents outside the norm (and well-known attacks)
- Incident Response
The controls span providers and tenants. Yet, tenants bolt on a third-party tool to achieve this within their areas of management. The cloud provider provides these controls for its management. Can tenants use these controls? The answer is no. The tenant must bolt on increasing levels of controls.
Cloud Security Tenant Bolt-Ons
Early cloud tenants are trusting the cloud provider as the source of security. Yet, tenants do not see what cloud providers see. That data is not available to tenants. Tenants are discovering what they are missing and bolt on security to cover the lack or hire managed security providers. Many cloud providers offer such services. Cloud providers know it is difficult to gain visibility, and such visibility costs extra.
Gaining visibility is as simple as adding a cloud-aware security broker (CASB), web application firewall, or even DDoS prevention tools. Why these tools? Each provides visibility. Each of these tools can be provided by a cloud service provider, though perhaps not the one you are running within. Most, if not all, such tools work best for web services, which are the future of applications today.
Many of the SaaS-based security options are designed to be bolt-on technologies to cover the gaps between the cloud providers’ and the tenants’ security measures. Solutions provide a depth of network to absorb DDoS and other attacks, yet they are not necessarily part of any infrastructure cloud. The solutions for active defenses also seem to be bolt-ons added after the application is deployed.
Cloud Security Providers
Cloud security providers provide identity, database, proxy, and web application firewall services in the form of easily deployable images. In essence, the use of these are still up to the tenant. What the providers offer for security is easily accessible but not automatically available as part of any tenancy. This is the unfortunate part. The bits exist, and the knowledge to use them exists, but the two are not often together.
This is where clouds that provide managed security services shine. They can put both together and help the customer using the knowledge and visibility of the cloud provider.
The knowledge of cloud security exists within the cloud service provider. The cloud service providers are exposing their capabilities and knowledge, yet they are doing so too slowly. Hence, there is a need to fill the gap. The gap that appears to be more bolt-on than integrated.
This calls for more tenants to have a good security architecture that takes advantage of the cloud, its services, and those of other clouds. A unified approach to security is required, not the continual application of bolt-ons.
Where is your cloud presence in this journey? Ours relies on a WAF and DDoS protection integrated within our cloud provider, as well as a WAF and DDoS protection within a SaaS. Visibility is from active logging within the application while performance logging exists within the cloud provider. This type of integrated approach needs to be considered from the beginning of any cloud tenancy. The approach should be the end goal as well.