Cloud Providers and Security “Edge” Services – Where’s The Beef?
Previously I wrote a post titled “Oh Great Security Spirit In the Cloud: Have You Seen My WAF, IPS, IDS, Firewall…” in which I described the challenges for enterprises moving applications and services to the Cloud while trying to ensure parity in compensating controls, some of which are either not available or suffer from the “virtual appliance” conundrum (see the Four Horsemen presentation on issues surrounding virtual appliances.)
Yesterday I had a lively discussion with Lori MacVittie about the notion of what she described as “edge” service placement of network-based WebApp firewalls in Cloud deployments. I was curious about the notion of where the “edge” is in Cloud, but assuming it’s at the provider’s connection to the Internet as was suggested by Lori, this brought up the arguments in the post above: how does one roll out compensating controls in Cloud?
The level of difficulty and need to integrate controls (or any “infrastructure” enhancement) definitely depends upon the Cloud delivery model (SaaS, PaaS, and IaaS) chosen and the business problem trying to be solved; SaaS offers the least amount of extensibility from the perspective of deploying controls (you don’t generally have any access to do so) whilst IaaS allows a lot of freedom at the guest level. PaaS is somewhere in the middle. None of the models are especially friendly to integrating network-based controls not otherwise supplied by the provider due to what should be pretty obvious reasons — the network is abstracted.
So here’s the rub: if MSSPs/ISPs/ASPs-cum-Cloud operators want to woo mature enterprise customers to use their services, they are leaving money on the table and not fulfilling customer needs by failing to roll out complementary security capabilities which lessen the compliance and security burdens of their prospective customers.
While many provide commoditized solutions such as anti-spam and anti-virus capabilities, more complex (but profoundly important) security services such as DLP (data loss/leakage prevention), WAF, Intrusion Detection and Prevention (IDP), XML Security, Application Delivery Controllers, VPNs, etc. should also be considered for roadmaps by these suppliers.
Think about it, if the chief concern in Cloud environments is security around multi-tenancy and isolation, giving customers more comfort besides “trust us” has to be a good thing. If I knew where and by whom my data is being accessed or used, I would feel more comfortable.
Yes, it’s difficult to do properly and in many cases means the Cloud provider has to make a substantial investment in delivery platforms and management/support integration to get there. This is why niche players who target specific verticals (especially those heavily regulated) will ultimately have the upper hand in some of these scenarios – it’s not socialist security where “good enough” is spread around evenly. Services like these need to be configurable (SELF-SERVICE!) by the consumer.
An example? How about Google: where’s DLP integrated into the messaging/apps platforms? Amazon AWS: where’s IDP integrated into the VMM for introspection?
I wrote a couple of interesting posts about this (that may show up in the automated related posts lists below):
- GooglePOPs – Cloud Computing and Clean Pipes: Told Ya So…
- Re-branding Managed Services and SaaS For Security In the Cloud…1995 Never Looked So Shiny
- Clean Pipes – Less Sewerage or More Potable Water?
My customers in the Fortune 500 complain constantly that the biggest providers they are being pressured to consider for Cloud services aren’t listening to these requests — or aren’t in a position to respond.
That’s bad for everyone.
So how about it? Are services like DLP, IDP, WAF integrated into your Cloud providers’ offerings something you’d like to see rather than having to add additional providers as brokers and add complexity and cost back into Cloud?
/Hoff
I completely share your views. Did you have a look at apps.gov? It seems no concern about security has been properly taken into account. It sounds more like: "yeah it will work"
If you'd like to share your views I'd be very pleased. Ciao!
Have a look on meedabyte.wordpress.com
A very good point, and something a few of us in the infosec practice at my former employer were chewing on for a while. On a semi-related tangent, I would also ask how cloud providers are protecting my data when, not if, another client is caught doing something untoward and forensic analysis is conducted on the storage… or how are they enabling forensic analysis of the storage used by an individual client, should it be necessary, without opening all clients using the same physical storage resource to unwarranted scrutiny?
Not sure what other people are seeing out there, but our larger DLP customers are telling their cloud providers: "here is the DLP solution we've selected. Use this."
Feels like some cloud providers feel ok with trying to bundle in low-performing Data Loss Prevention capabilities as part of the package…that is, if they provide anything at all.
Meanwhile, we've moved forward on a pack of features to support hybrid on-prem/off-prem infrastructure as well. Enterprises that have outsourced components of their infrastructure can still have a unified view of what content is flowing where.
Feels like hybridity is the de facto plan for the enterprise for the foreseeable future.
Kevin Rowney
Founder, Data Loss Prevention Division
Symantec
Hoff,
"Cloud Cartography" is an interesting research angle being pursued at MIT and UC San Diego, where they experimented with VM co-location in Amazon's cloud. I jotted down my own thoughts on their research paper (http://bit.ly/7ieea), but for the real beef go straight to their website: http://people.csail.mit.edu/tromer/papers/cloudse….
Steve
@Steve Todd
Oh, I have an entire set of slides dedicated to it and other related potential discovery capabilities in my new Cloudifornication presentation and I also updated the Frogs preso…
Good stuff.
Today, when working with an IaaS provider it's a no-brainer that larger IT customers want their DLP Endpoint solution to extend off prem. Their choice of DLP solution is likely to involve how well it supports their domain (HIPAA, PCI).
Would like to hear opinions on aggregate level solutions, not just DLP, assuming the required underlying infra becomes available.
Mike Hancock
Partner Solutions Enablement
EMC
3 thoughts on this:
1) Agree regarding compliance support in particular. The regulations are pretty stringent and without the support of an MSSP too many companies (SMBs in particular) are playing with fire.
2) A private onramp to the cloud may be necessary when data is extremely sensitive and/or performance is a concern.
3) Instead of an edge appliance I would like to see a software shell that has all capabilities but no configuration – the shell could call to the mothership (cloud) to obtain its configuration (similar to the way a remote access client pulls down rules when logging into a VPN). The cloud based policy management could then be multi-tenant, support rapid deployment and be completely self service.
Dennis
@Dennis Piche
P.S. I was thinking of something else when you referenced the "Four Horsemen" 🙂
I agree on some level, yet I think we may be overly simplifying the cloud. For me I have a hard time with approaching a very new problem by using yesterday’s solutions. For example, you’re assuming there is a reasonable point to put DLP/IDS/FW/etc. and that those solutions will actually work relative to the cloud architecture. I think this approach may work in the short term but time will show that trying to force the cloud into our definition won’t work and neither will the controls. Dennis’s point #3 is where things are going. sorry for typos… using pda. jim. http://www.realsecurity.us/weblog
Problem with "edge" security is that you only deal with risks at the edge. What if what you also care about is your apps and your data? "Edge security" gives you diddly squat in that respect. Still, it looks good on a Visio diagram to give to the auditors.
Couldn't agree more with the need for providers to start thinking "full service" with cloud offerings. Right now, Co's are testing the cloud – policy, security, reliability, management acceptance, etc. These sorts of full security offerings can go a long way to pushing cloud computing forward. I can only speak from a WAF perspective here, but a good starting point needs to consider a few things. More here: http://artofdefence.wordpress.com
If your "cloud" runs on VMWare, then there is a software version that plays in that space. Check Point VE has been out for over a year, and doesn't sacrifice on functionality: FW, VPN, RAVPN, SSLVPN, IPS, basic WAF. You will see a new version in Q4 that ties directly into VMSafe for even more security functionality…outside of the firewall.
With all the complaining I see on this blog about a lack of security options with VMWare, I would think someone would have done five seconds of research. Makes me wonder if all the griping is because the host here works for a company that is doing zero for security in the cloud; that is unless you consider ACLs, AAA, and telnet to be acceptable (Cisco v1000). And honestly would anyone really look to Cisco to secure their environment?
@Eric
You should take down that White Paper and do some research.
"Currently, web application firewalls (WAF) and other security solutions are restricted to hardware appliances, which creates a serious bottleneck for cloud service providers."
Are you serious? Take a look at:
http://www.checkpoint.com/products/vpn-1_power_vs… http://www.checkpoint.com/products/vpn-1_ve/index…
@SomeGuy
Here you go:
1) If you're going to comment and make personal aspersions hinting at some impropriety on my part, man up and post your real name and contact information. Otherwise, go troll elsewhere.
2) I've worked for Cisco for 4 months. I've written this blog for ~4 years. Mixing metaphors regarding virtualization and Cloud within the context of this post on edge security services at massive levels of scale simply shows you have no concept of what scale and multi-tenancy means to security. It goes well beyond a fast-path driver and an API for VMware.
3) You clearly work for CHKP or a CHKP reseller given your other comment(s) pushing their product; I know their product (and the product managers) quite well. In fact, I wrote about it a year ago (http://www.rationalsurvivability.com/blog/?p=119,) as I have many other products in the space including Reflex, Altor, etc.
4) Given #3 it's clear you don't actually read my blog, choose to ignore my research and instead you're just here to shill a product.
Try your own advice; spend "five seconds of research" before you open your mouth and demonstrate your ignorance.
Don't bother responding.
/Hoff
@beaker
Jesus, lighten up Royce.
"1) If you’re going to comment and make personal aspersions hinting at some impropriety on my part , man up and post your real name and contact information. Otherwise, go troll elsewhere."
None of this was meant to be personal. It wasn't even necessarily directed at you. There were other people leaving comments if you noticed. Yeah I'm sure I would want to share my personal info now given your reaction, and the way you went after Schneier.
"2) I’ve worked for Cisco for 4 months. "
You are no longer an "independent researcher" now that you work for Cisco. You work for a company that is responsible for a massive amount of security problems, so I'd say your motives are a little suspect. I suppose we're all to believe you're just trying to be a helpful guy…no personal gain right? Okay so when are you going to "man up" and do a review of all the security shortcomings in the 1000v?
"I know their product (and the product managers) quite well. In fact, I wrote about it a year ago (http://www.rationalsurvivability.com/blog/?p=119,) as I have many other products in the space including Reflex, Altor, etc."
Great. Maybe you should update some of that info. VE has been VMWare (VMotion supported) for quite a while. If you were still in contact with them, you'd know this and more. But that would be "shillery" right?
"4) Given #3 it’s clear you don’t actually read my blog, choose to ignore my research and instead you’re just here to shill a product."
I re-stumbled on your blog and found some interesting views. In fact I used to link to you from my blog, before you changed your URL. Gee sorry I didn't comb through 12 months of your archives before I thought to post something here. If you don't want criticism, then disable the comments section or don't allow guests to post. Maybe it's time to hit the mat and work out those aggressions.
I'm not here to shill any product, I doubt you will be buying anything Check Point anytime soon. However, quite a few of your postings are product specific so to say I'm "shilling" something is quite hypocritical.
I call you on your "man up" comment by seeing if you approve this post. Congratulations (sincerely) in advance if you actually do.
Of course your attacks on me were meant as personal and they continue to be and how absolutely incredulous to suggest that they weren't directed at me when you clearly went out of your way to directly state such.
As to my motives, my job is not to be your or CHKP's PR firm (or anyone's for that matter) so when I have something interesting to write, I do.
I've never been an "independent researcher." I've been employed by a vendor since I started this blog. Strangely it would appear that as long as I write something you agree with, that's not an issue.
My disclaimers, interests and who I work for are public and made clear. Yours, on the other hand, are not.
You hide behind the anonymity of a pseudonym and fire off insults and make claims about your motives that are in direct contradiction to your actions.
I don't delete or moderate comments and anytime you'd like to frame things constructively as criticism, I'm here to listen.
Until then, just go away.