Vendors fight over best approach to cloud security
There's plenty of talk about the front end of cloud but less about the guts of the cloud - but where's best for security?
We hear a lot of chatter just now about the front, middle and centre portions of the total cloud computing technology proposition. At the same time, we hear comparatively little discussion and analysis of the back end, the engine room and the guts of the networked traffic that flows through the Internet pipe to and from the cloud.
But why should we care about the back end of the cloud back office, so-to-speak?
Data and application security is surely the key consideration for discussion at deeper network layers, yet we already know that data in the cloud is only as secure as the controls that we might place upon it if it were residing on a “normal” terrestrial desktop, device or server.
So the issue of additional security risks (or, conversely, additional opportunities for data lock-down) is largely over before it has begun, surely?
Despite this popularised thinking, the opportunity still exists to stop malicious web-based attacks earlier, in the network perimeter layer.
Network perimeter intelligence
New cloud-based IP intelligence services are emerging that work at the IP address level and are intelligent enough to evaluate the reputation of Internet hosts at source. These technologies are capable of aggregating and then analysing data from multiple sources to collate and deliver real-time IP threat information to cloud network managers.
Companies working in this space include F5 Networks, which describes these tools as "context-based security" controls, saying that they pave the way for more automated application delivery decisions.
According to F5, “Although existing ‘IP Reputation’ point-focused solutions will block malicious IP addresses, they will not work to integrate with applications themselves at the cloud service level so that a more complete and dynamic application delivery control proposition can be brought about.”
By tapping into a frequently updated list of threat sources and high-risk IP addresses, IP Intelligence gains what F5 calls “contextual awareness”. F5 says this awareness results from traffic reports of client IP addresses, as logged within the X-Forwarded-For (XFF) header and analysed from multiple sources across the Internet, as well as from information in global threat-sensor network reports.
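As an added illustration (not F5's product or code), the sketch below shows the kind of perimeter check described above: derive the client address from X-Forwarded-For, then look it up in a reputation list. The proxy range, the feed entries, the function names and the allow/block/inspect actions are all assumptions made for the example; the feed uses documentation address ranges as constructed sample data.

```python
import ipaddress

# Constructed sample data: RFC 5737 documentation ranges stand in for a real feed.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]  # our own load balancers (assumed)
REPUTATION_FEED = {
    ipaddress.ip_network("203.0.113.0/24"): "botnet",
    ipaddress.ip_network("198.51.100.7/32"): "scanner",
}

def is_trusted(ip):
    return any(ip in net for net in TRUSTED_PROXIES)

def client_ip(peer, xff_header):
    """Walk the hop chain right to left and return the first address that is
    not one of our proxies. Anything further left was supplied by the client
    and can be forged. Returns None when every hop is internal; raises
    ValueError on a malformed entry."""
    hops = [h.strip() for h in (xff_header or "").split(",") if h.strip()]
    hops.append(peer)                    # the TCP peer is the hop we observed directly
    for hop in reversed(hops):
        ip = ipaddress.ip_address(hop)   # ValueError if not an IP literal
        if not is_trusted(ip):
            return ip
    return None

def decide(peer, xff_header):
    """Return (action, reason) for one request."""
    try:
        ip = client_ip(peer, xff_header)
    except ValueError:
        return ("inspect", "malformed X-Forwarded-For")
    if ip is None:
        return ("allow", "internal")
    for net, category in REPUTATION_FEED.items():
        if ip in net:
            return ("block", category)
    return ("allow", "not listed")

if __name__ == "__main__":
    for peer, xff in [("10.0.0.5", "192.0.2.1, 203.0.113.9"),
                      ("198.51.100.7", "192.0.2.1"),
                      ("10.0.0.5", "192.0.2.44")]:
        print(peer, repr(xff), "->", decide(peer, xff))
```

Taking the leftmost XFF entry instead would let a listed client hide behind any address it chooses to put in the header, which is why the lookup starts from the hop the perimeter itself observed.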
But surely we should take it as a “given” that network security by its nature should have an awareness of its surrounding environment, including where that data is coming from and going to.
Peter Doggart, director of product marketing at Crossbeam Systems, argues that in a cloud environment (where you have potentially many thousands of virtual machines with different trust zones) network layer intelligence built into network security equipment is vital to classify the flow of virtual machine traffic and to ensure the right amount of inspection is taking place.
“For instance, you will want to ringfence any virtual system that is transacting credit card payment information from other web services with a variety of security tools such as Firewall, IPS and WAF,” said Doggart.
“The key here is to make this process as automated as possible and integrate the management within the data centre management tools, so when services move – which often happens – security trust zones always follow.”
If we do this right (so say the vendors in this space), then we can potentially bring a more robust layer of security control to the total cloud proposition and keep Windows exploits, worms, viruses, cross-site scripting techniques as well as SQL injection errors, botnets, zombies, domain scanners, DDoS attacks, phishing and password brute force exhaustive key search attacks at bay.
The problem here is that we have two different "species" of vendor potentially trying to impact the issue of malicious exploits across the total breadth of our IT architectures. While we might "assume" that the work of network layer specialists will marry downwards perfectly with desktop/endpoint anti-virus suite vendors’ software, it is essentially just an assumption.
While OpenStack and CloudStack fight it out and we have no single governing body or set of open standards to work to here, it is still (arguably) “open season” for cloud botnets and zombies in many cloud ecosystems. We barely have cloud computing application development and operational standards laid down in stone yet; cloud security standards are another thing coming.