Why trusted clouds require a layered security approach

The Edward Snowden leaks about the US National Security Agency’s surveillance practices in 2013 served as a timely reminder for companies to revisit their enterprise and service provider security and privacy policies.

Enterprises’ emphasis on cloud data security and protection is expected to grow further this year as companies realize how little control they have over data stored in the cloud.

“There cannot be any chink in the trust chain from internal resources to the cloud and back,” says Richard Stiennon, principal at consulting firm IT-Harvest. The recent case of a Korea Credit Bureau employee stealing personal data of at least 20 million customers from three Korean credit card firms highlights the importance of this trust chain.

Trust factor

Perceiving security as a trust chain becomes necessary as organizations increasingly struggle to defend a perimeter blurred by cloud computing. IT may no longer have direct and immediate control over company assets, such as servers, applications and data that are located in the cloud. Moreover, the emergence of shadow IT, where employees subscribe directly to external cloud-based services, often infringes on corporate security policies.

“Security requirements and drivers in the cloud are different from those in traditional data center environments … The dynamic nature of the cloud, coupled with the lack of customer ownership of infrastructure and limited transparency, has essentially broken traditional security models and architectures,” says Gartner analyst Jeffrey Wheatman.

Dimension Data, a US$5.8 billion global technology provider, believes that an effective hosted cloud service “involves much more than migrating sensitive data into an environment, simply wrapping a virtual perimeter around it and calling it secure”.

Corroborating this conviction is the Check Point Security Report 2014, which showed 88% of organizations in its study had “at least one event which may indicate a potential data loss occurrence throughout 2013, and organization experiences 29 events of potential exposure of sensitive data on a daily basis”. Tools and practices it identified as potential sources of data leakage include cloud servers, Google Docs and the simple unintentional abuse of company procedures, such as an employee bringing work home.

Change on the fly

These vulnerabilities call for a trusted cloud that is protected by integrated, layered security, one that considers networking and security in the context of the applications and data being moved to the cloud and the capabilities of the target cloud infrastructure.

For example, IT can leverage programmatic controls that support automation, if available, to evolve business security ‘on the fly’. Such automated adaptability in security is important in a dynamic cloud environment where assets are provisioned and moved quickly.

Security by segments

At the same time, Dimension Data and Check Point Software are jointly tackling the challenges of virtualization – a pillar that underpins cloud computing – and supporting VMware-based networks. For example, Check Point firewalls and standalone IPS are used to cordon traffic to critical servers, data centers, Internet access and wireless networks across a hybrid cloud environment.

This paves the way for IT to secure data by network segment, with each segment functioning as an extension of the in-house IT structure, replicating its security functions regardless of location. As Dimension Data officials highlight, an integrated, layered approach to cloud security is a natural extension of enterprise security models.

It establishes more granular control of the network, enabling enterprise IT to extend the same user access controls and network permissions it has over its own on-premise networks into the cloud.

Segmenting the private cloud into many security zones and subnets also allows many virtual gateways running on a physical box or virtual machine to be optimized for each security zone managed by a different administrator. “This reduces the capex and expedites the process of securing this dynamic private cloud,” says Itai Greenberg, product line manager at Check Point Software.

Integration with VMware’s vCloud Director, meanwhile, gives IT administrators the ability to “define policies using information despatched from vCloud,” Greenberg adds. “In addition, we have security injected inside the hypervisor so you don’t have to reroute the traffic to manipulate your environment or infrastructure to secure it.”

Multi-layered protection

To achieve multi-layered security, businesses have often found that multi-purpose firewall gateways and unified threat management devices offering high throughput and low latency are adequate.

Check Point’s Software Blade Architecture, for instance, enables comprehensive protection, including VPN, IPS, application control, identity awareness, URL filtering, anti-spam, antivirus, anti-bot, data loss prevention, mobile access and threat emulation.

Its security gateway module delivers both protection and performance for data centers, telecommunications and cloud service providers. The blade’s high port density allows more segmentation and greater flexibility in deploying security technologies based on network needs.

Other innovative ideas catching on include a threat emulation firewall module that safely “detonates” files in a sandbox to try to uncover zero-day attacks, and a compliance software module that continuously assesses security posture across all software blades and recommends actions to improve compliance and security.

Check Point also offers a virtual appliance – a security gateway for virtual environments – in the Amazon Cloud to prevent network attacks and data breaches, while securing connectivity in public cloud environments.

On-premise robustness

Ultimately, both Dimension Data and Check Point aim to help businesses implement the appropriate layered security to make the cloud a true extension of the corporate infrastructure.

Dimension Data’s Managed Cloud Platform is built on a robust architecture that automates and orchestrates both public and private cloud services to extend self-service provisioning to the end user. That also means compute, storage and networking resources can be delivered based on strong SLAs, configurable networking and security and high performance systems.

As Steve Nola, Cloud Business Unit CEO at Dimension Data, points out, “our cloud was built to support more than just testing and development or non-critical applications.

“Our public Compute-as-a-Service (CaaS) customers use our cloud for running production web and software-as-a-service applications, as well as enterprise applications like SAP.”

More importantly, Dimension Data advocates a security approach that addresses common concerns regarding physical, software and infrastructure security. Only a layered approach to security enables enterprises to replicate and extend the level of user access controls and network permissions achieved over on-premise networks into the cloud.