There is no doubt cloud computing is sweeping across the enterprise world. RightScale’s 2018 State of the Cloud survey of 997 IT professionals revealed that 96% of respondents use cloud computing, with 38% seeing it as their top priority. Nevertheless, concerns remain.
According to KPMG/Harvey Nash figures, data loss and privacy risks worry 53% of enterprises surveyed, while one in four frets about the governance of cloud solutions. How can companies maintain their cloud security with appropriate network management practices?
Before cloud computing, networks had two defining characteristics: First, although mobile users and external partners would still need access to computing resources, most components resided in the data center under a company’s physical and logical control. This end-to-end control gave administrators a high level of network visibility.
The other characteristic of pre-cloud networks was their traffic flow. Packets traveled between servers in the data center and client devices accessing services from elsewhere, a pattern known as “North-South” because traffic enters and leaves the data center through its perimeter, where the firewalls and intrusion detection systems sit.
Network characteristics change in a cloud environment. Firstly, companies using public cloud services must monitor and manage virtualized infrastructure components located outside their physical environment. Their network, computing, and storage resources are now remote, but they still need the same visibility and management capabilities they had before.
The other difference is that traffic is no longer simply North-South. Thanks to changes in application architecture, servers talk to each other across the data center far more often. Software containers running small applications or microservices interact with each other to provide business services. This traffic is known as East-West, and there is a growing amount of it. Because it never crosses the perimeter, it is largely invisible to edge firewalls and intrusion detection, and it often carries sensitive application or control data you wouldn’t want a third party to see.
The network channels this East-West traffic travels along are hacker highways. When attackers gain a foothold in a network, one of the first things they do is move laterally: enumerating the resources visible from the compromised host, compromising them, and repeating the process from each new vantage point. Eventually, they may find the sensitive information they are seeking. Protecting cloud-based components from lateral movement is a critical part of cloud networking security.
How can IT, networking, and security teams cope with these changes?
One solution is to make use of the network and management telemetry your public cloud providers already expose. Many providers offer monitoring and management services (Amazon Web Services has CloudWatch, for example), and you can often also record the traffic accepted or rejected at each network interface, which is the outcome of your security group and network ACL rules, through features such as Amazon VPC Flow Logs.
You can use a cloud service provider’s dashboard or command-line tools to monitor what’s happening in the public cloud. You may choose to go a step further and import this data into the appropriate management tools, such as on-premises network management and security information and event management (SIEM) systems that are compatible with your cloud service provider’s APIs.
For fine-grained control in private cloud environments, companies should consider software-defined networking (SDN). By abstracting network control away from hardware components, SDN enables companies to configure network routing more dynamically. It also makes it easier to set security policies to control that routing.
Management teams can use this flexible routing capability to create zones of control at a highly granular level, enabling them to cordon off individual components of their cloud infrastructure. This concept is known as microsegmentation, and it can help prevent intruders from moving laterally between different segments of your cloud infrastructure. In public clouds the equivalent building blocks are provider-native constructs such as security groups and network ACLs, which can be attached per workload rather than per physical network, and which should default to denying any East-West flow that is not explicitly required.
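The two ideas above, feeding VPC Flow Logs into your own tooling and enforcing a microsegmentation policy, meet in the analysis a SIEM should run over those logs. The following Python script is an added example, not code from the original article or from SolarWinds: it parses Amazon VPC Flow Log records in the default version-2 layout, separates North-South from East-West flows, checks accepted East-West flows against an assumed three-tier segment policy, and flags any internal host that fans out to an unusual number of internal peers, the trail lateral movement leaves behind. The VPC CIDR (10.0.0.0/16), the web/app/db segments and their allowed edges, the account and interface identifiers, and every record in SAMPLE_LOG are constructed for illustration.

```python
"""Flow-log review for East-West traffic: policy violations and fan-out.

Added example, not code from the original article or from SolarWinds.
Assumptions: the default AWS VPC Flow Log version-2 record layout, a VPC
CIDR of 10.0.0.0/16, and a three-tier segment policy (web/app/db). The
records in SAMPLE_LOG are constructed, not captured traffic.
"""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass

# Field order of the default (version 2) VPC Flow Log record format.
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()

VPC_CIDR = ipaddress.ip_network("10.0.0.0/16")  # assumed VPC address space

# Assumed microsegmentation policy: segment name -> subnet.
SEGMENTS = {
    "web": ipaddress.ip_network("10.0.1.0/24"),
    "app": ipaddress.ip_network("10.0.2.0/24"),
    "db": ipaddress.ip_network("10.0.3.0/24"),
}
# Permitted East-West edges as (src_segment, dst_segment, dst_port, ip_proto).
# Any East-West flow not listed here is denied by policy (default deny).
ALLOWED = {("web", "app", 8080, 6), ("app", "db", 5432, 6)}

@dataclass
class Flow:
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    dport: int
    proto: int
    action: str  # ACCEPT or REJECT

def parse_record(line):
    """Parse one space-separated record; return None for NODATA/SKIPDATA rows."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError(f"unexpected field count {len(parts)} in: {line!r}")
    rec = dict(zip(FIELDS, parts))
    if rec["log_status"] != "OK":      # these rows carry no traffic fields
        return None
    return Flow(ipaddress.ip_address(rec["srcaddr"]),
                ipaddress.ip_address(rec["dstaddr"]),
                int(rec["dstport"]), int(rec["protocol"]), rec["action"])

def segment_of(addr):
    """Name of the segment an address belongs to, or None if unsegmented."""
    return next((name for name, net in SEGMENTS.items() if addr in net), None)

def is_east_west(flow):
    """Both endpoints inside the VPC: the flow never crosses the perimeter."""
    return flow.src in VPC_CIDR and flow.dst in VPC_CIDR

def find_violations(flows):
    """Accepted East-West flows the segment policy does not permit.

    An ACCEPT here means security groups/ACLs let through traffic the policy
    says should not exist, i.e. a gap in the segmentation itself."""
    return [f for f in flows
            if is_east_west(f) and f.action == "ACCEPT"
            and (segment_of(f.src), segment_of(f.dst), f.dport, f.proto) not in ALLOWED]

def fan_out(flows, threshold=3):
    """Internal sources that touched >= threshold distinct internal hosts.

    REJECTed attempts count too: a foothold probing its neighbours mostly
    produces rejects, and that is exactly the signal we want."""
    peers = defaultdict(set)
    for f in flows:
        if is_east_west(f) and f.src != f.dst:
            peers[f.src].add(f.dst)
    return {str(src): len(dsts) for src, dsts in peers.items() if len(dsts) >= threshold}

def analyze(log_text):
    """Run both checks over raw flow-log text and return a summary dict."""
    flows = [f for f in (parse_record(l) for l in log_text.splitlines() if l.strip()) if f]
    return {
        "total": len(flows),
        "east_west": sum(is_east_west(f) for f in flows),
        "violations": [(str(f.src), str(f.dst), f.dport) for f in find_violations(flows)],
        "fan_out": fan_out(flows),
    }

# Constructed sample: one North-South flow, two policy-conformant East-West
# flows, one web->db ACCEPT the policy forbids, three SSH probes, one NODATA row.
SAMPLE_LOG = """\
2 123456789012 eni-0a1b2c3d 203.0.113.7 10.0.1.10 51234 443 6 12 4800 1533000000 1533000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.10 10.0.2.20 40001 8080 6 20 9000 1533000000 1533000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.2.20 10.0.3.30 40002 5432 6 30 20000 1533000000 1533000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.10 10.0.3.30 40003 5432 6 5 400 1533000000 1533000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.10 10.0.2.20 40004 22 6 3 180 1533000000 1533000060 REJECT OK
2 123456789012 eni-0a1b2c3d 10.0.1.10 10.0.2.21 40005 22 6 3 180 1533000000 1533000060 REJECT OK
2 123456789012 eni-0a1b2c3d 10.0.1.10 10.0.2.22 40006 22 6 3 180 1533000000 1533000060 REJECT OK
2 123456789012 eni-0a1b2c3d - - - - - - - 1533000000 1533000060 - NODATA
"""

if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```

Run against the sample, the script reports seven usable records, six of them East-West, one policy violation (the web host reaching the database directly on 5432, which an ACCEPT proves the security groups allowed) and one host, 10.0.1.10, that touched four distinct internal peers. The two findings are deliberately different alerts: the violation says the segmentation has a hole to close, while the fan-out says a host is exploring, whether or not the probes succeeded. In production the records would come from the S3 bucket or CloudWatch Logs group the flow log is delivered to, and the threshold would be tuned per segment rather than fixed at three.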
By monitoring and controlling cloud infrastructure using these tools and techniques, companies can mitigate some of the risks associated with this new, virtualized infrastructure while enjoying some of its benefits, such as improved elasticity and potential cost savings.
Expect a skills gap. These refined management approaches will present an entirely new challenge to existing administrators used to working with more traditional network management systems. Companies should not underestimate the task of recruiting or training experts able to manage API-based software-defined infrastructures. But with the right team in place, cloud-focused organizations should be able to build infrastructures that include a dynamic, adaptable security platform.
Danny Bradbury has been a technology journalist since 1989. He writes for titles including the Guardian newspaper, and Canada’s National Post. Danny specialises in areas including cybersecurity, and also cryptocurrency. He authors the About Bitcoin website, and also writes a regular blog on technology for children called Kids Tech News. You can follow Danny on Twitter at @DannyBradbury
© 2018 SolarWinds MSP Canada ULC and SolarWinds MSP UK Ltd. All rights reserved.
The SolarWinds and SolarWinds MSP trademarks, service marks, and logos are the exclusive property of SolarWinds MSP UK Ltd. or its affiliates. All other trademarks are the property of their respective owners.