Cloud security can be a bit confusing at times. What comes with the topic are lots of contradictions. That’s without a doubt.
For example, Tom Mornini co-founded Engine Yard. He wrote a commentary piece for ZDnet that compares cloud security to the Maginot Line.He describes how an on-premise environment can be a trap in some ways. You think it is safe behind lock and key. But intrusions continue due to any number of factors. He argues that the public cloud may actually be more secure. He freely admits himself that his position may seem counter intuitive.
“While it may sound counter-intuitive, I firmly believe that applications deployed to public clouds will prove to be more secure than those deployed on private clouds. Why? Because the on-premise approach to security is the modern day equivalent of the Maginot Line: Data security can only be guaranteed if the data is entirely secured from attacks from all directions. Putting data in a building secured by a guard in front of a large steel door is not the answer to today’s security problems!”
It may seem implausible that data is safer outside the walls of the data center. The problem? The data is difficult to observe as it flows through a virtual network. Tools are needed to observe how that data flows. By watching the data, abnormalities can be examined.
Mornini makes the point that cloud security needs to go above and beyond what has been traditionally developed to protect the traditional enterprise.
Protecting the Virtual Network
In many respects, security is defined by how the network can be observed and protected from an attack.
Gary Kinghorn of the Hewlett-Packard Tipping Point team says that as more apps move onto the network the potential for attacks do intensify. A malicious app may attack another app. For instance, an app with credit card data may be attacked by a botnet. The question cons down to whether the data will be safe as it travels between virtual machines.
Tipping Point monitors this virtual machine traffic with its Intrusion Prevention System (IPS) appliances. The IPS analyzes the content of a packet traveling over a network. Tipping Point’s competitors include McAfee, which markets a software-based IPS. McAfee was acquired by Intel last week.
VController is the Tipping Point software that sits in the hypervisor. It watches the traffic between virtual machines and redirects it appropriately to the IPS box if needed.
Since the traffic is passed through the IPS, it is inspected and filtered with TippingPoint’s Digital Vaccine service, which uses security intelligence from TippingPoint and information from outside researchers.
The system integrates with VMware’s VCenter, providing the capability to detect all the virtualized hosts and deploy policies accordingly.
Malware developers have their sights set on cloud computing. If apps can be hijacked in a virtual network then it creates a new dimension to what exploits are possible.
In the meantime, it’s up to the security software market to develop a new generation of first-class technologies to counter the skepticism that is so predominant in today’s market.
Hewlett-Packard covered the airfare and hotel expenses for the author to attend the company’s HP Networking Day.
