Traditional security solutions were designed to identify threats at the perimeter of the enterprise, which was primarily defined by the network. Whether called firewall, intrusion detection system, or intrusion prevention system, these tools delivered “network-centric” solutions.
Innovation was slow because activity was dictated, in large part, by the capabilities, and limitations, of available technology resources. Much like a sentry guarding the castle, they emphasized identification and were not meant to investigate activity that might have gotten past their surveillance.
Originally, firewalls performed the task of preventing unwanted, and potentially dangerous, traffic. Then security vendors started pitching “next generation firewalls,” which were based on a model that targeted applications, users and content. It was a shift that provided visibility and context into the data and assets that organizations were trying to protect.
Modern environments require a new approach
Now, with modern architectures, threats that target public clouds (PaaS or IaaS platforms) demand a new level of insight and action. These platforms operate differently than traditional datacenters: applications come and go instantaneously, network addresses and ports are recycled seemingly at random, and even the fundamental way traffic flows has changed. To operate successfully in modern IT infrastructures, you have to reset how you think about security in the cloud.
Surprisingly, many organizations continue to use network-based security and rely on available network traffic data as their security approach. It’s important for decision makers to understand the limitations inherent in this kind of approach so they don’t operate on a false sense of security. A purpose-built cloud solution is the only thing that will provide the type of visibility and protection required.
The limits of “next generation firewall”
Security teams in modern environments must first realize that in the cloud, most traffic is encrypted; that means the network has no ability to inspect it. Even if you could perform a “Man in the Middle” attack to decrypt the data, the scale and elasticity of the cloud would make the current Next-Generation Firewalls useless.
In an IaaS environment, applications are custom-written, which means there are no known signatures that can identify the app. The application becomes identified based on its security profile, and that can change based upon how it’s used. For example, the security profile and behavior of a database application will differ in its communication patterns depending on whether it serves HR or Finance use cases. From a launch perspective, however, they are the same application, and a next generation firewall cannot distinguish between them to understand the application behavior or required policy. Likewise, the same user working on the same application in a production environment versus a development environment will still have a different security profile.
As environments increasingly make use of containers and orchestration systems like Kubernetes, as well as serverless computing, they present even more challenges for outdated security tools. These new types of workloads are built from microservices, an innovation that befuddles next generation firewalls because they are blind to how microservices work.
An approach built for the cloud
One of the greatest cloud security challenges comes from the fact that the cloud delivers its infrastructure components, things like gateways, servers, storage, compute, and all the resources and assets that make up the cloud platform environment, as virtual services. There is no traditional network or infrastructure architecture in the cloud.
Deploying workloads into the cloud can quickly involve complex sets of microservices and serverless instances that function in fluid architectures that change every few minutes or seconds, creating a constantly changing security environment. Here are some of the common security challenges presented by the cloud:
- Infrastructure as code
- Machine-based alerts do not make sense, and individual machines cannot be used as the unit for understanding applications
The combined effect of all this innovation? Exponential growth in a cloud environment’s attack surface. A busy cloud environment can generate as many as hundreds of millions of connections per hour, which makes threat detection a much more challenging proposition. Of course, attackers are well aware of these vulnerabilities and are working frantically to exploit them.
The only way to secure a continuously changing cloud environment is through continuous approaches to security. These security functions need to include the following capabilities:
- Continuous anomaly detection and behavioral analysis that is capable of monitoring all event activity in your cloud environment, correlating activity among containers, applications, and users, and logging that activity for analysis after containers and other ephemeral workloads have been recycled. This monitoring and analysis must be able to trigger automatic alerts. Behavioral analytics makes it possible to perform non-rules-based event detection and analysis in an environment that is adapting to serve continuously changing operational demands.
- Continuous, real-time configuration and compliance auditing across cloud storage and compute instances.
- Continuous, real-time monitoring of access and account activity across APIs as well as developer and user accounts.
- Continuous, real-time workload and deep container activity monitoring, abstracted from the network. A public cloud environment provides limited visibility into network activity, so this requires having agents on containers or hosts that monitor orchestration tools, file integrity, and access control.
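The first and last capabilities in this list (a learned behavioral baseline instead of static rules, and analysis that follows a workload across recycled container instances) are easier to see in code than in prose. The Python script below is an added example written for this article; it is not Lacework's product or code. Every event, principal name, IP address, container id and workload label in it is constructed, and the unified `Event` schema, the stable `workload` label and the `spike_factor` threshold are assumptions of this example, not fields of any real cloud provider's audit log.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    """One activity record, whether from a cloud API audit trail or a host agent (constructed schema)."""
    ts: int          # seconds, constructed timeline
    workload: str    # stable label that survives recycling: user, role, or deployment name
    instance: str    # ephemeral identity: session ARN or container id (kept for after-the-fact analysis)
    kind: str        # "api" or "process"
    action: str      # API call name or executed binary
    source: str      # caller IP for API events, parent process for process events


@dataclass(frozen=True)
class Alert:
    reason: str      # "new-action", "new-source" or "rate-spike"
    workload: str
    instance: str
    action: str
    detail: str


class BehaviorBaseline:
    """Learns a per-workload profile from a training window; no signatures, no hand-written rules."""

    def __init__(self):
        self.pairs = set()                 # (workload, action) combinations observed
        self.sources = defaultdict(set)    # workload -> sources it was seen coming from
        self.rate = Counter()              # (workload, action) -> count in baseline window
        self.window = 1                    # baseline window length in seconds

    def learn(self, events):
        ts = [e.ts for e in events]
        self.window = (max(ts) - min(ts)) or 1
        for e in events:
            self.pairs.add((e.workload, e.action))
            self.sources[e.workload].add(e.source)
            self.rate[(e.workload, e.action)] += 1

    def analyze(self, events, spike_factor=5.0):
        """Return alerts for events that deviate from the learned profile."""
        alerts = []
        ts = [e.ts for e in events]
        obs_window = (max(ts) - min(ts)) or 1
        counts = Counter((e.workload, e.action) for e in events)
        first_seen = {}
        for e in events:
            key = (e.workload, e.action)
            first_seen.setdefault(key, e)
            # Keyed on the stable workload label, so a recycled container is judged against
            # its predecessor's behavior while the alert still records the new instance id.
            if key not in self.pairs:
                alerts.append(Alert("new-action", e.workload, e.instance, e.action,
                                    f"{e.kind} action never seen for this workload"))
            elif e.source not in self.sources[e.workload]:
                alerts.append(Alert("new-source", e.workload, e.instance, e.action,
                                    f"first activity from source {e.source}"))
        # Rate check: scale the baseline count to the observation window and flag large excursions.
        for key, observed in counts.items():
            if key in self.rate:
                expected = self.rate[key] / self.window * obs_window
                if observed > spike_factor * max(expected, 1.0):
                    e = first_seen[key]
                    alerts.append(Alert("rate-spike", e.workload, e.instance, e.action,
                                        f"{observed} events vs ~{expected:.1f} expected"))
        return alerts


def baseline_events():
    """Constructed quiet period: one user, one CI role, one web container, all behaving normally."""
    ev = []
    for i in range(10):
        ev.append(Event(i * 60, "alice", "alice", "api", "s3:ListBuckets", "203.0.113.10"))
        ev.append(Event(i * 60 + 5, "ci-deploy-role", "ci-deploy-role", "api", "s3:PutObject", "198.51.100.5"))
        ev.append(Event(i * 60 + 10, "web", "web-7f3a", "process", "nginx", "containerd-shim"))
    return ev


def observed_events():
    """Constructed later window: the web container has been recycled under a new id."""
    ev = [
        Event(1000, "alice", "alice", "api", "s3:ListBuckets", "203.0.113.10"),                    # normal
        Event(1001, "alice", "alice", "api", "s3:ListBuckets", "192.0.2.77"),                      # new source
        Event(1002, "ci-deploy-role", "ci-deploy-role", "api", "iam:CreateUser", "198.51.100.5"),  # new action
        Event(1003, "web", "web-9c1e", "process", "nginx", "containerd-shim"),                     # normal, new instance
        Event(1004, "web", "web-9c1e", "process", "sh", "nginx"),                                  # new action
    ]
    ev += [Event(1010 + i, "web", "web-9c1e", "process", "nginx", "containerd-shim") for i in range(50)]
    return ev


def detect_anomalies(training, observed):
    baseline = BehaviorBaseline()
    baseline.learn(training)
    return baseline.analyze(observed)


if __name__ == "__main__":
    for a in detect_anomalies(baseline_events(), observed_events()):
        print(f"{a.reason:10} {a.workload:15} {a.instance:15} {a.action:16} {a.detail}")
```

Run as-is, the script raises four alerts from the constructed data: the user acting from an address never seen before, the CI role issuing an API call outside its profile, the recycled web container spawning a shell, and a burst of process activity far above the learned rate. The point of keying the baseline on a stable workload label rather than the container id is the one the list above makes: the evidence is retained and attributed correctly even though `web-7f3a` no longer exists by the time an analyst looks.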
Moving beyond - WAY beyond - next generation firewall
New security tools designed to deeply monitor cloud infrastructure and analyze workload and account activity in real time make it possible to deploy and scale without compromising security. When operating in the cloud, businesses need to know that their infrastructure remains secure as it scales. They need assurance that they can deploy services that are not compromising compliance or introducing new risk. This can only happen with new tools designed specifically for highly dynamic cloud environments, tools that provide continuous, real-time monitoring, analysis, and alerting.
About the author:
Sanjay Kalra is co-founder and CPO at Lacework, leading the company’s product strategy, drawing on more than 20 years of success and innovation in the cloud, networking, analytics, and security industries. Prior to Lacework, Sanjay was GM of the Application Services Group at Guavus, where he guided the company to market leadership and a successful exit. Sanjay also served as Senior Director of Security Product Management for Juniper Networks, and spearheaded continued innovations in the company’s various security markets. Sanjay has also held senior positions at Cisco and ACC. He holds 12 patents in networking and security.