Log4j/Log4Shell

Log4j Vulnerability Response Center. Get Informed Now

Back to blog results

July 24, 2019 By Sumo Logic

Cloud Security: What It Is and Why It’s Different

The principles of data protection are the same whether your data sits in a traditional on-prem data center or in a cloud environment. The way you apply those principles, however, are quite different when it comes to cloud security vs. traditional security. Moving data to the cloud introduces new attack-surfaces, threats, and challenges, so you need to approach security in a new way.

Organizations typically have a mix of traditional IT and cloud services, so security solutions need to protect both. The security controls in place for the data center may not be suitable for new challenges introduced in the cloud. Big data, the new skills required of security teams, and compliance and regulatory requirements all add to the complexity and cost of cloud security solutions.

The good news is that there are security solutions available to address the challenges. Ideally, you want a solution that minimizes the load on your security team, as well as the training time required to support the solution. It also needs to address the new cloud security threats, while still protecting traditional systems. Understanding the differences between cloud security vs. traditional security is key to finding the right security solution.

Cloud Security Threats

Cloud and traditional IT environments need to protect against many of the same threats. Even though the threats may be the same, new solutions are needed to protect resources in the cloud. The cloud may introduce new threats, as well.

Containers, Microservices, and Serverless

Applications in the cloud often run serverless, as microservices, or in containers. Traditional security solutions are not equipped to handle these newer technologies. Threats can and do go undetected.

Elastic Scalability

The cloud is the dynamic and elastic in nature. The frequent, sudden, and hyperscale changes seen in the cloud would cripple many traditional security solutions.

Hybrid and Multi-cloud

Another unique challenge is hybrid and multi-cloud architectures. Monitoring and analysis of traffic traversing multiple clouds from different providers are difficult with on-premises security solutions.

It makes sense that the best way to address security threats in the cloud is with a cloud-native security solution. These solutions are built in the cloud with the capabilities to handle today’s varied architectures.

Why Cloud Security is Different

Cloud-native security solutions, built specifically to protect cloud resources, excel where traditional on-premises security solutions struggle. Here’s a breakdown of how cloud and traditional security solutions address major challenges:

Challenge

Cloud Security

Traditional Security

Visibility

Monitoring of both on-premises and cloud resources. On-premises resources across different locations can be monitored without having additional security appliances at each site.

Monitoring of on-premises resources, but only limited monitoring of cloud resources.

Deployment

SaaS model eliminates the need to deploy hardware or software. Saves time on change management, facility, provisioning, etc. Runs on an established platform, so deployment issues are rare.

Security appliances must be procured, shipped to each site, installed, and configured. Given the new infrastructure and initial configuration, deployment issues are common. Gartner says that over 50% of SIEM deployments fail.

Time to Value

Rapid deployment, built-in and updated content, updated use cases, simplified user experience gives you to get started on security in just few hours or days.

Typical project lifecycle—procure, ship, install, configure, tune—causes slow time to value. Long cycles for updating, managing, and running the use cases, etc. Most deployments run more than 9 months and you cannot usually see value in the first year.

Maintenance

Handled by cloud service provider (CSP). The vendors usually update the platform every day and update features and bugs more frequently. It is typical for cloud vendors to have 12 releases a year where software/ appliances will be updates once a year.

Handled by in-house IT and security teams. This is a big point of failure. We see more customers looking for cloud solutions after they go through a maintenance cycle and stop seeing value.

Total Cost of Ownership and ROI

Opex based

Consumption model

Subscription based

No long term contracts

Easy to replace vendors if there is no fit

Low risk solutions

Payback is typically 6-9 months

Subscription cost covers almost 70% of the TCO

Capex based

Big budgetary investments

Long planning and deployment cycles

Multiple groups from security, IT, facilities, ops, DevOps, to LOB, and apps are all involved

Licensing cost is only 9% of the TCO. HW/SW/facilities and other hidden costs are involved.

Tough to predict the pricing for the next quarter/ year

Updates and Patches

Cloud vendors take care of updates and patches through the shared responsibility model

Low risk of vulnerabilities for unpatched systems

Requires periodic maintenance windows and planned outages

Unpatched systems are a big threat for security

Capacity planning and elasticity

No planning needed for capacity

Elastic scaling takes care of unplanned capacity planning

Seasonality, peaks, and burts are handled effortlessly

HW, SW, and licensing needs to be planned for over capacity for occasional bursts or peaks

Your TCO is designed on seasonal peaks

Extreme bursts lock you out of tools when you need the most

Cloud Security and Log Management

Logs are the Cornerstone of Security Best Practices.

Anyone who has worked in the field of Information Security for any length of time will tell you: there is a lot of security and security-relevant data out there in the enterprise. Access logs, database logs, application logs from web, email and other services are all useful and sometimes essential in bringing a security investigation to a successful conclusion. Of course, traditional firewalls alone generate a tremendous volume of logs, and web-proxy log volumes can be staggering. Intrusion Detection Systems (IDS) are very noisy, and then you have the Anti-Virus logs, the DHCP logs, Active Directory or LDAP logs, authentication logs from disparate operating systems spread across the globe (often in different time-zones).

But is Log Management your Core Competency?

There is meaning and value that an experienced security analyst can glean from this ocean of data, but simply managing it all and getting it all into a place where the analysts can access it, while ensuring proper access controls, (and yes, logging access to the sensitive logs may be a requirement in many cases!) and maintaining the complex and expensive tools required to wrangle all of it can be a huge burden to your bottom-line. Security teams already face the burden of being a cost center and struggle in the face of increasing threats and decreasing budgets to secure an increasingly distributed and heterogeneous environment, and they do not need the added overhead of heavy and high-maintenance tools.

Large-Scale, Cloud-Based Data Management and Analytics Platforms May Fill the Gap.

By putting all of the complex and operationally intensive data management into the hands of a specialized cloud provider you can focus your security budget on defense in depth and incident response rather than the overhead of your log data. Recent advances in Big Data management and NoSQL technologies have finally started to allow for the types of analytics and correlation security analysts have long sought after, but that most enterprises do not have the resources to develop or support. Enter the cloud-based Big Data provider. They have built their platforms to scale using these technologies from the ground up, and integration with Infrastructure as a Service (IaaS) providers allow them to affordably and programmatically scale their systems to meet your changing log volumes, resulting in lower costs to you for access to cutting-edge technological platforms.

In the Cloud, Security Fundamentals are Still Measurable.

Of course, there are security concerns about trusting your potentially sensitive log data to a cloud provider, but there are number of factors that you should consider objectively when weighing these risks. First off, consider the security policies and practices in place within your service-provider, and are they doing more or less than you yourself are able to do to secure your data? I think you will find that there are certainly plenty of cases where the cloud providers can and do provide excellent security measures that are above and beyond what many enterprises can afford or enforce.

Also consider what types of security practices and certifications are followed and held by the underlying infrastructure services? Many IaaS providers (such as Amazon Web Services and Rackspace) maintain stringent security certifications well beyond what many enterprises themselves can provide in terms of security, availability, and compliance.

You need to weigh the risks introduced by your provider against the benefits of greater data visibility, faster and less manpower-intensive investigations, and a reduced bottom-line. And finally, consider that cloud infrastructure and service providers have a tremendous disincentive to be lax on their security. Typically a given enterprise does not stake its entire reputation and business model around its security practices, however cloud providers are at much more risk of complete brand-destruction should their defenses be breached.

Why Traditional Security Fails Today

Traditional on-premises security provides analysis and insight using a Security Information and Event Management (SIEM) system. Most of the SIEM systems running today were not designed with cloud technologies in mind. In fact, the 2018 Global Security Trends in the Cloud report shows that 93 percent of respondents say current security tools are ineffective for the cloud.

“. . . many assert that several traditional categories such as security information and event management (SIEM)—which create cumbersome silos of data, analytics, and workflow—should be completely rethought for the cloud.”

Dave Frampton

The main function of a SIEM system is to aggregate and correlate log data, mostly from other security systems such as firewalls and intrusion prevention systems. Rules are set up to generate alerts when certain conditions are met. Security teams can then take action based on the alerts.

Security teams that monitor SIEM systems often face alert fatigue, having to react to high volumes of alerts. Even with logic built into the systems to reduce and prioritize alerts, analysis of the alerts can be an arduous and exhausting process.

Being rule-based, the system also needs to be configured and tuned to get the most urgent alerts to the top priority level and to reduce false positives. That, of course, also falls on the shoulders of already stressed security teams.

Properly configuring SIEM rules takes a lot of planning based on an in-depth knowledge of the topology being monitored. Any change in topology means going back to the drawing board. Rule-based systems work fairly well in a static environment. Cloud environments are anything but static.

Why Cloud Security Is Essential

The cloud computing characteristics that are driving the move to the cloud are exactly the reasons a new security model is needed. Cloud environments are constantly changing—by design.

According to the National Institute of Standards and Technology (NIST) definition, cloud computing uses “computing resources (e.g., networks, servers, storage, applications and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.” This has manifested itself today in the form of containers, microservices, and serverless computing.

These newer technologies provide the hyperscalability and elasticity of cloud computing. Services are spun up and taken down to meet demand and transient events. Traditional security cannot react to these changes in an effective way.

Cloud security is different by necessity. It is designed to understand and react to the dynamic aspects of cloud computing. It can ingest data from containers that traditional security methods would never have known existed. Cloud security is the only way to effectively secure resources in cloud computing environments.

What the Cloud Needs to Be Secure

In order to be secure, the cloud needs cloud-native security solutions that meet these criteria:

  • Visibility into containers, microservices, and serverless
  • Ability to monitor and analyze transient and elastic workload data
  • A holistic view of the entire threat surface
  • True software-as-a-service (SaaS) security solutions

Cloud Security

There are many security solutions delivered from the cloud today, including SIEM, firewall, IPS, and others. It is important, however, to differentiate those that are cloud-native from those that are really just “lift-and-shift” traditional security solutions that have been moved into the cloud.

For example, running firewall software on a virtual machine in the Amazon Web Services cloud is not a cloud-native solution. It is a traditional firewall running on an infrastructure-as-a-service (IaaS) platform.

SaaS for True Cloud Security

Cloud-native security runs on a true software-as-a-service model. One of the benefits of SaaS is that the software vendor is responsible for the entire service stack, from the hardware through to the application.

By contrast, IaaS uses a shared responsibility model in which the cloud vendor is only responsible up to the virtual machine. You are responsible for everything from the operating system up to the application. That means that as transient demand changes occur, you would have to manually provision additional resources to match the demand of your cloud resources, a task that humans could never keep up with.

Visibility into containers and microservices

Traditional security solutions do not have to ability to view activity within a container and events across containers and microservices. This leaves you blind to threats. Cloud security is aware of containers and microservices, being purposefully built to see the threats against them. A cloud security analytics platform provides insight that a traditional SIEM solution would miss.

Cloud-native Capabilities for Elasticity and Scalability

Cloud computing environments are dynamic, with frequent transient events. In order to keep up with changes in scale and demand, cloud security must be just as agile, having the same elastic and scalable capabilities.

The Sumo Logic security analytics platform delivers on the promise of cloud security. Sumo Logic uses a true SaaS model. Sumo can view activity within containers and across microservices. There are apps and integrations for many specific cloud services such as Docker containers and Amazon EC2 Container Services for deeper insight into those services and applications.

Complete visibility for DevSecOps

Reduce downtime and move from reactive to proactive monitoring.

Sumo Logic Continuous Intelligence Platform™

Build, run, and secure modern applications and cloud infrastructures.

Start free trial

Sumo Logic

More posts by Sumo Logic.

People who read this also enjoyed