Cloud Security: On Moats

After a recent snowstorm, and due to pending work on our generator, I had to dig out paths to the generator, the propane tank, etc. We normally dig out a few paths for moving wood around our yard, access to oil, the driveway, etc. But when we finished, we dug a moat around our entire house. This got me thinking about cloud security. The ongoing desire to put moats between us and the attackers. But what is us, in the cloud? Can we prevent the attacks? What are the current moat style technologies in play today?
There are several moat style technologies available, then include:

• Traditional in-line firewalls
• More advanced firewalls who kill ‘bad sessions’
• Application specific firewalls
• Sandboxes

And what do all these have in common? They are trying to limit but not remove all threats.

Sandbox – Moats around an attack

Take a look at Sandbox technology, such as from Bromium. This technology can only run on bare-metal and allows the attacks to happen. It does not prevent the attacks, but it prevents the spread of attacks. In essence, the attack was allowed into through the gate, but the moat around the attacked application disallowed the spread of the attack to other critical systems. This is the case for any sandbox technology. If the attack was not prevented from reaching the application, a sandbox limits the attack surface. Symantec Critical System Protection (CSP) works in the same manner. Both of these technologies look use whitelists to allow certain actions but all within the context of the sandbox. There is a moat around the application.

Firewall – Moats before an attack

When we look at a firewall on the other hand, we have a Moat that blocks attacks from getting to the other side. While a Sandbox contains an unknown attack, a firewall blocks a known attack and perhaps some unknown ones if the firewall uses whitelisting instead of blacklisting.  Some firewalls attempt to tell you which users are involved in attacks (or really any action), but that often requires the firewall to be the hub of communication. With a cloud or virtual environment we have a proliferation of firewalls that blacklist traffic from one part of the network from another.

We need both types of Moats

We all use moats within our network and cloud designs. Firewalls used to be only at the edges, but they are being used to divide tenants, etc. We have a proliferation of firewalls but we do not have a proliferation of technologies that will contain unknown attacks. This is crucial as unknown attacks are what cause the most damage. We cannot prepare for them, but we can contain them when they happen. It is definitely an important concept for multi-tenant clouds where we want to contain a tenant within their own networks and systems.
Do we have enough defense in depth to use both types of Moats? Should the moats be at the edges of the network, before each virtual machine, before the application, or surrounding the data? What happens if we move a virtual machine, application, or the data, does the definition and requirements of the moats involved move with the construct?
This is the end goal, to wrap a security context around an object. Or in other words each object has its own moat.