Traditional Security Lagging against the Scale of the Cloud

I came away from HP Protect 2013 wondering if current security sold by the traditional security players will actually scale to the hybrid cloud. Are these security tools still system-centric, or are they changing to be data-, user-, and app-centric? I feel that this move has started but has far to go. I do not think many of the current batch of traditional security services implemented in data centers today can scale properly. In order to understand the scale of the cloud, we first should give some basic numbers:

• Billions of  transactions per day or even per hour
• Heavily multithreaded multiprocess applications
• Tens of thousands of VMs per application (large scale web app)
• Petabyte scale databases + middleware

Traditional Security

When we look at this with traditional networking, the logical network looks quite straightforward (top row of figure 1 below).

However the physical aspect of the above appears to possibly duplicate and if not triple bandwidth requirements, as the security currently implemented in many data centers uses big iron and physical appliances for many of its aspects (lower row of figure 1 with all the plumbing lines of a layer-2 network). If we enter the virtual network just after or just before the load balancer, we then may need to reroute traffic out of our virtual network to each of the security devices in turn (at worst). This could duplicate or even triple our bandwidth requirements:

1. Data enters virtual network
2. Data is routed out to an external security device
3. Data is routed back into virtual network

When we look at this flow, the entry into the network is one set of bandwidth for the packets. The same packets are sent to the security device, which makes the second set of data. Finally, the data is routed back into the virtual environment, which is our third set of data. This process, in the worst case, repeats for each security device.
Now, this is if you want to pull traditional security modules into your private cloud instead of extending these devices into the cloud by using distributed virtual security appliances. If instead you want to add security in as a tenant, things are quite a bit different, depending on the cloud you use.

Traditional Security Inside a Tenant

For example, you want to add traditional security into your cloud tenancy, such as Amazon, Salesforce, or Dropbox, you are out of luck; you generally cannot add it, and the logging you get from cloud services for audit purposes is severely limited. In general, if you want to add traditional security into a cloud, you need to convince the cloud provider to do it just for you, which is a difficult discussion. We are now looking at the cloud component of our secure hybrid cloud (Figure 2 below)

There are three parts to our secure hybrid cloud that are of interest:

• Transition – The transitional component of a secure hybrid cloud contains all those items that either allow access to or move data between multiple cloud instances, between those clouds and a data center or centers, and between the end user computing device and clouds and data centers. The transitional component is fairly fluid yet traditional security approaches can play within this arena, if the transition is contained within a controlled area, unfortunately, that may not actually be the case. Check out these other posts:
  • End User Computing within the Secure Hybrid Cloud
  • Identity in the Secure Hybrid Cloud
  • API Security within the Hybrid Cloud
  • Data Protection for the Hybrid Cloud

• Cloud – The cloud includes all those places outside our immediate control where data could end up or be taken from. In some cases, it is even used to further our transitional goals. This is where APIs tend to live. However, the chances of adding traditional security into this aspect of the secure hybrid cloud is generally not possible without great expense (and the fact that you will end up in a managed hosted environment over a cloud). Check out this other post:
  • Validate throughout the Stack: AFORE CypherX
• Data Center – The data center is generally within our control and could be a private cloud or just a collection of virtual and physical machines. The data center may transfer data between multiple data centers or  back and forth to the cloud.  Within the data center, which is generally under our control, we can attempt to add in traditional security approaches. Check out these other posts:
  • Analytics within the Secure Hybrid Cloud
  • Logging within the Secure Hybrid Cloud

In discussions at HP Protect, most attendees and vendors said they will place traditional security at the bastion before we enter the cloud. Okay, I buy that if your users are forced to go through that bastion, but think of Salesforce; users can access it from their mobile device without the need to go through your datacenter. So, the security measure does not work in its entirety. If there is an attempt to limit this access, there will be a rebellion. But what about other tools in the cloud? They all have web interfaces and mobile apps for management. Given this, if you place security at the edge of your datacenter, it will most likely be bypassed, which means it is a false sense of security. In addition, it is an attempt to close the barn door after the horses have left. We really need to place our security within the transition layer of our secure hybrid cloud via a common identity store, possible use of gateway devices, and enhanced end user computing security tools.
The answer still seams to be, put a firewall, IDS, IPS, in front of something and we are safe, ignoring how users really use cloud services. We are missing cloud scale security. How do you protect your cloud services?
¹ HP paid for my trip to HP Protect and this concept and thoughts came out of that trip.