Demystifying Cloud Security
Technology Brief: Demystifying Cloud Security
Contents
Introduction
Definition of “the cloud”
Cloud security taxonomy
Cloud Infrastructure Security
Tenant-based Security
Security of Cloud Applications
Processing Security in the Cloud
Clean Pipes – A Critical Cloud Security Category and Its Solution Paths
Pros
Cons
XO® Hosted Security offerings
About StillSecure
About XO Hosted Security
Additional Resources
Solutions you want. Support you need.
XO Communications
Introduction
The running trend in the IT industry is that every new solution has the “cloud” label. Every
organization is either consuming or providing “cloud” services. Even the mainstream
press has latched on and is hyping “the cloud.” Unfortunately, there are nearly as many
definitions of the cloud as there are people or companies interpreting it.
Even industries that are connected to the cloud are in a fog about defining it. And if
the cloud isn’t defined, then how can downstream users that rely on secure solutions
understand the offerings? As subjective as definitions may be, our goal with this brief
is to provide a framework that demystifies cloud security and allows you, the business
decision maker, to quickly and easily map capabilities and solutions to the unique needs
of your organization. As the market continues to evolve rapidly, taxonomy will continue to
adjust accordingly, as keeping current with technology and trends is critical.
This paper defines “the cloud”, offers an overview of how the market is structured, and
finally presents a deep dive into one specific category with a state-of-the-art solution,
XO’s Hosted Security.
Definition of “the cloud”
Let’s take a very simple and broad definition of “the cloud” and start from there. Put
simply, “the cloud” encompasses any Internet-based solution that provides a computing,
platform, or application infrastructure based on a pay-for-what-you-use model that can
easily expand or contract based on an organization’s needs. At its most basic, “the
cloud” simply refers to the Internet and the millions of servers that connect to it. So a
cloud-based solution means that you are getting an application or a service through a
server you are accessing through the Internet. Generally, cloud solutions are not located
on your premises and do not require you to deploy any additional physical equipment.
There are two basic cloud delivery models: Public, an open, multi-tenant solution
where you can be provided with computing, storage, platform, or application capabilities;
and Private, similar to public cloud in terms of capabilities, but provided for a single
company, or tenant. In either model, a provider can deploy services to provide cloud
computing solutions that range from Infrastructure as a Solution (IaaS), the provisioning of
processing, storage, network and other fundamental computing resources, to
hosted applications and Software as a Solution (SaaS), the provisioning of software applications
running on cloud infrastructure.
Given that the market has not yet settled on what can be called “cloud,” we have
segmented the various types of cloud-based security solutions and offer a description of
each of them, rather than create a single, strict definition.
Cloud security taxonomy
Similar to the over-arching definition of the cloud, the cloud security sub-set is amorphous
and difficult to define. In this paper, we also take a broad approach to defining cloud
security as we believe it best suits the reader. While vendors are all clamoring to claim their
version of cloud security is the best, our goal is to allow you to create a comparison model
for looking at cloud security. We have broken down the cloud security category into five
major components. They revolve around two themes – security of the cloud infrastructure
itself and security accomplished within the cloud.
Cloud Infrastructure Security
Companies that provide computing and storage infrastructure (IaaS) are keenly
aware that their infrastructure operations must be secured. These providers
spend a great deal of time and resources securing their facilities and the
computing environment to embed security into their service-delivery platform.
To accomplish this goal, an infrastructure provider can employ a variety of
security measures: access controls, video monitoring of the physical plant,
technical controls to restrict access to the computing environment, perimeter
security that restricts Internet traffic from the outside, administrative controls
to protect each virtual machine, and encryption of stored data. This category of
solutions cuts across all of the providers’ customers and is macro in nature.
Individual customers of the cloud provider cannot customize their security to their
own thresholds because resources are shared. Of course, the inherent advantage
of cloud computing is also its security vulnerability: anybody can quickly
implement the computing, storage, and bandwidth that they need, all for a small
amount of money. A critical test of any provider is how well its
solution meets the security needs of its customers.
Tenant-based Security
Another significant category of IaaS cloud security is tenant-based security. For
most user organizations, a cloud provider’s over-arching security alone will not
suffice to meet their computing environment security needs. As a result, a company
may need a category of solutions that can protect its infrastructure and data
in ways that go beyond a service provider’s standard offerings. These solutions are known
as “tenant-based security” because they can be deployed and controlled by the
customer at its option. They will likely be placed within a customer’s
cloud instance by the customer in coordination with its service provider. For
example, a customer/tenant may place individual security solutions (e.g., access
controls, encryption, etc.) within their virtual environment or require that traffic to
and from their network pass through a “gateway” solution. These tenant-based
solutions customize the configuration and manage security on a per-customer
basis to meet each customer’s particular needs. This allows individual customers to benefit from
the economy of scale and, at the same time, build a security solution that fits their
unique needs.
Security of Cloud Applications
Cloud applications (e.g., Customer Relationship Management (CRM), file storage, and
productivity applications) in a SaaS environment often have some form of embedded
security features to help customers protect their data. Some providers encrypt all customer
data, while others offer applications that allow a customer to choose what data to encrypt
and when (e.g., at rest, in transit), to help customers avoid and minimize the negative
effects of data security breaches. Some providers have built their cloud service offerings
with security solutions at the very foundation of their service and have built their reputation
on providing safe storage of their customers’ data. With standard features and available
tools like these, enterprise customers can be more confident that their data is safe and that
only authorized users can access that data. Enterprises will continue to expand their use
of these applications, and as a result, there will be a growing need for solutions that bridge
the gap from the enterprise’s own security model to that of the SaaS application provider.
Processing Security in the Cloud
Another segment that often falls under SaaS cloud security is related to security events
that are processed in the cloud. These events are piped to a processing center in the
cloud, but the traffic itself is not sent to the security provider in the cloud; only the security events
are sent to the provider. As an example, an intrusion detection and prevention system (IDPS) can identify and deflect pre-determined or
targeted attacks, and then provide notification of the event and the corresponding action
taken. The events are processed by the security provider and then made available to a
cloud customer, typically displayed in a customer-facing portal. This fits within the cloud
security category because the processing of the security events is done in the cloud and
by a third-party provider. Many of these provider companies call themselves “managed
service providers”, but might also consider themselves cloud security companies.
Clean Pipes – A Critical Cloud Security Category and Its Solution Paths
Perhaps one of the most significant benefits of the cloud is the ability to have traffic
processing done off-site and outsourced to a third-party, without consuming valuable
customer computing resources. A significant part of any security solution is focused
on providing “clean bandwidth” to organizations. The architecture of these solutions is
relatively straightforward. The enterprise pipes its inbound or outbound traffic through
a service that cleanses the traffic. This is often done with solutions such as intrusion
detection / prevention, anti-spam, content filtering, and Web-based firewalls. These
functions all lend themselves to having traffic sent to “the cloud” where it is filtered
and then sent on to its destination. This approach minimizes on-premises
equipment requirements, leverages experts to handle the security application, and employs
pay-per-use metrics. Additionally, it filters malware out before it reaches the customer’s
premises, rather than delivering it to the customer’s premises before unwanted packets can
be filtered out or discarded. This is often considered cloud security because the security
function is truly happening in the “cloud” and organizations do not have to invest in the
equipment, people, software, and processes to accomplish a large number of tasks.
“Clean pipes” is one of the most exciting innovations in the security space. By
implementing this type of solution, organizations can expect clean bandwidth as a
result. Malicious traffic can be identified and filtered out before it reaches the customer.
Customers don’t need to be saddled with the problem of trying to separate legitimate
from rogue traffic, purchasing and operating complex expensive equipment, or assigning
personnel to keep pace with identifying and stopping risks in order to protect their network.
Instead, organizations are provided with bandwidth or network traffic that is “cleaned”
when it arrives.
The architecture of the system is relatively straightforward. All traffic passes through a
cloud security solution that is set up to filter inbound and outbound traffic. Ideally, this
solution is hosted by an Internet service provider to keep latency low and reliability high.
As the traffic is routed to a customer’s cloud security solution, that service can cleanse
the traffic based on the firewall rules and security policies applied by the customer to
meet their needs. A clean pipes service can help rid the traffic of malicious packets and
inappropriate content. After the traffic is inspected and appropriate action is taken, it is
then forwarded to the enterprise or up to the Internet.
The clean pipes approach is growing in popularity; however, it is not for every organization.
A brief overview of the pros and cons of the approach is given below.
Pros
• Minimal customer intervention - No additional on-premise equipment and no additional personnel
required to manage the solution, in most cases.
• Managed by security experts - The solution is managed by a security company that performs this
work 24x7x365 with a team of trained experts.
• Cost effective - The provider gains from economies of scale and is able to provide a solution that is
more cost-effective than doing it yourself.
• Customer control - The customer maintains control of what they want their security profile to be, and
has the ability to modify their security profile as business needs grow or change.
• Business centric - By relying on security experts, enterprises can focus on their core business rather
than the “chore business” of security.
• Bandwidth efficiency - Helps ensure bandwidth is being used for valid business purposes.
• Consistency - Policies are applied consistently across the enterprise, as they are defined in the cloud.
Cons
• Latency - Enterprises may experience increased latency, as their traffic is hauled to the security
provider’s Unified Threat Management (UTM) platform location.
• Customer control - Actually, it’s the perception of loss of control, because multi-tenant cloud
services are an outsourced solution. A third party is managing your security and, therefore,
organizations often perceive a loss of control. This is much more of a perception than it is a reality.
Firewalls and security policies are defined by the customer, and implemented by an experienced
security engineer on their behalf.
• Existing equipment - A cloud solution may or may not leverage a customer’s existing equipment,
and thus, a significant investment may not be required. But if the on-premise solution is difficult
to manage and no longer provides the optimal levels of security and cost savings, then there isn’t
much point in staying wedded to the existing equipment. (Though odds are it still has value to your
organization for other purposes such as proprietary applications).
For all these reasons, the clean pipes category of cloud solutions is extremely promising
and will only grow over the coming years. The benefits of the approach are significant and
as it becomes more difficult and expensive for organizations to secure their networks, they
will seek different and unique ways to do so.
XO® Hosted Security offerings
XO, in partnership with StillSecure, has developed a high-quality Hosted Security solution
that provides a portfolio of security features in a modular design, meaning the customer
can pick and choose only the features they need, and can easily add features as the
need arises. The XO Hosted Security solution is a fully managed suite of network-based
security products that is designed to protect enterprise networks and is easy and cost-effective
to deploy. The solution helps shield the network infrastructure and applications from being
compromised or disrupted by security threats.
The XO Hosted Security offering leverages the security expertise of StillSecure, a leading
managed security service provider. StillSecure Security Operations Centers (SOCs)
review security events and provide alerts 24x7 to help ensure that customer networks
are protected.
About XO Hosted Security
XO® Hosted Security is a Security-as-a-Service offering that gives companies more
flexibility to deploy and manage comprehensive network-based security. The solution
provides high-speed, unified threat management capabilities and advanced technology,
and supports customers 24/7 through a certified security partner, StillSecure. XO Hosted
Security includes next-generation network-based firewalls; intrusion detection and
prevention, including Distributed Denial of Service (DDoS) protection; secure web and
content filtering; and secure remote access to the company network. Since all of the
security applications reside in the cloud, organizations with widely distributed operations
can implement robust security services without having to manage and maintain the
equipment and infrastructure at each location. XO Hosted Security is fully integrated with
the award-winning XO MPLS IP-VPN intelligent networking service. For more information,
visit www.xo.com/gethostedsecurity.
About StillSecure
For IT executives facing escalating security threats and evolving compliance requirements,
and data centers looking to cement long-term customer relationships, StillSecure designs
and delivers managed network security and certified compliance solutions so you can
focus on growing your core business.
StillSecure unites our security experts with our certified processes and innovative
technologies to provide holistic solutions that eliminate the need for dedicated resources
juggling multiple vendors, products and requirements, as opposed to vendors with
uncertified partial fixes, or worse, self-audited solutions.
Additional Resources
For more information please call 1-866-349-0134 or visit
http://www.xo.com/HostedSecurity. You can also check out more on the XO Pulse blog at http://blog.xo.com,
or the StillSecure blog at http://www.thesecuritysamurai.com. Follow us on Twitter:
http://twitter.com/XOComm or http://twitter.com/securitysamurai and
http://twitter.com/stillsecure.
© Copyright 2012. XO Communications, LLC. All rights reserved. XO, the XO design logo, and all related marks are trademarks of XO Communications, LLC. XONSWP-0412
About XO Communications
XO Communications is a leading nationwide provider of advanced broadband communications
services and solutions for businesses, enterprises, government, carriers and service providers.
Its customers include more than half of the Fortune 500, in addition to leading cable companies,
carriers, content providers and mobile network operators. Utilizing its unique combination of high-
capacity nationwide and metro networks and broadband wireless capabilities, XO Communications
offers customers a broad range of managed voice, data and IP services with proven performance,
scalability and value in more than 85 metropolitan markets across the United States. For more
information, visit www.xo.com.