A data center is a fixed environment where applications run on dedicated servers that can only be accessed by authorized users. In contrast, a cloud environment is dynamic and automated, where pools of computing resources are available to support application workloads that can be accessed anywhere, anytime, from any device. For the experienced information security professional, it seems that many of the principles that make cloud computing attractive run counter to network security best practices. What follows are the top three considerations for securing traditional and cloud-based data centers, as well as key requirements for cloud security.
The security risks that threaten a data center and network today change once applications move to the cloud, whether in a complete migration or in a hybrid scenario in which some applications move to the cloud while others remain on premises. In fact, in several ways, the security risks faced when moving to the cloud become more significant.
For example, many data center applications use a wide range of ports, rendering traditional security measures ineffective when those applications are moved to the cloud. Cybercriminals are creating sophisticated port-agnostic attacks that use multiple vectors to compromise their target, hiding in plain sight using common applications to complete their mission.
For decades, information security best practices dictated that mission-critical applications and data be separated into secure segments on the network. Often, this is referred to as Zero Trust: never trust, always verify.
On a physical network within the enterprise data center, Zero Trust is relatively straightforward to implement through the use of firewalls and VLANs (i.e., virtual LANs), managed by policies based on application and user identity.
In a cloud computing environment, direct communication between virtual machines within a server occurs constantly, in some cases across varied levels of trust. This makes segmentation a difficult task, especially given that cloud applications are based on the notion of shared resources. Mixed levels of trust, when combined with a lack of intra-host traffic visibility by virtualized port-based security offerings, will likely introduce a weakened security posture.
Virtual workloads can be created or modified in minutes. As such, cloud computing teams operate in a highly dynamic environment, with workloads being added, removed and changed constantly.
By contrast, the security configuration for this workload may take hours, days or weeks. Security delays are not designed to create roadblocks. Rather, they are the result of a process that is designed to maintain a strong security posture. Policy changes need to be approved, the appropriate firewalls need to be identified, and the relevant policy updates determined.
Unless this imbalance is understood and addressed as part of the cloud migration, the result is a discrepancy between security policy and cloud workload deployment. The result is a weakened security posture that can put important data and intellectual property in danger and might also cause violations of compliance and governance policies and regulations.
To learn more about securing traditional and cloud-based data centers with next-generation firewalls, read the whitepaper.