CLOUD SECURITY: Securing Your Data in a Digital Age


    The new ‘oil’ of our generation is data. This data isn’t benign; it’s extremely valuable, and it’s also a big target. However, to support growing data, application, and digital requirements, leaders in the tech and business space are turning to cloud for improved scalability, performance and user experience. Today, organizations are deploying more cloud platforms to support an ever-growing distributed user base.

    DDoS ATTACKS

    Let’s start here: over the past few years, there have been more DDoS attacks against more IT infrastructures all over the world. These attacks have evolved from simple, volumetric attacks to something much more sophisticated. Basically, these attacks are downright vicious against our networks.

    Now, attackers are using application-layer and HTTP attacks against certain targets within an organization. Consider this: DDoS attacks are larger than ever before. Arbor Networks’ 13th annual Worldwide Infrastructure Security Report illustrates this point very clearly:

    • The largest attack reported by a service provider was 600 Gbps. Ten years ago, the largest attack was 8 Gbps.
    • Complex, multi-vector attacks are experienced by 59 percent of service providers.
    • Demand for managed DDoS mitigation services is strong across the board. The top five verticals requesting managed services are financial, government, cloud/hosting, e-commerce and education.

    Remember, service providers aren’t the only target. Even though Arbor reported that the largest attack against a service provider was 600 Gbps, some enterprises aren’t as lucky when they become direct targets. Just about a year ago, in 2018, 1.35 terabits per second of traffic hit the developer platform GitHub. All at once. This was the most powerful distributed denial of service attack ever recorded to date.

    It’s important to point out that it’s not just DDoS. Although you should be working with a partner that can mitigate a DDoS attack, cloud security goes beyond link saturation and denial of service. You also need to worry about the physical aspect of securing your cloud and ensuring data security.

    SAFELY SECURING YOUR CRITICAL APPLICATIONS

    CLOUD & VM-LEVEL SECURITY

    There’s a bit of a misconception around security that happens deep inside the virtualization, virtual machine, cloud, and even container level. In fact, new solutions have introduced powerful data-driven security solutions that proactively analyze for malicious code, malware, viruses, and other security holes. Furthermore, these solutions, when deployed either within the hypervisor or on the network, will actually scan for anomalous behavior, even if they don’t necessarily know what the data is, and block or quarantine the threat.

    This is far beyond traditional antivirus solutions and even firewalls. To keep up with advanced persistent threats (APTs), you’ll need to look for security solutions that actually integrate into the hypervisor and with your cloud solution. Here’s the other cool part: many of these next-generation security options can actually improve the performance of your cloud and applications. For example, in many cases, you wouldn’t even need to deploy a client at the VM level. So, you don’t have to sacrifice performance for security. These types of solutions are specifically designed to help you secure data points, improve user experiences, and mitigate emerging risks.

    Other tools allow you to inject solutions like software-defined networking (SDN) and network functions virtualization (NFV) right into your cloud ecosystem. These tools help you segment networks, insert virtual network security monitors, and incorporate significantly better reporting and alerting tools. This is where you start to get into the proactive nature of cloud security. That is, these solutions can actually scan for malicious behavior and adjust your network accordingly.

    This holds true for DDoS attacks and link saturation. It’s important to note that DDoS attacks have only become more ferocious as they target more systems and grow in size. Working with a good cloud and data center partner means having additional bandwidth should an attack occur. From there, incorporating good security tools deep into your application and virtualization layer will help secure core data points.

    CLOUD MEANS MULTI-TENANCY, SERVICES, USER EXPERIENCES & MANAGEMENT

    Remember, cloud also means being ready for some high levels of multi-tenancy. Your virtual infrastructure must support a large number of users all sharing resources. Within the realm of cloud and security architecture, it’s absolutely critical to understand how users are interacting with applications and data, and how you can effectively isolate resources. This basically means controlling the flow of data. To make this happen, you’ll need to incorporate intelligence into your network, cloud, and overall data center ecosystem. Policies will allow you to segment user groups, applications, and entire regions for both security as well as compliance requirements. So, not only are you controlling your VMs and hypervisor, you are effectively managing your cloud to help it operate effectively. That said, it’s absolutely critical to focus on data and the flow of information throughout your cloud.

    When you look at network data, how information flows through your ecosystem, and where it might leave your cloud, you can control data delivery as well as quality of service (QoS) based on the classification of the workload. This basically means you have the ability to classify data and even applications. Furthermore, you’re able to see how that data interacts with users, cloud resources, and distributed locations. The most important piece to remember here is that there is no one security solution that’ll solve all of your IT and business requirements. Rather, a security solution is much more of an architectural approach and can be truly contextual. To create truly powerful cloud security designs, you’ll need to understand your users, how they interact with data and applications, and how various use cases will impact your security strategy. And, when you define your business and technology use cases, the security architecture becomes clearer and easier to define.

    Need to isolate your data for data locality purposes? Work with a partner and system that can support this initiative and help geofence entire data sets and applications. Or, maybe you’re working with governance, risk, and compliance. In this case, it’s absolutely critical to leverage solutions that can help you stay compliant while still delivering a powerful solution. Challenge your partners and be sure to ask good questions to ensure both security and positive user experiences.

    ENFORCING COMPLIANCE & SECURITY FOR YOUR CLOUD

    It’s important to focus on the topic of compliance a bit more. Many industries that were once limited in terms of what they could do with cloud now have many more options. That said, what if you could enforce PCI-DSS, HIPAA and Sarbanes-Oxley compliance all from one management plane – all for your own cloud environment? The good news is that you can now integrate on-premises resources with a respective cloud ecosystem. Furthermore, there are amazing technology and cloud partners that’ll actually help make cloud and compliance much easier to design. That said, it’s very important to validate your partner’s ability to support governance, risk, and compliance (GRC) workloads. This might mean asking for certifications, ensuring there are personnel that can support compliance workloads, and that there are already customers using the architecture.

    For example, if you’re a healthcare organization and you want to leverage cloud, you’re in luck. Updates to HIPAA now allow for cloud and data center partners to work with and process protected health information (PHI) and other potentially sensitive data points. However, that same partner needs to have signed a business associate agreement (BAA) to process PHI as well as other types of data. Again, it’s completely possible to work with cloud even if you’re in an industry where compliance can be a challenge.

    Here’s another example. Others in the online or retail space have created powerful e-commerce gateway platforms for PCI-compliant workloads. In these cases, you can isolate the flow of data, create payment and processing gateways, and even ensure that data only flows within specific regions as needed. This is a great way to offload processing to a cloud or data center partner while still staying agile and compliant.

    Compliance aside, your security model should not complicate the way you manage cloud and your data center. In fact, good partners will actually help you design around simplicity and security. Most of all, they design around user experience. This means working with advanced solutions that support virtualization, new types of applications, working with new data-driven solutions, and much more. When it comes to cloud security and user experience, it doesn’t have to be either one or the other. New designs now allow you to have the best of both worlds.

    NEVER FORGET THE PHYSICAL ASPECT OF CLOUD SECURITY

    Can your cloud or data center provider ensure physical intrusion protection? Do they have armed and well-trained security personnel? Can they pass a SOC audit? You can have all the connectivity and space in the world, but if security is in any way lax, you’ll have challenges down the line. Maintaining strong security regulations on the physical side of cloud is just as important as ensuring virtual machine and data security. There have been numerous issues where open rack doors, unsecured servers, or even lost drives have all presented serious security issues. When creating your own cloud strategy, be sure to examine the physical security capabilities of your provider.

    Again, threats against cloud and data center operators are only getting more advanced, persistent, and targeted. In the latest AFCOM State of the Data Center report we saw the top 5 infrastructure threats facing today’s data center. These include:

    • Ransomware: 56%
    • Outside threats (human): 48%
    • Advanced Persistent Threats (Theft of IT and/or corporate data): 44%
    • Inside threats (human): 42%
    • Loss of PII (personally identifiable information): 40%

    When it comes to deploying a cloud, your strategy really does need to be holistic. That is, be sure to look at all security design aspects as you architect your own cloud model. This may even mean hiring a security team to do things like penetration and vulnerability testing.

    Cloud security doesn’t have to be complicated. In fact, a good partner will actually help guide the design to simplify management while still helping the organization grow. Security solutions can now be deeply integrated into the virtualization, cloud, and even physical layers. All of this translates to better user experiences, simplified and centralized management, and greater capabilities to respond proactively to evolving threats.

    Ultimately, a good design also gets you user and customer confidence. Remember, mitigating risk not only helps with brand image and your stance in the market, it will absolutely help your organization leverage more cloud options in a digitally connected world.