18Apr
ShieldX earns top marks in customer product review
Uncategorized

ShieldX was reviewed by our customer, the Larry H. Miller dealership group. Some highlights:

  • For other security professionals who are looking for something which is low in cost that does microsegmentation, they should look at ShieldX.
  • With Illumio, you have to install an agent on every server, and you don’t have to do that with ShieldX, because it is agentless.
  • What I like about it now is that it has a single pane of glass to view our networks and groups.

The full review is here: https://www.itcentralstation.com/product_reviews/shieldx-review-60870-by-branden-emia.
07Feb
ShieldX Earns Perfect Five Star Rating
Uncategorized

SC Media has published its February 2019 “cloud-based security management” group test, which included a review of ShieldX’s Elastic Security Platform product. You can view the five star review here.

Some highlights:

  • With the capability to have a single pane view into any environment, along with dynamic scaling, visibility and discovery across a multi-cloud infrastructure, this product is worth adding to the top of your list. Full stack protection is offered with FireEye, APP-aware ACL, DLP, malware detection, full-flow packet capture IDS/IPS threat detection and prevention, virtual tap, URL inspection for reputation and classification/filtering, unique anomaly detection, and micro-segmentation.
  • Every workload and application in your data center will be fully mapped automatically without agents.
  • Automating infrastructure, security and applications helps ensure microservices are inserted when and where they are needed. These microservices are inserted directly into infrastructures. This allows for automated intent-based security policies.
  • Security Analytics has a unique component called Indicator of Pivot (IoP) which is based on kill chain methodology.
  • With a fast time-to-value return after a quick 30-minute installation, operational efficiency increases visibility and discovery seamless across a multi-cloud structure with a single pane view into any environment using tools you know.
  • Weaknesses: None that we found.
30Jan
The Rubric Automated Security Policies
Business

No matter how security focused an organization is, the cloud era has brought a new set of issues tied to lack of visibility and control over what gets deployed and where it’s deployed. This is why automated security controls are critical to keeping critical information from being exposed and, more importantly, leaked.

Today, TechCrunch reported a security flaw at Rubrik, a major IT security and cloud management provider, that could have led to the exfiltration of key customer data had it not been caught. The article noted that a server, which was part of developing a new customer support system, was improperly configured, leaving the data at risk of being exfiltrated. It would be easy to point the finger at Rubrik and say they are responsible; however, the truth is that in a constantly changing environment such as the cloud, it is difficult for us as humans to ensure all systems are properly protected during provisioning and migration of workloads and applications.

Many organizations deployed in Azure and AWS assume they are automatically protected by native cloud security controls. This is a perfect example of how those controls are not sufficient to protect workloads that are rapidly provisioned and constantly migrated as agile development delivers new applications to support customer functionality and business operations. But even with a solid level of security in place, the system could still have gone unnoticed. This is where automation becomes important.

Preventing this type of issue is exactly why ShieldX was founded. With ShieldX you can set Application Aware ACLs to be applied automatically to servers as they are provisioned or migrated. This means ShieldX security policies would have been applied to the Elasticsearch service and guaranteed the same access restriction no matter where it appears in the cloud environment. With ShieldX, customers get “Layered Security and Layered defense” by means of “ACLs/Micro segmentation” and an Indicator Of Pivot modeled around the “Cyber Kill chain”, providing a single pane of glass for security controls deployed on-premise, in AWS and in Azure. With ShieldX in place, organizations like Rubrik can create automated policies that apply the appropriate security controls as systems come online. Finally, enterprises can focus on defining the appropriate security intent and have the cloud native security platform offered by ShieldX transform that intent into actual policy and a rich set of controls, with automation and orchestration to increase security posture and reduce TCO.
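To make the intent-to-policy idea concrete, here is an added example (not ShieldX code, and not tied to any product API) that compiles role-level intents into address-level ACL rules and recomputes them whenever a workload comes online, so a search index provisioned in another cloud inherits the same restrictions as the on-premises one. The workload names, roles and addresses are constructed for illustration.

```python
"""Added example (not ShieldX code): compile role-level security intents into
address-level ACL rules, and recompile whenever a workload comes online so the
new instance inherits its role's restrictions regardless of which cloud it is in.
All workloads, roles and addresses below are constructed for illustration."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Set

ANY_PORT = 0            # wildcard port in a Rule
INTERNET = "0.0.0.0/0"  # wildcard source


@dataclass(frozen=True)
class Workload:
    name: str
    role: str      # application label, e.g. "support-web" or "elasticsearch"
    cloud: str     # "onprem", "aws" or "azure"; deliberately ignored by the policy
    address: str   # IPv4 address


@dataclass(frozen=True)
class Intent:
    src_role: str  # the pseudo-role "internet" means any source address
    dst_role: str
    port: int


@dataclass(frozen=True)
class Rule:
    src: str       # IPv4 address or CIDR
    dst: str
    port: int      # ANY_PORT matches every port
    action: str    # "allow" or "deny"; evaluation is first match wins


def compile_policy(inventory: List[Workload], intents: List[Intent]) -> List[Rule]:
    """Expand intents into address-level allow rules, then append a default deny
    for every inventory address so that any access not stated as intent is blocked."""
    by_role: Dict[str, List[str]] = {}
    for w in inventory:
        by_role.setdefault(w.role, []).append(w.address)
    rules: List[Rule] = []
    for it in intents:
        srcs = [INTERNET] if it.src_role == "internet" else by_role.get(it.src_role, [])
        for src in srcs:
            for dst in by_role.get(it.dst_role, []):
                rules.append(Rule(src, dst, it.port, "allow"))
    for w in inventory:
        rules.append(Rule(INTERNET, w.address, ANY_PORT, "deny"))
    return rules


def _matches(rule: Rule, src: str, dst: str, port: int) -> bool:
    return (ipaddress.ip_address(src) in ipaddress.ip_network(rule.src, strict=False)
            and ipaddress.ip_address(dst) in ipaddress.ip_network(rule.dst, strict=False)
            and rule.port in (ANY_PORT, port))


def is_allowed(rules: List[Rule], src: str, dst: str, port: int) -> bool:
    """First matching rule decides; a flow matching nothing is denied."""
    for r in rules:
        if _matches(r, src, dst, port):
            return r.action == "allow"
    return False


def internet_exposed_ports(rules: List[Rule], w: Workload) -> Set[int]:
    """The check to run on every newly provisioned workload: which ports, if any,
    are reachable from any source. For a data store this should be empty."""
    return {r.port for r in rules
            if r.action == "allow" and r.src == INTERNET and r.dst == w.address}


# Constructed intents: only the support web tier is reachable from the internet,
# and only that tier may talk to the search index, on its service port.
INTENTS = [Intent("internet", "support-web", 443),
           Intent("support-web", "elasticsearch", 9200)]

ONPREM = [Workload("web-1", "support-web", "onprem", "10.0.1.5"),
          Workload("es-1", "elasticsearch", "onprem", "10.0.2.8")]


def provision(inventory: List[Workload], new: Workload) -> List[Rule]:
    """Simulates a workload coming online: the policy is recompiled from the updated
    inventory, so nobody has to remember to configure the new instance by hand."""
    return compile_policy(inventory + [new], INTENTS)


if __name__ == "__main__":
    es_dev = Workload("es-dev", "elasticsearch", "aws", "172.16.9.20")
    rules = provision(ONPREM, es_dev)
    print("internet-exposed ports on es-dev:", internet_exposed_ports(rules, es_dev))
    print("web-1 -> es-dev:9200 allowed:", is_allowed(rules, "10.0.1.5", "172.16.9.20", 9200))
    print("internet -> es-dev:9200 allowed:", is_allowed(rules, "203.0.113.7", "172.16.9.20", 9200))
```

The search index that appears in the second cloud gets no internet-facing allow rule at all, because the only thing the policy knows about it is its role.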

03Jan
PART III: AWS and Azure–Cloud security isn’t true security
Business

This is part III of III.

Solve it

If individual cloud-based security isn’t the quick fix customers are seeking, what is? Well, that was a trick question of course. There is no quick fix. There IS a fix, and that is a pre-planned, comprehensive stack that addresses your responsibility in cloud computing. These include, but are not limited to, segments such as the storage and exchange of customer data according to HIPAA compliance, GDPR, PCI-DATA, the SEC, and the list goes on.

When you go with a trusted multi-cloud provider like ShieldX, you replace the patchwork of features and providers with a high-visibility solution that addresses the above and more. You get your manager off of your behind when you remove those licensing and maintenance fees. Your costs go down. And instead of playing 3-D chess to avoid misconfigurations, you can breathe.

Some CISOs get started by consulting with their team, then building a map to show the missing pieces of their security apparatus and their solutions. Don’t forget to work with application owners to understand any potential threat vectors. A solid strategy will address:

  • Missing security apparatus
  • Threat vectors in application/components
  • Good security hygiene
  • Access control permissions

Regardless of the security approach you are planning in your cloud or multi-cloud environment, please do not go with a lift-and-shift approach. Understand the security implications of your presence by evaluating the differences and interplay between on-premises and cloud security. Then call us.

03Jan
PART II: AWS and Azure–Cloud Security Isn’t True Security
Technology

This is a continuation of a previous blog post.

Cloud security isn’t true security.

Digital transformation, the cloud, and the increased popularity of DevOps may have sped up your business practices and driven innovation. Unfortunately for network and security operations teams, the combination of these factors means a significant increase in the resource protection needed. Securing the above can become a complex, multi-vendor, multi-technology, and hybrid-cloud-environmental issue.

With limited resources and manual processes, it is difficult for cloud-based IT organizations to keep up with demand and document changes. While both Amazon and Azure provide too many services to detail in a short security article (Wikipedia maintains a list of Azure services for the curious), it suffices to say that with each cloud capability your company utilizes, the importance of securing your presence only increases. Now we’ll go into the most obvious reason security breaches are increasing on all cloud platforms: misconfiguration.

Cloud-provided security is a miss on misconfigs

With financial and time pressure only on the increase for CISOs, there’s a real temptation to “lift and shift,” or drop assets into a cloud without considering the security of their configuration and relationships to on-premises assets. Not the best idea.

We won’t mince words here: misconfigurations are THE BIGGEST driver behind breaches today. The skyrocketing rate of poorly configured cloud infrastructure is the major source of these breaches. According to Computing Cloud, problems arising from this one issue jumped by 424% this year, accounting for nearly 70% of compromised records over the year.

Computing Cloud’s 2018 Review notes that 86% of organizations cite data breaches and loss as the primary reason they hesitate to adopt the cloud. Unfortunately, a simple misconfiguration, even a failure to set a single option in a company’s cloud service, can create a major security risk. Take problems at Equifax, Cathay Pacific and others as an indicator of what’s to come when you leave the door open behind you.

So Retro-active!

Cloud companies are learning, but slowly, while customers are left to piece together their security after the fact. Some enterprise customers who already use Azure, for example, may extend Active Directory (AD) controls into the cloud so they can define “new” security controls using their existing AD controls. AWS is adapting to the new security customer by working toward enterprise-readiness in its network monitoring. It has a ways to go, though. Over time both platforms have added a few resources, but neither offers a comprehensive security stack.

The problem is that the cloud providers are securing their networks, not your applications. They are providing insight and monitoring of suspicious activity on their network but not on your databases. This is like a security guard that monitors the streets for suspicious activity when the actual suspicious activity happens at the homes they’re breaking into, not on the streets.

It gets even worse, though, because it’s still up to you to use all the security products they make available, AND to use them correctly. Meanwhile they are still learning how to properly provide them themselves. Add to that the fact that each cloud provider does it differently, and you’re looking at a security resource problem: you won’t find enough security staff to help you secure all the different types of cloud environments.

Now please ask yourself and your team if these add-ons, workarounds, and limited cloud-provided security insight are good enough, and consider alternative solutions. Some multi-cloud security vendors, ShieldX included, give customers a single viewpoint or “pane of glass” to define security policies and control. A micro-services driven approach with custom-built orchestration for discovery and scaling makes these solutions very effective in cloud migration.

Other features provided by ShieldX are important when it comes to cloud security readiness: the ability to micro-segment and do DPI for “threat protection” on the traffic to detect any threats within the E/W (core) network.

03Jan
PART I: AWS and Azure–Cloud Security Isn’t True Security
Technology

Like taking flight, most enterprise CISOs begin (and remain) building their security structure while their assets are on the ground, before transitioning a number of them to AWS or Azure cloud storage and apps. And rather than building on a cloud foundation from the very beginning of their business model, the most likely scenario for our readers is to have a fair amount of data still stationed on their own servers, even after their move to their cloud(s).

However these assets are positioned, assessment of your own security posture should take into account their configuration as well as their location, and cover everything in between. Below we go into the different considerations for secure AWS and Azure storage, as well as the importance of a holistic security plan for whatever your organization has decided to shift, or keep on premises.

The basics

In a general sense, AWS and Azure have grown more similar than apart. AWS was initially built to hold Amazon’s assets and information. Their data center was then converted to use for customers. So from day one, the security architecture was not built to allow customer control in several aspects, let alone the microsegmentation that you can only get from a third-party provider.

As for Azure, it launched in 2010, starting as an internal project for building and deploying Microsoft’s own applications, and is now a Fortune 500 favorite in the cloud game.

Add-ons add up

Neither AWS nor Azure features security as a pillar on their website, and there’s a reason for that. If there’s anything to take away from this article, it is that when it comes to security, anything put on the cloud falls under a shared responsibility model.

If you build an application, do anything on your own that holds customer data, or write code, that’s all your security responsibility. It works well only as long as every user has done their bit.

According to their marketing, both Azure Active Directory and AWS Directory Service profess their “reliability” and “scalability” and touch on security features that can basically be categorized into:

  • Visibility
  • Threat protection
  • Security assessment
  • Cloud configuration assessment, and
  • Policies and constraints, including varied microsegmentation

One security researcher summarizes that, though he prefers them for data protection, his main challenge with AWS is that “they don’t offer control over the subnet level. For a security provider to mitigate that issue we need to look at every machine’s traffic.”

We encourage you to visit both websites, or a comparison guide, for specifics, but let’s move forward. Azure’s Advanced Threat Protection offering, an add-on security feature, professes to:

  • Identify suspicious user and device activity with both known-technique detection and behavioral analytics
  • Analyze threat intelligence from the cloud and on-premise
  • Protect user identities and credentials stored in Active Directory
  • View clear attack information on a simple timeline for fast triage
  • Monitor multiple entry points through integration with Windows Defender Advanced Threat Protection

But comparison of in-cloud offerings is not the takeaway point of this article. Other articles do that. Our point is this: we believe any cloud’s security description should not satisfy you. You should leave a cloud’s website with multiple questions and assumptions. Cloud security isn’t true security. Never believe the hype.

Take the above bullets. You may ask yourself: how does Azure identify suspicious user activity via analytics when a user could be monitoring on-premise apps before breaking in, without suspicion? How do they analyze threat intelligence on premises? Would that require timely installation and automatic updates? Yes, Azure monitors multiple entry points, cloud entry points. Is every department of your company using the same cloud login? Is that a good thing?

So let’s pretend, with all your open-ended questions, you’ve opted to purchase their security plan. But you need more. To secure on-premise apps you’ve gone with an agent-based solution. A few other departments have added a patchwork of virtual appliances to supplement their data security. Like many companies, you may throw consistency out the window and inadvertently end up using multi-cloud/platform approaches even across divisions. Suddenly, in Q3, the CFO calls you in a panic, asking why vendors are emailing and asking for overdue licensing and maintenance fees.

We’d like to offer you a little reminder. Rather than relying on multiple add-on security providers, with an agentless network provider like ShieldX you consolidate and apply one set of controls across multiple platforms. This problematic nature of cloud security is why ShieldX devised the solution in the first place. But enough sales talk.

PART II coming tomorrow.

21Dec
Agentless Micro Segmentation: How Does ShieldX Do It?
Technology

At a recent trade show, I was asked: “How does ShieldX implement agentless micro segmentation?”  Not coincidentally, Gartner recently published a research note (login required) and called ShieldX out for its agentless technology, correctly calling us “microservices-based micro segmentation.”

How do we do it? ShieldX deploys a network-based architecture in which we insert into multi-cloud environments to collect and inspect infrastructure traffic for visibility, analytics and security control, instead of relying on endpoints (agents). We implement agentless network traffic inspection using an overlay network. Insertion is handled by the Segment Interfaces (SI) microservice. In a VMware ESXi environment, we use an SI on a trunk tap for Tap Mode, and Layer 2 VLAN bridging to SIs for Inline and Microsegmentation Mode. In an Azure environment, we use Flow Inspectors (FI), placed inline as a NAT provider for N/S traffic, and route traffic between workloads via User Defined Routes (UDR) for E/W traffic. In an AWS environment, we use the FI as a NAT provider for N/S traffic and use network encapsulation and route entries for E/W traffic. This ensures we are placed in the “Goldilocks Zone”: not on the system (too close), where it makes deployments, upgrades, testing and maintenance more difficult, but also not at the perimeter only (too far), where traffic cannot be rerouted and steered in a timely and effective way. This makes ShieldX the “just right” solution for all of your micro segmentation and cloud security needs.

But what is the most important impact? Frictionless deployment and maintenance, with no additional testing at every upgrade. I always say the proof is in the pudding: in their review of ShieldX, Alaska Airlines noted: “We evaluated vArmour and Illumio. They didn’t meet our requirements. ShieldX is a superior solution.” We deploy in just a few hours or less, and immediately begin to provide a full set of security controls and automated micro segmentation. Longer term, managing perpetual flux on an ever-changing network means that, with machine learning, making changes to a micro segmented network is easy. Again, quoting our customer: “The Adaptive Intention Engine is fantastic. It allows us to develop security policies using the language of our internal customers. It’s machine-learning applied to security workflows. That allows us to much more easily construct the policies that will protect those workflows.”

17Dec
VMware Security Analysis
Business

Data center virtualization was originally designed to improve the utilization rates of computing, networking and storage assets. As the early pioneer of such technologies, VMware grew to become the dominant vendor of data center virtualization software. Unfortunately, the popularity and rapid feature expansion of cloud providers have not been matched by the security solutions they offer alongside their data packages, which remain limited.

Unaware customers who migrate their assets via providers like VMware, without a holistic inter-cloud security strategy in place, are left both insecure and financially vulnerable.

While every cloud provider should be considered analogous, in this advisory we address VMware specifically, as both a trendsetting example and a leading cloud provider. Here we give users five reasons to consider an inter-cloud security approach when those assets are in play.

A successful software-defined data center implementation should support scaling of computing resources

This allows business units to add new applications rapidly and with enhanced DC security. This should be enabled in a VMware-powered data center, but it is not a feature VMware offers. A barely hidden secret in IT corners is that many previous loyalists have chosen to convert to AWS, prompting a rapid rise in demand for cloud computing and IaaS.

A comparison of the growth in AWS-based virtualization and VMware’s on-premise virtual servers illustrates the movement toward AWS.

Solution   2013    2014    2015    2016     2017
AWS        3,108   4,644   7,880   12,219   17,459
VMware     5,150   6,040   6,650   7,090    7,920 (*)

(All figures in $ million.)

(*) Restated to account for the Dell acquisition

 

The result has been that enterprises now own two separately virtualized assets. One is in their data centers with VMware, and the other is in AWS VPCs and/or Azure VNets. The public cloud has delivered economic benefits for them as well as more flexible control over their resources.

VMware’s virtual networking and security toolkit is not built to maximize security

While VMware has robust server virtualization offerings, its security features are simply too underdeveloped for the majority of customers’ needs.

To supplement them, customers turn to alternatives such as Cisco ACI and a multi-vendor mix for their security needs. Meanwhile, the cumulative cost to VMware customers keeps rising. Gartner has seen consistent adoption of these offerings over the past year, and Cisco now reports over 3,500 paying ACI customers. (Gartner MQ on Data Centers)

 

VMware never quite ‘got’ public cloud standards

VMware initially took an adversarial stance towards its competitors, which were of course public clouds, most notably Amazon’s AWS. Not only did VMware downplay the compelling benefits of AWS, but more importantly it did little to match their capabilities or provide alternative, legitimate pathways for customer workload migration.

VMware then followed up with its own public cloud solution, which experienced a myriad of growing pains. Its vCloud Air was sold to OVH in May 2017.

Add-ons add up

After launch, when it was forced to reconsider its position, VMware offered its cloud customers the option of deploying its virtualization toolset (VMware Cloud on AWS) on top of the already virtualized AWS cloud (functionality illustrated by VMPro).

The following table quantifies the cost of running VMware Cloud on AWS compared to native AWS virtual servers, with VMware providing no additional benefit.

Note the additional requirement to invest heavily in VMware’s private data center in order to access preferred pricing in AWS.

VMware on-premise license requirements                                     Yearly cost of 10 VMware servers on AWS (1)   Yearly cost of 10 AWS EC2 instances without VMware overhead (2)
100 CPUs of vSphere Enterprise Plus                                        $467,883                                      $193.20
100 CPUs of vSphere Enterprise Plus & 10 CPUs of NSX                       $441,890                                      $193.20
100 CPUs of vSphere Enterprise Plus & 20 CPUs of NSX and 20 VSAN licenses  $389,903                                      $193.20

(1) VMware data procured from their blog.

(2) AWS pricing is based on a standard reserved instance for a 3-year term, as derived from their pricing sheet.

VMware has not delivered on its promise of a robust security platform

When it comes to segmentation and threat prevention across the data center and public cloud, its customers are still waiting for answers. VMware has underdeveloped inter-cloud security offerings, and they are hampering customer adoption of true multi-cloud infrastructure.

Let’s go back to the very beginning of connective security, starting with virtual servers. Virtual servers naturally gave rise to virtual network switches, which connected them within a single physical server and across the data center. The servers needed to be segmented and inter-server traffic inspected for threats.

Initially, VMware offered the VMsafe API to allow partners to bring their expertise to bear in order to keep this virtual network safe for their customers. But after getting its partners invested in this approach, VMware abruptly canceled the API effort in favor of internally developed techniques. The outcome was that the virtual network suffered in its security posture compared to what was delivered on the physical network. This limited security foundation is unfortunately coupled with an aging virtual network and repackaged as an “inter-cloud” offering called NSX-T. NSX-T is not lacking in bold claims.

While the NSX-T design guide claims to provide “micro-segmentation for AWS workloads,” it does not offer any threat mitigation beyond the original NSX offering, which is limited to working on top of AWS with little support for other leading clouds such as Azure and GCP.

The security offered by NSX-T is based on basic firewall functionality for N-S traffic, coupled with the segmentation built into each vNIC.

NSX-T does not begin to address the fundamental requirements of a multi-cloud security solution. The security policy must be expressed as an intention to be applied not to VMs, but to operations from application workloads. The solution must work seamlessly across all major clouds.

Customers who have integrated their assets with VMware have been struggling to absorb and deploy this limited model as they look to mitigate inter-cloud security challenges.

Take a hint from a major utility company (whose name we are not disclosing), which had to deploy virtual firewalls in addition to NSX to protect its virtualized data center. Operationally, these dual security frameworks were challenging to maintain.

The customer was unsure, after all their efforts, whether they had the protection they needed. When they moved their workloads to AWS, the same data center security implementation could not be deployed there. The increasing opex and capex burdens, and reduced confidence in security, set back their timeline for moving additional workloads to the cloud.

VMware’s capitulation to AWS has resulted in a new marketing approach wherein VMs from the data center can migrate to AWS. As noted earlier, this doubles their customers’ spend and reduces their flexibility. Additionally, this migration is currently supported on AWS, but not on Azure or Google Cloud.

Meanwhile, VMware has taken to the airwaves stating that there are too many security offerings in the marketplace. The implication is that customers should turn to VMware for a simplified and seamless security umbrella.

Summary

Enterprise customers are attuned to VMware messaging, and some have absorbed its technology and marketing pitch. While VMware has robust server virtualization offerings, its security solutions are inadequate relative to its other features.

When what is provided does not meet their fast-changing usage needs, customers either turn to complex and costly add-on solutions or are otherwise hampered in their search for workload security across multi-cloud platforms.

Moving forward, enterprises should consider a true SDDC strategy that offers overarching protection for cross-platform assets. Don’t put blind faith in the security of your entire company as provided by whichever one of several cloud platforms you happen to use.

13Dec
ShieldX Product Reviews
Uncategorized

ShieldX has been fortunate to have our amazing customers write some amazing reviews of the Elastic Security Platform on IT Central Station. Both reviews can be accessed there, but we’ve summarized some highlights below. All are direct quotes; the emphasis is ours.

From the first product review:

  • ShieldX makes the cloud safer than on-prem deployments. That is because the number-one cause of security incidents today is human error, and those errors are often a result of very complex security structures. ShieldX makes it a lot easier and a lot simpler to define your policies and define your rules, and that greatly reduces the opportunity for user error.
  • ShieldX also enables us to migrate to cloud environments faster. That is an important part of it for sure because it takes the exact same policies that we would apply to our on-premise environment and enables us to simply apply them to the cloud. It becomes one policy for both on-prem and for the cloud.
  • The Adaptive Intention Engine is fantastic. It allows us to develop security policies using the language of our internal customers. It’s machine-learning applied to security workflows. That allows us to much more easily construct the policies that will protect those workflows.
  • It gives us a lower dollar-per-protected-megabyte than a traditional firewall, but it’s also consuming fewer resources in our network environment because we’re not having to send our traffic out of the virtual environment just to send it back in. It also helps with lower maintenance costs.
  • We switched to ShieldX because traditional firewalls are more expensive, and they require you to take all of your traffic outside of your virtual environment to inspect it and then return it back to the virtual environment. ShieldX lives inside of your virtual environment so it’s able to protect your workloads without having to send them north to a firewall only to come back down south to another resource.
  • We evaluated vArmour and Illumio. They didn’t meet our requirements. ShieldX is a superior solution and I can give you the quick differences: Illumio is really an orchestrator so it’s not providing security controls. It is managing the security controls provided by the operating system. It manages Windows Firewall, for example. vArmour, which is a closer comparison to ShieldX because it does provide security controls inside of the virtual environment, is one of those monolithic firewalls, so it does not scale as well.

From the second product review:

  • ShieldX has been designed from the very beginning to work well in cloud environments. It understands autoscaling, automation, and auto-configuration. These are the things which are important in today’s operating environment.
  • ShieldX ensures that we can have the separation needed for our environment to avoid drastically increasing the cost on the licensing side. From this perspective, it’s been very positive and helpful.
  • The Adaptive Intention Engine is important. The Adaptive Intention Engine explains what is the reason that we’re doing this security infrastructure, what are we trying to get out of it, and what’s the intent behind it? The problem with the way that things are done traditionally is you have an intent, but you now have to apply that intent in many places in order to achieve your goals. So, you end up with a duplication of effort in several areas. This is something which could take up quite a bit of time, both from an engineering, operations, maintenance, and troubleshooting perspective. If you have an issue now, you will need to look in two or three places to try and find the source of the issue. There was a lot of tracing which had to happen in our legacy operating method. In the new method, there is one place to design and apply a policy, which is simpler.
07Nov
Cathay Pacific: Get Off of My Cloud
Business

Just today, government authorities in Hong Kong launched a formal investigation into the breach to understand whether privacy laws were violated. While privacy laws are extremely important, the investigation should also focus on HOW this happened. While post-mortems for any breach are useful, I think this attack highlights a new category of cloud attacks we haven’t seen much before, but will see with increasing frequency.

First, a little about Cathay Pacific and their cloud deployment. Like many, they’ve adopted a multicloud strategy:

“In the past three years, Cathay Pacific has been making a shift away from legacy systems to the cloud,” says Aloysius Cheang, executive vice president for Asia Pacific at the Center for Strategic Cyberspace + Security Science, a U.K. think tank for cyber centric leadership. “It now employs a hybrid cloud as part of its strategy to replace their legacy systems,” he says.

The airline is using software from Red Hat to build the underlying open platform infrastructure, and it is using Amazon Web Services to hold customer-facing applications, such as the online check-in system, flight schedule, fares and web hosting, as was described during AWS Summit Hong Kong in 2017, Cheang points out. “As a result of these front-end apps, I presume that the customer data will be accessible from these apps which are hosted on AWS,” he says.

Last April, we wrote about the new attack surface that comes with cloud migration. One of the attacks, X-Cloud, seems to have been the attack method deployed against Cathay Pacific. By all measures, it was pretty successful: according to the headlines, hackers took 860,000 passport numbers and about 245,000 Hong Kong identity card numbers, and accessed 403 expired credit card numbers and 27 credit card numbers with no card verification value (CVV).

What is an X-Cloud attack? From our April blog:

Many enterprises are under the impression that they can go easy on security if they don’t host ‘critical workload’ or ‘sensitive data’ resources in the cloud, but they couldn’t be more wrong. Attackers commonly use public clouds to gain entry into on-premise data centers.

Once your organization makes the decision to migrate any workloads into the public cloud, the perimeter of your on-premise data center also extends into that public cloud environment.

So the appropriate defenses are needed, but the security controls used to protect your on-premise data center cannot easily extend into your public cloud environment.

This forces many organizations to adopt a fragmented security posture that is complex to maintain and leaves the door open for attackers. Public cloud workloads can become infected with malware. As the malware replicates and spreads, the attack can easily jump from the public to the private cloud using standard protocols—if there are no lateral defenses in place.

Cathay Pacific style attack patterns

Cathay Pacific moved application front-ends to the public cloud, extending their perimeter into the great beyond. Many companies discover quickly that you can’t easily keep your old security tools in front of those migrated workloads, as it would require those tools to migrate into the public clouds as well. Congratulations, you have a new attack surface.

In the past, the infrastructure was all on premise and shielded by comprehensive security controls. With the onset of cloud computing, now that the web tier is extended, how do you protect assets in this contorted new architecture?

Attackers understand this very well. One typical trick is to breach the web server in AWS and drop a backdoor accessible from the outside. Then they tell the backdoor to copy all the data from the database, which needs to be accessible to fulfill the web application’s purpose. However, data is typically served in parts, dependent on the authenticated user. With that backdoor, the authentication is bypassed, and the web server has access to the whole data set.

What is really important to note here is that even micro segmentation alone (!) wouldn’t protect against such an attack: the web server needs access to the data that it serves.
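Since the web tier legitimately holds a path to the database, the defender’s signal has to come from how that path is used rather than from whether it exists. The following is an added example, not code from the original post, that flags web sessions pulling far more rows than a per-user request would, or reading without any authenticated user bound to the request; the log format and every record in it are constructed for illustration.

```python
"""Added example: spotting a bulk read that arrives over the legitimate
web-tier-to-database path. Micro-segmentation permits this path by design, so
the signal has to come from how much data each web session pulls and on whose
behalf. The log format and every record below are constructed for this example."""
import statistics
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List

# Constructed format: one record per query the web tier ran against the
# customer database, tagged with the end-user session it served.
LOG_LINES = [
    "session=s-101 user=pax-4471 table=passengers rows=1",
    "session=s-101 user=pax-4471 table=bookings rows=2",
    "session=s-102 user=pax-9030 table=passengers rows=1",
    "session=s-102 user=pax-9030 table=bookings rows=4",
    "session=s-103 user=pax-1182 table=bookings rows=2",
    "session=s-104 user=pax-2207 table=passengers rows=1",
    "session=s-104 user=pax-2207 table=bookings rows=3",
    "session=s-105 user=pax-5540 table=bookings rows=6",
    "session=s-106 user=pax-7713 table=passengers rows=1",
    "session=s-106 user=pax-7713 table=bookings rows=2",
    "session=s-107 user=pax-3395 table=bookings rows=4",
    # A backdoor on the web server reading the table outside any user session.
    "session=s-bd user=- table=passengers rows=860000",
    # A valid login used to page through far more records than one traveller has.
    "session=s-dump user=pax-6618 table=passengers rows=5000",
]


@dataclass(frozen=True)
class DbRead:
    session: str
    principal: str   # authenticated user the request served; "-" means none
    table: str
    rows: int


def parse_line(line: str) -> DbRead:
    kv = dict(field.split("=", 1) for field in line.split())
    return DbRead(kv["session"], kv["user"], kv["table"], int(kv["rows"]))


def session_totals(reads: List[DbRead]) -> Dict[str, int]:
    totals: Dict[str, int] = defaultdict(int)
    for r in reads:
        totals[r.session] += r.rows
    return dict(totals)


def robust_threshold(values: List[int], k: float = 6.0) -> float:
    """median + k * MAD (scaled to sigma). Unlike a mean-based cutoff, a handful
    of enormous sessions cannot drag the baseline up and hide themselves."""
    med = statistics.median(values)
    mad = 1.4826 * statistics.median(abs(v - med) for v in values)
    return med + k * max(mad, 1.0)   # floor so identical sessions don't give zero spread


def flag_sessions(reads: List[DbRead], k: float = 6.0) -> Dict[str, List[str]]:
    """Returns session -> reasons for every session that looks like a bulk pull."""
    totals = session_totals(reads)
    cutoff = robust_threshold(list(totals.values()), k)
    reasons: Dict[str, List[str]] = defaultdict(list)
    for r in reads:
        if r.principal == "-" and r.rows > 0:
            reasons[r.session].append(f"read of {r.table} not bound to any authenticated user")
    for s, total in totals.items():
        if total > cutoff:
            reasons[s].append(f"{total} rows in one session exceeds baseline cutoff {cutoff:.1f}")
    return dict(reasons)


if __name__ == "__main__":
    for session, why in flag_sessions([parse_line(l) for l in LOG_LINES]).items():
        print(session, "->", "; ".join(why))
```

Both the unauthenticated backdoor read and the valid-login dump are flagged, while the seven ordinary sessions stay below the cutoff.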

So Willkommen (I’m Austrian) to the new realities of cloud security. In this new era, we have to break old habits and old ways of thinking rooted in yesterday’s security approach, and we have to admit to ourselves that the chokepoint approach won’t work anymore. For the CISO in today’s IT world, the security game has, in many ways, become a whole new model to work with. In years past, the name of the game was “containment, with chokepoints”. It was a tightly controlled world, and CISOs had the ability to lock it down and only allow dataflows through a select set of avenues.

What is the right way?  Let’s start with some inspiration from Mick:  https://www.youtube.com/watch?v=z8HHqUwKdP8

About Author

Ratinder Ahuja, Founder & CEO

Ratinder leads ShieldX and its mission as its central pivot point, drawing from a career as a successful serial entrepreneur and corporate leader, bringing with him his unique blend of business acumen, industry network and deep technical knowledge.