How Security Changes with Cloud Networking
In cloud computing there are two macro layers to infrastructure:
- The fundamental resources pooled together to create a cloud. This is the raw, physical and logical compute (processors, memory, etc.), networks, and storage used to build the cloud’s resource pools. For example, this includes the security of the networking hardware and software used to create the network resource pool.
- The virtual/abstracted infrastructure managed by a cloud user. That’s the compute, network, and storage assets that they use from the resource pools. For example, the security of the virtual network, as defined and managed by the cloud user.
All clouds utilize some form of virtual networking to abstract the physical network and create a network resource pool. Typically, the cloud user provisions desired networking resources from this pool, which can then be configured within the limits of the virtualization technique used.
There are two major categories of network virtualization commonly seen in cloud computing today:
- Virtual Local Area Networks (VLANs): VLANs leverage existing network technology implemented in most network hardware. VLANs are extremely common in enterprise networks, even without cloud computing. They are designed for use in single-tenant networks (enterprise data centers) to separate different business units, functions, etc. (like guest networks). VLANs are not designed for cloud-scale virtualization or security and shouldn’t be considered, on their own, an effective security control for isolating networks. They are also never a substitute for physical network segregation.
- Software-Defined Networking (SDN): A more complete abstraction layer on top of networking hardware, SDN decouples the network control plane from the data plane (Wikipedia has a good overview of SDN principles). This frees the virtual network from the traditional limitations of a physical LAN, such as the 4,094 usable VLAN IDs on a switch or a topology fixed by cabling.
Security challenges with cloud networking:
- The lack of direct management of the underlying physical network changes common network practices for the cloud user and provider. The most commonly used network security patterns rely on control of the physical communication paths and insertion of security appliances. This isn’t possible for cloud customers, since they only operate at a virtual level.
- Traditional network intrusion detection, where traffic between hosts is mirrored (via a SPAN port or tap) to a physical or virtual IDS, is generally not available in public cloud, because the customer has no access to the underlying switching fabric. Customer security tools must instead rely on an in-line virtual appliance or a software agent installed in instances. The first creates a chokepoint (and a single point of failure); the second adds processor overhead on every instance. Be sure you really need that level of monitoring before implementing it. Some cloud providers offer built-in network monitoring such as flow logs (metadata about connections, not packet contents) or a traffic-mirroring feature, and you have more options with private cloud platforms, but this typically doesn’t reach the fidelity of sniffing a physical network.
On the positive side, software-defined networks enable new types of security controls, often making it an overall gain for network security:
- Isolation is easier. It becomes possible to build out as many isolated networks as you need without the constraints of physical hardware. For example, if you run multiple virtual networks with the same CIDR address blocks, there is no way to route between them directly, since the addresses conflict; a peering or route between them would be ambiguous. This is an excellent way to segregate applications and services of different security contexts.
- SDN firewalls (e.g., security groups) can apply to assets based on more flexible criteria than hardware-based firewalls, since they aren’t limited by physical topology. They are typically policy sets of ingress and egress rules that attach to single assets or groups of assets regardless of network location (within a given virtual network), and a rule’s source or destination can itself be another group rather than an address range.
- Combined with the cloud platform’s orchestration layer, this enables very dynamic and granular combinations and policies with less management overhead than the equivalent using traditional hardware or host-based approaches.
- Default deny is often the starting point: a new asset accepts nothing until you explicitly open connections to it, which is the opposite of most physical networks, where everything on a segment can talk by default.
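To make the last three points concrete, here is a small model of how a security-group style firewall evaluates a connection, together with the addressing-conflict check behind the isolation point above. This is an added example, not code from the original post or from any cloud provider; the group names, rules, addresses and the `sg:<group>` reference syntax are constructed for illustration and do not match any real provider’s API. It shows that policy follows the asset’s group membership rather than its subnet, that a rule can name another group as its peer, and that anything not explicitly allowed is denied.

```python
"""Toy model of software-defined firewalling ("security groups").

Added example, not from the original post. Group names, rules, addresses and
the "sg:<group>" peer syntax are constructed for illustration only.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Rule:
    """One allow rule. Security groups express only allows; a flow that no
    rule matches is denied (default deny)."""
    direction: str   # "ingress" or "egress"
    protocol: str    # "tcp", "udp" or "any"
    port_low: int
    port_high: int
    peer: str        # CIDR such as "10.0.0.0/8", or a group reference "sg:web"

    def matches_port(self, protocol: str, port: int) -> bool:
        return self.protocol in ("any", protocol) and self.port_low <= port <= self.port_high


@dataclass(frozen=True)
class Instance:
    name: str
    ip: str
    subnet: str        # informational only: the policy never looks at it
    groups: frozenset  # security groups attached to the instance


@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    protocol: str
    dst_port: int


def overlapping(cidr_a: str, cidr_b: str) -> bool:
    """Two virtual networks with overlapping address space cannot be routed
    to each other: a peering or route between them would be ambiguous."""
    return ip_network(cidr_a).overlaps(ip_network(cidr_b))


def _find(instances: List[Instance], ip: str) -> Optional[Instance]:
    return next((i for i in instances if i.ip == ip), None)


def _peer_matches(rule: Rule, peer: Optional[Instance], peer_ip: str) -> bool:
    # A group reference matches when the peer instance carries that group,
    # whatever subnet or address it happens to have.
    if rule.peer.startswith("sg:"):
        return peer is not None and rule.peer[3:] in peer.groups
    return ip_address(peer_ip) in ip_network(rule.peer)


def _permits(policy: Dict[str, List[Rule]], direction: str, instance: Instance,
             peer: Optional[Instance], peer_ip: str, flow: Flow) -> bool:
    for group in instance.groups:
        for rule in policy.get(group, ()):
            if (rule.direction == direction
                    and rule.matches_port(flow.protocol, flow.dst_port)
                    and _peer_matches(rule, peer, peer_ip)):
                return True
    return False  # default deny: no explicit allow, so the flow is dropped


def connection_allowed(policy: Dict[str, List[Rule]], instances: List[Instance], flow: Flow) -> bool:
    """Evaluate the connection-setup direction of a flow: the source's egress
    rules and the destination's ingress rules must both allow it. Real
    security groups are stateful, so replies need no rule; that is outside
    this model, as is traffic whose destination is not a known instance."""
    src = _find(instances, flow.src_ip)
    dst = _find(instances, flow.dst_ip)
    if dst is None:
        return False
    dst_ok = _permits(policy, "ingress", dst, src, flow.src_ip, flow)
    if src is None:  # traffic entering from outside the virtual network
        return dst_ok
    src_ok = _permits(policy, "egress", src, dst, flow.dst_ip, flow)
    return src_ok and dst_ok


# Constructed sample policy: a web tier, a database tier and a bastion host.
POLICY: Dict[str, List[Rule]] = {
    "web": [
        Rule("ingress", "tcp", 443, 443, "0.0.0.0/0"),    # anyone may reach HTTPS
        Rule("egress", "tcp", 5432, 5432, "sg:db"),       # web may open Postgres to the db tier
    ],
    "db": [
        Rule("ingress", "tcp", 5432, 5432, "sg:web"),     # only the web tier, by group, not by IP
    ],
    "bastion": [
        Rule("ingress", "tcp", 22, 22, "203.0.113.0/24"),  # SSH only from the office range
    ],
}

# Constructed instances: web-a and web-b sit in different subnets but share one policy.
INSTANCES = [
    Instance("web-a", "10.0.1.10", "10.0.1.0/24", frozenset({"web"})),
    Instance("web-b", "10.0.2.10", "10.0.2.0/24", frozenset({"web"})),
    Instance("db-1", "10.0.3.10", "10.0.3.0/24", frozenset({"db"})),
    Instance("bastion", "10.0.1.5", "10.0.1.0/24", frozenset({"bastion"})),
]

if __name__ == "__main__":
    for f in (Flow("10.0.2.10", "10.0.3.10", "tcp", 5432),   # web-b -> db, allowed by group
              Flow("10.0.1.5", "10.0.3.10", "tcp", 5432),    # bastion -> db, denied (no rule)
              Flow("198.51.100.7", "10.0.1.5", "tcp", 22)):  # internet -> bastion SSH, denied
        print(f, connection_allowed(POLICY, INSTANCES, f))
    print("10.0.0.0/16 vs 10.0.1.0/24 overlap:", overlapping("10.0.0.0/16", "10.0.1.0/24"))
```

Note that the bastion host shares a subnet with web-a yet cannot reach the database, while web-b in a different subnet can: membership in the group, not position in the network, decides. A practitioner reviewing a real policy should look for the same two properties, group-to-group rules instead of hard-coded addresses and the absence of any broad allow that undoes the default deny.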
In conclusion, the cloud can be as secure as, or more secure than, a traditional on-premises deployment if it is configured correctly.
Vigilant simplifies the complexity and reduces the cost of managing and maintaining your IT infrastructure including servers, network, backup, and storage technologies. Please reach out to firstname.lastname@example.org for a spirited discussion on maximizing the Cloud’s benefits for your company.
We look forward to your feedback.
Principal Security & Cloud Architect, Vigilant Technologies