How exciting is that? You combine 3 non-specific words – cloud, security, monitoring – and you get … what exactly? Let’s find out!
This quarter my research focuses on cloud security monitoring and cloud logging. I will try to define the subject(s) and then provide analysis and recommendations for architecting security monitoring of public cloud assets deployed in IaaS, PaaS and even SaaS environments (the word “luck” will likely be used in that last section a lot).
Here’s where I want to take the discussion: if you have IT assets deployed on a public cloud provider network today, and you want to monitor them by using log data, where would you rather send that log data? Your broad choices are (unless you have an MSSP contract, which will change the situation a bit):
- Back to your SIEM tool deployed in your environment (if any): your cloud logs -> your environment.
- To a dedicated SaaS log management tool: your cloud logs -> another cloud environment.
When I asked a few people whether they would conceptually lean towards Choice 1 or Choice 2, they picked Choice 3.
Huh? Choice 3 is “we are still trying to figure it out; for now we don’t monitor those assets.” A few others mistook cloud for outsourcing and stated that “they trust their provider to deal with logs”… That’s life in the cloud circa 2012 for you.
Future posts will touch upon such exciting subjects as “what logs can you hope to get in different cloud scenarios?”, “how do you compensate for not having logs?” and a few other cloud-specific monitoring challenges that you’ll face in the near future.