Blog post

More On Security Monitoring of Public Cloud Assets

By Anton Chuvakin | January 14, 2012 | 0 Comments

Tags: SIEM, security, logging, cloud

This post is not a whine about how security in public cloud environments is lagging behind traditional physical environments. There is nothing here to whine about, since our experience with other IT advances – think PC, client-server, web applications, mobile devices – teaches us that this is ALWAYS the case for new technologies. The cycle, which some people might call ‘vicious’, goes like this:

  1. Invent
  2. Deploy
  3. Popularize
  4. Disaster!!!
  5. Secure (and eventually even “build it securely”)

and then the next tech is invented and the cycle repeats. Let’s consider security monitoring of IT resources deployed on public clouds, whether SaaS, PaaS or IaaS. Such security monitoring includes logs (primarily), network traffic analysis, host activity monitoring as well as other well-known monitoring mechanisms (for a superb review of these, please review “Security Monitoring” template by Ramon Krikken). As my research project progresses, I am coming across various challenges to cloud asset security monitoring. Here is a quick list:

  • Often, unimportant assets move to the public cloud first, and the need to do security monitoring simply never appears.
  • Cloud (as well as virtual) assets are known to be transient and change more often than traditional physical systems, adding chaos to the attempts to monitor “who does what” to systems and data.
  • The familiar mechanisms – various network security appliances – do not map well to the cloud, and the new mechanisms (wherever available!) have a learning curve.
  • Similarly, lack of visibility into the lower layers of underlying infrastructure hampers many monitoring efforts as one might have to peek into the lower layers from the higher ones.
  • When lacking network data and system logs, a replacement monitoring method – application logs – comes with its own set of challenges, including working with application developers to engineer logs useful for security and not just for debugging.
  • “We just trust our CSP, they do a great job securing and monitoring our assets!” This is admittedly more likely for users of SaaS providers, but more than a few people seem to confuse “cloud” with “outsourcing”.
  • Fragmented control over various cloud migration efforts leads to no security monitoring (and even “no security” sometimes); rogue cloud assets are by definition unmonitored by central IT.
  • Even when monitored, loss of the unified view of public cloud + virtual / private cloud + traditional makes noticing anomalous and malicious activities harder.
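Two of the challenges above, application logs engineered for security rather than debugging, and transient assets that defeat per-system monitoring, can be made concrete. The following is an added example, not code from the original post; the field names, the log format and the sample events are assumptions constructed for illustration.

```python
"""Added example (not from the original post): an application log line
written for debugging beside an event engineered for security monitoring,
plus a count that survives transient cloud instances. The field names and
sample data are assumptions constructed for illustration."""

# Fields a SIEM needs to answer "who does what, where, with what result"
# (an assumed minimal set, not a standard).
SECURITY_FIELDS = ("ts", "actor", "action", "target", "outcome", "src_ip", "asset")

# Constructed debug-style line: useful to a developer, nearly useless to a SIEM.
DEBUG_LINE = "2012-01-14T10:22:01Z DEBUG LoginHandler: auth failed"

def parse_debug_line(line):
    """Split a '<ts> <level> <component>: <msg>' debug line into a record."""
    ts, level, rest = line.split(" ", 2)
    component, msg = rest.split(": ", 1)
    return {"ts": ts, "level": level, "component": component, "msg": msg}

def security_event(ts, actor, action, target, outcome, src_ip, asset, instance_id):
    """Build a structured security event. `asset` is the stable logical
    service name; `instance_id` is whichever transient instance served it."""
    return {"ts": ts, "actor": actor, "action": action, "target": target,
            "outcome": outcome, "src_ip": src_ip, "asset": asset,
            "instance_id": instance_id}

def missing_security_fields(record):
    """List the security fields a log record lacks or leaves empty."""
    return [f for f in SECURITY_FIELDS if not record.get(f)]

def failed_actions_by_asset(events, action="login"):
    """Count failures per stable asset, not per instance, so a pattern spread
    across rebuilt or autoscaled instances is still visible."""
    counts = {}
    for e in events:
        if e["action"] == action and e["outcome"] == "failure":
            counts[e["asset"]] = counts.get(e["asset"], 0) + 1
    return counts

# Constructed sample: the same actor fails against three successive instances
# of one service; per-instance counting would show only one failure each.
SAMPLE_EVENTS = [
    security_event("2012-01-14T10:22:01Z", "bob", "login", "/admin", "failure",
                   "203.0.113.7", "web-frontend", f"i-000{n}") for n in (1, 2, 3)
]

if __name__ == "__main__":
    print("debug line lacks:", missing_security_fields(parse_debug_line(DEBUG_LINE)))
    print("security event lacks:", missing_security_fields(SAMPLE_EVENTS[0]))
    print("failed logins by asset:", failed_actions_by_asset(SAMPLE_EVENTS))
```

The debug line carries only a timestamp that a SIEM can use, while the structured event answers every question a security analyst asks; keying the count on the stable asset name is what keeps a slow pattern visible as instances come and go.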

So, my journey continues – watch for more blog posts on cloud security monitoring as my project eventually culminates in architectural guidance for cloud security monitoring …

By the way, if you are a vendor with a technology helpful for security monitoring of public cloud assets, please brief me on your technology.

Previous cloud-security-monitoring-related posts are:
