I’m tired of hearing quotes like “cloud is completely different from traditional IT” as well as those that say “cloud is just like outsourcing, mainframes, etc.” Those who like the former quote will sometimes add that organizations should scrap all the tools they use for traditional IT and buy new tools for the cloud. Those who like the latter quote would say that organizations just need to continue doing what they’re doing, with the same tools.
At this point, it should be clear to most of my enlightened readers that the truth is somewhere in between. Some tools and approaches will continue to work; some will not; and others will work depending upon the circumstances – such as what is being migrated to the cloud, how it is being migrated, etc.
Let’s review some of the things which are known to be different in various public cloud models:
- Transient assets that appear and disappear, go up and down, etc. (for IaaS)
- An IP address means less as a key for tracking those transient assets, since the same address gets reused by successive instances
- There are layers of the computing stack that are NOT under enterprise control
- Remote environments, sometimes accessed via links of limited bandwidth
- For SaaS and PaaS, lack of ANY traditional “IT infrastructure” such as an OS
- “Alien” operations model (sometimes) dissimilar from traditional data center management models
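To make the “IP address means less” point concrete, here is an added example (not code from the original post) that correlates a handful of constructed IaaS log events. Two short-lived instances receive the same private IP on the same day; counting failed SSH logins per IP merges them into one phantom asset, while keying on the instance ID, or resolving the IP against instance start/terminate events, keeps them apart. The field names (`instance_id`, `ip`, `event`) and the instance IDs are assumptions chosen for the example, not any provider’s log schema.

```python
"""Why IP addresses are a poor key for transient cloud assets.

Added example, not part of the original post. Events below are constructed;
field names (ts, instance_id, ip, event) are assumptions, not a real schema.
"""
from collections import defaultdict

# Constructed events: instance i-aaaa1111 lives 08:00-09:00, is terminated,
# and i-bbbb2222 later starts up with the SAME private IP 10.0.1.23.
EVENTS = [
    {"ts": "2011-05-01T08:00:00Z", "instance_id": "i-aaaa1111", "ip": "10.0.1.23", "event": "instance_start"},
    {"ts": "2011-05-01T08:05:00Z", "instance_id": "i-aaaa1111", "ip": "10.0.1.23", "event": "ssh_login_failed"},
    {"ts": "2011-05-01T08:06:00Z", "instance_id": "i-aaaa1111", "ip": "10.0.1.23", "event": "ssh_login_failed"},
    {"ts": "2011-05-01T09:00:00Z", "instance_id": "i-aaaa1111", "ip": "10.0.1.23", "event": "instance_terminate"},
    {"ts": "2011-05-01T11:00:00Z", "instance_id": "i-bbbb2222", "ip": "10.0.1.23", "event": "instance_start"},
    {"ts": "2011-05-01T11:30:00Z", "instance_id": "i-bbbb2222", "ip": "10.0.1.23", "event": "ssh_login_failed"},
    {"ts": "2011-05-01T11:31:00Z", "instance_id": "i-bbbb2222", "ip": "10.0.1.23", "event": "ssh_login_ok"},
]


def group_by(events, key):
    """Bucket events by the value of one field (e.g. "ip" or "instance_id")."""
    groups = defaultdict(list)
    for e in events:
        groups[e[key]].append(e)
    return dict(groups)


def failed_logins_per_asset(events, key):
    """Count failed SSH logins per asset, where 'asset' is defined by `key`.

    Keyed by "ip" the two instances collapse into one; keyed by
    "instance_id" they stay distinct.
    """
    return {
        k: sum(1 for e in evs if e["event"] == "ssh_login_failed")
        for k, evs in group_by(events, key).items()
    }


def asset_lifetimes(events):
    """Map instance_id -> (ip, start_ts, end_ts); end_ts is None if still up.

    Assumes ISO-8601 UTC timestamps, which sort correctly as strings.
    """
    life = {}
    for e in events:
        if e["event"] == "instance_start":
            life[e["instance_id"]] = [e["ip"], e["ts"], None]
        elif e["event"] == "instance_terminate":
            life.setdefault(e["instance_id"], [e["ip"], None, None])[2] = e["ts"]
    return {k: tuple(v) for k, v in life.items()}


def resolve_asset(events, ip, ts):
    """Return the instance that actually held `ip` at time `ts`, or None.

    This is the lookup a SIEM needs before it can attach an IP-only alert
    (say, from a network sensor) to the right transient asset.
    """
    for iid, (aip, start, end) in asset_lifetimes(events).items():
        if aip != ip or start is None:
            continue
        if start <= ts and (end is None or ts <= end):
            return iid
    return None


if __name__ == "__main__":
    print("by ip:         ", failed_logins_per_asset(EVENTS, "ip"))
    print("by instance_id:", failed_logins_per_asset(EVENTS, "instance_id"))
    print("10.0.1.23 at 08:05:30 ->", resolve_asset(EVENTS, "10.0.1.23", "2011-05-01T08:05:30Z"))
    print("10.0.1.23 at 10:00:00 ->", resolve_asset(EVENTS, "10.0.1.23", "2011-05-01T10:00:00Z"))
```

The design point is that the provider’s instance lifecycle events (start/terminate) become security-relevant telemetry in their own right: without them, an IP-only alert that arrives at 10:00 cannot be attributed to any asset at all, and an alert at 11:30 would be wrongly tied to the instance that was terminated at 09:00.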
What does it mean for security monitoring? It means that the approach you take will depend not only on technical considerations (provider platform choice, available application logs, security agents, etc.), but also on how the organization is moving IT capabilities to the cloud.
- For a “forklift scenario”, new applications or even “cloud-only” organizations, these differences will play A BIGGER ROLE in the choice of monitoring approaches, architectures and technologies.
- For a “trickle scenario”, legacy application and “barely cloudy” organizations, these differences will play A SMALLER ROLE in the same choice.
Thus, you might not need any new tools for security monitoring of your cloud environment: your current SIEM, DAM/DAP, DLP, even NIPS (for a virtual private cloud whose sole route to the outside passes through your network) will work more or less fine.
Or, on the other hand, you might discover that most of your security tools have to be replaced, or at least augmented, by tools that are optimized for and tested in public cloud environments. New approaches (some mentioned here) such as cloud gateways, detailed application logs or hypervisor telemetry (provided by the CSP) will have to be used.
Thus, we have an ultimate triumph of “it depends” here!
Previous cloud security monitoring related posts are: