
Cloud Security Monitoring: The “Who” Question

By Anton Chuvakin | April 10, 2012 | 0 Comments

Tags: security, monitoring, logging, cloud

Another inherently “annoying” feature of security monitoring (apart from its “ongoing, need-to-do-it-forever” nature) is that somebody must actually do it. Yes, the dreaded question: who will do the monitoring on a day-to-day basis? Who will be the “human in the loop”, ever vigilant about security-relevant events? Who will actually use the monitoring tools?

Let me break this bit of news to you: cloud does NOT change that. Somebody still must do it. Now, that somebody might be spread across two or more organizations (your CSP, your MSSP, your own organization, the consultants you hired, etc.), but they have to be there. When planning your cloud deployment (public, internal private, external private, whatever), you should always keep this in mind. Here is a brief example from my upcoming research report on cloud security monitoring.

Table 4. Comparison by Monitoring Entity

Rows: who looks at the data. Columns: where the monitoring data is obtained.

| Who looks at the data | From inside the CSP environment | From inside the enterprise environment | From between the environments |
|---|---|---|---|
| CSP | Yes, for their layers of the stack and their management tools | No (the CSP does not see the inside of your organization) | No |
| MSSP (if retained by the customer) | Yes, for the cloud user layers, using sensors deployed at the CSP | Yes, using sensors deployed in the enterprise environment | Yes, using sensors that collect data from gateways/intermediaries |
| CSP-MSSP (if the CSP offers an MSSP service) | Yes, for all layers (!) | Yes, using sensors deployed in the enterprise environment | Yes, using sensors that collect data from gateways/intermediaries |
| Enterprise | Yes, using data feeds from the cloud layers they control and data shared by the CSP | Yes, using either endpoint or network sensors | Yes, using sensors that collect data from gateways/intermediaries |

Note that these distinctions apply across all cloud models, but the scope of what constitutes “their layers” changes from SaaS to IaaS: the CSP’s share of the stack shrinks, and the customer’s grows, as you move from SaaS toward IaaS. The comparison also highlights an advantage of the CSP-MSSP combination: it can monitor the entire stack, from physical infrastructure to data and user activity. However, combining monitoring with hosting raises Separation of Duties (SoD) concerns for some people. So, will YOU trust the MSSP arm to monitor the activities of the same organization’s cloud arm? There are definitely big advantages here (see the table), but also potential risks…

Previous cloud security posts are:
