Trouble In The Cloud?!

What challenges does the usage of traditional, on-premise security tools [monitoring tools, like SIEM or DLP, in particular] creates in the cloud [SaaS, PaaS, IaaS models]?

Here are some I’ve come across:

• IaaS
• • IP address means less for tracking all the transient and replaceable instances
  • Rapid provisioning makes assets to appear and disappear, go up and down, in and out of scope, etc
  • Auto-scaling busts tool licensing limits (!) and disrupts node-based asset tracking (“we have 400 assets…ooops…3000..ooops 200 now!”), creates large volumes of monitoring data for some periods of time
  • Remote cloud environments are sometimes accessed via links of limited bandwidth, making it harder to move monitoring data from the cloud to the datacenter
  • Different models for network security monitoring (only at instances, not in between “on the network”)
• PaaS and SaaS
• • There are layers of the computing stack that are not under enterprise control; no network monitoring, no host monitoring (SaaS)
  • No concept of “asset IP” or, in fact, of a computer as an IT asset
  • For both SaaS and PaaS, lack of any traditional “IT infrastructure” such as OS
  • No OS logs – “apps all the way down” (SaaS)
  • No perimeter monitoring.

On top of this, many cloud environments run under a very “alien” (aka DevOps) IT operations model, often dissimilar from traditional data center management models, that further breaks down the effectiveness of on-premise security tools.

What others examples of traditional, on-premise security tools not working in the cloud have you seen?

Related blog posts:

• Cloud Security Monitoring … Revisited (aka It Is Not 2012 Anymore!)
• My Cloud Security Monitoring Paper Publishes! (2012)
• Cloud IS Different: So Monitoring Must Be Different?