Cloud Security Strategies: Where Does IDS Fit in?

Security practitioners diving into cloud computing must make older security tools like IDS work in this new world. In a CSO podcast last week, Stu Wilson, CTO of IDS provider Endace, sought to explain how this older technology is still relevant in enterprise cloud security strategies.

Defining Cloud Security: Six Perspectives

CSO also reached out to IT security practitioners through various LinkedIn security forums for an informal, unscientific poll. Here are views from four additional perspectives.

Also see “The cloud security survival guide”

Tommy Ward, senior manager, engineering compliance at Google

IDS is just like many other security tools, it may be useful as part of a security program, but the deployment details are critical. IDS deployment in the context of cloud computing starts with the questions of what assets you are trying to protect, where are those assets, where are the attacks likely to originate from and can you effectively monitor for such attacks with an appropriate signal-to-noise ratio?

Cloud consumers are still likely to face the threat of intrusion into their own enterprise networks and systems. IDS may be appropriate at the boundaries between those enterprise networks and other networks, including the Internet.

Cloud providers are also likely to face intrusion threats, and once again IDS may be useful. Here the threat vectors may be from arbitrary Internet hosts or from customers. This makes topographic decisions about IDS deployment more complex. If the cloud provider is using virtualization for hosting PaaS or IaaS, then intrusion monitoring may need to be at the hypervisor level, and I doubt that many IDS appliance vendors have a compelling story for that.

Both consumers and providers face internal attack threats. How well any IDS can function to detect misuse or abuse by insiders is a good topic for debate, but the common practice is to rely much more on analysis of various types of audit logs to detect such attacks than on intrusion detection. Certainly pattern-based IDS could be used to detect some categories of internal attacks, but it would not be useful for detecting misuse of privileged credentials to extract sensitive data. Anomaly-based detection might be able to detect such internal threats, but once again the number of organizations that use this for internal attack detection is probably insignificant.

John Kinsella, founder of Protected Industries

I work with the cloud as both a user, consultant, and, in the interest of full disclosure, I’m working on a secure cloud offering. A few thoughts while wearing those different hats: The old security problems didn’t go away when people “moved to the cloud.” They just get distracted by all the new problems.

All the old puzzle pieces still work — and are still needed — in the cloud. How they’re implemented might have changed. In a non-managed environment, it’s a free-for-all on how one builds a secure environment — probably software network/system IDS, encryption, and firewalls, although most providers have firewall offerings of various types. So if a project owner is used to having a physical SSL accelerator, IDS/IPS box, etc., they might be in for a change in their thought process. I think that really is the key part — hold on to whatever you know (so far) about security, understand how it fits into the new model, then continue learning the stuff you don’t know yet.

One aspect that hasn’t changed at all is how the provider protects their infrastructure. Scale might be greater, but the same pieces still need to be protected.

Mainak Biswas, IT security practitioner based in India

No security tool will work in the cloud because they are only effective with traffic going directly in and out a physical network. In a scenario where the traffic does not directly enter a network, there is no work for the security tool. The cloud is outside the organizational reach, and deploying any sort of security control is just impossible because you cannot keep a track of the origin of the traffic.

Donald Fish, IT security practitioner for an east-coast company

It occurred to me that when you refer to “the clouds” or “the cloud” you are speaking in a manner that conveys there is a definition of “the cloud” agreed upon by industry and/or government or standards bodies. What appears to me is there is no fully agreed upon definition of the cloud.

NIST has embarked upon a (cloud model) and is taking steps to aid in more recognition of the model as the standard. Perhaps future discussion would be more useful if put this way: “Given the NIST Cloud Definition how would use of your product have an impact on an organization’s cloud?”