Part 3 – The Most Common Surprises When Moving to the Cloud
Part Three of a Three Part Series
If you have other thoughts about these areas, please drop me an email. Let’s talk about the most common surprise I found with my clients when they went to the cloud. (It shouldn’t have been a surprise.)
Surprises in Having Visibility in the Cloud
Surprise #3 – Visibility.
I like to compare cloud visibility to that of an MPLS WAN. Most companies see traffic going to the Internet, but there is no visibility in the core. They can apply protections on the way in and on the way out of their network. However, what happens inside? No one knows. Literally, no one knows.
In that scenario, whether it’s in the cloud or in your MPLS mesh, if a threat actor gains access it’s almost impossible to see them. This is often why threats go undetected. They lie dormant for months; when they do detonate, it takes on average 98 days to detect them. This report from the Ponemon Institute suggests it takes on average almost 100 days: https://www.ponemon.org/blog/ponemon-institute-releases-new-study-on-the-efforts-of-retail-companies-and-financial-services-to-improve-the-time-to-detect-and
Zero-day attacks are called that because there is no warning to patch the flaw in the software. The name also applies because the payload detonates as legitimate software immediately. Often, the infected host doesn’t even know it has been compromised because, in theory, only legitimate software is running on the host (or so the anti-virus program states). This true-story account of an O365 account that was hacked shows how IT had no visibility into the breach.
Monitoring VLAN traffic in a data center
In a physical data center, all inter-connected VLAN traffic is likely seen and reported on. More advanced companies can see and report on intra-host communication even within the same VLAN. The very advanced ones can not only see and report on that traffic, but control and block it as well.
Controlling VLAN traffic in the cloud
When the move to the cloud is made, controlling VLAN traffic becomes imperative, not just for security purposes but for troubleshooting as well. If traffic cannot be seen, how is it possible to troubleshoot a problem? That is for companies that have advanced security requirements. But what about ones that just want to see ingress and egress, north-south traffic? Just the basics.
Ironically enough, 15 or 20 years ago most edge security was done with a Cisco router and packet-filter ACLs, or extended stateful-inspection ACLs. The logs were difficult to read, and if you wanted to debug something, sifting through text was the only way.
Back to the Future with Logs
How do you look at north/south traffic in the cloud today? If you don’t have experience with it yet, the answer is: you don’t. Every cloud provider comes with firewall security, but how do you see and report on those logs? Logging is free, but in order to analyze, review and come up with a baseline, you need to buy more product, and then, and only then, do you have logs. However, you are back to 20 years ago with a bunch of text to sift through.
The point is that the cloud’s edge comes with a firewall. It has to. But for all of the advancements we have made over the past 20 years, if you don’t have a third-party firewall, you are in an advanced cloud with the same security that was used 20 years ago. Namely, a stateful, packet-filter firewall with terrible logging. That firewall also lacks advanced threat protections, and by virtue of being in the cloud, you are a target.
Whatever you do at the edge, make sure there are advanced threat protections. At a minimum, these protections need to be at the edge, but they should also move inwards and look at east/west traffic, too. Hopefully, there is a good reporting mechanism that will allow you to build a baseline from which to work and improve. Ideally, it’s the same system you use at your physical datacenter. Even better than that is if the same controller controls both systems. If the two are not the same, then plan to work towards one controller as your goal.
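As an added illustration of the "text to sift through" problem and the baseline recommended above (example code, not from the post or from Teneo): this script parses constructed flow records laid out like the AWS VPC Flow Logs default format (an assumed format; the post names no provider), separates north/south from east/west traffic, builds a baseline of accepted destinations, and flags accepted flows the baseline never saw. The RFC 1918 ranges used to decide what counts as "internal" are an assumption to replace with your own VPC CIDRs.

```python
import ipaddress

# Constructed sample records laid out like the AWS VPC Flow Logs default (v2) format
# (an assumed format, not one the post specifies): version account-id interface-id
# srcaddr dstaddr srcport dstport protocol packets bytes start end action log-status
BASELINE_LOGS = """\
2 123456789012 eni-0a1b2c3d 203.0.113.10 10.0.1.20 51234 443 6 10 4200 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.20 10.0.2.30 44321 5432 6 20 9000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.1.20 40000 22 6 1 60 1700000000 1700000060 REJECT OK
"""
TODAY_LOGS = """\
2 123456789012 eni-0a1b2c3d 203.0.113.10 10.0.1.20 51300 443 6 12 5100 1700086400 1700086460 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.20 10.0.2.30 44400 5432 6 18 8000 1700086400 1700086460 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.20 10.0.3.40 55555 445 6 5 800 1700086400 1700086460 ACCEPT OK
2 123456789012 eni-0a1b2c3d - - - - - - - 1700086400 1700086460 - NODATA
"""
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()
# Assumed internal address space (RFC 1918); replace with your own VPC CIDRs.
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_internal(addr):
    return any(ipaddress.ip_address(addr) in net for net in INTERNAL)

def parse_flow_log(text):
    """Parse records into dicts, dropping malformed lines and NODATA/SKIPDATA records."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue
        rec = dict(zip(FIELDS, parts))
        if rec["log_status"] == "OK":  # NODATA/SKIPDATA carry '-' instead of addresses
            flows.append(rec)
    return flows

def direction(rec):
    """east-west when both ends are internal, otherwise north-south (it crossed the edge)."""
    return "east-west" if is_internal(rec["srcaddr"]) and is_internal(rec["dstaddr"]) else "north-south"

def flow_key(rec):
    return (direction(rec), rec["dstaddr"], rec["dstport"], rec["protocol"])

def build_baseline(flows):
    """Set of (direction, dst, dstport, proto) accepted during the baseline window."""
    return {flow_key(r) for r in flows if r["action"] == "ACCEPT"}

def find_new_flows(flows, baseline):
    """Accepted flows whose key never appeared in the baseline: the ones worth a look."""
    return [r for r in flows if r["action"] == "ACCEPT" and flow_key(r) not in baseline]
```

On the constructed data, the only flow outside the baseline is the east/west connection to 10.0.3.40 on port 445, which is exactly the kind of internal traffic an edge-only firewall log never shows.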
Utilize experts in their fields
In summary, the key to a successful cloud strategy is a well-thought-through plan that draws on experts in their fields for information, one where the security, capabilities, and shortfalls are well understood by everyone. In addition, your strategy should take into account visibility that controls vendor sprawl. Also, make sure it guarantees access by using today’s advanced, software-defined controllers for the existing transport that connects all of your entities.
If you need help with any of these cloud topics or any other physical data center threat vectors, reach out to your Teneo Engineer for assistance. If you don’t have a Teneo engineer and would like to speak with the author of this article, contact us here: