Managing the Dynamic Datacenter

Datacenter Automation



Datacenter Automation Authors: Liz McMillan, Elizabeth White, Allwyn Sequeira, Greg Schulz, James Carlini


Hybrid Cloud Security

Part 1: Common attack strategies in the cloud

What You Need to Know About Hybrid Cloud Security

Thanks to its many business benefits, cloud computing is becoming commonplace within organizations of all sizes. Historically, companies have struggled to determine which model - public or private - best met their needs. But of late, IT professionals are increasingly starting to realize that both public and private clouds can exist harmoniously within the same organization, and that, in many instances, a hybrid cloud model can actually be the most effective approach.

RightScale's "2016 State of the Cloud Survey" found that hybrid cloud adoption increased from 58 percent to 71 percent year-over-year. The uptick in hybrid cloud computing has not been overlooked by cybercriminals, who have been busy adapting traditional attack methods and devising new ways to target threat surfaces and vulnerabilities in the cloud.

In order to manage cloud security with the same effectiveness as on-premises environments, it's important to consider how the threat landscape changes as assets move from a data center to the cloud. It's also crucial to determine which security resources are offered by cloud service providers (CSPs) and understand how these can augment your own security tools and measures to deliver complete hybrid cloud security.

To help address the aforementioned points, we're kicking off a three-part series focused specifically on managing hybrid cloud security. In this first post, we'll explain the basics of the shared security model and explore how security challenges persist, are amplified, or are mitigated in public cloud and hybrid cloud environments. Read on.

Understanding the Shared Responsibility Model
Any discussion of hybrid cloud security requires a fundamental understanding of the shared responsibility model and how it applies to cloud infrastructure as a service (IaaS) security concerns. Under the shared responsibility model, a CSP is generally responsible for ensuring the physical security of its data center - from managing building access, to securing network and server hardware, to overseeing the hypervisors that host virtual machines. Users of cloud services, on the other hand, are usually responsible for securing the operating systems, applications and data running on cloud accounts.

While you are responsible for securing anything that you deploy in the cloud, CSPs also have a shared interest in making sure your data is secure. For example, they will typically provide services to help you implement best practices for controlling access and limiting network exposures. Many also supply tools to help you better defend your virtual environments. The services and tools provided by CSPs are designed to work in conjunction with your own cloud-based security management tools.

Traditional security solutions, such as firewalls, file integrity monitoring and centralized logging, remain effective as you expand your perimeter and move data into the cloud. Adding security measures that are purpose-built for the cloud, however, can help you to better secure and monitor your full environment.

Common Attack Strategies in the Cloud
Many of the common attack strategies cybercriminals use to target on-premises infrastructure are also used to hit cloud environments, and they can be dealt with using traditional tools, such as firewalls and proxy servers. However, it's important to note that attack strategies manifest in the cloud somewhat differently than they do on-premises. Here's a look at how four well-known types of attacks are affected by cloud environments.

1. Distributed Denial of Service (DDoS) Attacks
DDoS attacks work on a simple premise: flood a service or website with so much network traffic that it effectively crashes the service or site. DDoS attackers command a horde of botnet hosts, which send repeated requests to a target site at the same time. Because these hosts consist of thousands or even millions of internet-connected computers - and can include IoT devices, as the recent Mirai botnet attacks demonstrated - traditional defense tactics, such as blocking a particular domain or IP range, will not be effective.

The strategy behind this type of attack remains the same whether the service is hosted on-premises or in the cloud. DDoS is a numbers game between an attacker's resources and a victim's computing and networking capabilities. In the cloud, your resources are elastic, so you can dynamically add more resources to meet a sudden spike in demand. While this provides some built-in DDoS resilience, it comes at a price since these additional cloud computing resources will quickly drive up your monthly cost.

Another consideration in cloud environments is that because some resources are shared, a DDoS attack against another user's system could drain resources from your own workloads and cause your services to become slow or unavailable. However, in the shared model, CSPs are responsible for mitigating and protecting against DDoS attacks on shared infrastructure. They also protect against low-level network attacks on the cloud infrastructure as part of the shared responsibility model.

2. Exploiting Vulnerabilities
Malware infections typically start when attackers find vulnerabilities in an organization's operating systems or applications, and then exploit them to download malware and gain control of corporate networks.

A strong vulnerability management program is an essential part of minimizing the attack surface of your network environment. By proactively identifying and fixing your vulnerabilities, you can reduce the likelihood of attackers exploiting them for malicious purposes. The same is true in cloud environments.

CSPs usually provide some vulnerability management support. For example, they will typically supply libraries of up-to-date, patched operating system (OS) instances that users can deploy into their environments. This is a good starting point, but in the shared responsibility model, automated patching generally stops at the point of deployment. Ultimately, it's the cloud service users who are responsible for identifying and managing vulnerabilities and patching above the hypervisor layer.

3. Brute Force Attacks (Password Cracking)
The idea behind brute force attacks is to try all possible combinations of passwords until an attacker finds the one that works. These attacks persist, in part, because there are many automated tools available and pre-built digests that help attackers crack accounts. In addition, users continue to be a weak link, because they often choose simple, easy-to-guess passwords.

One can argue that readily available services like Amazon Web Services Identity and Access Management (IAM) and Azure Active Directory (free tier) provide decent password security and enable extra security measures like multi-factor authentication (MFA). However, the only real defense against password compromise is to always apply good password hygiene, and good hygiene in the cloud is just as important as it is on-premises.

One element that is unique to cloud computing is that root account credentials, if not handled properly, can be publicly accessible from the internet. A compromise of this credential would give attackers "the key to the kingdom," granting them control over your cloud environment and the ability to spin up cloud resources indefinitely - leaving you stuck paying the bill. There's no parallel for this type of compromise in your on-premises environment, since the resources in your data center are likely owned, static and finite.
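
As an added illustration of the brute-force, MFA and root-credential points above (not code from the article or from any vendor), this Python example runs three detection rules over console sign-in records. The records are constructed samples that use AWS CloudTrail `ConsoleLogin` field names; the failure threshold, time window and rule names are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

FAIL_THRESHOLD = 5              # assumed tuning value, not from the article
WINDOW = timedelta(minutes=10)  # assumed tuning value, not from the article

def _login(ts, ip, id_type, outcome, mfa):
    """Build a constructed record using CloudTrail ConsoleLogin field names."""
    return {"eventName": "ConsoleLogin", "eventTime": ts, "sourceIPAddress": ip,
            "userIdentity": {"type": id_type},
            "responseElements": {"ConsoleLogin": outcome},
            "additionalEventData": {"MFAUsed": mfa}}

# Constructed sample data (documentation-range IPs), not real log entries.
SAMPLE_EVENTS = [
    *[_login(f"2017-01-10T08:0{i}:00Z", "198.51.100.7", "IAMUser", "Failure", "No")
      for i in range(6)],
    _login("2017-01-10T08:07:00Z", "198.51.100.7", "IAMUser", "Success", "No"),
    _login("2017-01-10T09:00:00Z", "203.0.113.20", "Root", "Success", "No"),
    _login("2017-01-10T09:30:00Z", "203.0.113.21", "IAMUser", "Success", "Yes"),
]

def _time(ev):
    return datetime.strptime(ev["eventTime"], "%Y-%m-%dT%H:%M:%SZ")

def analyze_logins(events):
    """Return findings as (rule, source_ip, event_time) tuples, oldest first."""
    findings = []
    failures = defaultdict(list)   # source IP -> failure times inside WINDOW
    alerted = set()                # IPs already reported as brute force
    for ev in sorted(events, key=_time):
        if ev.get("eventName") != "ConsoleLogin":
            continue
        ip, when = ev["sourceIPAddress"], _time(ev)
        outcome = (ev.get("responseElements") or {}).get("ConsoleLogin")
        mfa = (ev.get("additionalEventData") or {}).get("MFAUsed", "No")
        # Keep only failures that are still inside the sliding window.
        recent = [t for t in failures[ip] if when - t <= WINDOW]
        if outcome == "Failure":
            recent.append(when)
            if len(recent) >= FAIL_THRESHOLD and ip not in alerted:
                alerted.add(ip)
                findings.append(("brute_force_suspected", ip, ev["eventTime"]))
        elif outcome == "Success":
            # Root sign-in without MFA: the "key to the kingdom" exposure.
            if ev["userIdentity"].get("type") == "Root" and mfa != "Yes":
                findings.append(("root_login_without_mfa", ip, ev["eventTime"]))
            # A success right after a failure burst suggests a guessed password.
            if len(recent) >= FAIL_THRESHOLD:
                findings.append(("success_after_failures", ip, ev["eventTime"]))
        failures[ip] = recent
    return findings

if __name__ == "__main__":
    for finding in analyze_logins(SAMPLE_EVENTS):
        print(finding)
```
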

4. Web Application Attacks
Securing applications from attacks is clearly the responsibility of cloud users in the shared responsibility model. Web application attacks can usually be mitigated with better coding practices, or supplemented with security technologies, such as web application firewalls (WAF) and proxy servers. Today, most security vendors offer licensed products for the cloud, which are similar to the products they provide for on-premises environments. Some cloud vendors have also added free tools to their offerings that defend against common attacks, such as cross-site scripting and code injection.

A Look Ahead
In Part 1, we looked at how a few of the most common attack strategies persist, are amplified, or are mitigated as assets move from the data center to the cloud. In the next installment of this three-part series on hybrid cloud security, we will examine new security challenges that are unique to cloud environments and look at what impact they have on traditional security measures and tools. Stay tuned.


More Stories By Jim Hansen

Jim Hansen is vice president of product marketing overseeing all of AlienVault's product development initiatives. He is responsible for providing strategic and tactical direction for the AlienVault Unified Security Management (USM) and Open Threat Exchange (OTX) product lines, as well as introducing new products into the marketplace.
