lolloj - Fotolia
Like many companies, Fenwick & West LLP's IT services are delivered through a hybrid of on-premises, software-as-a-service and cloud infrastructure. The situation has significantly expanded the scope of the security challenges faced by the Silicon Valley law firm and has forced it to implement new technologies to fill in gaps where legacy security tools are no longer effective.
"As we straddle the cloud and on premises, our security problems have just broadened," said Matt Kesner, CIO at Fenwick & West LLP, which provides legal services nationally to companies in the technology and life sciences sectors.
"We have all of the same security technologies still in place for our on-premises solution," he said. "But we also have invested in new security technologies for the cloud."
Fenwick & West's experience is typical of the growing number of companies that are running into legacy security obstacles as they move workloads to the cloud while maintaining parts of their IT infrastructure in-house.
In October 2015, the SANS Institute published a survey-based report, "The State of Dynamic Data Center and Cloud Security in the Modern Enterprise," and found that, overall, computing surfaces at most organizations are expanding as a result of hybrid cloud service adoption. The majority of the 430 IT security professionals surveyed said that their organizations' security concerns were exacerbated with the addition of private, public and hybrid cloud services. Many said their companies were using legacy security controls that didn't work well, or at all, in the cloud. As SANS analyst -- and frequent Information Security magazine contributor -- Dave Shackleford noted in the report: "Among the key security capabilities missing in modern dynamic data centers and clouds are visibility, rapid attack identification and fast, accurate and automated containment."
Here are some of the key takeaways, from security executives and analysts, to consider when you integrate legacy security systems with hybrid cloud services.
Old security technologies won't die, but they will evolve.
Legacy security technologies designed to protect enterprise applications and data on premises are often ill suited for cloud environments. But that doesn't mean they are about to go away any time soon. A good case in point is firewalls.
Regardless of whether IT services are served from an on-premises or cloud infrastructure, chances are you will need to protect your systems against external attackers and segment them to mitigate lateral movement.
For more than 20 years, firewall technologies have provided this capability in traditional, on-premises data center environments, first in signature-based systems and more recently in next-generation anomaly detection systems.
Expect the technology to play a role not just in traditional data centers, but in the cloud as well.
"None of the major firewall vendors are shipping fewer firewalls," said John Pescatore, director of emerging threats at the SANS Institute.
Matt KesnerCIO at Fenwick & West LLP
The biggest difference is that, rather than hardware appliances, firewall capabilities are delivered via software in the cloud. While demand for physical appliances may fade as more enterprises and applications move to hybrid cloud services, there will be an expansion in the need for vendors who sell virtual firewalls, or firewall-like filtering and blocking capabilities, under some other name.
The notion that you can use the baked-in security policies major cloud vendors offer in place of firewalls is a myth: "The infrastructure will never protect itself. You still need firewalls, but [they] will be delivered and managed differently," Pescatore said. The same is true of antivirus and antimalware tools, in general, he added.
Firewalls and virtual private networks (VPNs) are obvious candidates for how delivery mechanisms for security controls may change because of cloud adoption. Other technologies include intrusion detection and prevention systems, network-based antimalware tools and some data leak prevention functionality. However, the need for the capabilities these tools deliver, according to Pescatore, will remain the same.
"It is hard to assert obsolescence per se," said Pete Lindstrom, vice president of security research at IDC. "It's just an evolution."
Increasingly, legacy security technologies will evolve from monolithic enterprise models to highly distributed services delivered via the cloud, according Lindstrom. Many security technologies will move up the stack and into the cloud and become part of the virtualization layer.
Until everything has migrated to the cloud, you will likely need more security controls, not less.
The adoption of cloud services makes it harder to keep on top of everything that is going on in the enterprise.
"Overall, we haven't seen security simplified," Kesner said.
Back when everything was on premises and there was a perimeter around your applications and infrastructure, it was easy to see all of the data flows into and outside of the organization and keep tabs on who was accessing what, where, when and how.
That task becomes more complicated when some of your data and applications are on premises and the rest are in the cloud and people are accessing them from PCs and mobile devices from behind the firewall and from outside.
"There's a lot of data that our users are creating for business and [they're] accessing that as an IT group we just can't see anymore," Kesner said.
Traditional security tools don't enable that visibility. Presently, a Microsoft enterprise system authenticates access to all applications that are hosted on premises at Fenwick & West. But it doesn't log users into the company's Salesforce database or its cloud-based human resources system.
The law firm has been forced to look at other technologies.
Kesner's strategy was to implement a single sign-on capability in the cloud as a way of gaining more visibility over what his users were doing with enterprise applications and data. "The only [way] we see to simplify our security architecture is in moving our authentication architecture to the cloud. That will support on premises as well as cloud and broaden what we offer to end users."
The Fenwick & West CIO is looking to supplement cloud-based authentication with a new logging capability for some of the company's cloud applications, starting with Salesforce. The law firm is also evaluating technologies from a couple of start-ups to use in implementing firewall and VPN capabilities for accessing cloud applications. "What we have seen is promising," Kesner said.
Like Fenwick & West, most companies with a mix of on-premises and hybrid cloud services will need more tools for managing security, not fewer. While organizations tend to use firewalls, intrusion prevention and detection systems (IPS/IDS) and server and application monitoring tools heavily in the data center, according to the SANS report, the use of such tools falls off sharply in the cloud. Just 34% of IT security professionals said their organizations use cloud-based firewalls. Almost all, or 96%, use the security technology on premises. Similarly, only 29% of respondents said their organizations use IPS/IDS in the cloud, while barely 28% monitor servers and applications. In comparison, 83% and 77%, respectively, use these tools in on-premises data centers.
According to SANS, the situation, which stems both from a relative lack of security technologies for the cloud and a lack of strategic thinking, is problematic because it exposes enterprises to security risks.
The types of security controls you need depend on the cloud model.
The effectiveness of your existing security controls and what you are likely to require in the cloud depend to a large extent on the cloud model you adopt, noted Christopher Pierson, executive vice president, general counsel and chief security officer at Viewpost, a provider of online billing and invoicing services based in Maitland, Fla. "Infrastructure-as-a-service environments [need] nearly all of the same controls that a traditional data center requires," he said. "Anywhere that threats could pose a risk to key data will require controls to be implemented."
With platform-as-a-service (PaaS) models, understanding the security paradigm is part of the challenge, according to Pierson.
"In PaaS environments, much of the security becomes something that is accessed and reviewed by a SecOps team as opposed to [being] built and maintained by that team," he said. "Since the business really just owns the data and application layers, things like IPS/IDS and DDoS [distributed denial-of-service] mitigation are not managed by the company."
Because there are no real hosts on premises in a PaaS model, there's less need for in-house antivirus and antimalware capabilities and technologies. Even technologies like firewalls can be morphed into the cloud or removed entirely when everything is delivered from the cloud.
"All the company is concerned about are the applications they build, secure coding practices and encryption of the underlying data," Pierson said. Access, encryption and related technologies, such as a hardware security module for managing keys, are the main controls that enterprises need to contend with and manage.
Security vendors will need to cloud-enable their products.
A lack of options and virtual appliances for the cloud and for specific cloud service provider hypervisors poses a challenge for enterprises, according to SANS. "Fundamental network security technologies such as firewalls and intrusion detection/prevention platforms have significantly lower adoption rates in the public cloud," the report found last October, partly due to a lack of provider support for such technologies.
For this to change, SANS' Pescatore said, vendors of data center security technologies need to cloud-enable their products. In the near term, technology providers may add cloud-based delivery to their offerings while maintaining their data center products. Over time, as more legacy security applications move to the cloud, vendors may start delivering their capabilities entirely from the cloud. Several security functions of critical importance to enterprises can benefit from this approach, he noted.
For example, many vulnerability scanning technologies that enterprises use to scan their applications and networks do not work in the cloud context. So developing a virtual scanner capable of auditing an enterprise's cloud infrastructure and providing information on things like virtual machines, firewall configurations and access control lists can make a huge difference.
Similarly, having a web security gateway that is enabled for Amazon Web Services, Microsoft Azure and other cloud environments gives enterprises a way to filter traffic and enforce security policies on cloud-hosted applications and data.
Another area that could benefit from such cloud enablement is forensics, Pescatore added. Data center forensics tools are of little use for looking into data stored on hard drives belonging to third-party service providers. Organizations that need the ability to forensically examine events and data in a cloud environment must have the tools to be able to do so.
Moving technology off premises? Cloud Security Alliance's top 12 threats
CIO strategies to integrate legacy systems with cloud services
Top five security issues to watch out for in hybrid cloud environments