For organizations looking to deploy assets into a public Infrastructure as a Service (IaaS) cloud environment, a primary concern is how (and if) existing security technologies deployed in-house will transfer over to the cloud provider environment. Intrusion detection sensors, both host- and network-based, are a standard element of many information security programs, and most organizations will need to ensure they have these capabilities in their cloud environment.
In this tip, we'll examine issues organizations need to consider when implementing intrusion detection in the cloud and options available within public IaaS cloud providers.
Intrusion detection in the cloud: Implementation issues
For organizations looking to implement intrusion detection systems (IDS) themselves into a public IaaS environment, there are a number of key factors to consider:
- Make sure you can adequately monitor network traffic in your cloud environment. Some cloud providers may facilitate implementation of "virtual taps" or port mirroring on virtual switches to accomplish this.
- Be wary of resource consumption when installing agents on cloud platforms, and realize that cloud-based IDS sensors will be treated as any other virtual machine (VM), thus costing money to run. As these systems may see high CPU and memory consumption, they may cost more than average VMs in the cloud would. These same issues are relevant to private clouds, as well.
- Consider management platform architecture when adding IDS/IPS into your cloud environment. How will you monitor events? If your existing management console is located within your physical environment, you'll need to connect to the cloud sensors for monitoring, and you'll likely want to do this over a VPN connection for security reasons. For many public cloud implementations, this may prove unwieldy, necessitating options like the Amazon Virtual Private Cloud. Alternately, you can create a distributed management architecture, placing a management system in the same cloud environment.
- If you use managed security service providers (MSSPs) for managing and/or monitoring IDS/IPS sensors, check with them before deploying cloud infrastructure, as they may not be equipped to handle these environments.
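As an added example (not code from the original article or from any of the vendors it names), the following Python script shows what the console side of the distributed management architecture described above does once sensors forward their alerts, whether over a VPN from the physical environment or from a management system placed in the same cloud: it parses Snort's fast-alert line format, records which sensor VM sent each alert, and rolls up counts per sensor and per signature while counting lines it could not parse. The sensor names, the syslog-style sensor prefix on each line, and the alert lines themselves are constructed sample data, not captured traffic.

```python
"""Parse Snort fast-format alert lines forwarded by cloud IDS sensors and
summarise them per sensor and per signature, as a central console would."""
import re
from collections import Counter, defaultdict

# Snort "alert_fast" output: timestamp, [gid:sid:rev], message, optional
# classification, priority, protocol, and src -> dst (ports only for TCP/UDP).
FAST_ALERT_RE = re.compile(
    r"(?P<ts>\d{2}/\d{2}-\d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s+(?P<cls>[^\]]+)\]\s+)?"
    r"\[Priority:\s+(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>[\d.]+)(?::(?P<dport>\d+))?"
)

# Constructed sample feed. Each line is prefixed with a hypothetical sensor tag
# (e.g. added by the log shipper) so the console knows which sensor VM sent it.
# The last line is deliberately corrupted to show how bad input is handled.
SAMPLE_FEED = """\
ids-useast-1 01/12-14:23:01.123456  [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.0.1.5:80 -> 10.0.2.10:51234
ids-useast-1 01/12-14:23:04.000001  [**] [1:1000001:1] LOCAL SSH brute force attempt [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 198.51.100.7:44122 -> 10.0.1.20:22
ids-useast-1 01/12-14:23:05.000002  [**] [1:1000001:1] LOCAL SSH brute force attempt [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 198.51.100.7:44123 -> 10.0.1.20:22
ids-euwest-1 01/12-14:23:09.500000  [**] [1:384:5] ICMP PING [**] [Classification: Misc activity] [Priority: 3] {ICMP} 10.1.0.3 -> 10.1.0.4
ids-euwest-1 this line is corrupted and must be skipped
"""


def parse_line(line):
    """Split the sensor tag from the Snort alert; return a dict or None if malformed."""
    sensor, _, rest = line.partition(" ")
    m = FAST_ALERT_RE.match(rest)
    if not sensor or not m:
        return None
    alert = m.groupdict()
    alert["sensor"] = sensor
    alert["prio"] = int(alert["prio"])
    return alert


def summarise(feed):
    """Roll up a forwarded alert feed: counts per sensor, per signature,
    the Priority-1 messages per sensor, and how many lines were dropped."""
    per_sensor = Counter()
    per_sig = Counter()
    high_priority = defaultdict(list)
    dropped = 0
    for line in feed.splitlines():
        if not line.strip():
            continue
        alert = parse_line(line)
        if alert is None:
            dropped += 1          # never silently lose a line; report it
            continue
        per_sensor[alert["sensor"]] += 1
        per_sig[(alert["gid"], alert["sid"], alert["msg"])] += 1
        if alert["prio"] == 1:
            high_priority[alert["sensor"]].append(alert["msg"])
    return {
        "per_sensor": per_sensor,
        "per_sig": per_sig,
        "high_priority": dict(high_priority),
        "dropped": dropped,
    }


if __name__ == "__main__":
    result = summarise(SAMPLE_FEED)
    for sensor, n in result["per_sensor"].items():
        print(f"{sensor}: {n} alerts")
    for (gid, sid, msg), n in result["per_sig"].most_common():
        print(f"  [{gid}:{sid}] {msg}: {n}")
    print(f"priority-1 by sensor: {result['high_priority']}")
    print(f"unparseable lines: {result['dropped']}")
```

The sensor tag is the piece that matters for the architecture question: without it, alerts from several cloud sensors are indistinguishable once they land on the console, and the dropped-line count is what tells you a sensor's log format or shipper has changed rather than quietly shrinking your alert volume.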
Intrusion detection in the cloud: Provider options
Some IaaS cloud service providers include intrusion detection capabilities in their service offerings. Verizon Communications Inc.'s Terremark subsidiary offers one of the broader varieties of intrusion detection services in its Enterprise Cloud environment. Services range from traditional host- and network-based IDS and IPS to fully managed network flow monitoring for behavioral analysis and full packet capture for network and security analytics.
Datapipe, a Jersey City, N.J.-based cloud and infrastructure services company, offers several IDS options. As a cloud provider, it offers IDS monitoring services to any of its cloud infrastructure customers. However, Datapipe also offers a service called "Managed AWS" where Amazon customers can have some or all of their systems managed by Datapipe, security included. As Datapipe uses Alert Logic's Threat Manager IDS monitoring system, this is convenient, since the Alert Logic platform is natively available as an Amazon Machine Image for use in the Amazon cloud.
Amazon, as one of the largest public cloud providers, has a number of natively available options for customers that want to install and manage their own IDS sensors and rules. The Snort IDS is available as a community-driven EC2 image (one Amazon did not create) that can be installed with support for Sourcefire's commercial Vulnerability Research Team (VRT) rule set. This allows EC2 customers to easily install and integrate IDS sensors into their public cloud environment with commercial support from Sourcefire.
A new system that has appeared on the Amazon marketplace for intrusion detection and other security monitoring capabilities is the MetaFlows Inc. Security System for EC2. San Diego, Calif.-based MetaFlows offers a variety of malware detection and prevention services, and its software is able to integrate with both Amazon and VMware hypervisors, allowing customers with hybrid cloud environments to integrate monitoring and intrusion analysis capabilities in one place. MetaFlows also integrates geo-location data and other threat intelligence feeds to help detect botnets and other malicious activity.
Organizations looking to implement intrusion detection in the cloud may also want to consider host-based intrusion detection options. For organizations using IaaS cloud services, the easiest approach may be to install whatever products or agents you currently deploy on your internal systems onto virtual machines in the cloud environment. Newer options are also available, such as CloudPassage, which uses installed agents to monitor systems for events and also allows for firewall and configuration management of cloud systems. In addition, cloud provider Savvis offers managed host-based IDS for customer systems.
Right now, there's still some immaturity around cloud IDS. Most of the traditional vendors like McAfee, HP TippingPoint and others haven't specifically adapted their products for public cloud use, although they all have virtual appliances that will work in private cloud environments. For most customers today, intrusion detection will likely fall largely to the cloud providers, especially for PaaS and SaaS environments. In the future, however, the level of configuration control and management we're used to internally will likely be available.
About the author:
Dave Shackleford is owner and principal consultant at Voodoo Security, senior vice president of research and CTO at IANS, and a SANS analyst, instructor and course author. He has consulted with hundreds of organizations in the areas of security, regulatory compliance and network architecture and engineering. He is a VMware vExpert and has extensive experience designing and configuring secure virtualized infrastructures. He has previously worked as CSO for Configuresoft, CTO for the Center for Internet Security and as a security architect, analyst and manager for several Fortune 500 companies. Dave is the co-author of Hands-On Information Security from Course Technology as well as the "Managing Incident Response" chapter in the Course Technology book Readings and Cases in the Management of Information Security. Recently, Dave co-authored the first published course on virtualization security for the SANS Institute. Dave currently serves on the board of directors at the SANS Technology Institute and helps lead the Atlanta chapter of the Cloud Security Alliance.