The New Era of On-Demand Cloud Security
Author:Erik Winebrenner, CSC
The cost benefits of moving server workloads to public cloud environments are far too great to ignore, but traditional security solutions and public cloud "add-to-shopping-cart” security features will not bring the savings many organizations may envision.
Every day another business unit is standing up its own systems and workloads in the cloud, putting sensitive company information at risk from advanced persistent threats (APTs) and threats from other sophisticated adversaries. To gain control, organizations need a single security platform that allows them to manage all of their cloud and virtual workload security, while paying only for the security services being consumed. Read this paper to learn the latest trends in on-demand workload protection, based on pay-per-usage cost.
Typically, cloud consumers try to extend their traditional security controls to cloud workloads. However, the cloud and virtual infrastructure lack natural borders. Traditional big-box security controls such as antimalware, host-based intrusion prevention systems (HIPS), vulnerability scanning, host-based firewalls, configuration compliance, file integrity monitoring and other techniques depend on big-box infrastructure, skills and management, which are costly and quickly eat up most of the cost savings organizations had gained from moving to the cloud in the first place.
Although some security controls can be purchased directly from cloud providers through a shopping-cart system, each requires self-management. Keeping track of systems across cloud providers can be tedious — assuming IT even knows which business units have deployed to which public clouds.
Maintaining policies, configuration and reporting of public cloud activities is not for the faint of heart. Alerts and incidents for multiple cloud workloads require a costly dedicated security operations center (SOC). Organizations that begin to add up all of the costs of securing their “cost-saving” moves to the cloud begin to question its true benefit.
CSC has an alternative position on cloud security: Since a chief cost-saving benefit of the cloud is the ability to pay only for services that are being consumed, CSC believes that cloud security should also be paid for according to usage.
Industry shift to flexible, consumption-based security models
The industry is shifting rapidly from traditional security models, provided 24/7, to flexible security models that are delivered as a service.
Consider: A company is managing transactional cloud systems that are up and running 70 percent of the week or for a limited number of days per week. When the company’s cloud workloads are dormant, it also wants the security service that is protecting them to be dormant. The company does not want to be paying for 24x7 workload security when its cloud servers are not up and running.
Traditional security tools simply do not work well in dynamic virtual environments. They require a heavy footprint on each workload, which can affect server performance, and they do not scale well. Neither can they be configured to scale automatically based on prepared security policies, scripts and instructions. They require extensive manual labor and the use of multiple monitoring and reporting tools.
Because of the cost and effort required, organizations often end up picking and choosing which servers will receive a full set of security tools — leaving many other servers unprotected and vulnerable to attack.
Lightweight agents: the key to enabling an “as-a-service” security model
Rather than deploy traditional, 24x7 security services, the industry is shifting to the deployment of lightweight, nondisruptive security agents that can monitor every server instance, anywhere in an enterprise — delivering instant visibility into all public, private and hybrid clouds, as well as virtualized data centers.
Typical agents deploy quickly and easily through orchestration tools, with automated scripts, or they can be deployed manually. They establish a single platform through which users can maintain complete visibility into all virtual workloads and applications. For instance, if a business unit has set up 500 workloads utilizing a public cloud service, all IT needs to do is deploy an as-a-service security agent to those workloads. The cloud workloads will then be visible via the security platform and begin receiving security services immediately.
The agents are deployed through orchestration tools, with scripts or manually — even on live systems — without rebooting. Users can automate workload firewalls, receive information on important security events, see any systems left exposed to newly discovered vulnerabilities, discover configuration issues, and receive alerts if any workloads have been tampered with.
Pulse, CSC’s proprietary portal, delivers a comprehensive set of features that allows users to maintain complete visibility into all of their systems with a single user interface. It is a comprehensive online portal through which users can conveniently manage all security and compliance needs for every cloud workload.
Key features to look for in cloud security providers
- On-Demand Workload Protection – Organizations need a comprehensive set of continuous security and compliance functions right where it counts — at the workload. The security platform should be able to orchestrate security on-demand, at any scale and work in any cloud or virtual infrastructure, providing clear visibility into all of an organization’s traditional and next-generation platforms and workloads.
- Flexible consumption-based delivery – If a virtual workload runs only three days per week, the security service should also run only three days a week — or be flexible enough to be run at any daily, weekly or monthly interval, as desired.
- Centralized visibility through a single portal – The point of moving to the cloud is to save time and money. Our Pulse portal gives you clear visibility into your entire cloud workload security posture, even when it spans multiple cloud providers.
- Cloud and virtual application regulatory compliance – New rules and regulations are emerging daily, and cloud workloads may need to comply with a variety of regulatory controls (e.g., ISO-27001, FISMA, NIST, HIPAA, PCI DSS). It’s important that customers be able to track and
- report on all systems that fall under compliance regulations — SOX, SOC2, PCI DSS, HIPAA or others — to ensure that their cloud workloads are in full compliance.
- Proven cloud security experience and global capabilities – In the security business, experience matters. To keep abreast of emerging threats requires an extensive global risk-management footprint and proven track record. Skilled staff should monitor your cloud workloads for threats
- 24x7x365. There is no substitute for deep industry experience across multiple industries and accessibility to knowledgeable security specialists.
Conduct business in the cloud with confidence
Cybersecurity is no longer a mere compliance matter or the “cost of doing business.” With different business units standing up their own cloud workloads daily, cybersecurity has become a primary business challenge that requires organizations to choose the right managed security services provider.
CSC’s Cloud Security Services can help organizations conduct business in the cloud with confidence that their sensitive company information is being protected, while they are also saving money.