Cloud or On-Premise Security: Striking A Balance for Optimal Protection

nikhil

There is an important trend in security that looks to cloud-based resources to help mitigate the rise in virulent cyber-security threats. It is driven in part by the same motives spurring a shift in moving applications, computing and storage functions to the cloud; namely cost effectiveness and reduction in infrastructure management complexity. However, the movement to cloud often creates its own infrastructure management challenges. And in the case of security, it can lead to less than ideal architectures for managing the growing array of threats.

For information security professionals and organizations where strong security is the core requirement, it is critical to consider the common shortcomings of these cloud-only architectures (both on-demand and always-on models) and understand the benefits of leveraging cloud and other deployment models.

Influenced by today’s headlines of mega-sized attacks, some organizations mistakenly conclude that the cloud is the best solution for complete cyber-threat management. While cloud-based resources, such as third-party scrubbing centers, play an important part in a comprehensive security strategy, they have some inherent limitations that make them less than optimal for teams looking for complete protection.

The motivation to quickly move potentially malicious traffic away from networks and application infrastructure to an outside resource is logical, but comes with some implications that warrant consideration. First, many “always on” cloud-based resources require full-time redirection of all traffic to remote security or scrubbing centers. This can introduce non-trivial latency into the application’s performance even during peacetime. Many applications require minimal latency that comes from full management of the security and application infrastructure.

Another overlooked risk of cloud-only security for cyber-attack protection is the collateral risk. For providers delivering customers an always-on option only in the cloud, it’s important to note how quickly a collection of attacks targeting a growing customer base can create a threat against all customers. Alternatively, organizations that leverage cloud resources in conjunction with on-premises components incur none of these risks at peacetime and are able to better detect attacks that can be mitigated without having to swing traffic.

Speed and accuracy are top priorities of service providers looking for cyber-attack protection. For providers offering cloud-only services, there are some challenges to ensuring timely and accurate attack detection.

Many solutions in the market are very specific about the various attack vectors their technology can block, but are generally less specific about how well it identifies and isolates these attacks from legitimate traffic.

Over-mitigation becomes a common problem with many solutions that cannot use a full view into normal traffic patterns to detect anomalies that warrant further inspection for potential malicious intent.

Additionally, cloud-based resources are trying to detect attacks by monitoring sample traffic flows from existing network monitoring tools, such as Netflow data. Typically, these solutions are simply detecting traffic patterns that exceed established rates and thresholds, rather than looking deep into the traffic for behavioral patterns that may signal an attack.

In the end, many cloud-only solutions leave the end customer with the burden of detection and having to make a trade-off between low thresholds for mitigation and low false positive rates.

Lack of On-Premises Limits Cloud View

There are very specific cyber-attack protection strategies that have proven to be more successful than others in defending against increasingly sophisticated adversaries. There is a focus on minimizing ‘time to mitigation’, the period of time it takes mitigation resources to fully understand the nature of an attack and apply the appropriate defense tactics. Many cloud-based defense offerings support a swing or redirection of traffic from the target resources to a scrubbing center for mitigation.

However, without proper visibility into the attack prior to receiving the traffic, these services can take upwards of 30 minutes to start active mitigation and even longer for application of the right tools for effective protection. Conversely, hybrid solutions that combine the cloud-based resources with on-premise components have the advantage of attack visibility in advance of this traffic redirection.

Advanced hybrid solutions go a step further by supporting deep defense messaging between premise and cloud to share a full footprint of the attack and knowledge of already proven mitigation tactics for defense.

Effective Architecture for Threat Vectors

An undeniable fact about the cyber-security threat landscape is that the attacks are rapidly evolving in order to stay ahead of many security technologies and thereby evade detection. The unending race between malicious actors and security professionals largely defines the risk profile of organizations and industries. To better defend against these powerful and dynamic threats, organizations need a thoughtful architecture to stay one step ahead.

There are two particular recent threat types that are trending and creating significant challenges for protection from cloud-only security solutions: Low & Slow attacks and SSL encrypted attacks.

Low & Slow attacks leverage targeted resource exhaustion, going after specific design flaws or vulnerabilities of a server or application with a relatively small amount of malicious traffic, eventually causing it to crash. Low & Slow attacks mostly target application resources (and sometimes server resources). By nature, they are very difficult to detect because they involve connections and data transfers that appear at a normal rate. This creates significant challenges for cloud-only solutions that are either monitoring Netflow data levels or are engaged only when overall traffic rates exceed predetermined thresholds.
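The detection gap described above, as an added illustration that is not part of the original article: an aggregate rate threshold stays silent on a constructed window of connection records, while a per-connection behavioral check flags the source holding many long, nearly idle, unfinished requests. The record layout, thresholds and addresses are assumptions chosen for the example.

```python
from collections import Counter

# Constructed sample records for one 60-second window (not real traffic).
# Each record: (source, duration_seconds, bytes_sent, request_completed)
WINDOW_SECONDS = 60


def build_sample():
    # 40 ordinary clients: short, completed requests.
    normal = [(f"198.51.100.{i}", 0.4, 1800, True) for i in range(1, 41)]
    # One source holding 30 connections open while trickling a few bytes.
    slow = [("203.0.113.7", 58.0, 120, False) for _ in range(30)]
    return normal + slow


def rate_threshold_alert(records, max_bytes_per_second=50_000):
    """Flow-style check: alert only when aggregate volume exceeds a set rate."""
    total_bytes = sum(record[2] for record in records)
    return total_bytes / WINDOW_SECONDS > max_bytes_per_second


def slow_connection_sources(records, min_duration=30.0,
                            max_bytes_per_second=50.0, min_connections=10):
    """Behavioral check: sources with many long, low-throughput, unfinished requests."""
    suspects = Counter()
    for source, duration, sent, completed in records:
        if completed or duration < min_duration:
            continue  # finished or short-lived connections are not counted
        if sent / duration <= max_bytes_per_second:
            suspects[source] += 1
    return sorted(s for s, count in suspects.items() if count >= min_connections)


if __name__ == "__main__":
    sample = build_sample()
    print("rate threshold alert:", rate_threshold_alert(sample))
    print("behavioral suspects:", slow_connection_sources(sample))
```

The behavioral check needs per-connection duration and completion state, which is the kind of visibility the article attributes to a component sitting in the traffic path rather than to sampled flow data.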

The use of SSL/TLS in applications to encrypt traffic and secure end-to-end data transit is on the rise. Many businesses now have a high majority of traffic and transactions occurring through encrypted sessions. The use of encrypted traffic in cyber-attacks is also on the rise, creating significant challenges for many security technologies in terms of computing and capacity, as well as simple visibility into the traffic for attack detection. Most attack mitigation technologies do not inspect SSL traffic, as it requires decryption of the traffic. HTTPS floods (floods of encrypted HTTP traffic) are now frequently part of multi-vulnerability attack campaigns. Compounding the impact of “normal” HTTP floods, encrypted HTTP attacks add several other challenges, such as the burden of encryption and decryption mechanisms.

Cloud-only security solutions require end customers to share private keys and certificates in order to support decryption and inspection of potentially malicious traffic. This compromises the overall security posture of the customer and in many cases will violate compliance with certain security standards.

Correct Cloud Fit

Cloud-based security, much like cloud computing in general, is designed to move the complexity of virtualization and computing resource management away from the end user. In this regard, cloud-based resources should have a significant and meaningful role in modern security architecture. The availability of cloud-based resources can support the need for organizations to tap into massive levels of capacity and computing power in order to defend against large attacks. It can also be leveraged to align with the ongoing migration of applications into cloud hosting environments.

Cloud Security Supporting Application Migration

The migration of applications and computing resources into the cloud is well underway and rapidly accelerating. However, because of legacy business processes; legal, compliance, or resiliency reasons; complications from management; and loss of real-time visibility, most businesses will not be able to completely eliminate IT infrastructure and rely solely on the cloud. As a result, organizations may evolve into a hybrid hosting environment, with applications and resources spread across multiple cloud hosting providers as well as their own data centers.

This hybrid hosting environment creates many challenges for security teams:

• Different operating environments (premise, cloud, hosting, managed, collocated, etc.)

• Ability to detect threats in one location and react in real time

• Crafting the right security rules in one location and automating policies throughout the entire IT and application infrastructure, regardless of whether it is internally owned or operated

• Orchestrating changes to the affected systems quickly and universally. Making changes manually to all the necessary devices can take some time and be prone to mistakes

With the increased focus and attention on headline-grabbing volumetric attacks, the focus on outside cloud-based resources for protection is understandable. But organizations need to keep in mind that these types of threats represent only a small percentage of overall attack volume; roughly 10-15% based on the attacks Radware mitigates on behalf of customers.

The best strategy for protection from today’s advanced threats is an architecture that effectively leverages cloud-based resources for attacks exceeding internal resources and capacity, balanced with on-premises technology for immediate detection and mitigation of non-volumetric threats.