Data Center Security Fails In The Cloud. What To Do About It Is Easier Than You Might Think.

    by Erik Freeland 09 November 2018

    TL;DR: Legacy data center approaches to security fail in the cloud. Chokepoint tapping, pre-defining endpoints and network edges for monitoring are examples of legacy data center architectures that, if forced onto the cloud end up nerfing the cloud. Instead, security, devops and high availability teams should treat everything in the cloud as an individual resource, implement policy-driven solutions that automatically include new cloud resources as they spin up and spin down, and make use of cloud native capabilities that don’t interrupt and disrupt the applications and operating systems they’re supposed to protect. Nubeva Prisms does that.

    Digital transformation is changing every aspect of how we approach information technology. This change has been resonating throughout the security industry for many years. Security practitioners are now faced with understanding the risks, threat vectors and security postures of their cloud environments. One of the key elements you quickly realize, is that visibility in the public cloud, is nothing like visibility in the on-premises data center.


    The most obvious difference is that there is no hardware, no physical ports and no cables. All of the techniques that have been used over the years – spans / port-mirrors, optical taps, etc. - are irrelevant in the public cloud. In on-premises data centers, we have used network choke points as the preferred location for security monitoring tools. As budgets allows, these same tools have been deployed to various locations through your network.


    On-Premises Solutions That Fail The Cloud #1: Lifting-and-shifting this kind of a legacy data center strategy fails in the cloud. Choke-point and edge tapping is inefficient in the cloud; choke-points are artificial and edges are ephemeral. Inline choke-point insertion is risky and can significantly degrade the elastic advantages and dynamic nature of the cloud.

    What To Do About It: The only solution is to approach everything in the cloud as an individual resource.

    The next meta concept facing security teams is harnessing the elastic nature of clouds to supply needed data streams to on-premises tools. While it is possible to operate very elastic on-premises solutions, in general, the cloud is much more responsive and elastic than any traditional data center. This elasticity is a huge benefit of the cloud and must be taken into account when architecting security solutions.

    On-Premises Solutions That Fail The Cloud #2: Pre-defining endpoints for monitoring and requiring additional software be installed on VMs or inserted at pre-defined network locations simply doesn’t work in the cloud. Installing software like drivers or agents consume resources, interrupt the function of the applications and OSs they’re supposed to protect and may even introduce new threat vectors (e.g. if they require root or admin level access to properly function). It’s possible but not practical to try and pre-define all endpoints and edges because doing so erases the key benefits of the cloud. Cloud resources scale and launch automatically. They terminate just as quickly. Container services are meant to be constantly adjusting to load conditions. As they spin up and down, new network connections are created and extinguished in tandem. Nerfing your cloud so you can apply old and expensive security paradigms is a recipe for disaster.


    What To Do About It: The ideal solution is to have a policy-driven, cloud-native solution to acquire, process and distribute cloud packet traffic from any ephemeral cloud resource and deliver it to any destination. Policy-driven means that elastic resources meeting the policy criteria are automatically included in visibility pools. Cloud-native means that the solution uses modern microservice or even headless delivery approaches like containers, Kubernetes clusters or single include statements for headless / lambda execution – much like implementing a logging handler. Schedule a one-on-one tech-talk with our cloud experts today. No sales. Just solutions.

    The best solutions to the cloud visibility problem must address these two issues. It must be extensible to any number of potential sources in the cloud. And it must scale dynamically as the cloud itself scales. Nubeva Prisms checks both these boxes and several more. Nubeva Prisms acquires packet-level traffic from virtual machines, containers and other elements of the public cloud today. In addition, Nubeva Prisms will scale automatically, based on rules and criteria triggers as additional elastic sources come on line. Prisms’ container-based Packet Services Processor uses native cloud container solutions for dynamic scalability as the amount of traffic in the system increases. Nubeva can also ensure that your tools can scale as well by load-balancing replication to any number of destinations.


    As security teams acclimate to the cloud, they need to take these fundamental architectural changes into consideration. They also need to look at changes to threat analysis models and incident response plans. They need to look at any relevant governance, regulatory or compliance requirements. Wherever you end up, Nubeva Prisms is the fastest, easiest and most advanced way to enable complete cloud security with the tools and teams you’ve already invested in.


    Schedule a one-on-one tech-talk with our cloud experts today. No sales. Just solutions.


    Tags: cloud network cloud security cloud taps AWS Azure Cloud Packet Broker Cloud Solution Packet Visibility data center packet broker

    Want to learn more?

    Request a Demo

    Sign Up for FREE Trial

    Sign Up

    Subscribe Here!

    View video