When your servers are in the cloud, your own perimeter provides no protection, and the security you get is often "lowest common denominator security", which undermines both confidence and compliance. Co-location of virtual instances and data with those of strangers, competitors and possibly even malicious actors (we have already seen criminal activity being hosted in Amazon's EC2 cloud, for example) brings a host of new challenges. How do you maintain confidence that a dormant virtual machine is free of infection? How do you manage traffic between virtual machines from a security standpoint? How can you deal with emerging threats like malware capable of breaking out of a virtual machine to infect the host OS? What mitigation exists against insider attacks? How do you maintain an effective patching regime in a zero-downtime environment?
For security to be effective in the cloud it needs to be enforceable, configurable and auditable at the virtual machine level; deep packet inspection firewalls and application-level intrusion prevention are key technologies here. According to the recently released IBM X-Force Trend report, of all the web application vulnerabilities disclosed in 2008, 74% still had no vendor-supplied patch available by the end of the year. At the same time SQL injection has become the most common attack vector. SQL injection attacks against cloud-based services open up the possibility of large-scale data compromise and, in extreme cases, even allow the upload of malicious code. Web application firewalls should filter out anomalous traffic before it can reach data or servers.
For those vulnerabilities where a patch is made available, it is often difficult to deploy it in a timely manner to cloud-based services where downtime is undesirable. In many cases virtual machines are deployed in environments where patching windows have been minimised or eliminated altogether, leaving the virtual machines vulnerable to attack and compromise from both inside and outside the host environment. It is essential that a system can operate in a non-vulnerable state even where patches have not yet been applied; host-based intrusion prevention should allow you to achieve this by blocking exploitation attempts against the unpatched vulnerability.
Traditional anti-malware solutions for virtual machines prove inadequate on a number of levels. Most obviously, they can place a heavy load on the host operating system, especially when a regularly scheduled scan takes place; because they are typically not VI (virtual infrastructure) aware, simultaneous full system scans across many guests can cause huge performance degradation. In most cases VM security solutions are also unable to scan or update dormant machines, which means that when those machines are brought online their virus pattern files may well be out of date, leaving them at risk. The disclosure this year of a VMware vulnerability that allowed malware on a compromised virtual machine to execute code on the host has certainly raised the stakes (and given some malware researchers pause for thought too)!
In the final analysis, security in the cloud is essential simply because the safety of your customers, your employees and your business should not be sacrificed in the name of economy.