At Trend Micro we are leading the way in security FROM the cloud with our Smart Protection Network by providing threat correlation in the cloud. That strategy, rubbished by some at the time, has since been proved out by the number of competitors now trying to imitate it and by the recent real-world test results from NSS Labs.
We were also lucky enough to acquire Third Brigade, a Canada-based security firm, earlier this year and get our hands on their superb “Deep Security” threat protection for Virtual servers. More than just protection ahead of the patching cycle it offers excellent resource optimisation by utilising the VMSafe APIs to do much of the work once per physical server, rather than once per virtual machine.
As one of a select group of major companies that have seen the technology evolution through DOS, Windows, client-server and now cloud, you’d expect Trend to be working hard on what security FOR the cloud needs to look like, and of course we are. It’s easy to think that the public cloud is really just like a shared private cloud – one that you buy a little piece of when you need some computing power (and indeed it’s often marketed that way). From a processing perspective that’s a reasonable description, but from a security perspective it’s anything but…
A private cloud is really the ultimate goal of a virtualized data centre. First you take your physical servers and make them virtual servers to reduce your hardware costs and increase flexibility. If you are smart you implement something like Deep Security to optimise your security posture. Then you look towards resilience, using shared storage and dynamic migration of virtual servers from one host to another in the event of hardware failure. Ultimately you may have burst capacity so you can spin up extra servers for particular tasks and hibernate others depending on the workload throughout the day or year (think of the holiday season rush or closing the books at the end of a fiscal quarter). You may even go the whole way and get all of that working across data centres to provide redundancy, scalability and performance. We’ve been living that for a while now with the Smart Protection Network. We’ve learnt a lot of lessons doing this for ourselves on a massive scale, and we can pass those lessons on to our customers and use them to shape the products we build. Still though, through all those stages there is a common factor – it’s just you in the private cloud. You can still put a wall around your whole resource pool, filter everything and try to keep the bad guys out.
In the public cloud your provider runs something that looks pretty similar to the ultimate private cloud described above, and they can carve you out a piece of that, charged on a per-use basis, that looks pretty much like your own private cloud. There is, however, a big difference. Instead of being protected by a strong perimeter, your servers are sitting alongside those of strangers, competitors and inevitably the same organized criminals that you work so hard to keep outside the perimeter of your data centre today; the only barrier to entry inside that perimeter is possession of a credit card number (stolen or otherwise)! So how do you guard against that?
Security FOR the cloud means that the host must defend itself. Defend itself at the front end, because the firewall rules may be inadequate and because it may be attacked from within the firewall. Defend itself, and its data, at the back end, because there are a lot of strangers sharing the same storage and the “trust us, our systems can’t be hacked” security model that your cloud provider offers has been proven over and over to be the worst one in town. Can that really be done? Can the host defend itself in a shared environment well enough to provide compliance in the cloud? We believe it can, and that we have the building blocks to augment public cloud security in the future. Security FOR the cloud is available today (Deep Security 7.0), with further pieces under development.