“SDP-as-a-Service” emerging as solution for cloud giants
While demand for private, public and hybrid cloud infrastructure continues to grow exponentially, nagging questions about public cloud security remain.
Recent high-profile reports of AWS cloud data leakage due to misconfiguration continue to expose the issue of unqualified users attempting to secure public cloud infrastructure.
At the risk of oversimplifying the problem, public cloud vendors typically offer solutions that secure the network infrastructure and systems, but leave it up to users to secure their services and critical applications. AWS, based on its experience with the Federal Government and the world’s largest enterprises, provides exceptional security controls and guidelines. But it is still up to the user to have the expertise and judgement to take responsibility for effectively securing their services and applications, and to avoid misconfigurations that could undermine security.
Public cloud is a complex environment for even the most experienced engineers. The problem is further exacerbated by the rapidly increasing use of public cloud, which raises the potential for even more misconfigurations and security failures. Public clouds are just that: public. Anyone can attempt to deploy and secure them.
And while AWS has done a credible job of assisting users and providing controls for them, its acknowledgement of and accountability for the recent data leaks show that it needs to do more to protect users.
In an interview with SearchSecurity, Ben Johnson, CTO at cloud security provider Obsidian Security, based in Newport Beach, Calif., said both user error and Amazon shared blame for the series of cloud data leaks.
The problems arise because users are expected to manually perform crucial aspects of securing critical applications, such as vetting users and their connections to data and devices before those connections are allowed to retrieve data. This, combined with a lack of visibility, has led to the increase in public cloud misconfigurations, particularly as it relates to effectively securing applications and infrastructure in runtime environments.
“In the end, Amazon needs to do more. It goes back to the challenge that too many security controls make it harder to install, configure, deploy and monitor your services and apps, and too few security controls lead to risk and vulnerability,” Johnson said. “Amazon needs to take a stronger look at the built-in security, but it will always be, first and foremost, the responsibility of Amazon’s AWS customers to make sure their systems and data are appropriately protected.”
And it is not just AWS. Rich Mogull, analyst and CEO at Phoenix-based Securosis, told SearchSecurity that he “would be shocked” if similar user errors and misconfiguration didn’t exist on other cloud platforms like Microsoft Azure, Google Cloud and Dropbox.
But there is an emerging opportunity for AWS, and the other cloud platforms, to lead by starting to educate their customers on other proven options for securing public cloud infrastructure.
The answer may lie in Software Defined Perimeters (SDPs), a groundbreaking and highly regarded security protocol that establishes an undetectable application infrastructure to protect mission-critical applications and client data operating on networks and in the cloud.
SDPs automate the crucial processes of vetting users and connections in an “authenticate first” approach. Even if there are misconfigurations, the SDP inherently acts as the extra layer that prevents unauthorized access and infiltration of data.
SDP is based on a strong security model that only allows TCP connections from pre-authorized users and their devices. The primary effect of the SDP is that it transforms the application infrastructure into an effectively invisible or “black cloud” environment that exposes no domain name system (DNS) information or IP addresses.
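As an added illustration, not code from the original article or from any SDP vendor, the following Python sketch models the “authenticate first” flow described above: a controller issues a short-lived, signed grant only to a pre-authorized (user, device, service) tuple, and a default-deny gateway in front of the service admits a TCP connection only when such a grant is presented. The shared key, policy table, identities and service names are constructed for the demo, and the protected service is deliberately modelled as misconfigured (it would answer anyone) to show that the gateway still keeps it dark to unauthorized clients.

```python
import hmac, hashlib, time

# Constructed demo values: shared controller/gateway key and a pre-authorization policy.
CONTROLLER_KEY = b"constructed-demo-key"
POLICY = {("alice", "laptop-01"): {"payroll"}, ("bob", "phone-07"): {"wiki"}}
GRANT_TTL = 60  # seconds a grant stays valid

def _sign(user, device_id, service, exp):
    msg = f"{user}|{device_id}|{service}|{exp}".encode()
    return hmac.new(CONTROLLER_KEY, msg, hashlib.sha256).hexdigest()

def controller_authorize(user, device_id, service, now=None):
    """Controller: 'authenticate first'. Only a (user, device) pair pre-authorized for
    this service receives a short-lived signed grant; everyone else gets nothing."""
    if service not in POLICY.get((user, device_id), set()):
        return None
    exp = int(time.time() if now is None else now) + GRANT_TTL
    return {"user": user, "device": device_id, "service": service, "exp": exp,
            "sig": _sign(user, device_id, service, exp)}

def gateway_accept(grant, service, now=None):
    """Gateway in front of the service: default-deny. A connection is admitted only with
    an unexpired grant whose signature verifies and that names *this* service."""
    if grant is None:
        return False
    expected = _sign(grant["user"], grant["device"], grant["service"], grant["exp"])
    if not hmac.compare_digest(expected, grant["sig"]):
        return False  # tampered grant (e.g. service field changed after issue)
    if grant["service"] != service:
        return False  # valid grant, but for a different service
    return (time.time() if now is None else now) < grant["exp"]

def reach_service(grant, service, now=None):
    """The protected service is modelled as misconfigured: it would answer anyone.
    It only ever sees traffic the gateway admitted, so unauthorized clients get no
    reply at all and cannot even confirm the service exists."""
    if not gateway_accept(grant, service, now):
        return None
    return f"{service}: hello {grant['user']}@{grant['device']}"

def connect(user, device_id, service, now=None):
    """Whole client flow: authenticate with the controller, then present the grant."""
    return reach_service(controller_authorize(user, device_id, service, now), service, now)

if __name__ == "__main__":
    print(connect("alice", "laptop-01", "payroll"))    # admitted
    print(connect("mallory", "laptop-01", "payroll"))  # None: dropped silently
```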
SDP is an emerging solution that could be provided as a service (SDPaaS) and should be seriously evaluated by public cloud providers.
Considering AWS’s increasing interest in providing customers with a wide range of complementary services, evaluating SDPaaS would seem to be a no-brainer, and it might be the start of something much bigger for the industry and the future of public cloud and shared infrastructure, particularly for mission-critical applications.
For more information on Software Defined Perimeters, check out this white paper.