ProActive Defense with Mauricio Sanchez

July/August '09


Network security in the cloud

Cloud computing means different things to different people, but most analysts agree it is a style of computing in which IT resources are delivered as services over the Internet. It removes the need for enterprise resources and their users to be physically close to one another.

Clouds come in two forms: global (public) and private. A private cloud is one an enterprise builds for its own use, analogous to an intranet, which can be thought of as a private subset of the Internet. Global clouds are the kind we most commonly hear about, from providers such as Amazon.com and Google.

The promises of cloud computing include:

  • Cost reduction, through economies of scale, less up-front investment in equipment, and avoidance of over-provisioning.
  • Risk reduction, because it offloads the risk of running a data center, data protection, and disaster recovery.
  • Greater ability to focus on core competencies, due to reduced effort and administration devoted to IT operations as well as more IT automation.
  • Enhanced operational flexibility, including faster roll-out of new services and retirement of old ones, ability to rapidly scale processes up or down to meet changing business needs, quicker time to market (lower barriers to innovation), and easier access to enterprise resources from any place, any device, any time.

As with any new technology, however, cloud computing comes with a few cautions, as well. Let’s explore some advantages and disadvantages posed by cloud computing, specifically in the area of network security.

Cloud security pluses and minuses
Just as physical clouds obscure areas of the sky, so computing clouds obscure areas of your physical IT and networking infrastructure. From a security standpoint, this obscuration leads to both protective benefits as well as challenges for visibility and control of data and processes.

Some security benefits provided by cloud computing include:

  • Centralizing data in the cloud leaves fewer copies scattered across endpoints and removable media, which reduces leakage and makes the data easier to monitor. Tenant separation in the platform also keeps customer data from being inadvertently mixed with an enterprise's internal data.
  • If a security incident does occur, a well-run cloud platform offers good forensic readiness: the evidence needed to trace the cause of an incident is already centralized, so in many cases the response can be faster and better targeted.
  • Disaster recovery and password-strength (assurance) testing are typically built into the cloud computing platform rather than bolted on by each customer.
  • To remain competitive, cloud computing vendors have a strong incentive to keep improving their security processes.
  • Hiding the physical infrastructure from outsiders (and from other tenants) limits what an attacker can learn about where resources and data live; this obscurity complements the provider's actual controls but is not a substitute for them.

At the same time, however, cloud computing introduces novel security challenges, primarily in areas such as governance, compliance, data privacy, service availability, and identity management. Cloud-related security concerns, which represent the “soft underbelly” of cloud computing, demand certain trade-offs.

Think about it: In cloud computing, an enterprise must entrust its data, and sometimes its applications, to an outside provider. It’s easy to lose track of what happens to the data, where and how it is being stored, who has access to it, what protections are in place, how applications interact with one another, and how well protective measures are being followed. Cloud computing requires greater trust in things such as service-level agreements (SLAs) and contracts, in addition to security technologies – especially for those portions of the process where data is being handed off from one controlling entity to another.

It takes an ecosystem to manage a cloud
HP and HP ProCurve believe strongly that cloud computing requires the support of a fully interoperable ecosystem that extends from the desktop to the data center to the cloud. Under the auspices of the HP Secure Advantage Alliance, for example, security permeates and is coordinated among applications, servers, networks, storage devices, and clouds.

HP Secure Advantage reduces the complexity, risk, and cost of security by combining expert knowledge, proven methodologies, and global resources to achieve better business outcomes. As a result, it can protect data and resources, provide validation, and reduce complexity through adaptive controls of systems and networks. When extended to the cloud, such a coordinated ecosystem fosters trust in the security of your data, applications, and networks.

Within the Secure Advantage framework, HP ProCurve’s proven network security strategy – ProActive Defense – plays an important role. As you’ll no doubt recall, ProActive Defense is a comprehensive, multi-layered approach to network security focusing on a trusted infrastructure plus simultaneous “offense” (access control) and “defense” (threat management) measures.

Of particular importance in cloud computing is ProActive Defense’s trusted infrastructure, which ensures the network and its resources remain robust, highly available, and authenticated to one another. When combined with access control and threat management solutions, this trusted infrastructure enhances visibility into and control over networking operations, whether physical, virtual, or distributed in the cloud.

ProActive Defense is not itself a product, but ProActive Defense capabilities are woven into HP ProCurve products, both hardware and software. Some specific examples include:

  • HP ProCurve Switch 5400zl and 8200zl series offer security built into the switches, not bolted on as an afterthought. Built-in (i.e., “free”) security features of these HP ProCurve switches include:
    • sFlow traffic visibility
    • Virus Throttle network scan protection
    • User authentication: 802.1X, Web Auth, and MAC Auth, with per-user access control lists (ACLs), rate limits, quality of service (QoS) settings, and VLAN assignment applied on successful authentication
    • Eavesdrop prevention
    • Port security
    • MAC lockdown and lockout
    • Anomalous behavior detection
    • Secure route updates
  • HP ProCurve Identity Driven Manager (IDM), a plug-in to ProCurve Manager Plus (PCM+) network management software, dynamically applies network security (as well as performance) settings based on specific types of users, devices, locations, times, endpoint health, and other variables. IDM allows network administrators to centrally define and apply policy-based network access rights, to efficiently and automatically manage the users and devices connecting to the network.
  • HP ProCurve Network Immunity Manager (NIM), also a plug-in to PCM+, detects and automatically responds to internal network threats such as virus attacks, leveraging security and traffic-monitoring features built into ProCurve switches and performing network behavior anomaly detection (NBAD) to detect attacks. NIM provides visibility into internal network threat activity to help increase network availability.
  • HP ProCurve Threat Management Services zl Module, a multifunction security system for the HP ProCurve Switch 5400zl and 8200zl series, comprises a stateful firewall, intrusion detection/prevention system (IDS/IPS), and VPN concentrator – enabling network administrators to compartmentalize department traffic, protect the network from malware, and provide secure remote access and site-to-site connectivity.
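The IDM description above lists the inputs of a policy decision (user, device, location, time, endpoint health) but not how those inputs combine. The following is an added example written for this page, not HP IDM code: a small rule engine in Python that turns those variables into the profile a RADIUS server would return to an 802.1X authenticator (VLAN, ACL name, ingress rate limit). Group names, VLAN numbers, ACL names, the business-hours window and the rule order are all constructed assumptions; only the three RADIUS VLAN attributes are standard (RFC 3580).

```python
"""Policy-based network access decisions, modelled on the variables the column lists
for Identity Driven Manager (user, device, location, time, endpoint health).

Added example written for this page; not HP IDM code. Group names, VLAN numbers,
ACL names, business hours and rule order are constructed."""
from dataclasses import dataclass
from datetime import time
from typing import Optional


@dataclass(frozen=True)
class Session:
    user: str
    group: str        # directory group: "finance", "engineering", "contractor", ...
    device: str       # device class from fingerprinting: "managed-laptop", "ip-phone", "unknown"
    location: str     # where the switch port lives: "hq-floor3", "lobby", "datacenter"
    when: time        # local time of the authentication attempt
    healthy: bool     # endpoint health check passed (patch level, anti-virus, ...)


@dataclass(frozen=True)
class Profile:
    vlan: int
    acl: str
    rate_limit_kbps: Optional[int] = None   # None means no ingress limit


# Constructed profiles. A decision of None means "no profile": access is denied
# and the switch leaves the port unauthorized.
QUARANTINE = Profile(vlan=999, acl="remediation-only")
GUEST = Profile(vlan=200, acl="internet-only", rate_limit_kbps=2000)
VOICE = Profile(vlan=50, acl="voice-only")
BUSINESS_HOURS = (time(7, 0), time(19, 0))


def within(t: time, hours) -> bool:
    start, end = hours
    return start <= t <= end


def make_session(user, group, device, location, hour: int, healthy: bool) -> Session:
    """Convenience constructor: hour of day as an int instead of a datetime.time."""
    return Session(user, group, device, location, time(hour, 0), healthy)


def decide(s: Session) -> Optional[Profile]:
    """First matching rule wins; the order encodes the priorities."""
    # 1. Endpoint health is checked before identity: an unpatched finance
    #    laptop is still a threat, so it goes to the remediation VLAN.
    if not s.healthy:
        return QUARANTINE
    # 2. Device type can override the user: phones get the voice VLAN on any port.
    if s.device == "ip-phone":
        return VOICE
    # 3. Contractors: guest network only, during business hours, and never
    #    from a data-center port, whatever credentials they present.
    if s.group == "contractor":
        if s.location == "datacenter" or not within(s.when, BUSINESS_HOURS):
            return None
        return GUEST
    # 4. Employees reach their department's servers only from managed devices;
    #    from an unknown device they are treated like guests.
    if s.device != "managed-laptop":
        return GUEST
    if s.group == "finance":
        return Profile(vlan=110, acl="finance-servers")
    if s.group == "engineering":
        return Profile(vlan=120, acl="engineering-lab")
    # 5. Default for anyone else: least privilege, i.e. the guest profile.
    return GUEST


def radius_attributes(p: Profile) -> dict:
    """Encode the VLAN part of a profile as the standard RADIUS attributes
    (RFC 3580) a RADIUS server returns to an 802.1X authenticator such as a
    switch. ACL and rate-limit attributes are vendor-specific and not shown."""
    return {
        "Tunnel-Type": 13,               # VLAN
        "Tunnel-Medium-Type": 6,         # IEEE-802
        "Tunnel-Private-Group-ID": str(p.vlan),
    }


if __name__ == "__main__":
    alice = make_session("alice", "finance", "managed-laptop", "hq-floor3", 9, True)
    print(decide(alice), radius_attributes(decide(alice)))
```

The point of the ordering is that the most dangerous condition (a failed health check) is evaluated before anything the user or device claims about itself, and that the fall-through case is the least-privileged profile rather than an open port.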
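The NIM item above says it performs network behavior anomaly detection on the switches' traffic-monitoring data, and the switch list names Virus Throttle, but neither says what signal is actually used. The following is an added example written for this page, not HP Virus Throttle or Network Immunity Manager code: a simplified Python detector over constructed sFlow-style flow records that implements the classic worm-propagation signal, a source contacting many previously unseen destination hosts within a short window. The window size, threshold, addresses and sample flows are all constructed assumptions.

```python
"""Network behaviour anomaly detection over flow samples: a simplified model of
the "many new destinations in a short time" signal that worm throttling and
NBAD tools rely on. Added example written for this page; not HP Virus Throttle
or Network Immunity Manager code. Records, addresses and thresholds are
constructed."""
from collections import defaultdict, deque
from typing import Dict, Iterable, List, Tuple

# (timestamp_ms, src_ip, dst_ip, dst_port): the fields of an sFlow sample used here
Flow = Tuple[int, str, str, int]


class NewHostRateDetector:
    """Alerts when a source contacts more than `threshold` previously unseen
    destination hosts within a sliding window of `window_ms` milliseconds."""

    def __init__(self, window_ms: int = 1000, threshold: int = 10):
        self.window_ms = window_ms
        self.threshold = threshold
        self.seen: Dict[str, set] = defaultdict(set)        # src -> working set of destinations
        self.recent: Dict[str, deque] = defaultdict(deque)  # src -> first-contact times in window
        self.alerts: List[Tuple[int, str, int]] = []        # (ts, src, new hosts in window)

    def observe(self, flow: Flow):
        ts, src, dst, _port = flow
        if dst in self.seen[src]:
            return None                  # repeat contact: normal behaviour, not counted
        self.seen[src].add(dst)          # (a production detector ages this set out)
        window = self.recent[src]
        window.append(ts)
        while window and ts - window[0] > self.window_ms:
            window.popleft()             # drop first contacts that fell out of the window
        if len(window) > self.threshold:
            alert = (ts, src, len(window))
            self.alerts.append(alert)
            return alert
        return None


def flagged_sources(flows: Iterable[Flow], window_ms: int = 1000,
                    threshold: int = 10) -> Dict[str, int]:
    """Run the detector over the flows in time order; return {src: first alert time}."""
    det = NewHostRateDetector(window_ms, threshold)
    for flow in sorted(flows):
        det.observe(flow)
    first: Dict[str, int] = {}
    for ts, src, _count in det.alerts:
        first.setdefault(src, ts)
    return first


def sample_flows() -> List[Flow]:
    """Constructed sFlow-style samples: a normal workstation and a scanning host."""
    flows: List[Flow] = []
    servers = ["10.0.2.10", "10.0.2.11", "10.0.2.12"]
    for i in range(30):                  # workstation: three servers, repeatedly, over 10 s
        flows.append((i * 330, "10.0.0.5", servers[i % 3], 443))
    for n in range(1, 41):               # scanner: 40 hosts on TCP 445 within 0.4 s
        flows.append((5000 + n * 10, "10.0.0.66", f"10.0.1.{n}", 445))
    return flows


if __name__ == "__main__":
    print(flagged_sources(sample_flows()))   # {'10.0.0.66': 5110}
```

The workstation is never flagged because it keeps returning to the same three servers; the scanner trips the threshold on its eleventh new host, 110 ms into the sweep. A response (rate-limiting or quarantining the source port) would hang off the returned alert. Two caveats a practitioner should keep in mind: a scan paced slower than the window evades this single signal, and legitimate "fan-out" hosts such as DNS or mail servers need either a higher threshold or an exemption, which is why a real NBAD system correlates several signals rather than relying on one.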

Cloud computing is still an evolving work in progress, and network security will also need to continue evolving within this new environment. As we always say, however, the best approach to network security remains a comprehensive approach combining a trusted infrastructure with simultaneous access control and threat management capabilities. In other words: following the HP ProCurve ProActive Defense strategy.

Mauricio Sanchez, MSEE, CISSP, is the Chief Network Security Architect for HP ProCurve. He is responsible for specifying ProCurve’s ProActive Defense security technology strategy across all product lines.