Today, most organisations deploy virtualisation technologies without involving information and network security teams in the initial planning stages. As a result, many organisations are simply retrofitting their virtual networks with existing physical network security strategies and technologies. This lack of foresight and technological preparedness drastically weakens network security, which presents the biggest known challenge to the success of cloud computing with large-scale organisations.
In response, Stonesoft has identified five ways IT teams can protect themselves against cloud security threats and attacks, while helping ensure the success of their cloud computing strategies. They include:
Federated ID: Inherent in a cloud computing environment is the need for workers to log into multiple applications and services. This presents a formidable security pitfall, as organisations may lose control over their ability to ensure strong authentication at the user level. To mitigate this risk, organisations need “single sign-on” capabilities – such as those provided by the StoneGate SSL VPN – that enable users to access multiple applications and services, including those located outside of the organisation in the public cloud, through a single login. With this ability, organisations can streamline security management and ensure strong authentication within the cloud.
2. Always-on Connectivity: When the majority of an organisation’s critical business data is stored in the cloud, network downtime can shut down business operations. Access to cloud services must be always available, even during maintenance, thus requiring high availability technologies and capabilities such as active/active clustering, dynamic server load balancing and ISP load balancing within the network infrastructure. Organisations should seek technologies that are built into their network solutions, rather than purchase them as standalone products to ensure effectiveness, ease of management and reduced network costs.
3. Multi-layer Inspection: The rise of the cloud computing environment and increased sophistication of threats has created a need for a proper layered defense comprised of perimeter protection and intrusion detection and prevention capabilities within the network. Rather than implementing first-generation firewalls to protect the cloud at the perimeter, Stonesoft recommends the deployment of virtual next generation firewall appliances– like the StoneGate Virtual NextGen Firewall – that integrate advanced firewall and IPS capabilities for deep traffic inspection. This will allow organisations to inspect all levels of traffic, from basic Web browsing to peer-to-peer applications and encrypted Web traffic in the SSL tunnel. Additional IPS appliances should be implemented to protect networks from internal attacks that threaten access to the cloud.
4. Centralised Management: Human error is still the greatest network security threat facing both physical and virtual computing environments. As companies deploy additional network devices to secure their virtual networks, they exponentially increase this risk as device management, monitoring and configuration become more tedious and less organised. For this reason, Stonesoft recommends companies use a single management console to manage, monitor and configure all devices – physical, virtual and third-party.
5. Virtual Desktop Protection: More and more organisations are deploying virtual desktops to realise the cost and administration benefits. However, these desktops are just as – if not more – vulnerable than their physical counterparts. To adequately protect virtual desktops, organisations should isolate them from other network segments and implement deep inspection at the network level to prevent both internal and external threats. Those organisations should deploy a multi-pronged approach to security by implementing IPS technology that prevents illegal internal access, protects the clients from malicious servers, as well as providing secure remote access capabilities through IPsec or SSL VPN that protects against unauthorised external access.