INSIGHT: Trouble in the Cloud?

What challenges does the usage of traditional, on-premise security tools [monitoring tools, like SIEM or DLP, in particular] creates in the cloud [SaaS, PaaS, IaaS models]?

Here are some I’ve come across:

IaaS

• IP address means less for tracking all the transient and replaceable instances

• Rapid provisioning makes assets to appear and disappear, go up and down, in and out of scope, etc

• Auto-scaling busts tool licensing limits (!) and disrupts node-based asset tracking (“we have 400 assets…ooops…3000..ooops 200 now!”), creates large volumes of monitoring data for some periods of time

• Remote cloud environments are sometimes accessed via links of limited bandwidth, making it harder to move monitoring data from the cloud to the data centre

• Different models for network security monitoring (only at instances, not in between “on the network”)

PaaS and SaaS

• There are layers of the computing stack that are not under enterprise control; no network monitoring, no host monitoring (SaaS)

• No concept of “asset IP” or, in fact, of a computer as an IT asset

• For both SaaS and PaaS, lack of any traditional “IT infrastructure” such as OS

• No OS logs – “apps all the way down” (SaaS)

• No perimeter monitoring.

On top of this, many cloud environments run under a very “alien” (aka DevOps) IT operations model, often dissimilar from traditional data center management models, that further breaks down the effectiveness of on-premise security tools.

What others examples of traditional, on-premise security tools not working in the cloud have you seen?

By Anton Chuvakin - Research Analyst, Gartner