As enterprises make the leap to the Public Cloud, some security problems disappear, but organizations need to solve some new ones. The public cloud is a highly dynamic environment, with rapid deployment of infrastructure and apps the norm, and infinitely scalable services everywhere. Traditionally, Intrusion Detection and Prevention Systems (IDS/IPS) provide real-time protection against network attacks, exploits, and exposures in application code and operating systems that workloads run on. But is IDS/IPS still relevant?
Some things to consider:
- Your cloud provider isn’t going to protect you against network-level threats – their security secures their cloud platform, not your apps.
- Best practice suggests more and more segmentation – VPC to VPC across accounts, cloud to cloud, or simply at the network level. Organizations are creating trust boundaries, but need to inspect traffic more deeply than simple port/protocol in order to secure access and provide containment.
- The variety of app approaches (Containers, VMs, PaaS, Serverless) means that many of the controls that sit closer to the app are fragmented, at best. The network is the only common ground.
- Attacks like the SolarWinds compromise and other supply chain attacks will continue to happen and require creative approaches to securing public cloud workloads.
- Basic regulatory compliance and data protection standards offered by some cloud providers may be insufficient to meet your specific application requirements.
The bottom line is that many of the capabilities that network-based IDS/IPS provides are still needed, but given the cloud landscape, IDS/IPS is going to have to take a different form.
The Cloud Landscape Dictates Network IDS/IPS Requirements
Before looking at specific network-based IDS/IPS requirements in the cloud, let’s dive a little deeper on some of the meaningful differences in public cloud networking:
- The cloud environment is dynamic and infinitely scalable
- IP addresses are ephemeral in the public cloud
- The cloud is perimeter-less; best practice is to segment workloads and encrypt all traffic
- No custom silicon is available in the public cloud
All of the above means that traditional solutions that rely on stable environments, stable demand against capacity, strong perimeters and internal traffic in the clear, and high-performance silicon are not going to translate to the public cloud.
In this new world, the existing body of security knowledge still applies, but the implementation of IDS/IPS needs to be different. Lifting and shifting existing IDS/IPS tools as virtual appliances ported from the on-premises datacenter results in the same inefficiencies as lifting and shifting legacy apps to the public cloud without refactoring.
Requirements Based on Valtix Customers
Some requirements based on Valtix customer conversations:
- IDS/IPS must be a cloud native network service – needs to inherit all of the attributes of cloud: infinitely and automatically scalable, automated deployment, available everywhere
- Since all traffic is assumed to be encrypted, decryption everywhere is a must
- Fail open/fail closed is now a security discussion, not an availability one
- Capacity is totally elastic, so the traditional rationale for fixed sizing (and for failing open under load) can and should be revisited
- Self-healing – benefits across architecture/infrastructure/ops:
  - Resilience needs to be built in; it can't be overlaid with network design
  - With the massive scale of inspection nodes in the cloud, operations must be highly efficient
  - The pace of change is high in the cloud, and IDS/IPS infrastructure must keep up
- A WAF is often wanted alongside IDS/IPS for app-level threats and compliance
Valtix Built IDS/IPS for the Cloud
IDS/IPS is obviously relevant in the cloud. It is one of the foundational services offered by Valtix. With a cloud native security platform, a model based on Discover, Deploy, Defend, the ability to see beyond the traditional appliance-centric view, and efficient and automatic operations, Valtix meets and exceeds the above requirements.
IDS/IPS is Not Only Relevant, But Required
IDS/IPS is not only relevant in the cloud, but required for most enterprises. Increasingly, IDS/IPS is needed not only for protection against threats from outside (ingress security) but also to stop lateral movement of threats and to inspect outbound traffic.
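Two points above are worth seeing in working code: inspecting "more deeply than simple port/protocol" once trust boundaries exist, and treating ingress, lateral (east-west) and outbound traffic as different inspection problems. The following is an added illustration written for this page, not Valtix product code. It classifies a flow's direction against an assumed VPC CIDR (10.0.0.0/16), then looks past the port into the payload by parsing the server name (SNI) out of a TLS ClientHello, which is still cleartext in TLS 1.2 and TLS 1.3 without Encrypted Client Hello. The allowlists, flow records and packets are all constructed inline for the example.

```python
"""Added example: direction-aware inspection beyond port/protocol.
Not Valtix code. VPC CIDR, allowlists and sample flows are assumptions."""
import ipaddress
import struct

# Assumption: this is the CIDR of the VPC whose workloads we are protecting.
VPC_CIDRS = [ipaddress.ip_network("10.0.0.0/16")]

# Assumption: per-direction allowlists of TLS server names on port 443.
# Ingress has no SNI policy here; a real IDS would apply signatures instead.
SNI_ALLOWLIST = {
    "egress": {"api.example.com", "updates.example.com"},
    "east-west": {"db.internal.example", "cache.internal.example"},
}


def classify_direction(src: str, dst: str, vpc_cidrs=VPC_CIDRS) -> str:
    """Label a flow relative to our VPC: ingress, egress, east-west or transit."""
    s_in = any(ipaddress.ip_address(src) in n for n in vpc_cidrs)
    d_in = any(ipaddress.ip_address(dst) in n for n in vpc_cidrs)
    if s_in and d_in:
        return "east-west"
    if d_in:
        return "ingress"
    if s_in:
        return "egress"
    return "transit"


def extract_sni(payload: bytes):
    """Return the server_name from a TLS ClientHello record, else None."""
    # TLS record header: content type (0x16 = handshake), version, length.
    if len(payload) < 5 or payload[0] != 0x16:
        return None
    rec_len = struct.unpack("!H", payload[3:5])[0]
    hs = payload[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:  # handshake type 1 = ClientHello
        return None
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) < hs_len or hs_len < 35:
        return None
    pos = 2 + 32                       # client_version + random
    sid_len = body[pos]
    pos += 1 + sid_len                 # session_id
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2 + cs_len                  # cipher_suites
    cm_len = body[pos]
    pos += 1 + cm_len                  # compression_methods
    if pos + 2 > len(body):
        return None                    # no extensions block
    ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    end = min(pos + ext_len, len(body))
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        if etype == 0 and elen >= 5:   # server_name extension
            # server_name_list length (2), name_type (1), name length (2), name
            name_len = struct.unpack("!H", body[pos + 3:pos + 5])[0]
            return body[pos + 5:pos + 5 + name_len].decode("ascii", "replace")
        pos += elen
    return None


def build_client_hello(server_name: str) -> bytes:
    """Construct a minimal TLS 1.2 ClientHello carrying an SNI extension
    (constructed sample input for the example, not a captured packet)."""
    name = server_name.encode("ascii")
    sni = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name
    ext = struct.pack("!HH", 0, len(sni)) + sni
    body = (b"\x03\x03" + b"\x00" * 32 + b"\x00"       # version, random, empty session id
            + struct.pack("!H", 2) + b"\x13\x01"        # one cipher suite
            + b"\x01\x00"                               # null compression
            + struct.pack("!H", len(ext)) + ext)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs


def evaluate(flow: dict):
    """Return (direction, sni, verdict) for a flow record
    {src, dst, dport, payload}. Alerts on 443 traffic whose SNI is not on
    the allowlist for its direction, including non-TLS bytes on 443."""
    direction = classify_direction(flow["src"], flow["dst"])
    sni = extract_sni(flow["payload"]) if flow["dport"] == 443 else None
    verdict = "allow"
    allowed = SNI_ALLOWLIST.get(direction)
    if allowed is not None and flow["dport"] == 443 and sni not in allowed:
        verdict = "alert"
    return direction, sni, verdict


if __name__ == "__main__":
    # Constructed flows: a normal egress call, an egress call to an unexpected
    # host, a lateral connection to an unapproved peer, and plain HTTP on 443.
    flows = [
        {"src": "10.0.1.5", "dst": "93.184.216.34", "dport": 443,
         "payload": build_client_hello("api.example.com")},
        {"src": "10.0.1.5", "dst": "198.51.100.7", "dport": 443,
         "payload": build_client_hello("exfil.example.net")},
        {"src": "10.0.1.5", "dst": "10.0.2.7", "dport": 443,
         "payload": build_client_hello("admin.internal.example")},
        {"src": "10.0.1.5", "dst": "198.51.100.7", "dport": 443,
         "payload": b"GET / HTTP/1.1\r\nHost: 198.51.100.7\r\n\r\n"},
    ]
    for f in flows:
        print(f["src"], "->", f["dst"], evaluate(f))
```

The port/protocol view sees four identical "443 allowed" flows; the direction plus SNI view separates a legitimate API call from an egress to an unexpected host, a lateral connection to a peer the workload has no business reaching, and a non-TLS payload on a TLS port. The caveat that ties back to the "decryption everywhere" requirement: SNI only gets you the destination name. Anything inside the session, and any deployment using Encrypted Client Hello, needs the inspection point to terminate TLS before signatures can be applied.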