Infrastructure-as-a-Service (IaaS) cloud providers also have perimeter security measures to protect their customers’ server instances.  The IaaS players typically do have firewalls protecting their customers, but bypassing the IaaS perimeter security only requires a credit card.  Bad guys could potentially access the infrastructure by renting some IaaS time with a stolen credit card and end up with their cloud server on the same physical hardware as your virtual server.

How do enterprises mitigate these threats?  For enterprises protecting their infrastructure, this means the classic “defense in depth” where one needs to consider protecting the individual host that might be living in a dynamic, virtualized environment.   For the IaaS situation, enterprises need to understand that they are responsible for the security of their servers and should consider augmenting existing cloud security with host-based security that the enterprise can control including firewalls, vulnerability shielding (IDS/IPS), system file integrity, and log inspection.

If you are an enterprise who is concerned about whether you might be at risk from botnet infections, I would suggest considering some sort of gateway assessment tool that can determine whether you are compromised.   If you are a consumer or concerned about your home PCs, you can scan your system with our free online scanners available from various content security vendors (my one shameless product plug: check out Trend Micro’s HouseCall to scan your PC).

The datacenter operators told us they had no security issues and were completely secure.  However, the CSOs told a different story.  They said they didn’t know whether there were security problems in their datacenters.  After further investigation, we found that indeed there are a lot of security issues in the data center.  As we dug deeper, we kept hearing about the operational issues related to the platform shift to virtualization and the cloud, but we didn’t hear much about malware concerns.  Traditional server security is perimeter-based.  We hear a lot about the potential for rogue VM attacks, and while we haven’t seen such an attack, it’s completely possible that they could occur.

The companies to whom we talked had a range of security solutions deployed, from traditional AV deployed on every VM (which hammered performance) to absolutely no security deployed on thousands of VMs.  There are two problems facing the datacenter today with regard to security:

• Problem #1:  The existing network-based security model can’t keep up with the pace at which virtualized servers are being brought online and clearly won’t work for companies wanting to use a public cloud.
• Problem #2:  Data protection is the most strategic concern, but how do you protect data that is mobile and distributed?

The second problem is extremely relevant to the public cloud.  Even if a vendor can guarantee that only the vendor will touch a customer’s data, the customer doesn’t know who at the vendor will be touching that data.  There’s no guarantee that customer data is safe from compromise or copying.

What’s required for cloud security is a shift in thinking.    Instead of preventing the data from moving – which is completely unrealistic in today’s dynamic world– we have to have protection surround and move with the data.  At Trend we see two solutions:

• A host security model where the host protects itself. (Trend Micro Deep Security)
• An encryption model enabling enterprises to maintain better control of their data in private and public clouds.  It won’t matter whether the environment where the data sits is untrusted because the data will be secured.  If a customer wants to move the data to another cloud vendor, they can do it while having the security surround their data and not rely on an individual cloud provider.  This encryption model can help further the move to the public cloud. (New Trend solution coming soon)

As a smart entrepreneur, the biggest problem to contend with regard to cybercriminals is that they’re smart entrepreneurs, too. They’re highly motivated and technically proficient workers.

What they’re after isn’t fame or notoriety. It’s about money. Specifically, that means stealing data–personal and business facts and figures that can be used to generate illegal profits. It also means hijacking the computing power of your PCs and servers to steal other people’s data in order to generate more profit.

It’s true that businesses of all sizes are at risk and successful hacks at large corporations can pay off in a big way, but multinationals can also put up better defenses. Smaller businesses, by contrast, typically have limited IT resources, and the sheer number of firms in this category makes them irresistible. Even if your online transactions don’t involve money or billing, you’re still a fair target just by being connected to the internet.

So how do business owners avoid becoming another statistic?

Get in the cloud. Cloud-security’s value proposition is focused on saving money by scaling to your business needs and improving productivity; it also allows you to stay connected wherever you are, whether you’re using a laptop, desktop, or smart phone.

By working in the cloud, you get faster, more responsive protection without overburdening and slowing down your computers, especially as the volume of threats increase. Cloud security uses the internet and the security company’s computers (data centers) to shoulder security technologies instead of relying on your PC’s storage space.

But not all cloud-security is created equal. Before you make the final decision on which security product to purchase, I’d encourage you to ask these questions either to yourself, your channel partner or to the security vendor you’re considering:

• Does the vendor offer cloud-security products that can actually stop online threats before they even hit your office, and without slowing down your computers? Many vendors claim to do this, but unless the technology is integrated in the products that’s specifically tailored for your business, their claims can come up empty.

• Does the vendor have the size, expertise, and experience to not only invest, but maintain a cloud security infrastructure? An effective cloud security vendor needs global reach, a brigade of security experts, and multiple datacenters that can continue to scale to stop hundreds of millions of threats per hour around the globe.

• Is the technology mostly organically developed or through acquisitions? This is important because a big component of cloud security is how the technologies involved all work together. Companies that “grow” and develop their own technologies have a higher success in making sure they all meld together seamlessly which equals more effective protection.

The idea of the most effective protection not completely residing on your PC, but floating somewhere out there can be a hard concept for some self-sufficient business owners to accept. But, in today’s borderless, electronic universe, relying on security outside of your businesses wall can be the safest measure of all.

This post appeared March 18 on Entrepreneur.com.

Last week, I had the chance to sit down with Prasenjit Saha, vice president and global head of enterprise security solutions at Wipro. As I mentioned in my last post, I promised to bring you industry experts to contrast and compare challenges across physical, virtual and cloud environments.  As the founder of Wipro’s Enterprise Security Solutions Division, over the last 10 years Prasenjit has created the world’s third largest security service provider practices. His global customers have been defining the next-generation datacenter environment which is spanning virtualization and cloud computing, not to mention influencing the product direction of security vendors around the globe. Check out our conversation.

WAEL:  In the last 10 years, can you describe the transformational impact virtualization has had on your customers’ datacenters?

PRASENJIT:  The primary impact of virtualization on our customer is easily the reduced operational costs and TCO which have been brought about by less hardware utilization, efficient power consumption and ease of administration. This has been further boosted by advances in the technology that improve the scalability, availability and mobility thereby reducing the risk and impact of failure. Also, the opportunity to further expand capacity with ease and the easy recovery capabilities have allowed customers to be ready for any change in their infrastructure – be it a ramp-up or a disaster. These advantages have further strengthened the overall return of investment.

WAEL: So that is all the good news, what has been the downside?

PRASENJIT: The downside to virtualization from a security perspective has been the challenges with actually maintaining the same security posture. Poor virtualization strategies can result in poor network security between multiple VMs on the same Virtualization Server with inter-VM attacks becoming easier. Moreover, improper tenancy can lead to potential data leakage from a high security to a low security zone. Also, the ease of virtual server administration has made it imperative to have tight Virtualization procedures and controls to prevent the sprawl of obsolete and rogue VMs that lead to resource hogging and potentially vulnerable entry points to the network.

WAEL: As MSSP, you have two, somewhat divergent objectives: to keep your customers protected and keep your costs down. What is your greatest challenge in meeting both of these objectives?

PRASENJIT: One of the biggest challenges we face is definitely the cost of actually deploying solutions to customers for which we are dependant on the product vendor to provide us the options to make deployment options much more flexible hence allowing us to concentrate on innovations around security operations as opposed to working around product limitations. Customers have started moving into the virtual environment, especially with cloud-based services on the rise, and it is imperative that we be able to provide cost-effective services around these technologies as well to maintain the ROI for the customer. A lot of products have been deployed at customer sites and it is always to a challenge to not only keep up with the pace of technology but also develop in-house expertise and services at the same pace.

The biggest challenge for an MSSP would be to develop a multi-tenanted infrastructure to minimize the cost of technology deployment using shared infrastructure and services and yet provide data segregation and privacy across different customers. With virtualization technology, effective workarounds can be found where products don’t support multi-tenancy and thus provide an efficient infrastructure with reduced operational costs.

WAEL: What about cloud? Are your services evolving to a more cloud-based approach? Do you run secure clouds for your customers? What is the unique security challenge in cloud environments, even more than virtualization?

PRASENJIT: The cloud impact on our services can be classified as either Cloud Security or Security In-The-Cloud. The greatest challenges about it lie around Data Segregation and Privacy, Access Control and Cloud-based administration. Clouds take multi-tenancy to the next level and that introduces concerns with how well protected data is from unauthorized access leakage. Also, geo-political regulatory issues could arise with the physical location of the data. There are also concerns around regulatory compliance as various customers have different requirements and providers are expected to adhere to all of them. More importantly, security controls implemented in the cloud are typically shared between multiple customers that will have to be customized for each requirement.

WAEL: We are now working together to offer virtualized datacenter security solutions to meet the growing demand that your customers are driving for server consolidation.  Tell me why you chose to add Trend Micro to your current services. Maybe start with what your current services are.

PRASENJIT: Wipro ESS engages with its customers to assist in defining the security needs, evaluation, and implementation and management services for robust security solutions including information security, application security, data security, user and endpoint security, network & infrastructure security etc. Datacenter security solutions encompasses a large part of our portfolio incorporating multiple components of our services

Wipro’s verticalized businesses are also actively involved in helping customers identify potentially IT services that can be consolidated and migrated to private and public cloud infrastructures. Such initiatives need to be underpinned by an effective risk management strategy for Cloud security which we are helping to address.

TrendMicro’ s products will fit in very well with our services as we can now provide high-value services targeted at unified endpoint protection especially in a virtual environment with the Deep Security VM-aware technology. We will now be able to provide consulting expertise on endpoint protection in the virtual environment and also be able to architect, implement and manage a VM-specific host security solution for customers.

WAEL: One last question. How much is compliance playing in the security spending that you are seeing?

PRASENJIT: It is widely accepted by the security community that being compliant does not mean being secure, but the requirements of compliance imply that you need to be secure to be compliant. Wipro implements security best-practices for its customers that have been developed bearing in mind multiple compliance requirements across different business verticals.

With the advent of virtualization and cloud computing, the compliance strategy is going to change a little bit because of the underlying data segregation and access control issues. Virtualization and Cloud Security will require the development of security solutions that can be mapped to multiple compliance requirements and at the same time protect customer resources. Regulations may also need to incorporate changes to accommodate virtualization and its security aspects.

RSA 2010 iPod touch sweepstakes clue #2:  OfficeScan 10.5 with VDI

Yesterday’s security threats used to damage computers and networks.  Today’s threats want to steal data and information – credit card numbers, social security numbers, financial information, etc.  To confound things, businesses and consumer alike are inundated with data.  The amount of data running through today’s global networks is currently being measured in petabytes.  Not only is there a lot of data, but it’s now mobile.  We have multiple devices on the client side – laptops, netbooks, tablet PCs, smart phones – all capable of receiving data and using applications that reside in the cloud.  Data no longer resides on just one server or device.  So, how can we ensure that such vast amounts of information are indeed secure?  Especially given that at Trend our philosophy has always been to ensure the safe exchange of data and information.

To protect customers from threats from the cloud, Trend turned to the cloud itself to deliver the Smart Protection Network.  We needed to overcome two challenges:  1) the explosion in volume of malware and 2) the proliferation of different network devices in the workplace.  The cloud allowed us to block threats in the cloud rather than at the device level where giant-sized pattern files would have choked emerging net-based devices.  The Smart Protection Network would not have been possible without the cloud as the real-time correlation of threats requires high-performance computing and the goal is to block threats before they leave the cloud itself.

Some in the industry argue that cloud computing will result in security consolidation.  But I don’t see this happening.  When every layer is decoupling, how can security possibly consolidate?  Security needs to be present at every layer to be effective.  And what matters most is the protection of data.  Businesses don’t care where their data is coming from, but they do care how it’s protected.  Businesses today need to ask their cloud providers the following key questions:

• Where is my data?
• Who’s accessing my data?
• Is my data being modified?

This new environment requires security innovation.  This innovation has to be evolutionary rather than revolutionary.  IT departments want to leverage the cloud, but security that “fits” their needs has to be there for them to make this jump. They also realize that if they don’t make a Secure Cloud available to their internal customers, those customers will go around them and get access to the cloud without them, and perhaps without the security that’s required to ensure adequate protection.  We see the need for security innovation in the following areas as they are all focused on the movement of data across physical servers, endpoints and devices:

• Virtualization
• Cloud computing, including SaaS, PaaS and IaaS
• 3G network/net devices

If you’d like to learn more about where Trend is going in these areas, please come by our booth at RSA.  I’ll be on hand along with my esteemed colleagues, Raimund Genes, Wael Mohamed, Steve Quane and Tom Miller to answer your questions about securing the cloud.

RSA 2010 iPod touch sweepstakes clue #1:  Deep Security with CPVM

There are several industry organizations and groups which help facilitate understanding of the cloud, provide best practices and enable standards:

• The Cloud Security Alliance is a non-profit organization that promotes best practices for providing security assurance and general education about the best uses of cloud computing.  They’ve got both an active Google Group and LinkedIn Group where you can ask questions or check out the issues facing other IT folk.  Follow them on Twitter at @CloudSA.
• The Jericho Forum is an associated dedicated to advancing secure business in a global open-network environment.
• Cloud Computing Interoperability Forum is a non-profit association formed to drive the adoption of cloud services.  Join their Google Group to learn more.
• Open Cloud Computing Interface Working Group is working on an API specification for remote management of cloud computing infrastructure.
• Distributed Management Task Force:  Open Cloud Standards Incubator addresses management interoperability for cloud systems.
• The European Network and Information Security Agency (ENISA) has compiled a Cloud Computing Risk Assessment which examines the security benefits and risks of cloud computing.

There are also several online discussion groups:

• Cloud Computing (Google) and Cloud Computing (LinkedIn)
• CloudCamp (Google) and CloudCamp (LinkedIn)
• A6 (Automated Audit, Assertion, Assessment, and Assurance API) Working Group aims to provide a common interface that allows providers to automate the audit, assertion, assessment and assurance of their environments.
• The VM People Virtualization & Cloud Group on LinkedIn is targeted at Virtualization & Cloud Computing professionals to network and discuss industry related topics.

The industry is lucky to enjoy a good number of experts who discuss the cloud via blogs, tweets and podcasts:

• Craig Balding:  Cloud Computing Security, @craigbalding, Cloud Security Podcast with Christofer Hoff
• Christopher Hoff:  Rational Survivability, @Beaker, Cloud Security Podcast with Craig Balding
• David Linthicum:  Cloud Computing (InfoWorld), Cloud Computing Podcast, @DavidLinthicum
• James Urquhart:  The Wisdom of Clouds, @jamesurquhart, Overcast podcast with Geva Perry
• Geva Perry:  Thinking Out Cloud, @gevaperry, Overcast podcast with James Urquhart
• Randy Bias:  Cloudscaling, @randybias
• Kevin Jackson:  Cloud Musings, @Kevin_Jackson
• Sam Charrington:  Cloud Pulse, @samcharrington
• Reuven Cohen:  ElasticVapor, @ruv
• James Watters:  SiliconANGLE. @wattersjames
• Jay Fry:  Data Center Dialog, @jayfry3
• Jeff Barr:  Amazon Web Services Blog, @jeffbarr
• Chris Wolf:  Chris Wolf’s Virtualization Tips and Ramblings, @cswolf
• Chenxi Wang:  Chenxi Wang’s Blog
• John Willis:  IT Management and Cloud Blog
• Chirag Mehta:  Cloud Computing
• George Reese:  @GeorgeReese
• Stuart Miniman:  @stu
• Lori MacVittie:  @lmacvittie
• Simon Wardley:  @swardley
• CloudAve, @krishnan
• Plug Into the Cloud (Information Week)
• Inside Enterprise IT (Dell)

Trend Micro has published some nice, actionable information along with details of the Google attack.  My colleagues at Trend Micro’s TrendLabs Threat Research Team have some outstanding details in their blog describing on the actual exploits.  Microsoft released an out-of-band patch this morning for this public vulnerability and seven privately reported vulnerabilities.

If you are an enterprise who is concerned about whether you might be at risk, I would suggest you consider a Trend Micro Threat Management Services (TMS). A TMS Assessment can do wonders to alleviate worries whether or not you use Trend Micro for your enterprise security.  If you are a consumer or concerned about your home PCs, you can scan your system with our free HouseCall scanner.

Sounds great, until you consider how much control you are really giving up from a security perspective:

Visibility – In a PaaS environment users deploy applications and data. From the vantage point of the end-user there is no standard way to ascertain the patch level, collect system/server logs, or perform a vulnerability assessment (remote tests are generally prohibited). How do you know you are running on a solid foundation?

Portability/Interoperability – Unlike IaaS, where generally the virtual machine can be converted between different providers, PaaS involves custom APIs, specialty application containers and sometimes even language extensions. Will you be able to move your application if needed?

Security – For the most part, PaaS offerings do not provide the ability for customers to deploy network or host-based WAF, DAM, IPS, FIM, AV or DLP. Some platform service providers include built-in security services, but the end-user has little to no visibility or choice. Can you really afford to run your application ‘naked’?

These issues are resolvable, with work on the part of the platform providers.

Chris Hoff, a well known cloud aficionado, is working with a group on a general purpose security API that would supply the information needed for vulnerability scans, audit, configuration management and patch management. If adopted by the PaaS providers the API (known as A6 – the Audit, Assertion, Assessment, and Assurance API) would provide a much needed means of manual and automated verification.

Portability and Interoperability in the PaaS world may get better with service provider co-operation. There will be evolving standards, copy-cat service providers, conversion services and some day multi-provider abstractions where applications can run on a variety of services. It’s up to the customers to push for portability for their applications and data.

In order to have the control and flexibility with security in a PaaS environment, service providers need to offer standards based methods of plugging in security. This may be virtual appliances (using inline networking or advanced hypervisor-based introspection) or methods of deploying host-based security. Highly scalable cloud applications need best of breed security.

While the development department may be attracted to PaaS, until service providers can solve these issues, you may actually want to pass on PaaS.

Virtualization is Running Rampant: The VMware session overflowed the room, and most sessions dealing with virtualization and storage fabrics were packed with attendees.  The session on virtualization security highlighted that there is some disconnect between the IT folks dealing with applications & storage and those dealing with security.  The virtualization train is running full steam ahead, but the security teams are running to catch up and come to grips with the security implications of virtualization.  The old perimeter security model is being stressed as applications VMotion around the VMware environment (watch out for that sensitive app accidentally landing in the DMZ).  The security implication: you better architect your virtual data center carefully and think about VLAN’s with Distributed Virtual Switches.

Private Cloud Computing is the Enterprise Short-term Response: CIOs are getting asked by CEO’s to “get some of this cloud stuff to lower costs”, and the CIOs are responding with, “Yes, we’re doing that today, and it is called a private cloud”.  Much of the focus of the Gartner event from vendors and Gartner analysts was around private cloud computing.  Everyone seemed to have their own definition of what constituted a private cloud with marketers and enterprise IT exploiting the sexy concept de jour that is cloud computing.  Some cloud purists might be uncomfortable with this, but enterprise IT and vendors are jumping on the cloud bandwagon with the “private cloud” concept.  Much of what I saw at the Gartner Data Center Conference was an aggressively virtualizing data center, but you can get more organizational mileage by saying “I got myself a private cloud.”

Public Cloud for Storage: One cool application of SaaS/PaaS/IaaS was provided by Matthew Merchant (CTO) from General Electric in his session “Cloud Storage @ GE”.  GE created an inhouse application take care of backup that used the public cloud storage vendors such as Amazon AWS.  They were able to slice 40% to 60% out of the cost of backup using the public cloud – very cool stuff.  The security implication: encrypt the data to meet your compliance obligations.

Public Cloud for Resiliency & Disaster Recovery:  John Morency from Garter had a very cool session titled “Building Resiliency via Colocation and the Cloud” that touched on the use of the public cloud as a “warm spare” or “cold spare”  failover site for Disaster Recovery (known affectionately to the cognoscenti as “DR”).  One excerpt from Mr. Morency’s pitch that I found enlightening was “By 2014, 15% of large enterprises will use a combination of private infrastructure and public cloud services in order to improve recovery and continuity readiness.”  DR is a sweet application of public cloud computing to lower costs and increase flexibility.  The security implication: enterprises need to consider securing the cloud instances with solutions like Trend Micro Deep Security 7.0 for servers (a shameless promotion for a sweet product).

Cloud for Test & Development: Something I heard from Gartner analysts in the past is that the public cloud is a great place for test and dev for applications, but those test and dev environments are using real data that needs to be secured.  When I speak to Trend Micro’s IT security customers about the cloud, they frequently say “We’re not using it.”  But when you ask if some app developers might be going directly to Amazon EC2, the security folks grudgingly nod their heads.  The security implication: test and dev environments in the public cloud may need securing when real data is being used.

IT Security in the Cloud World: One comment from Cameron Haight and Milind Govekar’s pitch titled “Cloud Computing Management — Making Sure Mountains Aren’t Hiding in the Mist” resonated with me from a security perspective.  “Cloud computing is not the death knell for IT; in fact, it’s an opportunity to reinvigorate IT’s service delivery role, provided appropriate updates are made with respect to processes, tools and organizational structure.” This is especially relevant in world of IT security;  no one else will look out for the corporate crown jewels.

OSSEC performs log analysis, file integrity checking, policy monitoring, rootkit detection, real-time alert and active response as ways to protect servers.  OSSEC has a phenomenally loyal base of users – we had 21% of the OSSEC email distribution list complete the survey (a phenomenal response rate … the stylish T-shirt we’re giving away might have juiced results slightly).  This November 2009 survey helped me to cut through some of the cloud hype to get at today’s reality.

OSSEC provides basic server security that helps users with compliance. 71% had deployed OSSEC to comply with PCI mandates, 18% HIPAA, 18% SOX, along with a scattering of other mandates such as EU Data Privacy and UK Data Protection Act.  When we asked for ways to improve OSSEC, a plurality of users echoed what one user said, “As it is, I truly love OSSEC.”  The survey highlighted room for OSSEC improvement (manageability, reporting, deployment), but that is why you pay money for Trend Micro Deep Security 7.0, for functionality above and beyond OSSEC.

The survey uncovered four useful nuggets of information

1.  10% of the OSSEC survey respondents had suffered a data breach.

The data breach number caught my attention, especially in view of the TrendLabs Malware Blog report on the issue.   The malware researchers found:

“During the analysis of approximately 100 million compromised IP addresses, we identified that half of all IP addresses were infected for at least 300 days. That percentage rises to eighty percent if the minimum time is reduced to a month.”

1 out of 10 of the OSSEC users has suffered from a data breach, and the TrendLabs data shows that the actual number could be higher because of undetected compromises.  The OSSEC users are typically protecting servers (10% of OSSEC users encountered a breach) while the TrendLabs numbers are different because those numbers include lots of PCs (both business and consumer) in addition to servers.

2.  OSSEC survey respondents have a heterogeneous mishmash of various operating systems (lots of Linux and Windows) and hypervisors (mostly VMware, but Citrix, Hyper-V, etc).

The heterogeneous mix of OSSEC operating system and hypervisor environments speaks to the need for solutions to adapt to customer needs.  “Point” security solutions might protect that point, but enterprises will not readily accept such approaches.  This is one reason why Trend Micro Deep Security can support physical, virtual and cloud environments.  We support a variety of operating systems, VMware VMsafe virtual appliances, and use an agent-based approach to work with multiple hypervisors feeding  a single console to manage all such environments.

3.  36% of respondents deployed OSSEC for compliance, and over 2/3rds of that was for PCI DSS compliance.

Compliance drives a large amount of IT security activity.  I recall a recent survey from Ted Ritter at Nemertes Research on virtualization sercurity that showed 80% of IT spending tied to compliance initiatives.

4.  74% listed security as the top concern in considering deploying applications to the public cloud.

The cloud adoption in the survey is relatively modest – 2 in 10 are evaluating moving applications into the public cloud.  I suspect that part of the reason for that modest uptake is the respondent pool.  Open source folks using OSSEC do not have a ready budget to pay for cloud computing Infrastructure-as-a-Service.

The OSSEC survey (to the hundreds of respondents – thank you to each and every one!) tells me that cloud computing is happening, but the reality is somewhat behind the cloud hype.  We will continue to listen attentively to the open source community that is so committed and enthusiastic about OSSEC.