Friday, February 1, 2013

Security monitoring in a cloud environment

You have a level of visibility in a traditional enterprise that you lose in a public cloud. Today the solution seems to be be host based IDS (agent inside your VMs).

How can an IAAS end user be able to do non host based IDS without the cloud provider having to do it for you? As a tenant you're limited in what you can do and you don't normally have access to the physical network.

Collecting logs from all your systems in your part of the IAAS cloud can also give you some insight that can make you feel ok.

Most of the SAAS providers do however not provide any ability to gather logs related to specific cloud applications. People are accessing SAAS cloud applications simultaneously from all over the world. 70% of the SAAS applications do not utilize SAML for authentication. Typically it's the SAAS providers that have been around the longest that implement SAML such as Google, Amazon and Salesforce.

For IAAS you can implement controls in a reasonable way, but most of the SAAS and PAAS clouds have very limited capabilities to withdrawing logs.

If you have a requirement stating that you need real time monitoring it would need the ability to withdraw logs in real time.

These topics are being discussed in episode 99 of the Cloud Security Virtualization Roundtable.

Audio: Virtualization Security Roundtable, episode 99