The Fully Aware, Hybrid-Cloud Approach


For over 20 years, organizations have been attempting to secure their networks and protect their data. However, have any of their efforts really improved security? Today we hear journalists and industry experts talk about the erosion of the perimeter. Some say it’s squishy, others say it’s spongy, and yet another claims it’s crunchy. Are they trying to say the perimeter is changing, or that the perimeter no longer exists?

In the context of the devices that allow humans to look at data, that perimeter is changing dramatically. From workstations and laptops to handheld computing devices, defining a security perimeter from this perspective can be challenging. Mobility has changed the client-side perimeter overnight. However, does the concept of mobility mean that perimeters can no longer exist?

Regardless of where data resides, anytime data is accessed, it is done through a perimeter. The world has benefited from wireless technologies that enabled mobility for years. But is there such a thing as the “virtual wire”? Anytime data enters a server, or is uploaded to or downloaded from a server, it will eventually traverse a piece of wire. That wire may be made of copper, or that wire may be made of fiber optics. Either way it’s still a piece of wire where both good guys and bad guys access data. That piece of wire needs to be protected at all costs.

Hackers today are after the data

The most secure method of protecting data on a server is to remove the wire that allows clients to access it. However, we all know what happens when you remove the wire. Short of that, how does one go about protecting that piece of wire? It all begins with a comprehensive, in-depth defense approach. Hackers today are after the data and will go to almost any length to get it. That piece of wire is where most attackers break in.

Years ago, organizations realized that their firewalls were nothing more than speed bumps to the seasoned hacker. Organizations began deploying end-point protection, intrusion detection systems, intrusion prevention systems, web application firewalls, sandboxes, and the list goes on and on; all in an attempt to protect that piece of wire, and the data that traverses it. One of the main impediments to deploying these point solutions (often manufactured by different vendors) is their failure to interoperate. No single vendor had a complete, end-to-end solution.

Today, organizations understand the evolutionary dilemma of deploying disparate technologies. Instead, most organizations desire an ecosystem of solutions and technologies that interoperate, are fully aware of each other, communicate with each other, and defend that piece of wire to the fullest. They’re looking for a one-stop-shop that can completely defend the perimeters that still exist, and it all begins with the fully aware, hybrid-cloud approach as shown in the picture below.

[Image: cloud-attack]

On the far left, both good (green) and malicious (red) clients are shown. The far right shows a perimeter that exists when accessing data within a datacenter (or even within a cloud). What you put in between those two entities makes all the difference in the world.

As shown above, attackers erode your defenses, consume your resources, control your systems, and steal your data. In addition, attackers use a host of different attacks shown in red to achieve their goals.

How does one manage the risks while blocking the threats?

In the fully aware, hybrid-cloud approach, the first line of defense begins with Cloud DDoS Defenses as shown on the bottom left. These defenses ensure that your organization is never taken offline due to a large, volumetric DDoS attack. But more importantly, they play a vital role ensuring all other defenses are not affected by a DDoS attack. All types of flooding attacks are simply eliminated by the Cloud DDoS Defenses.

On-Premises DDoS Defenses are the second line of defense. These defenses are deployed to ensure that low and slow, short-duration, and/or partial saturation attacks never consume your resources – including your security team. On-Premises DDoS Defenses must work in concert with the Cloud DDoS Defenses, ensuring that all unwanted denial-of-service traffic (and other traffic types) is dropped with no further downstream inspection.

The third line of defense includes Next-Gen IPS with Sandbox. These systems are designed to eliminate malware intended to compromise and control your devices. These defenses look deep inside payloads to determine the intent of the traffic that makes it through the Cloud and On-Premises Defenses. Known malware is eliminated by the IPS. Unknown malware is eliminated by the Sandbox. Working in concert, both known and unknown malware, which are the sources of many advanced persistent threat attacks, are eliminated.

Web Application Firewalls (WAF) are the final line of perimeter defense. WAFs ensure that all client traffic behaviors, when accessing data, align with corporate security policies. Data is given the utmost protection. WAFs provide complete defense for the OWASP Top Ten vulnerabilities, regardless of clear-text or encrypted traffic streams, and are deployed as close to the data as possible.

One may ask where the traditional firewall fits into all of this. The defense layers described above are designed to augment your existing firewall and provide protection for threats that the firewall is not able to prevent. Simply put, the firewall is able to block unwanted TCP and UDP ports but is not capable of preventing modern advanced threats.

The hybrid-cloud approach to security is very effective. However, the best protection is provided by a defense-in-depth architecture incorporating the four lines of defense covered above. The real power of this approach is realized if the architecture also uses closed-loop threat intelligence, whereby all four lines of defense not only collect attack data, but also share that data across all defenses. In this way, all four enforcement layers have the latest information about the complete threat landscape to reduce the overall security risk for any organization.

By Stephen Gates
