Laptops as a Security Model for Hybrid Cloud

In my last post I talked about some of the powerful use cases for hybrid cloud. I also drew a parallel between what we went through with laptops in the 90s and what we are experiencing today with hybrid cloud. In this post I will dig a bit deeper into that analogy and shine a light on the similarities and differences of the two technologies.

In the late 1990s we saw our first real erosion of the perimeter. This was brought on by business laptops directly connecting to the Internet. Sure, we had laptops before this time, but prior to the Internet taking off, most business users would connect to the corporate office via a dialup modem pool. From a security perspective, this effectively kept the system located behind the perimeter. Once it became more cost effective to connect directly to the Internet and VPN back to the corporate office, our security paradigm changed.

So what changed? Personal firewalls for starters. Rather than relying on a single firewall to protect all systems, we began deploying firewall software on every laptop. We also stepped up efforts to perform host-based intrusion detection/prevention, configuration management and patch management. In short, we would armor our hosts to help mitigate the risk they experienced via a direct connection to the Internet. Over time, these tools were applied to internal desktops as well. Once management evolved, it became easier and more cost effective to apply a similar security policy regardless of whether it was a stationary desktop or a portable laptop. This provided a single pane of glass for all endpoint security management.

With hybrid cloud, we can apply many of the same principles. Most, if not all, modern server operating systems come with some form of a firewall. Certainly this can be leveraged to protect a host at the IP level. Configurations can be managed and patches verified. There are even a number of tools available to help with intrusion detection and prevention. While today many organizations are using different tools to protect their public VMs versus their private servers, it is only a matter of time before efficiency will require a single pane of glass for consistent management.

Where the two models diverge, and this is arguably one of the biggest difficulties with securing hybrid cloud, is the cost of CPU time. With laptops, or Generation 2 servers for that matter, unused CPU time is effectively "free". By that I mean if local applications are not currently ticking cycles, the CPU cycles are available to be used by local security software with no impact on cost or performance. Unfortunately this is not true in hybrid cloud. When located on a private cloud, high CPU utilization will reduce the number of concurrent VMs you can support (thus increasing hardware costs). In a public cloud, CPU time is pay-for-use, so high CPU utilization directly results in a higher monthly bill.

So while laptops can be used as a basic security model for hybrid cloud, it is unlikely that the same tools can be applied. For example, using legacy anti-virus solutions in private cloud environments has been known to slam performance via AV storms. What's needed are modern tools specifically designed to work in a cloud environment. This may require more efficient code, the ability to offload some of the work, or perhaps a combination of both.

Another place where the two models diverge is with scalability. A business in hiring mode may see at most a few dozen laptops per week being brought online. With hybrid cloud, it is not uncommon to see hundreds or thousands of servers spun up and then shut down in a matter of a few days. So scalability, simplicity and ease of management are even more important when dealing with hybrid cloud.

So while hybrid cloud represents a major departure from how we have deployed servers in the past, there are certainly precedents we can fall back on to help navigate the murky waters. Looking at how we went about securing laptops can give us a rough road map to mitigating risk in a modern-day hybrid environment.


Posted July 12, 2012 at 7:01 AM


Dear Chris,
I read your blogs (a series of them) on cloud security at one go. I appreciate the kind of education you are imparting on security folks like us. Just adding to what you are saying, I may also want to look at cloud security from the point of view of secured collaboration. Typical points to look at may be.
1) If an organization wants to port their IT assets (Apps, infra, data) on cloud then they must associate risks of loss due to exposures (exploitation, leakage, non-availability, etc.).
2) If an organization takes a business decision to move on cloud then standardization of IT assets (in terms of OS, hardware, software

Posted July 12, 2012 at 2:37 PM

Chris Brenton

Hi Satyajit,
Thanks for the great feedback and topic recommendations! I absolutely plan to dive deeper into cloud risk assessment, and I'm even lining up some cool guest authors to expand on the topic as well.
I will say that in my personal experience, "the cloud" is neither more nor less secure than what we had in Gen2. It is different, however, and requires us to analyze risk differently and come up to speed on a different set of tools. I'll be digging deeper into this as well.
Take care!
