Securing the Cloud. Requirements for a Secure Cloud-Based Datacenter Copyright 2012 BlackRidge Technology

Transcription

1 2012 Securing the Cloud 1

2 Introduction: Transition to Cloud Traditional data centers are scoped, built, managed and maintained by the enterprise. New data centers are moving to cloud-based versions of themselves. Compelling economics and the dynamic nature of virtual environments has driven this adoption. The building blocks of a cloud based data center remain fundamentally the same as a traditional data center including the security considerations. However, in the agile and virtual environment any sophisticated address-based security scheme becomes difficult if not impossible to maintain. In fact, when auditing the virtual data center security posture, it is impossible to prove it is secure and meets the business demands of the enterprise. Key Cloud transition requirements that must be addressed: Identity Aware Networking Security Policies Scalable Performance Identity-based security policies are important elements in securing the cloud. The result of using network security solutions that meet these requirements are easier management of dynamic infrastructure and better security of the virtual data center. This simplifies the security infrastructure yielding a provably better and more maintainable implementation. This white paper explains how BlackRidge Eclipse, built on patented Transport Access Control (TAC) technology using first packet authentication, enables Identity Aware Networking for the cloud. 2

3 Data Center Requirements To address the needs of a modern and agile data center, there are specific requirements that must be met. These requirements are based upon existing well understood computing and security principles and although their implementation may require technical sophistication, their use should not. Enable Identity-based networking Historically, within the network the traffic is not associated with an Identity. If there is any knowledge of Identity, then it has been implemented at the application layer limiting policy enforcement to the end points, either client or server. Once traffic is associated with an Identity at the transport layer, the policy enforcement points span the networking infrastructure. This enables policy enforcement on local area networking devices as well as wide area devices. In other words, the Identity that originated the traffic is available across the enterprise s network, such that all networking devices across the enterprise can assert policies (commonly referred to as an Access Control List, or ACL) on the traffic. Note: It is not just network access control (NAC) policies, but is extended to all transport layer traffic across the enterprise s network infrastructure. Enterprises manage and maintain Identity in systems that exist outside of the security infrastructure. It is important that an Identity Aware Network not place any additional management burden on the enterprise. By linking Identity to the information systems, this can be avoided. A final point regarding Identity Aware Networking, and perhaps the most obvious, is any deployment of an Identity-enabled solution must not require changes to the applications nor the resources being protected. Identity must be transparent from an application s perspective. Enable security policies within an agile infrastructure To address the dynamic nature of an agile data center, the data center s resources must advertise their presence and purpose to the security architecture. For instance, a server supporting the finance department s applications will advertise its networking addresses and present that it represents the finance department. 3

4 The combination of Identity and infrastructure resource advertising allows the security architecture to operate on policies that are more natural and flexible. For instance, if traffic originating from a finance department resource is trying to access a finance department data center resource, then access is allowed. Alternatively, if the traffic that did not originate from a finance department resource (including no identity or anonymous) is trying to access a finance department data center resource, then access is denied (and more than likely logged). Scalable performance In order for cloud-based datacenter security deployments to be viable, the security infrastructure must scale for each enterprise. In the case of cloud-based service providers, it is typical to support multiple enterprises concurrently and the isolation of each enterprise s data center resources from each other is of paramount importance. Additionally, the performance impact of a security solution must be constant and not increase with the number of entities protected within each enterprise. A security infrastructure with scalable performance has several requirements. The first requirement is that it must have a computationally lightweight method of identifying and discriminating wanted traffic from unwanted traffic. To have the lowest impact on applications, the identification and discrimination should have high overall throughput and low, deterministic latency. This enables the security framework to be used with today s high bandwidth and latency sensitive applications such as voice and video. Once wanted and unwanted traffic have been identified, additional computationally intensive security resources can be focused on suspected good traffic. This enables the cloud-based security infrastructure to be more efficiently used, resulting in both greater throughput of good traffic and higher confidence in the security posture. 4

5 Transport Access Control (TAC) Specifically, BlackRidge s Transport Access Control (TAC) technology was designed to effectively deal with the challenges laid out on this whitepaper. BlackRidge TAC is an innovative network security solution that provides strong authentication and protects against sophisticated reconnaissance and attacks. TAC accomplishes this in several ways: TAC closes a long standing vulnerability in TCP/IP networking by authenticating connections starting with the first packet, engaging at the earliest possible time to prevent network scanning, reconnaissance and unauthenticated access. TAC enables the optimization of network defenses by focusing their defensive actions on suspected good traffic instead of all traffic. TAC allows organizations to leap ahead of threats to provide a richer set of network defense capabilities to protect the enterprise. TAC fits into existing network architectures and does not require changes to applications or servers. In addition to providing first packet authentication, TAC features: Very low latency. TAC is suitable for voice and video applications. Zero bandwidth overhead. TAC consumes zero network bandwidth. Scalable performance. TAC can be load balanced for scalability and redundancy. Packet payload privacy. TAC operates without requiring the decryption of payload data. 5

6 Summary The requirements for Identity-based security policies are an important element in securing today s modern, agile, and virtual data center. The result of using security solutions that meet these requirements are easier management of dynamic security infrastructure and better security of the virtual datacenter. Specifically, by moving to security policies associated with Identity, the cloud-based data center can thrive to meet the needs of the enterprise. This simplifies the security infrastructure yielding a provably better and more maintainable implementation. These requirements are achievable using technologies that are available today. BlackRidge Technology has delivered the network security industry s most innovative solution of the last 20 years. Our Transport Access Control (TAC) technology not only secures high value environments, it also contributes to optimum network availability and dependability. For cloud computing environments, this combination of security and performance allows flexibility to confidently enable customers with a wide range of services. For more information please contact info@blackridge.us or visit us online at blackridge.us. 6

7 Reston, VA Santa Clara, CA Suwanee, GA London, UK 7