1 Demystifying Cloud Security xo.com
2 Demystifying Cloud Security Contents Introduction 3 Definition of the cloud 3 Cloud security taxonomy 4 Cloud Infrastructure Security 5 Tenant- based Security 5 Security of Cloud Applications 6 Processing Security in the Cloud 6 Clean Pipes A Critical Cloud Security Category and Its Solution Paths 7 Pros 8 Cons 8 XO Hosted Security offerings 9 About StillSecure 10 About XO Hosted Security 10 Additional Resources 10 2 Solutions you want. Support you need.
3 XO Communications Introduction The running trend in the IT industry is that every new solution has the cloud label. Every organization is either consuming or providing cloud services. Even the mainstream press has latched on and is hyping the cloud. Unfortunately, there are nearly as many definitions of the cloud as there are people or companies interpreting it. Every organization is either consuming or providing cloud services. Even the mainstream press has latched on and is hyping the cloud. Even industries that are connected to the cloud are in a fog about defining it. And if the cloud isn t defined, then how can downstream users that rely on secure solutions understand the offerings? As subjective as definitions may be, our goal with this brief is to provide a framework that demystifies cloud security and allows you, the business decision maker, to quickly and easily map capabilities and solutions, to the unique needs of your organization. As the market continues to evolve rapidly, taxonomy will continue to adjust accordingly, as keeping current with technology and trends is critical. This paper defines the cloud, offers an overview of how the market is structured, and finally presents a deep dive into one specific category with a state-of-the art solution, XO s Hosted Security. Definition of the cloud Let s take a very simple and broad definition of the cloud and start from there. Put simply, the cloud encompasses any Internet-based solution that provides a computing, platform, or application infrastructure based on a pay-for-what-you-use model that can easily expand or contract based on an organization s needs. At its most basic, the cloud simply refers to the Internet and the millions of servers that connect to it. So a cloud-based solution means that you are getting an application or a service through a server you are accessing through the Internet. Generally, cloud solutions are not located on your premises and do not require you to deploy any additional physical equipment. There are two basic cloud delivery models: Public -- an open, multi-tenant solution where you can be provided with computing, storage, platform, or application capabilities; and Private -- similar to public cloud in terms of capabilities, but provided for a single company, or tenant. In either model, a provider can deploy services to provide cloud computing solutions that range from Infrastructure as a Solution the provisioning of processing, storage, network and other fundamental computing resources (IaaS) -- to hosted applications and Software as a Solution the provisioning of software applications running on cloud infrastructure (SaaS). Given that the market has not yet settled on what can be called cloud, we have segmented the various types of cloud-based security solutions and offer a description of each of them, rather than create a single, strict definition. 3
4 Cloud security taxonomy Similar to the over-arching definition of the cloud, the cloud security sub-set is amorphous and difficult to define. In this paper, we also take a broad approach to defining cloud security as we believe it best suits the reader. While vendors are all clamoring to claim their version of cloud security is the best, our goal is to allow you to create a comparison model for looking at cloud security. We have broken down the cloud security category into five major components. They revolve around two themes security of the cloud infrastructure itself and security accomplished within the cloud. 4 Solutions you want. Support you need.
5 XO Communications Cloud Infrastructure Security Companies that provide computing and storage infrastructure IaaS - are keenly aware that their infrastructure operations must be secured. These providers spend a great deal of time and resources to secure their facilities and the computing environment to embed security into their service-delivery platform. To accomplish this goal, an infrastructure provider can employ a variety of security measures, from access controls, to video monitoring the physical plant, technical controls to restrict access to the computing environment, perimeter security that restricts internet traffic from the outside, and administrative controls to protect each virtual machine encryption of stored data. This category of solutions cuts across all of the providers customers and is macro in nature. Individual customers of the cloud provider cannot customize their security to their thresholds because resources are shared. Of course, the inherent advantage of cloud computing is also the vulnerability of security; anybody can quickly implement the computing, storage, and bandwidth that they need all for a small amount of money. A critical test of any provider is met in the quality of their solution to meet the security needs of its customers. Tenant- based Security For most user organizations, a cloud provider s overarching security alone will not suffice to meet its computing environment security needs. Another significant category of IaaS cloud security is tenant-based security. For most user organizations, a cloud provider s over-arching security alone will not suffice to meet its computing environment security needs. As a result, a company may need a category of solutions that can protect their infrastructure and data in ways that go beyond a service provider s standard offerings. This is known as tenant based security because they can be deployed and controlled by the customer at its option. These solutions will likely be placed within a customer s cloud instance by the customer in coordination with its service provider. For example, a customer/tenant may place individual security solutions (e.g., access controls, encryption, etc.) within their virtual environment or require that traffic to and from their network pass through a gateway solution. These tenant-based solutions customize the configuration and manage security on a per-customer basis to meet their particular needs. It allows individual customers to benefit from the economy of scale, and at the same time, build a security solution that fits their unique needs. 5
6 Security of Cloud Applications As an example, IDPS can identify and deflect predetermined or targeted attacks, and then provide notification of the event and the corresponding action taken. Cloud applications (e.g., Customer Relationship Management (CRM), file storage, and productivity applications) in a SaaS environment often have some form of embedded security features to help customers protect their data. Some providers encrypt all customer data, while others offer applications that allow a customer to choose what data to encrypt and when (e.g., at rest, in transit), to help customers avoid and minimize the negative effects of data security breaches. Some providers have built their cloud service offerings with security solutions at the very foundation of their service and have built their reputation for providing safe storage of their customers data. With standard features and available tools like this, enterprise customers can be more confident that their data is safe and that only authorized users can access that data. Enterprises will continue to expand their use of these applications, and as a result, there will be a growing need for solutions that bridge the gap from the enterprise s own security model to that of the SaaS application provider. Processing Security in the Cloud Another segment that often falls under SaaS cloud security is related to security events that are processed in the cloud. These events are piped to a processing center in the cloud, but traffic is not sent to the security provider in the cloud, only the security events are sent to the provider. As an example, IDPS can identify and deflect pre-determined or targeted attacks, and then provide notification of the event and the corresponding action taken. The events are processed by the security provider and then made available to a cloud customer, typically displayed in a customer-facing portal. This fits within the cloud security category because the processing of the security events is done in the cloud and by a third-party provider. Many of these provider companies call themselves managed service providers, but might also consider themselves cloud security companies. 6 Solutions you want. Support you need.
7 XO Communications Clean Pipes A Critical Cloud Security Category and Its Solution Paths Perhaps one of the most significant benefits of the cloud is the ability to have traffic processing done off-site and outsourced to a third-party, without consuming valuable customer computing resources. Perhaps one of the most significant benefits of the cloud is the ability to have traffic processing done off-site and outsourced to a third-party, without consuming valuable customer computing resources. A significant part of any security solution is focused on providing clean bandwidth to organizations. The architecture of these solutions is relatively straightforward. The enterprise pipes their inbound or outbound traffic through a service that cleanses the traffic. This is often done with solutions such as intrusion detection / prevention, anti-spam, content filtering, and Web-based firewalls. These functions all lend themselves to having traffic sent to the cloud where it is filtered and then sent on to its destination. The benefits of this approach minimize on-premise equipment requirements, leverage experts to handle the security application, and employ pay-per-use metrics. Additionally, it filters malware out before it reaches the customer s premise, rather than delivering it to the customer s premise before unwanted packets can be filtered out or discarded. This is often considered cloud security because the security function is truly happening in the cloud and organizations do not have to invest in the equipment, people, software, and processes to accomplish a large number of tasks. Clean pipes is one of the most exciting innovations in the security space. By implementing this type of solution, organizations can expect clean bandwidth as a result. Malicious traffic can be identified and filtered out before it reaches the customer. Customers don t need to be saddled with the problem of trying to separate legitimate from rogue traffic, purchasing and operating complex expensive equipment, or assigning personnel to keep pace with identifying and stopping risks in order to protect their network. Instead, organizations are provided with bandwidth or network traffic that is cleaned when it arrives. The architecture of the system is relatively straight forward. All traffic passes through a cloud security solution that is set up to filter inbound and outbound traffic. Ideally, this solution is hosted by an Internet service provider to keep latency low and reliability high. As the traffic is routed to a customer s cloud security solution, that service can cleanse the traffic based on the firewall rules and security policies applied by the customer to meet their needs. A clean pipes service can help rid the traffic of malicious packets and inappropriate content. After the traffic is inspected and appropriate action is taken, it is then forwarded to the enterprise or up to the Internet. 7
8 The clean pipes approach is growing in popularity; however, it is not for every organization. A brief overview of the pros and cons of the approach are described below. Pros Minimal customer intervention - No additional on-premise equipment and no additional personnel required to manage the solution, in most cases Managed by security experts The solution is managed by a security company that performs this work 24x7x365 with a team of trained experts. Cost effective The provider gains from economies of scale and is able to provide a solution that is more cost-effective than doing it yourself. Customer control - The customer maintains control of what they want their security profile to be, and has the ability to modify their security profile as business needs grow or change. Business centric - By relying on security experts, enterprises can focus on their core business rather than the chore business of security. Bandwidth efficiency helps ensure bandwidth is being used for valid business purposes Consistency Policies are applied consistently across the enterprise, as they are defined in the cloud Cons Latency - Enterprises may experience increased latency, as their traffic is hauled to the security provider s Unified Threat Management (UTM) platform location. Customer control Actually, it s the perception of loss of control, because multi-tenant cloud services are an outsourced solution. A third party is managing your security and therefore, organizations often perceive a loss of controlthis is much more of a perception than it is a reality. Firewalls and security policies are defined by the customer, and implemented by an experienced security engineer on their behalf. Existing equipment - A cloud solution may or may not leverage a customer s existing equipment, and thus, a significant investment may not be required. But if the on-premise solution is difficult to manage and no longer provides the optimal levels of security and cost savings, then there isn t much point in staying wedded to the existing equipment. (Though odds are it still has value to your organization for other purposes such as proprietary applications). For all these reasons, the clean pipes category of cloud solutions is extremely promising and will only grow over the coming years. The benefits of the approach are significant and as it becomes more difficult and expensive for organizations to secure their networks, they will seek different and unique ways to do so. 8 Solutions you want. Support you need.
9 XO Communications The benefits of the approach are significant and as it becomes more difficult and expensive for organizations to secure their networks, they will seek different and unique ways to do so. XO Hosted Security offerings XO, in partnership with StillSecure, has developed a high quality Hosted Security solution that provides a portfolio of security features in a modular design, meaning the customer can pick and choose only the features they need, and can easily add features as the need arises. The XO Hosted Security solution is a fully managed suite of network-based security products designed to protect enterprise networks, that is easy and cost effective to deploy. The solution helps shield the network infrastructure and applications from being compromised or disrupted by security threats. The XO Hosted Security offering leverages the security expertise of StillSecure, a leading managed security service provider. StillSecure Security Operations Centers (SOCs) reviews security events and provides alerts 24x7 to help ensure that customer networks are protected. 9
10 About XO Hosted Security StillSecure Security Operations Centers (SOCs) review security events and provide alerts 24x7 to help ensure that customer networks are protected. XO Hosted Security is a Security-as-a-Service offering that gives companies more flexibility to deploy and manage comprehensive network-based security. XO Hosted Security is a Security-as-a-Service offering that gives companies more flexibility to deploy and manage comprehensive network-based security. The solution provides high-speed, unified threat management capabilities and advanced technology, and supports customers 24/7 through a certified security partner, StillSecure. XO Hosted Security includes next-generation network-based firewalls; intrusion detection and prevention, including Distributed Denial of Service (DDoS) protection; secure web and content filtering; and secure remote access to the company network. Since all of the security applications reside in the cloud, organizations with widely distributed operations can implement robust security services without having to manage and maintain the equipment and infrastructure at each location. XO Hosted Security is fully integrated with the award-winning XO MPLS IP-VPN intelligent networking service. For more information, visit About StillSecure For IT executives facing escalating security threats and evolving compliance requirements, and data centers looking to cement long-term customer relationships, StillSecure designs and delivers managed network security and certified compliance solutions so you can focus on growing your core business. StillSecure unites our security experts with our certified processes and innovative technologies to provide holistic solutions that eliminate the need for dedicated resources juggling multiple vendors, products and requirements, as opposed to vendors with uncertified partial fixes, or worse, self-audited solutions. Additional Resources For more information please call or visit HostedSecurity. You can also check out more on the XO Pulse blog at or the StillSecure blog at Follow us on Twitter: or and 13 Gartner Research, Gartner Predicts 2011: Infrastructure Protection is Becoming More Complex, More Difficult and More Business-Critical than Ever, November 16, Solutions you want. Support you need.
11 About XO Communications XO Communications is a leading nationwide provider of advanced broadband communications services and solutions for businesses, enterprises, government, carriers and service providers. Its customers include more than half of the Fortune 500, in addition to leading cable companies, carriers, content providers and mobile network operators. Utilizing its unique combination of highcapacity nationwide and metro networks and broadband wireless capabilities, XO Communications offers customers a broad range of managed voice, data and IP services with proven performance, scalability and value in more than 85 metropolitan markets across the United States. For more information, visit For XO updates, follow us on: Twitter Facebook Linkedin SlideShare YouTube Flickr Copyright XO Communications, LLC. All rights reserved. XO, the XO design logo, and all related marks are trademarks of XO Communications, LLC. XONSWP-0412