When it comes to security and cloud, it’s no surprise that monitoring is a headache. Traditional security tools relied on network and physical device connections to track the flow of information and see the inner workings of the infrastructure.
So what happens when you take the physical devices out of the equation?
Last year I was privileged to work with some fine folks over at the Cloud Security Alliance (CSA) on their SIEM guidance for cloud and virtual environments as part of the Telecom Working Group. This was a global undertaking, with members from different geographies and industries working together to help define some best practices around how to properly implement SIEM in complex and fragmented virtualized environments.
If you want to read the whole paper, you can find it hosted by the folks at ISE Programs at http://www.iseprograms.com/lib/NetIQ_SIEM.pdf.
So, at a high level, what changes? Without getting into too much detail, here are some key things to be aware of:
First things first. Traditional SIEM tools by design are tasked with discovering events (user access, data movement, basically anything that you want to trigger an alert on). In most cases a SIEM is a great tool for identifying intrusion attempts and undesired network traffic, and for collecting logs from devices that can be used for forensics and other insight (in most cases, compliance).
So if you take away the physical network connection and consolidate several servers into a single physical server through virtualization, you’ve taken away the main point of visibility into your environment. Traffic between two virtual machines on the same host passes through the virtual switch and never touches the physical wire, so a tap or span port on the uplink sees nothing of it.
Second, what about IT resources that are scattered throughout cyberspace and multiple data centres? How do you consolidate these into a single view of the entire network?
The high-level and easy answer is that you need to update your SIEM tools to ones that support cloud and virtual environments. Essentially these use virtual connectors (APIs) to tap into each virtual network segment and track activity that way. In many cases this might be a software API that talks back to a physical device, or it could be a virtualized SIEM (even a cloud-based/hosted/managed SIEM).
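To make the idea concrete, here is an added Python sketch (it is not from the CSA paper or the original post, and the connector field names, addresses and events are all constructed for the example rather than taken from any real vendor API). Three connectors, a physical tap on the host uplink, a hypervisor/virtual-switch API, and a hosted provider's audit API in a second data centre, each hand back records in their own shape; they are normalized into one schema, merged into a single time-ordered view, and two detections are run over it. The point it shows is the one above: the lateral-movement fan-out between VMs on the same host, and the cross-site correlation on one external address, only appear once the virtual connectors feed the SIEM.

```python
"""Added example with constructed data (not any vendor's API): three SIEM
connectors normalized into one view, plus detections the physical tap misses."""
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Iterable

@dataclass(frozen=True)
class Event:
    """Common schema every connector is normalized into."""
    ts: datetime
    source: str   # which connector produced the event
    src: str
    dst: str
    dport: int
    action: str   # e.g. "allow", "deny", "login_failed"

def _parse(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

# --- Connectors. Each returns constructed records in its own raw shape. ---

def physical_tap_records() -> list[dict]:
    """Flow records from a tap on the host's physical uplink. VM-to-VM traffic
    inside the same host never crosses that link, so it is simply absent."""
    return [
        {"t": "2013-03-01T10:00:01Z", "sip": "203.0.113.7", "dip": "10.0.1.10", "dp": 443, "act": "allow"},
        {"t": "2013-03-01T10:00:05Z", "sip": "203.0.113.7", "dip": "10.0.1.10", "dp": 22, "act": "deny"},
    ]

def vswitch_api_records(host: str) -> list[dict]:
    """Hypervisor / virtual-switch API view of one host, including intra-host flows."""
    return [
        {"time": "2013-03-01T10:00:07Z", "host": host, "from": "10.0.1.10", "to": "10.0.1.20", "port": 3306, "verdict": "allow"},
        {"time": "2013-03-01T10:00:08Z", "host": host, "from": "10.0.1.10", "to": "10.0.1.21", "port": 3306, "verdict": "allow"},
        {"time": "2013-03-01T10:00:09Z", "host": host, "from": "10.0.1.10", "to": "10.0.1.22", "port": 3306, "verdict": "allow"},
    ]

def cloud_audit_records(region: str) -> list[dict]:
    """A hosted provider's audit API for a second data centre (hypothetical field names)."""
    return [
        {"eventTime": "2013-03-01T10:00:03Z", "region": region, "sourceIPAddress": "203.0.113.7",
         "target": "console", "port": 443, "outcome": "login_failed"},
    ]

# --- Normalizers: one per connector, all landing in the same Event schema. ---

def normalize_tap(recs: Iterable[dict]) -> list[Event]:
    return [Event(_parse(r["t"]), "physical-tap", r["sip"], r["dip"], r["dp"], r["act"]) for r in recs]

def normalize_vswitch(recs: Iterable[dict]) -> list[Event]:
    return [Event(_parse(r["time"]), f"vswitch:{r['host']}", r["from"], r["to"], r["port"], r["verdict"])
            for r in recs]

def normalize_cloud(recs: Iterable[dict]) -> list[Event]:
    return [Event(_parse(r["eventTime"]), f"cloud:{r['region']}", r["sourceIPAddress"], r["target"],
                  r["port"], r["outcome"]) for r in recs]

def single_view(*streams: Iterable[Event]) -> list[Event]:
    """Merge every connector's events into one time-ordered view."""
    return sorted((e for s in streams for e in s), key=lambda e: e.ts)

# --- Detections run over the consolidated view. ---

DB_PORT = 3306

def detect_db_fanout(events: Iterable[Event], threshold: int = 3, window_s: int = 60) -> list[tuple[str, list[str]]]:
    """Flag a source reaching `threshold` or more distinct hosts on the DB port
    within `window_s` seconds. Only visible when intra-host flows are collected."""
    by_src: dict[str, list[Event]] = {}
    for e in sorted(events, key=lambda e: e.ts):
        if e.dport == DB_PORT and e.action == "allow":
            by_src.setdefault(e.src, []).append(e)
    alerts = []
    for src, evs in by_src.items():
        for i, first in enumerate(evs):
            dsts = {e.dst for e in evs[i:] if (e.ts - first.ts).total_seconds() <= window_s}
            if len(dsts) >= threshold:
                alerts.append((src, sorted(dsts)))
                break
    return alerts

def detect_cross_source_probe(events: Iterable[Event]) -> dict[str, list[str]]:
    """Same address denied or failing in two or more connectors: a correlation
    that only works once every source is in one view."""
    seen: dict[str, set[str]] = {}
    for e in events:
        if e.action in ("deny", "login_failed"):
            seen.setdefault(e.src, set()).add(e.source)
    return {src: sorted(s) for src, s in seen.items() if len(s) >= 2}

def visibility_comparison() -> dict[str, int]:
    """Alert counts from the physical tap alone versus the consolidated view."""
    tap_only = normalize_tap(physical_tap_records())
    consolidated = single_view(tap_only, normalize_vswitch(vswitch_api_records("hv-01")),
                               normalize_cloud(cloud_audit_records("dc-2")))
    def count(evs): return len(detect_db_fanout(evs)) + len(detect_cross_source_probe(evs))
    return {"tap_only": count(tap_only), "consolidated": count(consolidated)}
```

Running `visibility_comparison()` gives zero alerts from the tap alone and two from the consolidated view. The normalization step is doing the real work here: every connector speaks its own dialect, and the detections only become writable once there is one schema and one timeline to query, which is exactly the "single view" the paper is after.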
I’m not going to go over all the fine details, since these are included in the fabulous whitepaper above, but it’s definitely a point to keep in mind that with any transition of a solution to a new format (hosted, cloud or virtualized) it’s a really good idea to review the security controls. Especially if you are in an industry subject to regulatory and compliance fun.