July 15, 2010, 2:48 PM — Security practitioners diving into cloud computing must make older security tools like IDS work in this new world. In a CSO podcast last week, Stu Wilson, CTO of IDS provider Endace, sought to explain how this older technology is still relevant in enterprise cloud security strategies.
CSO also reached out to IT security practitioners through various LinkedIn security forums for an informal, unscientific poll. Here are views from four additional perspectives.
Tommy Ward, senior manager, engineering compliance at Google
IDS is just like many other security tools, it may be useful as part of a security program, but the deployment details are critical. IDS deployment in the context of cloud computing starts with the questions of what assets you are trying to protect, where are those assets, where are the attacks likely to originate from and can you effectively monitor for such attacks with an appropriate signal-to-noise ratio?
Cloud consumers are still likely to face the threat of intrusion into their own enterprise networks and systems. IDS may be appropriate at the boundaries between those enterprise networks and other networks, including the Internet.
Cloud providers are also likely to face intrusion threats, and once again IDS may be useful. Here the threat vectors may be from arbitrary Internet hosts or from customers. This makes topographic decisions about IDS deployment more complex. If the cloud provider is using virtualization for hosting PaaS or IaaS, then intrusion monitoring may need to be at the hypervisor level, and I doubt that many IDS appliance vendors have a compelling story for that.
Both consumers and providers face internal attack threats. How well any IDS can function to detect misuse or abuse by insiders is a good topic for debate, but the common practice is to rely much more on analysis of various types of audit logs to detect such attacks than on intrusion detection. Certainly pattern-based IDS could be used to detect some categories of internal attacks, but it would not be useful for detecting misuse of privileged credentials to extract sensitive data. Anomaly-based detection might be able to detect such internal threats, but once again the number of organizations that use this for internal attack detection is probably insignificant.
John Kinsella, founder of Protected Industries
I work with the cloud as both a user, consultant, and, in the interest of full disclosure, I'm working on a secure cloud offering. A few thoughts while wearing those different hats: The old security problems didn't go away when people "moved to the cloud." They just get distracted by all the new problems.