Cloud Security for IaaS: From Vision to Reality with a Trend Micro Case Study

Cloud computing a la infrastructure-as-a-service (IaaS) has an ephemeral quality: high scale, replicated, virtualized, fast. Automated orchestras of workloads and storage volumes of data moving, copying and cloning at Netflix speed. In the wrong hands, so goes your data, and so goes your bill, like an out-of-control international roaming charge. How do you get control of it? Fortunately, the cryptographic components for control and the interoperability technologies are moving from vision to reality.

Providers like Trend Micro, operating in the sprawling Amazon Web Services (AWS) marketplace and those of other cloud service providers (CSPs), can address how customers paying for it all at scale can monitor, protect and control their digital lifeblood. In a recent post on Firehost, I contrasted Amazon's relatively open ecosystem with providers that take more of a turnkey, built-in approach to security. Simply put, security tools can be built in to the IaaS platform, or they can be plugged in.

This post addresses the following IaaS pattern: customers plug in, or add in, security tools using a third party solution. While this pattern requires more in-sourced IT engineering and support resources than the built-in IaaS security approach, it has the benefit of working across heterogeneous, hybrid cloud estates comprising any of AWS, Microsoft Azure and other public IaaS solutions as well as private virtual data centers based on VMware or similar deployments.

The Vision Thing

Potentially, customers can move virtual machine (VM) workloads and their storage volumes across all those virtualized IaaS and private cloud ecosystems using consistent security models, keys and policies. The diagram at the beginning of this post addresses two important elements of that: how a customer can protect data in IaaS, and how it controls the cryptographic keys. 

Who is in control? That's always an essential question with cloud computing. The diagram above depicts VM workloads obtaining keys from outside the IaaS environment, using either a key server in the customer environment or a third-party service. Potentially, as shown in the figure, keys could be obtained from any key server supporting the OASIS standard Key Management Interoperability Protocol (KMIP), which was on display last week at RSA Conference. Being able to encrypt a VM image and its storage volumes using a key held outside of the IaaS domain mitigates some, though not all, of the risk from privileged IaaS CSP administrators.

Trend Micro Case Study

Trend Micro provides the fullest manifestation I've found yet of both the IaaS cryptography vision and the IaaS security add-in model. At RSA Conference I interviewed Trend Micro representatives to catch up on what the company is doing.

Business model: Add-in IaaS security vendors may sell directly to the end customer, or indirectly through the platform CSP. Trend Micro says it's using both models – selling direct through the AWS marketplace but indirectly to Savvis and CenturyLink customers.

Brand: Within its Cloud and Data Center Security product line, Trend Micro provides two add-in solutions for the IaaS environment: SecureCloud and Deep Security. The SecureCloud product description indicates support for AWS, VMware in general and a few other CSPs; during my interview at the RSA Conference, however, Trend Micro representatives indicated Microsoft Azure will also be covered and support for additional hypervisor environments is being added.

SecureCloud Encryption Functionality: SecureCloud provides add-in encryption on the supported platforms using agent software installed in Windows Server or Linux-based VMs. It can encrypt both the primary system volume and a secondary storage volume. To cover the primary volume, a pre-boot agent must be installed; however, Trend Micro says some customers only encrypt the secondary volume. In that case, the best practice is to reconfigure the OS instance so that temp files and swap files that may contain customer-specific data are stored on the encrypted secondary volume rather than on the unencrypted primary volume.
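One way to verify that secondary-volume-only setup on a Linux guest, as an added example that is my own code rather than Trend Micro's: it reads the mount and swap tables and reports any temp directory or swap area that does not sit on the encrypted volume. The /data mount point, the mapper device name and the sample tables are constructed values.

```python
"""Audit that temp dirs and swap live on the encrypted secondary volume (Linux)."""
import os

# Constructed sample tables standing in for /proc/mounts and /proc/swaps;
# the /data mount point and mapper device name are made-up values.
SAMPLE_MOUNTS = """\
/dev/xvda1 / ext4 rw,relatime 0 0
/dev/mapper/sc_data /data ext4 rw,relatime 0 0
tmpfs /run tmpfs rw,nosuid 0 0
"""
SAMPLE_SWAPS = """\
Filename  Type  Size  Used  Priority
/swapfile file 1048572 0 -2
"""

def parse_mounts(text):
    """Return (mount_point, device) pairs, longest mount point first."""
    rows = [ln.split() for ln in text.splitlines()]
    pairs = [(r[1], r[0]) for r in rows if len(r) >= 2]
    return sorted(pairs, key=lambda e: len(e[0]), reverse=True)

def mount_point_for(path, mounts):
    """Longest-prefix match of a file path against the mount table."""
    path = os.path.normpath(path)
    for mp, _dev in mounts:
        if path == mp or path.startswith(mp.rstrip("/") + "/"):
            return mp
    return None

def parse_swaps(text):
    """Return swap file/device paths from /proc/swaps (header line skipped)."""
    return [ln.split()[0] for ln in text.splitlines()[1:] if ln.strip()]

def audit(mounts_text, swaps_text, temp_dirs, encrypted_mount):
    """List (path, location) for each temp dir or swap NOT on encrypted_mount."""
    findings, mounts = [], parse_mounts(mounts_text)
    for path in list(temp_dirs) + parse_swaps(swaps_text):
        if path.startswith("/dev/"):
            # A swap partition's disk is not in the mount table: flag for manual check.
            findings.append((path, "swap partition: verify its disk is encrypted"))
            continue
        mp = mount_point_for(path, mounts)
        if mp != encrypted_mount:
            findings.append((path, mp))
    return findings

if __name__ == "__main__":  # on a real host, pass open("/proc/mounts").read() etc.
    for path, where in audit(SAMPLE_MOUNTS, SAMPLE_SWAPS, ["/tmp", "/var/tmp"], "/data"):
        print(f"NOT on encrypted volume: {path} (found on {where})")
```

Application-specific temp locations (a TMPDIR setting, a database's temp tablespace) should be added to the temp_dirs list, since the default /tmp and /var/tmp are only the obvious ones.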

SecureCloud Key Management Functionality: Trend Micro separates key management from the IaaS hosting environment using two alternatives: its own cloud-based key server and management console, based in Germany where data protection laws are strong, or a software-based solution that the customer can deploy at the location and in the manner it chooses. Trend Micro also says it will support the OASIS Key Management Interoperability Protocol (KMIP).

Finally, the companion brand – Trend Micro Deep Security – provides a comprehensive suite of host security tools that customers can run on virtual servers (or desktops) in public cloud IaaS environments and on physical or virtual servers in private clouds. The main security functions are anti-malware scanning, file integrity monitoring, host firewall and host intrusion prevention (HIPS), log inspection, and URL filtering. Deep Security runs either as a VMware vShield API-integrated solution or as a standalone agent. It also offers some functionality for web vulnerability detection.

As we well know, information protection requires a layered defense. With some IaaS platforms such as AWS, customers start out with only a bare-bones virtual server, basic OS protections and a few tools such as the Amazon firewall. Being able to plug a broad set of security features into the IaaS environment through Deep Security, and then gain more control of the data itself through SecureCloud, checks many of the boxes required for a layered defense.
