Cloudified Security

As IT&C companies and their customers keep migrating from independent, standalone, self-owned hardware and software infrastructure to virtualized environments, new issues, problems and risks arise. Most of these new threats and risks are related to security.

Everything changes once the IT infrastructure has been cloudified.

For one thing, you no longer store your own data in your own facility. You used to know exactly where your data was and, moreover, what protection and security your system implemented, from physical premises security to securing the hardware and the software applications. Of course, this means that YOU have to design, implement, manage and maintain your own:

– Premises physical security system
– Resilient and redundant hardware infrastructure
– Resilient and redundant storage systems
– Resilient and redundant network infrastructure
– Resilient and redundant applications and software

all of which require investment and personnel. And not only once! You will have upgrade costs, recurring costs and subscription costs forever. Relax, all of your IT&C infrastructure and all your data are safe and secure… or are they?

Implementing and maintaining a robust, reliable, secure environment is an effort, even for IT&C companies whose business focus is exactly IT&C systems. What if you are not an IT&C company, but you are running an IT&C infrastructure? All of these items are just cost and effort for you. And you are probably not so safe anyway, as cyber risks evolve, sometimes faster than cyber defence.

So… should you move your IT&C environment into the cloud? It seems the TCO is lower after all, and you can now focus on your own business! You are actually taking your precious information, your intelligence, your assets into a cloud, where they will be taken care of by your CSP. But is it safe? Is it secure?

Yes, it is! In a professional CSP environment, everything you used to do on your own at a smaller scale is now performed as a core business activity and at a larger scale.


How do they (CSPs) do it?

First, usually, your environment is hosted in a dedicated DataCenter which normally complies with at least Tier III specifications (<<link to uptime institute or a similar definition of the 4 tiers>>). AdNet Telecom’s data centre provides all the physical premises security (resilient and redundant power supplies, cooling, network connectivity, surveillance, firefighting and a totally automated DataCenter Infrastructure Management).

Second, your servers and storage infrastructure will most likely be virtualized. Believe it or not, this actually makes your data more secure, as most virtualization hypervisors (such as VMware) address several security issues:

– Your data does not live on one specific physical hardware platform (a server with a given number of CPUs, some RAM and storage disks) whose failure or malfunction would result in information loss or reduced availability until a technician replaces or repairs the unit. Your data is stored in complex, resilient, redundant multi-access storage platforms with hundreds of thousands of disk arrays. If one disk fails, the next one is a spare; if a second disk fails, the RAID mechanics in place instantly recover your data. If an access path to the storage unit fails, at least two or three more are on active standby to take over. If a whole storage unit fails, backup, replication, disaster recovery and business continuity plans ensure that your data is safe and secure at another, usually remote, site.

– Your applications run in a virtualized environment hosted on clusters of blade servers; your entire server can and will be migrated instantly from any faulty unit to another one without any disruption.

– The storage that holds your data is connected to the virtualized servers running the application over a virtualized network infrastructure (NFV/SDN). This means that the switching and routing software actually runs as virtual entities on the virtualized cluster of blade servers and, besides being redundant by network architecture, benefits from all the redundancy and migration mechanics that protect your data and applications. For a customer running a complex virtualized infrastructure in a CSP environment, AdNet Telecom usually provides a dedicated virtual network infrastructure (Cisco Nexus 1000V switches, Cisco CSR 1000V routers, VMware vSwitches) implemented to the specific customer's requirements and design.

Up to this point, it is clear that your assets are safe from data loss caused by any type of hardware malfunction of servers, storage units or network devices, and, because of regular backups and replication, you are also safe from damaging the data yourself (by mistake or by sabotage). If your data were totally disconnected from outside networks and the Internet, that would be enough – but this is not the case.

– Q: How does AdNet Telecom, as a CSP, protect your network from outside networks, the Internet and external threats?

– A: By using a wide range of security appliances that address specific risks, threats and attacks!

– Q: OK, but how is this different from what you would do to protect your locally hosted infrastructure?

  1. Like the other virtualized network elements (switches, routers), security appliances can be, and are, virtualized as well, benefiting from all the advantages already described.
  2. If you want to implement a hardware security appliance of any sort, your trusted hardware provider will ask the right questions in order to identify the exact model you require, based on functions and performance. The issue is that if you need some functions now and others later, you will most likely have to replace the old device with a new one, or start with all the functions from the beginning to avoid missing one – both options are very costly, require effort and cause downtime. What about performance? If your firewall initially needs to serve 1 Gbps of traffic but you expect your business to grow, what performance level should you choose? This changes with the virtualized flavour of security appliances: their performance is directly related to the resources configured for the underlying virtual appliance. If you need two CPU cores and 4 GB of RAM to serve 1 Gbps of traffic, then to serve 2 Gbps you just add two more CPU cores and 4 GB of RAM to the virtual appliance and increase (if needed) the performance license. Needless to say, this is a very simple task with hypervisors such as the VMware suite. You also have the option of clustering your firewalls: if a cluster of two virtual firewalls serves 2 Gbps of traffic, you just need three for 3 Gbps, plus minor changes to your network configuration. No downtime!
  3. CSPs usually benefit from special packages from security appliance vendors that let them easily increase or decrease license packages depending on load. For example, if this month the overall customer traffic through the firewall is 20 Gbps and trends show customer traffic growing to 30 Gbps, the CSP simply orders an extended capacity license for the next month and either increases the performance of the virtual appliances or adds new firewall nodes to an existing cluster. No hardware change. No CAPEX!

Cyber security is usually layered.

The first layer of defence in AdNet Telecom's security infrastructure is the so-called "IP firewall". This element is responsible for protecting the inside systems against IP, TCP and other OSI L3–L4 threats, risks and attacks (such as spoofing, SYN attacks, and others that attempt to alter IP/TCP headers in order to "trick" the network into believing the traffic is clean). The IP firewall function is implemented with Cisco ASAv security appliances and Fortinet FortiGate-VM versions. These are deployed at the externally exposed borders of the customer's dedicated virtual environment (for complex implementations) or as the main IP firewall for simpler configurations.

The second layer of defence concerns DDoS attacks. These attacks aim to overload the network and/or application infrastructure by generating, at very high rates and from multiple geographically distributed sources, requests that appear to be legitimate. Unprotected systems keep working, but the useful traffic cannot be delivered because of the overload. The sources are ordinary users' terminals infected with malware that allows the attacker to control and coordinate many hosts over the Internet (all victims of that malware). AdNet Telecom protects its data centres against DDoS attacks using the Arbor Networks SP/TMS solution. The flow collector, Arbor Networks SP, constantly monitors all border routers and identifies surges or spikes in traffic. In such a case it analyses the traffic and decides whether it is a normal traffic increase or an attack. The system has two methods of resolving DDoS attacks:

– Simply deny all traffic matching the attack pattern and protect the network and applications against overload. This is achieved by automatically manipulating the border routers' routing tables so that traffic from infected sources is dropped. It is very efficient, and Arbor can deny DDoS attacks of up to tens of Gbps. The downside is that usually several users share the same public IP via NAT; if one of the users behind a given public IP is infected, Arbor will set the border routers to reject all traffic from that public IP, and all the other, non-infected users behind it will be unable to access your applications.

– The improved version includes a cleaning system, the Arbor TMS. The flow collector works the same way and detects the attack, but instead of setting the border routers to deny traffic from the sources, it redirects the traffic to the TMS, which inspects all of it and surgically removes only the attack packets, thus allowing traffic from clean terminals that share public IPs with infected ones. Because the TMS needs to inspect each and every packet, it usually does not have the same capacity as the detection/rejection engine. If the cleaning capacity is reached, the system reverts to the basic functionality.
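As an added example (not AdNet Telecom's or Arbor's code), the following Python model reproduces the decision flow described above: a flow collector compares per-destination packet rates against a learned baseline, isolates the sources that carry the attack, and then applies either the blackhole mode (drop everything from those sources, at the cost of the clean users behind a shared public IP) or the scrubbing mode (drop only the attack packets, falling back to blackholing when the scrubber's capacity is exceeded). All IP addresses, baselines, thresholds and the scrubber capacity are constructed; the attack pattern used here (a source whose traffic to the surging destination is almost entirely bare SYNs) is one constructed pattern standing in for the signatures a real flow collector uses.

```python
from collections import defaultdict

# Constructed flow records for one 1-second window, one per (src, dst, kind).
# "kind" is what the scrubber can see on the wire: "syn" = bare SYN with no
# follow-up, "est" = established session traffic.
# 198.51.100.7 is a public IP shared via NAT by one infected terminal and
# several clean users; the 192.0.2.0/24 hosts are bots.
FLOWS = [
    {"src": "198.51.100.7", "dst": "10.0.0.5", "kind": "syn", "pps": 40000},
    {"src": "198.51.100.7", "dst": "10.0.0.5", "kind": "est", "pps": 300},
    {"src": "192.0.2.10",   "dst": "10.0.0.5", "kind": "syn", "pps": 50000},
    {"src": "192.0.2.11",   "dst": "10.0.0.5", "kind": "syn", "pps": 50000},
    {"src": "203.0.113.4",  "dst": "10.0.0.5", "kind": "est", "pps": 120},
    {"src": "203.0.113.9",  "dst": "10.0.0.9", "kind": "est", "pps": 200},
]

BASELINE_PPS = {"10.0.0.5": 2000, "10.0.0.9": 500}  # learned normal rates (constructed)
SURGE_FACTOR = 5           # alert when a destination sees more than 5x its baseline
ATTACK_SYN_RATIO = 0.9     # a source is treated as infected if >=90% of its packets are bare SYNs
TMS_CAPACITY_PPS = 150000  # cleaning capacity of the scrubber (constructed)


def detect_surges(flows, baseline=BASELINE_PPS, factor=SURGE_FACTOR):
    """Flow-collector step: total pps per destination versus the learned baseline."""
    total = defaultdict(int)
    for f in flows:
        total[f["dst"]] += f["pps"]
    return {dst: pps for dst, pps in total.items() if pps > factor * baseline.get(dst, 0)}


def attack_sources(flows, dst, syn_ratio=ATTACK_SYN_RATIO):
    """Sources whose traffic towards dst is dominated by bare SYNs."""
    per_src = defaultdict(lambda: {"syn": 0, "all": 0})
    for f in flows:
        if f["dst"] != dst:
            continue
        per_src[f["src"]]["all"] += f["pps"]
        if f["kind"] == "syn":
            per_src[f["src"]]["syn"] += f["pps"]
    return {src for src, c in per_src.items() if c["all"] and c["syn"] / c["all"] >= syn_ratio}


def blackhole(flows, sources):
    """Mode 1: the border routers drop *everything* from the listed sources.
    Returns (kept_flows, collateral_pps), where collateral is the established
    traffic lost only because it shares a public IP with an attacker."""
    kept = [f for f in flows if f["src"] not in sources]
    collateral = sum(f["pps"] for f in flows if f["src"] in sources and f["kind"] == "est")
    return kept, collateral


def scrub(flows, sources, capacity=TMS_CAPACITY_PPS):
    """Mode 2: divert the suspect sources through a scrubber that removes only
    the attack packets. If the diverted volume exceeds the scrubber's capacity,
    fall back to blackholing, as the text describes."""
    diverted = sum(f["pps"] for f in flows if f["src"] in sources)
    if diverted > capacity:
        kept, collateral = blackhole(flows, sources)
        return kept, collateral, "fallback-blackhole"
    kept = [f for f in flows if not (f["src"] in sources and f["kind"] == "syn")]
    return kept, 0, "scrubbed"


def mitigate(flows, use_tms=True):
    """Full loop: detect the surge, identify attack sources, apply the chosen mode.
    Returns (kept_flows, collateral_pps, mode)."""
    surges = detect_surges(flows)
    if not surges:
        return flows, 0, "no-attack"
    sources = set()
    for dst in surges:
        sources |= attack_sources(flows, dst)
    if use_tms:
        return scrub(flows, sources)
    kept, collateral = blackhole(flows, sources)
    return kept, collateral, "blackholed"


if __name__ == "__main__":
    for use_tms in (False, True):
        kept, collateral, mode = mitigate(FLOWS, use_tms=use_tms)
        print(f"{mode:18s} flows kept={len(kept)} clean pps lost={collateral}")
```

Running the module shows the trade-off the two bullets describe: blackholing loses the 300 pps of established traffic from the clean users behind 198.51.100.7, scrubbing keeps it, and lowering `TMS_CAPACITY_PPS` below the diverted volume makes the scrubber fall back to the blackhole behaviour.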

Are all these systems enough to protect your cloudified infrastructure? Unfortunately, no!

According to SDxCentral's "2016 Next-Gen Infrastructure Security Report", the most frequently occurring attack technique is SQL injection. SQL injection consists of an attacker using the ordinary input forms of your application interface (such as the input fields of registration or contact forms) to inject their own SQL into the queries your application runs against its database. Sometimes this enables the attacker to destroy, or gain access to, your data. This type of attack will never be identified and filtered by an IP firewall (the packet headers are perfectly normal), nor by DDoS detection and cleaning (it is not a volumetric attack pattern), because it is just a normal web request to your application interface.

There are several types of attack techniques that try to exploit some vulnerability in your application architecture. Developers know about such vulnerabilities and prepare your systems against them when deploying the application and databases, but this is not enough. The solution is to insert, on the path of the request between the attacker and the application server itself, an intermediate system that appears to the attacker to be the application itself. Besides optimization and acceleration of application traffic, SSL offload and load balancing, these intermediate systems, generically known as application firewalls, web application firewalls or application delivery controllers, inspect each request, match it against an attack signature database and sometimes execute the request themselves and check the result, without forwarding it to the protected application server behind them. AdNet Telecom deploys the A10 Networks Thunder ADC as its application delivery controller; it can be customized for a specific customer application, with know-how from the application developers, so that it understands how your application works and which requests it should allow, quarantine or deny.
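As an added example (not A10's or AdNet Telecom's code), the following Python inspector shows the signature-matching step such an intermediate system performs before a request reaches the application server: it parses the query string and form body, normalizes each value (URL-decoding, including double-encoded input, and case folding) and matches it against a small constructed signature list, returning a verdict rather than forwarding anything. The signature patterns and the sample requests are constructed for illustration and are far from a complete rule set.

```python
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Constructed signature list: (name, compiled pattern), matched against each
# normalized form value. A real product ships thousands of these and tunes
# them per application, as the text notes.
SIGNATURES = [
    ("sqli-tautology", re.compile(r"'\s*or\s*'[^']*'\s*=\s*'")),
    ("sqli-union",     re.compile(r"\bunion\s+(all\s+)?select\b")),
    ("sqli-stacked",   re.compile(r";\s*(drop|delete|insert|update)\b")),
    ("sqli-comment",   re.compile(r"(--|/\*|#)\s*$")),
]


def normalize(value):
    """Decode twice so that double-encoded input (%2527 -> %27 -> ') is seen
    the way the back end would see it, then fold case so signatures can be
    written in lower case."""
    return unquote_plus(unquote_plus(value)).lower()


def inspect_request(method, url, body=""):
    """Return ("allow", None) or ("deny", signature_name).
    `url` is the request target (path plus query); `body` is a form-encoded
    POST body. Headers and JSON bodies are out of scope for this example."""
    parts = urlsplit(url)
    # parse_qsl performs the first level of URL decoding for us.
    fields = parse_qsl(parts.query, keep_blank_values=True)
    if method.upper() == "POST":
        fields += parse_qsl(body, keep_blank_values=True)
    for _name, raw in fields:
        value = normalize(raw)
        for sig_name, pattern in SIGNATURES:
            if pattern.search(value):
                return "deny", sig_name
    return "allow", None


if __name__ == "__main__":
    # Constructed sample requests: one benign, one plain, one double-encoded.
    samples = [
        ("GET", "/search?q=blue+widgets", ""),
        ("POST", "/login", "user=x%27+OR+%271%27%3D%271&pw=a"),
        ("GET", "/search?q=%2527%2520OR%2520%25271%2527%253D%25271", ""),
    ]
    for method, url, body in samples:
        print(method, url, "->", inspect_request(method, url, body))
```

Two points the code makes concrete: without the decoding step the double-encoded request would pass the same signatures untouched, which is why normalization matters as much as the rule set; and a signature filter like this is a coarse front-line control that can miss rewritten payloads and flag legitimate input, so it complements, rather than replaces, parameterized queries in the application.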