As companies accelerate their adoption of cloud technologies – like infrastructure as a service (IaaS) or software as a service (SaaS) – the need for solutions that provide secure access and reliable operations in the cloud increases in importance. A top area of concern is defending applications from distributed-denial-of-service (DDoS) attacks. Any plan to move to the cloud should include a plan for dealing with the pervasive and growing threat that DDoS attacks present. In this slideshow, Bill Lowry, director of cloud services at Radware, takes a look at some of the burning issues you should consider when adopting a DDoS mitigation strategy for a cloud-based solution.
Bill Lowry is director, Cloud Services at Radware, where he leads strategic sales engagement and evangelism for Radware’s industry-leading products and services for co-location, hosting, managed service, and cloud providers. Lowry has more than 20 years of experience integrating security, network and data center technologies into solutions for service providers and Fortune 500 enterprises, with leadership roles at companies including Terremark, Verizon, Arista Networks, Brocade, and Apple.
The following are five security issues organizations should address when moving resources to cloud infrastructure, as identified by Bill Lowry, director, Cloud Services at Radware.
Securing a new perimeter
In the past, you could focus your security efforts on guarding the front door of your data center. Using cloud technologies means distributing your data and applications to multiple data centers – effectively creating a new security perimeter – and a new set of doors to guard. How can you defend against attack in all the places your data resides?
Form of remediation: Many cloud providers have tested or even deployed technologies that detect distributed-denial-of-service attacks, but most are based on sampled network statistics. Inline deployments, examining all inbound and outbound traffic, offer the most comprehensive detection and mitigation of DDoS attacks. Knowing what tools a cloud provider uses for DDoS detection should be part of the standard checklist for evaluating any cloud services.
By definition, cloud technologies are remotely accessed. If your cloud provider suffers a crippling DDoS attack that prevents network access to its services, the effect is the same as your application being down. What is your cloud provider doing to ensure this does not happen to you?
Form of remediation: Cloud providers should employ a combination of cloud-based and on-premise DDoS mitigation tools. This hybrid approach offers the best protection available: deploying hardware to detect and mitigate attacks locally with automated signaling to divert attack traffic to a cloud-based scrubbing center. The scrubbing center should be able to handle attacks hundreds of gigabits in size, improving the cloud provider’s ability to keep your resources up and running.
Protecting tenants from each other
Bad guys can purchase cloud services just as you can. Who is keeping watch inside the cloud environment to protect your data from threats?
Form of remediation: You can deploy security tools that protect your servers deployed in the cloud. Web Application Firewalls detect and prevent server-based attacks, even if they originate from within the same cloud architecture. Also, future deployments of software-defined networking (SDN) will allow providers to use the network to find attacks as well. Security technology developed to work with any SDN controller can look for suspicious traffic and redirect it for remediation while allowing clean traffic to follow the normal path through the network.
Mass customization of security tools
To create the aggressive pricing needed to compete in the cloud marketplace, most providers rely on the creation of general protection profiles that can be leveraged by many customers, reducing their costs for the solution. How can your specific security needs be met by a cloud provider with generic security protocols?
Form of remediation: Cloud providers can and should provide generic, well-established protections for their entire customer base. But they should also offer tools that allow each customer to build a unique set of protections that align with the customer’s security posture. Be sure you can customize the configuration of the security tools available from a cloud provider to fit your specific needs.
Small is the new big
Headlines come out every week talking about the latest multi-gigabit attack unleashed on a major bank or high-profile website. However, only about 25 percent of all DDoS attacks are volumetric. How can my cloud provider help me with the rest?
Form of remediation: Small attacks do not saturate Internet bandwidth like volumetric attacks. They work by targeting the equipment that supports your application – the firewall, load balancer, IPS/IDS and servers. These attacks require a small amount of bandwidth, so small that most operators would hardly notice the increase in traffic. These “low & slow” attacks – focused on resource starvation or application vulnerabilities – are usually not detected by tools that focus on volumetric attacks. Be sure your cloud provider has a premise-based solution to assist you in detecting and mitigating these smaller attacks.
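The point above, as an added illustration that is not part of the original slideshow or any Radware product: the same window of traffic is checked once with an aggregate bandwidth threshold and once per connection. The record fields, thresholds and sample traffic are all constructed assumptions.

```python
from collections import Counter
from dataclasses import dataclass

@dataclass
class Conn:
    src: str            # client address (documentation range, constructed)
    open_s: float       # seconds the connection has been open
    bytes_in: int       # bytes received from the client so far
    request_done: bool  # has a complete request arrived yet?

WINDOW_S = 60                 # observation window in seconds (assumed)
LINK_ALERT_BPS = 500_000_000  # volumetric alarm threshold, bits/s (assumed)
MIN_CLIENT_BPS = 50           # slowest plausible legitimate sender, bytes/s (assumed)
MAX_PENDING_S = 30            # time allowed to finish sending a request (assumed)
MAX_STALLED_PER_SRC = 20      # stalled connections tolerated per source (assumed)

def volumetric_alarm(conns):
    """Aggregate view: total inbound bits per second across the window."""
    bps = sum(c.bytes_in for c in conns) * 8 / WINDOW_S
    return bps > LINK_ALERT_BPS

def stalled_sources(conns):
    """Per-connection view: sources holding many open, unfinished, trickling requests."""
    stalled = Counter(
        c.src for c in conns
        if not c.request_done
        and c.open_s > MAX_PENDING_S
        and c.bytes_in / c.open_s < MIN_CLIENT_BPS
    )
    return sorted(src for src, n in stalled.items() if n > MAX_STALLED_PER_SRC)

def sample_window():
    """Constructed data: 200 normal clients plus one source trickling 300 requests."""
    normal = [Conn(f"198.51.100.{i % 250 + 1}", 0.4, 900, True) for i in range(200)]
    slow = [Conn("203.0.113.7", 55.0, 400, False) for _ in range(300)]
    return normal + slow

if __name__ == "__main__":
    window = sample_window()
    print("volumetric alarm:", volumetric_alarm(window))
    print("stalled sources:", stalled_sources(window))
```

The 300 stalled connections add only a few kilobits per second to the link, so the bandwidth check stays quiet while the server's connection slots are being held open.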