download issue 27 here - Help Net Security
Monitor the connection

Understanding the nature of how cloud services authenticate and connect enables you to monitor those connections appropriately. A new type of monitoring is required to enable security analysts to look inside the contents of applications in order to enforce the data access and usage policies that are being mandated by SOX, PCI, HIPAA and other compliance regulations.

We're already looking at the cloud server logs (which should be collected locally by your enterprise SIEM), your own identity and access management (IAM) system, and – to the best of your abilities – network connections between the outside world and the cloud. The next step is to implement layer 7 application monitoring, to look inside those connections to ensure that the connection is legitimate and not spoofed; that the user is not transferring sensitive information to or from the cloud; and to look for any number of other suspicious activities that occur within a session once it has been established.

Again, you'll want some heavy-lifting analytic tools in your corner to help automate this, and to correlate everything together. You'll also need a layer 7 monitoring device that can actually decode and inspect the contents of applications.
The details

While these tools are available today – in the form of application data monitors, content firewalls, DLP, other data-inspection products, and SIEMs – products alone can't secure the cloud. Application monitoring gives you visibility up through layer 7, but that visibility doesn't do you any good if you don't know what you're looking for.

Are the underlying protocols legitimate? Have sessions been established correctly? Once a session is established, what is the user doing, and does that behavior indicate any type of risk?

Take the time to tune your monitoring and alerting tools according to your own usage policies, and you'll be able to monitor application use within the context of your own internal usage policies, not to mention whatever compliance requirements you are held to.
The devil

If you manage to control and monitor all access to your cloud service, you'll be faced with an additional challenge: encryption. When re-directing and monitoring outside access, you'll need to decrypt that session before it can be monitored.

Internally, you have your own certificates and can simply terminate the secure connection prior to monitoring. When things aren't in your control – and they rarely are when dealing with virtualized, distributed computing – it means that you need to find another way to unlock those sessions.

Is it appropriate to recommend implementing a man-in-the-middle within your own network? Using an SSL decoding appliance industrializes the process somewhat, making it seem more legitimate, but the truth is that you have to act a bit like the devil in order to get the details.

The good news is that there's hope. With a little effort to control how cloud services are accessed, and by correctly monitoring that access, it's possible to regain a clear picture of how your applications and information are being used, in order to truly defend against data loss and theft.
• Collect logs from your cloud server(s), especially those involving user access and activity
• Establish a whitelist of authorized users and privileges from your own authentication system
• Monitor traffic aggressively so that you have as much data as possible about cloud activity
• Centralize everything, correlating network-, user- and application-level activity together.
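The four steps above, together with the earlier advice to tune alerting to your own usage policies, come down to one correlation loop: parse the cloud server's access log, check each event against the user and privilege whitelist exported from your IAM system, and apply policy thresholds on top. The following Python script is an added illustration of that loop; it is not code from the article or from NitroSecurity. The log format, the user names, the IP addresses, the whitelist contents and the byte thresholds are all constructed for the example, and a real deployment would read these from the SIEM and IAM system rather than from inline strings.

```python
# Added example (not from the article): correlating constructed cloud access
# log lines with an IAM-derived whitelist and simple usage-policy thresholds.
import re
from collections import defaultdict

# Constructed "cloud server" access log: timestamp, client IP, user,
# application, action, object and bytes transferred. Not real data.
CLOUD_LOG = """\
2010-09-01T08:01:12Z 203.0.113.10 alice app=crm action=read obj=/customers/1042 bytes=2048
2010-09-01T08:02:40Z 203.0.113.10 alice app=crm action=read obj=/customers/1043 bytes=1900
2010-09-01T08:05:03Z 198.51.100.7 bob app=crm action=export obj=/customers/all bytes=52428800
2010-09-01T08:07:55Z 192.0.2.44 mallory app=crm action=read obj=/customers/1042 bytes=2048
2010-09-01T08:09:10Z 203.0.113.10 alice app=crm action=delete obj=/customers/1042 bytes=0
"""

# Constructed whitelist as it might be exported from the enterprise IAM
# system: which users may use which application, with which privileges.
IAM_WHITELIST = {
    "alice": {"crm": {"read"}},
    "bob": {"crm": {"read", "export"}},
}

# Constructed internal usage policy: a per-user, per-day transfer ceiling
# and actions that always warrant analyst review, privilege or not.
POLICY = {
    "max_bytes_per_user_per_day": 10 * 1024 * 1024,   # 10 MiB (constructed)
    "always_review_actions": {"export", "delete"},
}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) (?P<user>\S+) app=(?P<app>\S+) "
    r"action=(?P<action>\S+) obj=(?P<obj>\S+) bytes=(?P<bytes>\d+)$"
)


def parse_log(text):
    """Parse log lines into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["bytes"] = int(ev["bytes"])
            events.append(ev)
    return events


def correlate(events, whitelist, policy):
    """Return (user, finding) tuples for events that violate the whitelist
    or the usage policy. Each finding is emitted once per triggering event;
    the daily-volume finding is emitted only when the ceiling is crossed."""
    findings = []
    bytes_per_user_day = defaultdict(int)
    ceiling = policy["max_bytes_per_user_per_day"]
    for ev in events:
        user, app, action = ev["user"], ev["app"], ev["action"]
        allowed = whitelist.get(user)
        if allowed is None:
            # Unknown to IAM: the session itself is suspect, skip further checks.
            findings.append((user, f"user not in IAM whitelist (from {ev['ip']})"))
            continue
        if action not in allowed.get(app, set()):
            findings.append((user, f"action '{action}' on {app} exceeds granted privileges"))
        day = ev["ts"][:10]
        before = bytes_per_user_day[(user, day)]
        bytes_per_user_day[(user, day)] = before + ev["bytes"]
        if before <= ceiling < before + ev["bytes"]:
            findings.append((user, f"daily transfer volume exceeded on {day}"))
        if action in policy["always_review_actions"]:
            findings.append((user, f"reviewable action '{action}' on {ev['obj']}"))
    return findings


if __name__ == "__main__":
    for user, msg in correlate(parse_log(CLOUD_LOG), IAM_WHITELIST, POLICY):
        print(f"{user}: {msg}")
```

Run as a script, it reports mallory as a user unknown to IAM, alice's delete as exceeding her read-only grant, and bob's export both as a volume breach and as a reviewable action. The point of the structure is that the whitelist and the policy are data, not code, so the same loop can be tuned to your own usage policies, as the article recommends, without rewriting the detection.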
Michael Leland serves the office of the CTO at NitroSecurity (www.nitrosecurity.com). He is responsible for developing and implementing the company's overall technology vision and roadmap including next-generation network and security management solutions.
www.insecuremag.com 14