download issue 27 here - Help Net Security

Monitor the connection
Understanding the nature of how cloud services
authenticate and connect enables you to
monitor those connections appropriately. A
new type of monitoring is required to enable
security analysts to look inside the contents of
applications in order to enforce data access
and usage policies that are being mandated
by SOX, PCI, HIPAA and other compliance
regulations.
Weʼre already looking at the cloud server logs
(which should be collected locally by your enterprise
SIEM), your own identity and access
management (IAM) system, and – to the best
of your abilities – network connections between
the outside world and the cloud. The
next step is to implement layer 7 application
monitoring, to look inside those connections
to ensure that the connection is legitimate and
not spoofed; that the user is not transferring
sensitive information to or from the cloud; and
look for any number of other suspicious activities
that occur within a session once it has
been established.
Again, youʼll want some heavy-lifting analytic
tools in your corner to help automate this, and
to correlate everything together. Youʼll also
need a layer 7 monitoring device that can actually
decode and inspect the contents of
applications.
The details
While these tools are available today – in the
form of application data monitors, content
firewalls, DLP, other data-inspection products,
and SIEMs – products alone canʼt secure the
cloud. Application monitoring gives you visibility
up through layer 7, but that visibility doesnʼt
do you any good if you donʼt know what
youʼre looking for.
Are the underlying protocols legitimate? Have
sessions been established correctly? Once a
session is established, what is the user doing,
and does that behavior indicate any type of
risk?
Take the time to tune your monitoring and
alerting tools according to your own usage
policies, and youʼll be able to monitor application
use within the context of your own internal
usage policies, not to mention whatever
compliance requirements you are held to.
The devil
If you manage to control and monitor all access
to your cloud service, youʼll be faced
with an additional challenge: encryption.
When re-directing and monitoring outside access,
youʼll need to decrypt that session
before it can be monitored.
Internally, you have your own certificates and
can simply terminate the secure connection
prior to monitoring. When things arenʼt in your
control – and they rarely are when dealing
with virtualized, distributing computing – it
means that you need to find another way to
unlock those sessions.
Is it appropriate to recommend implementing
a man-in-the-middle within your own network?
Using an SSL decoding appliance industrializes
the process somewhat, making it seem
more legitimate, but the truth is that you have
to act a bit like the devil in order to get the
details.
The good news is that thereʼs hope. With a
little effort to control how cloud services are
accessed, and by correctly monitoring that
access, itʼs possible to regain a clear picture
of how your applications and information are
being used, in order to truly defend against
data loss and theft.
• Collect logs from your cloud server(s), especially
those involving user access and activity
• Establish a whitelist of authorized users and
privileges from your own authentication system
• Monitor traffic aggressively so that you have
as much data as possible about cloud activity
• Centralize everything, correlating network-,
user- and application-level activity together.
Michael Leland serves the office of the CTO at NitroSecurity (www.nitrosecurity.com). He is responsible for
developing and implementing the companyʼs overall technology vision and roadmap including next-generation
network and security management solutions.
www.insecuremag.com 14