This post was written by Loretta Nierat.
So you made the jump into the public cloud, and you chose to go with AWS. So far, so good. But, what about security? Is AWS sufficient when it comes to keeping your data secure, or being able to accurately monitor your network? Or do you need additional protection?
As AWS points out, it’s important to understand the Shared Responsibility model. Depending on which AWS services you are embracing, AWS will provide security up to a certain level, and then it’s up to you to add further protection to ensure you are safe with the workloads you are running in the public cloud.
To understand the impact the public cloud (AWS) has on managing your infrastructure, and therefore what additional measures you need to take to secure it, let's take a closer look at the Shared Responsibility model for Infrastructure Services, which covers AWS services such as Amazon EC2, Amazon EBS, and Amazon VPC. AWS secures the global infrastructure you are running on and provides physical and virtualization security. You are responsible for protecting the operating systems running inside your virtual servers, as well as your applications and your network. In short, you should secure your servers and network as if they were in your own data center.
Now, the question is: even though you recognize the need for additional security in AWS, will the tools used in your on-premises data center or private cloud data center work well in the AWS environment? Oftentimes, the answer is no. To start, there are additional exposures within the public cloud, such as east-west traffic between workloads, that may require additional context or new techniques not needed in other data center environments. In addition, one of the prime reasons AWS is so scalable and affordable is its dynamic and massively scalable network architecture. It allows AWS to spin up or retire workloads for you with ease, but it comes at the cost of you not controlling the infrastructure and underlying network. Traditional security controls that allow deeper traffic inspection assume you control the traffic coming and going from your workloads. The abstracted nature of the infrastructure and network makes this assumption invalid and requires a new approach to offer the same kind of protection.
First of all, you should leverage Amazon VPC, which adds another layer of network security. It gives you private, non-routable subnets and lets you create IPsec tunnels between your corporate network and your AWS VPC.
Additionally, you will need network protection for your east-west traffic, which inspects traffic flowing even between your own virtual machines. After all, if malware gets into your VPC, it can move laterally fast without being detected and infect all of your workloads. You must be able to see all inter-workload traffic (the east-west exposure described above). To accomplish this, a process must be in place to reroute each workload's traffic individually to virtual IPS sensors, which requires a different approach and a different architecture.
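Before any sensor is in place, a first step is knowing which paths lateral movement inside the VPC could use. The following is an added example, not code from the original post or from McAfee: an offline check over a constructed response shaped like the `SecurityGroups` list that `aws ec2 describe-security-groups` returns, flagging ingress rules that let any VPC host reach a wide port range. The sample groups, the 10.0.0.0/16 VPC CIDR and the 64-port threshold are all assumptions.

```python
import ipaddress
import json

# Constructed sample shaped like the "SecurityGroups" list returned by
# `aws ec2 describe-security-groups`; group ids and CIDRs are made up.
SAMPLE_SGS = json.loads("""[
 {"GroupId": "sg-aaaa1111", "GroupName": "web",
  "IpPermissions": [
   {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
    "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []}]},
 {"GroupId": "sg-bbbb2222", "GroupName": "app",
  "IpPermissions": [
   {"IpProtocol": "-1",
    "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "UserIdGroupPairs": []}]},
 {"GroupId": "sg-cccc3333", "GroupName": "db",
  "IpPermissions": [
   {"IpProtocol": "tcp", "FromPort": 0, "ToPort": 65535,
    "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-cccc3333"}]}]}
]""")


def port_span(rule):
    """Number of ports a rule opens; protocol -1 means every port."""
    if rule["IpProtocol"] == "-1":
        return 65536
    return rule.get("ToPort", 0) - rule.get("FromPort", 0) + 1


def find_lateral_exposure(sgs, vpc_cidr, max_ports=64):
    """Return (group id, protocol, sources) for ingress rules that admit
    traffic from inside the VPC to more than max_ports ports. These are the
    paths an intruder would use to move east-west once inside."""
    vpc = ipaddress.ip_network(vpc_cidr)
    findings = []
    for sg in sgs:
        for rule in sg["IpPermissions"]:
            if port_span(rule) <= max_ports:
                continue  # a narrow service port, not a lateral-movement path
            sources = []
            for r in rule.get("IpRanges", []):
                # Any CIDR that overlaps the VPC range admits intra-VPC traffic
                if ipaddress.ip_network(r["CidrIp"]).overlaps(vpc):
                    sources.append(r["CidrIp"])
            for pair in rule.get("UserIdGroupPairs", []):
                sources.append(pair["GroupId"])  # group-to-group trust
            if sources:
                findings.append((sg["GroupId"], rule["IpProtocol"], sources))
    return findings


if __name__ == "__main__":
    for finding in find_lateral_exposure(SAMPLE_SGS, "10.0.0.0/16"):
        print("wide intra-VPC ingress:", finding)
```

The web group's single-port rule is not reported; the app group (all protocols from the whole VPC range) and the db group (all TCP ports from its own group) are, which is exactly the traffic an east-west sensor would need to inspect.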
The McAfee technology that provides that protection is McAfee Virtual Network Security Platform (vNSP), and it is architected for AWS. vNSP delivers east-west network visibility with cutting-edge inspection techniques. It also discovers and blocks sophisticated threats in cloud architectures with accuracy and simplicity, enabling organizations to restore compliance and embrace cloud security with confidence. Advanced technologies include signature-less detection, in-line emulation, signature-based vulnerability patching, and support for Amazon Web Services (AWS) and network virtualization. With streamlined workflows, multiple integration options, and simplified licensing, organizations can easily manage and scale their security in the most complex cloud architectures.
One additional advantage is that vNSP provides dedicated threat protection across virtualized infrastructure and data centers, so you can use the same solution for your own data center as well as the public cloud. vNSP lets you apply a single policy across environments, and it is designed to discover and block sophisticated threats in virtualized environments, from private clouds to software-defined data centers (SDDCs) to public clouds.