What challenges does the usage of traditional, on-premise security tools [monitoring tools, like SIEM or DLP, in particular] creates in the cloud [SaaS, PaaS, IaaS models]?
Here are some I’ve come across:
• IP address means less for tracking all the transient and replaceable instances
• Rapid provisioning makes assets to appear and disappear, go up and down, in and out of scope, etc
• Auto-scaling busts tool licensing limits (!) and disrupts node-based asset tracking (“we have 400 assets…ooops…3000..ooops 200 now!”), creates large volumes of monitoring data for some periods of time
• Remote cloud environments are sometimes accessed via links of limited bandwidth, making it harder to move monitoring data from the cloud to the data centre
• Different models for network security monitoring (only at instances, not in between “on the network”)
PaaS and SaaS
• There are layers of the computing stack that are not under enterprise control; no network monitoring, no host monitoring (SaaS)
• No concept of “asset IP” or, in fact, of a computer as an IT asset
• For both SaaS and PaaS, lack of any traditional “IT infrastructure” such as OS
• No OS logs – “apps all the way down” (SaaS)
• No perimeter monitoring.
On top of this, many cloud environments run under a very “alien” (aka DevOps) IT operations model, often dissimilar from traditional data center management models, that further breaks down the effectiveness of on-premise security tools.
What others examples of traditional, on-premise security tools not working in the cloud have you seen?
By Anton Chuvakin - Research Analyst, Gartner