In Blog 1 of this 3-part series, I covered some key drivers for why service providers (SPs) offer Security Software as a Service (SaaS), including extending security to tenants of the cloud and monetizing those services. In Blog 2, I described where and how SPs place security controls.
In this final blog, I'll focus on why customer data must be isolated in the public cloud, as well as potential solutions for doing so.
In a public cloud, multiple tenants share a common set of resources (e.g., data-driven applications and services) that they access over a network. From a security perspective, the first requirement is that the entry point into the cloud be protected by a Policy Enforcement Point (PEP), such as a perimeter/edge firewall for infrastructure protection; this may be a dedicated, purpose-built hardware device. A second requirement is that the policies of different tenants must not overlap: a change to one tenant's security policy must not affect any other tenant's traffic, so each tenant's policy (and the logs it produces) has to be isolated from every other tenant's. To meet this multi-tenant segmentation requirement, SPs have a choice of methods:
1) Virtual LANs (VLANs) - Many cloud deployments use L2 networks because VLANs give them a ready-made way to isolate tenants. The shortcoming is scale: the 802.1Q VLAN ID is a 12-bit field, so there are 4,096 possible values, of which 0 and 4095 are reserved, leaving 4,094 usable VLANs (IEEE Std 802.1Q-2011), a ceiling many large deployments exceed. Beyond the scaling limitation, VLANs can also be unruly to manage in a hosted/cloud environment.
2) Dedicated hardware firewall platform that supports multiple "logical" systems (independent firewalls, each with completely separate security policies and logs) - As with VLANs, this approach has a scaling limitation: the number of logical systems a given appliance supports is fixed, so growth beyond it means adding hardware.
3) Software-based security virtual machine (VM) running on an x86 VM host - A key advantage of this method over the other two is that the SP can scale security VMs on demand. The SP can also easily offer customizable firewall controls to customers as an additional managed service, creating new potential revenue sources on existing infrastructure.
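To make the per-tenant isolation requirement concrete, here is a small model of a multi-tenant PEP in Python. It is an added illustration, not code from the original post or from any vendor's firewall product; the class and function names (Packet, Rule, Tenant, MultiTenantPEP, demo) and the sample traffic are constructed for this example. It shows the properties approaches 2 and 3 are meant to provide: the frame's 802.1Q tag selects the tenant, each tenant has its own ordered rule list and its own log, a change to one tenant's rules cannot alter another tenant's decisions, and VLAN IDs outside the usable 1..4094 range or already assigned to a tenant are rejected.

```python
"""
Toy multi-tenant policy enforcement point (PEP) keyed by 802.1Q VLAN tag.
Added illustration; not code from the original post or from any vendor's
firewall. Names (Packet, Rule, Tenant, MultiTenantPEP) are made up here.
"""
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Optional
import ipaddress

# IEEE 802.1Q reserves VID 0 (priority-tagged, no VLAN) and 4095, so only
# 1..4094 can be handed to tenants: the scaling ceiling discussed above.
VLAN_MIN, VLAN_MAX = 1, 4094


@dataclass(frozen=True)
class Packet:
    vlan: int       # 802.1Q VLAN ID carried on the frame
    src: str        # source IPv4 address
    dst: str        # destination IPv4 address
    dport: int      # destination TCP/UDP port


@dataclass
class Rule:
    action: str                     # "allow" or "deny"
    src: str = "0.0.0.0/0"          # source CIDR to match
    dport: Optional[int] = None     # None matches any destination port

    def matches(self, pkt: Packet) -> bool:
        in_net = ipaddress.ip_address(pkt.src) in ipaddress.ip_network(self.src)
        return in_net and (self.dport is None or self.dport == pkt.dport)


@dataclass
class Tenant:
    """One 'logical system': its own ordered rule list and its own log."""
    name: str
    rules: list[Rule] = field(default_factory=list)
    log: list[str] = field(default_factory=list)


class MultiTenantPEP:
    """Single enforcement point that selects the tenant's policy by VLAN tag."""

    def __init__(self) -> None:
        self._by_vlan: dict[int, Tenant] = {}

    def add_tenant(self, vlan: int, name: str) -> Tenant:
        if not VLAN_MIN <= vlan <= VLAN_MAX:
            raise ValueError(f"VLAN {vlan} outside usable 802.1Q range")
        if vlan in self._by_vlan:
            # One VLAN must map to exactly one tenant, or policies overlap.
            raise ValueError(f"VLAN {vlan} already assigned")
        tenant = Tenant(name)
        self._by_vlan[vlan] = tenant
        return tenant

    def enforce(self, pkt: Packet) -> str:
        tenant = self._by_vlan.get(pkt.vlan)
        if tenant is None:
            return "deny"  # unknown tag: drop, attributed to no tenant's log
        for rule in tenant.rules:  # first match wins, within this tenant only
            if rule.matches(pkt):
                tenant.log.append(f"{rule.action} {pkt.src}->{pkt.dst}:{pkt.dport}")
                return rule.action
        tenant.log.append(f"deny(default) {pkt.src}->{pkt.dst}:{pkt.dport}")
        return "deny"


def demo() -> dict:
    """Constructed scenario: two tenants reuse the same RFC 1918 address."""
    pep = MultiTenantPEP()
    a = pep.add_tenant(100, "tenant-a")
    b = pep.add_tenant(200, "tenant-b")
    a.rules.append(Rule("allow", "10.0.0.0/24", 443))
    b.rules.append(Rule("allow", "10.0.0.0/24", 22))

    # Same src/dst/port, different VLAN: only the tag tells the tenants apart.
    https_a = Packet(100, "10.0.0.5", "10.0.0.9", 443)
    https_b = Packet(200, "10.0.0.5", "10.0.0.9", 443)
    ssh_b = Packet(200, "10.0.0.5", "10.0.0.9", 22)
    before = (pep.enforce(https_a), pep.enforce(https_b), pep.enforce(ssh_b))

    # Tenant A tightens its own policy; tenant B's decisions must not move.
    a.rules.insert(0, Rule("deny", "10.0.0.5/32", 443))
    after = (pep.enforce(https_a), pep.enforce(https_b), pep.enforce(ssh_b))

    stray = pep.enforce(Packet(300, "10.0.0.5", "10.0.0.9", 443))  # no tenant
    return {"before": before, "after": after, "stray": stray,
            "a_log": list(a.log), "b_log": list(b.log)}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The design point is that the lookup key is the VLAN tag, never the IP address: tenants in a public cloud routinely reuse the same private address space, so a PEP that keyed policy on source address would let one tenant's rule change alter another tenant's traffic, which is exactly the overlap the second requirement forbids. Frames carrying a tag no tenant owns are dropped and not written into any tenant's log, so a mis-tagged frame cannot leak information across the tenant boundary either.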
Software-based security VMs could offer SPs a scalable and flexible method for implementing multi-tenant segmentation, a key requirement for securing customers' resources hosted in the public cloud.