Cloud Solutions

All about cloud services
Menu
  • Cloud Native
  • Cloud Security
  • Cloud Storage
    • Cloud Migration
    • Cloud Backup
  • About Us
    • Contact Us
    • Terms and Conditions
    • Disclaimer
  • Privacy Policy
Home
Cloud Native
Cloud security challenges and solutions
Cloud Native

Cloud security challenges and solutions

Jola Heart 11/22/2022

When transferring a workload to a public cloud or deploying it there, IT and network security face numerous challenges of Cloud security. Each side must comprehend how the current difficulties came about in order to solve them in today’s complex environments. As someone who has lived on both sides, I share stories and advice for cloud security professionals today from both sides.

The IT and network security DMZ has always been difficult to reconcile. It has always been difficult to strike a balance between budget, cost, app performance, app time-to-market, system stability, and other factors. Not to mention the ever-evolving threat landscape, in which criminal activity pays off and the bad guys acquire all the latest weapons first. In addition, for many, a significant setback can serve as a “resume generating event.”

However, despite all of these obstacles, the industry had stabilized into a mature and effective space by the beginning of the 2010s thanks to factors like virtualization, vendor maturity, Moore’s law, and enterprise-grade cryptography. The DMZ was the king back then. Access to the internet was simple to control, critical applications and infrastructure were tightly secured, uniform policy had a solid foundation, and centralized visibility was almost always guaranteed.

The industry flourished under the DMZ’s iron shield, and people finally trusted the internet as the best way to conduct business. E-commerce and mobile commerce also exploded. The internet entered its golden age. While cybercrime was on the rise and hackers were present, a well-designed DMZ was able to withstand all but the most sophisticated attacks.IT security was one of the most popular careers, and the future was bright.

Another revolution was brewing, unnoticed by the euphoria and digital gold rush of the early 2000s.Soon, people in my inner IT circles started talking about how the influx of investment, talent, and technology that seemed to be everywhere was changing and growing service delivery. They referred to it as “the cloud.” On-request figure, driven by code and charge cards. storage on a day-by-day basis. services that are complete and work in your browser or on your smartphone.

I was working at F5 Networks at the time, and many people were skeptical. Not at all. At the time, Microsoft was a devoted client of mine, and their unique fleet of load balancers was utilized by a brand-new business unit called Azure. The Azure control plane kept tipping over our boxes, as I recall. Management CPU is pinned, and management interface is flapping.

We had never seen something like this; Through change control, it appeared as though they were committing self-inflicted denial of service. Microsoft was clearly on to something here. It was revolutionary to automate the entire platform as well as the network. Additionally, it was unfortunate that they were tipping our boxes. Very poor. It indicated that we were not prepared for this kind of thing.

I recall a team member saying, “No, man, look how many calls are coming in, this is insane. “There is no need to implement so many changes so quickly. Are they not capable of managing a data center?

The thing was there. The jarring paradigm shift that occurred between the new revolution of infrastructure as code, which would eventually shape the entire industry, and a decade of networking best practices.

Is this the first public disagreement regarding infra-as-code versus traditional networking?Although unlikely, it was definitely a sign of a much bigger problem that many people would face when they moved to the cloud years later.

In 2010, the majority of industry professionals were unable to comprehend why anyone would want to switch networks so frequently. At the time, networks were meant to last forever and never change.

Additionally, your network security model was dependent on this solid foundation. The DMZ would be constantly in danger if the structure of the network were altered on a daily or even hourly basis. Twice a year, in the middle of the night, everyone sweating while dressed in surgical gear, the production firewall was changed. Changing the firewall consistently? It seemed impossible.

The central idea of our first lesson on network security is as follows: In the cloud, the DMZ’s outdated model is a failure.

Networks in the cloud are always evolving. Occasionally, daily Traditional cloud management of your virtual firewall results in a high-touch environment, the possibility of configuration errors, and legacy rule bloat.

ACLs for the firewall network do not always correspond to actual or active actors; compartments, PaaS, and SaaS jobs are named-based. Cloud apps and workloads can be categorized and controlled with the help of cloud-native tags.

When at all possible, cloud-native security stacks or, even better, an effective orchestrator for them are preferable. This is because they are distributed, free, close to each VM, programmable, and agile with the right approach.

Concentrate on cloud-native stacks for traffic within a VPC or VNet. Avoid putting traffic from within a VPC or VNet into a virtual firewall. Keep in mind that VPCs and VNets are logical structures. Distance physical (read: availability zones and proximity placement groups, not membership in a VPC or VNet, influence latency between VMs. Use only interspoke East-West and/or North-South traffic through your virtual firewall. If designed correctly, the VPC/VNet spoke, where the majority of network changes occur, can shield your firewall from constant configuration changes.

Build only a few VPC/VNet spokes. Make an effort to make them big enough to handle a whole LOB or application. Between application tiers, make use of subnets and security groups at the subnet level. Break an application tier off to its own VPC/VNet only if you need to inspect firewalls between the tiers, which is against cloud practice.

Avoid impulsively forcing your default internet route back to your on-premises DMZ. This adds latency, can make VM-to-PaaS/SaaS architectures more difficult, and can overflow private pipes. The world’s largest private network is now cloud networks. Apply them.

In order to construct a virtual DMZ, flawless route control is required. In the cloud, routes are your VLANs. Look for cloud-based platforms that automate routing to your firewalls and offer comprehensive route control. If you have to make static route changes each time a VPC or VNet is created, you will never be able to keep up with the cloud or the industry.
Up until your first IP overlap with a B2B partner, your first M&A event, or your first multi-cloud deployment, static route summarization to the virtual DMZ will work well. Look for cloud-based platforms that scale Enterprise NAT support. Your cloud security design may suffer from IP overlap.

Best-practice design in the cloud is not well-prepared for the majority of IT security professionals. They’re doing what works best for them and has worked well for years: They are making things up. This results in design-driven hit-or-miss situations that may come back to haunt them.

There is precious little talent available in cloud network design, and even the existing courses and certifications for cloud networking are time-consuming, expensive, and do not cover all cases. The typical experience will be a “trial by fire” situation until skill gaps are filled.

At Microsoft Azure in the late 2010s, I witnessed this firsthand. On a large global client’s virtual firewalls, there were always rolling outages. Their firewall CPUs were fine, hovering around 40%.However, the virtual NICs’ flow tables were full and dropping packets, leaving the customer confused and frustrated.

It turned out that the customer was unaware that all virtual NICs in Azure run the same code, which meant that Azure flow tables—the NIC’s connection tracking mechanism—share the same flow limits. The behavior of flow tables is uniform worldwide.

Because the control plane cannot tolerate stack variations at hyperscale, it must be. All of the native security, routing, and connection processing is carried out by cloud NICs, which are intelligent. However, the hypervisor beneath each NIC has limitations.

What then do we do? The customer inquired, We tried creating larger virtual machines, but it didn’t work!

The issue lay therein. Building more VMs rather than larger ones was the solution. Dainty and wide. Flows must be distributed across numerous virtual instances of a medium size. The issue here is that their vendor provides support for VM scale sets. Each firewall had to be built individually.

This is a time-consuming and unsustainable model. The severe incongruity that one of the bosses of modern computerization doesn’t robotize their cloud security struck me first as entertaining, then as a significant disclosure that has stayed with me until the end of time.

This is how cloud scales, but that customer had a hard time accepting it. Rarely do the right thing and the easy thing coexist. The fact that cloud was supposed to be simple was frustrating for that customer and many others.

Securing the cloud: beyond the design of older firewalls, and the underlying principle of our second and third IT network security lessons is as follows: In the cloud, the legacy firewall design model is a failure, and few people know how to do it right.

Your cloud-based virtual firewalls are completely unaware of this. They have the impression that they are linked to wires. Not at all. They are associated with a SDN stack which may be nearly just about as brilliant as your firewall.
The tier of your firewall needs to be coordinated. Make sure you build a pipeline around a platform that lets you orchestrate firewalls. A few stages will do both for you in the engine.

Accept being thin and wide. Prepare to scale horizontally and resist the temptation to scale vertically unless you are attempting to solve for fat flows, which are massive data streams that are hostile to cloud VMs.

You may hear from some vendors that the cloud necessitates the use of multiple firewalls for various functions. You do not, technically speaking:

As long as they are of the same type, there is no difference in performance between one set of four virtual machines and two sets of two virtual machines. With programmatic routing control in the cloud, your firewall can be both North/South and East/West simultaneously. Keep in mind the preceding points. Wide and thin. Vertical scale. Cores are cores. Now everything is software.

Be sure to have a good plan in place for policy management and Day 2 operations if you decide to create multiple firewall instances to address various use cases or locations.

In the cloud, you’ll be creating a lot of network data; will your firewall see everything? Should it see everything? This is difficult. So that your firewall does not become a data hog and a single point of failure for your network’s eyes and ears, look for platforms that collect data both within and across the entire network.

Consider the possibility that the network itself, with its distributed, programmatic, low-cost, and ever-expanding capabilities, will eventually become the best cloud firewall. However, a few significant obstacles remain:

App-layer security is not very secure on cloud networks.
Orchestrating cloud networks on a medium to large scale is difficult.
The major vendors offer vastly different cloud networks and security groups.
Because they are part of a large multi-tenant platform, cloud networks have some limitations.

To get the best of both worlds, look for solutions that assist in overcoming these shortcomings by incorporating native SDN security stacks. App-layer awareness, effective multicloud orchestration, and a straightforward policy model that abstracts CSP differences should be included in these solutions.

A story can gain new meaning when placed in its historical context. I hope these backstories can set the stage for your organization and offer a fresh point of view to get you started on your cloud security journey. Good luck and have fun hunting!

Prev Article
Next Article

Related Articles

cloud-native
Cloud-native security is a natural follow-on to cloud-native technology in …

Cloud-Native Security Benefits

Cloud-Native Security Platform
Cloud-native structures are comprised of cloud administrations, like compartments, serverless …

Cloud-Native Security Platform 1

About The Author

Jola Heart

Jola Heart is a beautiful and young famous Model & Social Media Influencer who was born in London and currently she is living in Los Angeles. Her age is 24 years old. Her real name is Jola Heart but people also know she by the name Jola. She is one of the beautiful and fitness freak Model of the Modeling industry and her slim waistline is so so attractive that anyone can be her crazy. Jola Heart is an famous Facebook star who gained a lot of fame by posting photos with inspirational captions on her account. Mainly she posts her modeling shoots in bikinis and fabulous clothes with unique poses and she was Famous for her great performance on Facebook. As of November 2021 she has more than 750K Followers on her Facebook (/jolaheart).

4 Comments

  1. Akrem

    Tttt

    12/25/2022
  2. Beauty Tips

    You’ve been great to me. Thank you!

    03/02/2023
  3. Beauty Tips

    I’d like to find out more? I’d love to find out more details.

    03/03/2023
  4. Beauty Fashion

    May I request that you elaborate on that? Your posts have been extremely helpful to me. Thank you!

    03/17/2023

Leave a Reply

Latest Posts

  • Cloud Native Security in 2023
  • Threats to cloud-native security
  • Cloud Security Solutions: Protect Your Cloud Environment
  • Hybrid Cloud Security: Protect Your Data and Business
  • Why Choose IBM QRadar Cloud for Your Security Operations?
  1. Yousuf on Learn how AWS cloud computing infrastructure works03/26/2023

    I like you

  2. cathleen on Cloud Security Solutions: Protect Your Cloud Environment03/25/2023

    I’m here to seduce you [OC]

  3. Beauty Fashion on Cloud security challenges and solutions03/17/2023

    May I request that you elaborate on that? Your posts have been extremely helpful to me. Thank you!

  4. Fashion Styles on Building Cloud-Native Applications03/15/2023

    How can I find out more about it?

  5. Beauty Fashion on Great power of Amazon Web Services (AWS)03/14/2023

    I’m so in love with this. You did a great job!!

Tags

APIs application apps aws cloud native development aws cloud-native architecture cloud Cloud-Native Application Security Cloud-Native Security Cloud-Native Security Platform Cloud Attacks cloud backup cloud computing cloud data cloud financial cloud host cloud migration cloud native Cloud Native Application Protection Platforms cloud native devops with kubernetes cloud native gartner cloud native security architecture cloud native security companies cloud native devops cloud native security platform gartner cloud native security tools cloud native workloads cloud provider cloud security cloud server cloud solution cloud storage cloud native tools data data center Development DevSecOps google cloud hybrid cloud ibm qradar documentation ibm qradar features ibm qradar soar native public cloud security the cloud what is cloud native

Cloud Solutions

All about cloud services

If you have any query regrading Site, Advertisement and any other issue, please feel free to contact at info@earnadmob.com

  • Cloud Native Security in 202306/06/2023
  • Threats to cloud-native security05/20/2023
  • Cloud Security Solutions: Protect Your Cloud Environment03/21/2023
  • Cloud Backup
  • Cloud Migration
  • Cloud Native
  • Cloud Security
  • Cloud Storage

Useful links

  • About Us
  • Contact Us
  • Disclaimer
  • Privacy Policy
  • Terms and Conditions

Cloud Solutions

All about cloud services
Copyright © 2023 Cloud Solutions

Ad Blocker Detected

Our website is made possible by displaying online advertisements to our visitors. Please consider supporting us by disabling your ad blocker.

Refresh
← Cloud-Native Apps Security ← Challenge of securing cloud-native apps