Four Things You Need to Know About PCI Compliance in the Cloud

By Andrew Hay, Chief Evangelist, CloudPassage

Andrew Hay is the Chief Evangelist at CloudPassage, Inc., where he is lead advocate for its SaaS server security product portfolio. Prior to joining CloudPassage, Andrew was a Senior Security Analyst for 451 Research, where he provided technology vendors, private equity firms, venture capitalists and end users with strategic advisory services.

Anyone who’s done it will tell you that implementing controls that will pass a PCI audit is challenging enough in a traditional data center where everything is under your complete control. Cloud-based application and server hosting makes this even more complex. Cloud teams often hit a wall when it’s time to select and deploy PCI security controls for cloud server environments. Quite simply, the approaches we’ve come to rely on just don’t work in highly dynamic, less-controlled cloud environments. Things were much easier when all computing resources were behind the firewall with layers of network-deployed security controls between critical internal resources and the bad guys on the outside.

Addressing the challenges of PCI DSS in cloud environments isn’t insurmountable. Luckily, there are ways to address some of these key challenges when operating a PCI-DSS in-scope server in a cloud environment. The first step towards embracing cloud computing, however, is admitting (or in some cases learning) that your existing tools might not be capable of getting the job done.

Traditional security strategies were created at a time when cloud infrastructures did not exist and the only use of public, multi-tenant infrastructure was data communication over the Internet. Multi-tenant (and even some single-tenant) cloud hosting environments introduce many nuances, such as dynamic IP addressing of servers, cloud bursting, rapid deployment and equally rapid server decommissioning, that the vast majority of security tools cannot handle.

First Takeaway: The tools that you have relied upon for addressing PCI related concerns might not be built to handle the nuances of cloud environments.

The technical nature of cloud-hosting environments makes them more difficult to secure. A technique sometimes called “cloud-bursting” can be used to increase available compute power extremely rapidly by cloning virtual servers, typically within seconds to minutes. That’s certainly not enough time for manual security configuration or review.

Second Takeaway: Ensure that your chosen tools can be built into your cloud instance images to ensure security is part of the provisioning process.

While highly beneficial, high-speed scalability also means high-speed growth of vulnerabilities and attackable surface area. Using poorly secured images for cloud-bursting or failing to automate security in the stack means a growing threat of server compromise and nasty compliance problems during audits.

Third Takeaway: Vulnerabilities should be addressed prior to bursting or cloning your cloud servers and changes should be closely monitored to limit the expansion of your attackable surface area.

Traditional firewall technologies present another challenge in cloud environments. Network address assignment is far more dynamic in clouds, especially in public clouds. There is rarely a guarantee that your server will spin up with the same IP address every time. Current host-based firewalls can usually handle changes of this nature, but what about firewall policies defined with specific source and destination IP addresses? How will you accurately keep track of cloud server assets or administer network access controls when IP addresses can change to an arbitrary address within a massive IP address space?

Fourth Takeaway: Ensure that your chosen tools can handle the dynamic nature of cloud environments without disrupting operations or administrative access.
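One way to keep firewall policy valid when server addresses change, as an added example that is not part of the original article: define the policy by server role, re-render concrete rules from the live inventory whenever it changes, and flag deployed rules that still name a retired address. The roles, ports, instance ids and IP addresses are constructed for illustration.

```python
# Added example (not from the original article): express firewall policy in
# terms of server roles and render concrete rules from the current inventory,
# so a re-provisioned server with a new IP address never leaves stale rules.
# Roles, ports, instance ids and addresses below are all constructed.

# Policy: (source role, destination role, TCP port). "*" means any role.
POLICY = [
    ("web", "app", 8443),
    ("app", "db", 5432),
    ("bastion", "*", 22),
]

# Inventory before and after the "app" server was re-provisioned and came
# back with a different address (the situation the article describes).
INVENTORY_BEFORE = {
    "i-web1": {"role": "web", "ip": "10.0.1.10"},
    "i-app1": {"role": "app", "ip": "10.0.2.20"},
    "i-db1": {"role": "db", "ip": "10.0.3.30"},
}
INVENTORY_AFTER = {
    "i-web1": {"role": "web", "ip": "10.0.1.10"},
    "i-app2": {"role": "app", "ip": "10.0.2.77"},  # replacement instance
    "i-db1": {"role": "db", "ip": "10.0.3.30"},
}

def render_rules(policy, inventory):
    """Expand role-based policy into concrete (src_ip, dst_ip, port) rules.
    Only live instances are in the inventory, so decommissioned servers
    drop out and replacements are covered without editing the policy."""
    by_role = {}
    for inst in inventory.values():
        by_role.setdefault(inst["role"], []).append(inst["ip"])
    rules = set()
    for src_role, dst_role, port in policy:
        dst_roles = list(by_role) if dst_role == "*" else [dst_role]
        for src_ip in by_role.get(src_role, []):
            for role in dst_roles:
                for dst_ip in by_role.get(role, []):
                    if src_ip != dst_ip:
                        rules.add((src_ip, dst_ip, port))
    return rules

def stale_rules(deployed, inventory):
    """Deployed rules naming an address that no live instance holds any more.
    These are what an audit should flag: they either block a legitimately
    re-addressed server or keep trusting an address someone else may now hold."""
    live = {inst["ip"] for inst in inventory.values()}
    return {r for r in deployed if r[0] not in live or r[1] not in live}
```

Running `stale_rules(render_rules(POLICY, INVENTORY_BEFORE), INVENTORY_AFTER)` shows both old rules are stale after the app server moved, while rules re-rendered from `INVENTORY_AFTER` produce none.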

The auditing and assessment of deployed servers is an addressable challenge presented by cloud architectures. Deploying tools purpose-built for dynamic public, private and hybrid cloud environments will also ensure that your security scales alongside your cloud server deployments. Also, if you think of cloud servers as semi-static entities deployed on a dynamic architecture, you will be better prepared to help educate internal stakeholders, partners and assessors on the aforementioned cloud nuances – and how your organization has implemented safeguards to ensure adherence to PCI-DSS.

Hosting.com Extends Security Offerings with Cloud Firewall Solution

Hosting.com, a leading provider of enterprise-class, cloud-based application availability and recovery solutions, today extended the security options for cloud customers with the announcement of their Cloud Firewall service. Leveraging Juniper Networks vGW Series Virtual Gateway, a comprehensive virtualization security platform, Cloud Firewall is a hypervisor-based, VMsafe-certified stateful virtual firewall with more than ten times the throughput of firewalls typically deployed in cloud environments. Cloud Firewall meets the needs of cloud customers looking for an easy, affordable way to comply with major regulatory and industry security standards and to lock down their virtual environments.

“Cloud Firewall expands protection for cloud customers who want higher levels of security and VM workload access control. We already provide the highest level of physical firewall protection and now, another option is available at a granular, VM level. This furthers our commitment to enterprise-class, Always Secure cloud solutions,” said Jim Potter, Vice President of Products at Hosting.com.

Cloud Firewall satisfies the dynamic security and compliance needs of IT managers by offering a self-managed firewall that can be deployed in minutes. Managed through rich instrumentation in the Hosting.com Customer Portal, customers view and administer their complete VM and VM group inventory, including virtual network settings, and intra/inter-network traffic monitoring and access controls. Modifications to security rules can be made quickly and enforced nearly instantaneously through the Portal.

Companies with strict compliance mandates get granular control of VM traffic, without impacting the throughput of high-performance applications. Enterprise businesses with hybrid data solutions – those running on dedicated hardware servers in conjunction with workloads on cloud-based VMs – can add granular control and scalability to their virtual environment with Cloud Firewall, extending traditional perimeter-based security to the virtualized realm.

“The vGW platform that powers Cloud Firewall delivers layers of protection without the performance tradeoffs that users typically experience when implementing sophisticated security,” said Johnnie Konstantas, director of product marketing at Juniper Networks. “The innovations inherent in the hypervisor-based Cloud Firewall offer very compelling value to cloud service providers because they are able to maximize security and cloud VM capacity.”