Virtualization continues to play a key part in organizations’ move to the cloud
According to Cisco, 94 percent of workloads and compute instances will be processed by cloud data centers by 2021.* Organizations are pursuing public cloud, private cloud, and hybrid cloud configurations as they modernize legacy applications and infrastructure.
VM technologies, like VMware vSphere, Microsoft Hyper-V, and the instances provided by virtually every IaaS cloud provider, such as Amazon EC2, have allowed today’s enterprises to embrace the cloud better than ever before and are still a critical deployment model. As we look at the Continuum of Cloud Native Topologies, VMs are placed on the far left because they provide the greatest levels of isolation, compatibility, and control suitable for running nearly any type of workload.
What about Thin VMs and VM-Integrated Containers?
Thin VMs differ from pure VMs in their intentional focus on data separation, automation, and disposability of any given instance. Additionally, they do not have a container runtime. Thin VMs have apps installed directly on their OS file system and executed directly by the VM's own (guest) kernel without any intermediary runtime. Thin VMs represent an operating methodology, rather than a distinct technology. They allow infrastructure teams to deploy VMs in a more stateless manner, leverage automation without human involvement, and operate them as fleets rather than individual entities, while prioritizing separation of OS, app and data.
For some organizations, especially large enterprises, containers provide an attractive app deployment and operational approach but lack sufficient isolation to mix workloads of varying sensitivity levels. VM-integrated containers are explicitly designed to solely run containers and tightly integrate VM provisioning with container runtime actions.
Defining requirements for Cloud Workload Protection Platforms (CWPPs)
Leading industry research groups like Gartner continue to define the core requirements for securing cloud workloads with tools they call Cloud Workload Protection Platforms. In the March 2018 Market Guide for Cloud Workload Protection Platforms, Gartner identifies trends in cloud security, recommendations for securing cloud workloads, and details about specific vendors addressing the needs around containers, cloud native applications, and serverless applications.
In the Market Guide for Cloud Workload Protection Platforms, Gartner states:
“Server workloads in hybrid data centers spanning private and public clouds require a protection strategy different from end-user-facing devices. Security and risk management leaders should evaluate and deploy offerings specifically designed for cloud workload protection.”*
Core security requirements to protect cloud workloads
Hardening the host OS: The OS that hosts your workloads is perhaps the most important layer of the stack because an attack that compromises the host environment could provide intruders with access to everything else in your stack — that’s why hosts need to be scanned for vulnerabilities, hardened based on specific CIS Benchmarks, and protected to prevent improper access control or file tampering.
Application control, whitelisting, and intrusion detection systems (IDS): Cloud workloads present incredible opportunities for automation and machine learning to model behavior across process, network, file system, and system call sensors. As development and devops teams race to deploy applications more quickly, behavioral whitelisting scales security: a baseline of known-good behavior is learned per workload, deviations from it are detected (IDS) and, where policy allows, blocked (IPS), which covers anomalous behavior and next generation attacks that signature-based tools miss. By incorporating additional runtime rule actions, security teams can specify exact conditions to watch for and the exact actions to take when they're encountered.
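The following is an added example, not code from the page or from any vendor's product, of the behavioral whitelisting plus runtime-rule approach described above. It learns a per-workload baseline of (parent process, child process) and (process, destination) pairs from constructed telemetry captured during a trusted learning window, then evaluates later events: anything outside the baseline raises an alert, and explicit runtime rules (here, a web server spawning a shell, or an outbound connection to a port commonly used for reverse shells) return a block action regardless of what was learned. The event fields, workload names and rule format are assumptions chosen for illustration.

```python
"""Behavioral whitelisting over constructed process and network telemetry.

Added example; not code from the page or from any vendor product.
Learns a per-workload baseline from events seen during a trusted
learning window, then flags later events that fall outside it.
Explicit runtime rules override the learned model for conditions the
security team wants caught regardless. Event fields are an assumption.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Event:
    workload: str   # e.g. an image name or VM role (assumed identifier)
    kind: str       # "process" or "network"
    actor: str      # process that performed the action
    target: str     # child process for "process", "host:port" for "network"


@dataclass
class Baseline:
    processes: set = field(default_factory=set)    # (parent, child) pairs
    connections: set = field(default_factory=set)  # (process, host:port) pairs


def learn(events):
    """Build one Baseline per workload from trusted learning-window events."""
    baselines = {}
    for e in events:
        b = baselines.setdefault(e.workload, Baseline())
        if e.kind == "process":
            b.processes.add((e.actor, e.target))
        elif e.kind == "network":
            b.connections.add((e.actor, e.target))
    return baselines


# Explicit runtime rules: (predicate, action, description). Format is assumed.
SHELLS = {"sh", "bash", "dash", "zsh"}
RULES = [
    (lambda e: e.kind == "process" and e.target in SHELLS
     and e.actor in {"nginx", "httpd"},
     "block", "web server spawned a shell"),
    (lambda e: e.kind == "network" and e.target.endswith(":4444"),
     "block", "outbound connection to a common reverse-shell port"),
]


def evaluate(baselines, event):
    """Return (action, reason): a rule hit returns the rule's action;
    otherwise 'allow' if the baseline covers the event, else 'alert'."""
    for pred, action, why in RULES:
        if pred(event):
            return action, why
    b = baselines.get(event.workload)
    if b is None:
        return "alert", "unknown workload"
    known = b.processes if event.kind == "process" else b.connections
    if (event.actor, event.target) in known:
        return "allow", "matches learned baseline"
    return "alert", f"{event.kind} not in baseline: {event.actor} -> {event.target}"


# Constructed learning-window telemetry for one web workload
LEARNING_EVENTS = [
    Event("web", "process", "entrypoint.sh", "nginx"),
    Event("web", "process", "nginx", "nginx"),
    Event("web", "network", "nginx", "10.0.0.5:5432"),
]


def demo():
    """Evaluate four constructed post-learning events against the baseline."""
    baselines = learn(LEARNING_EVENTS)
    return [evaluate(baselines, e) for e in (
        Event("web", "network", "nginx", "10.0.0.5:5432"),   # normal DB call
        Event("web", "process", "nginx", "curl"),            # unexpected child
        Event("web", "process", "nginx", "sh"),              # rule: shell
        Event("web", "network", "curl", "203.0.113.9:4444"), # rule: port 4444
    )]


if __name__ == "__main__":
    for action, why in demo():
        print(action, "-", why)
```

The learned baseline handles the long tail of workload-specific behavior, while the explicit rules encode the handful of conditions a team never wants to depend on a model for; in practice the rule list would be loaded from policy rather than hard-coded, and the block action would be enforced by the sensor rather than merely returned.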
Forensics: Security teams are responsible for protecting cloud workloads and working with incident responders to diagnose potential compromises. IR teams need to be able to gather attack telemetry to quickly diagnose and remediate modern threats by automating forensic collection and correlating host and application metrics.
File Integrity Monitoring (FIM): File integrity monitoring is a central control in many organizations’ security and compliance policy. FIM enables monitoring of host file systems for specific changes to directories and files by specific users.
For example, your security policy may require that only certain users are able to access /var/customer-data and that you be alerted on any unauthorized access attempt. Organizations need to be able to set policies to monitor for any access to a path and get alerts any time an unauthorized user attempts to access it.
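As an added example (not code from the page or from any product) of the two FIM capabilities described above, the block below baselines a directory tree by SHA-256 digest, permission bits and owning uid, reports additions, removals and modifications on a later scan, and separately checks a list of access events against a per-path allowed-user policy. The directory contents, the access events and the policy format are constructed for illustration; a real deployment would feed access events from the kernel audit subsystem rather than from a list.

```python
"""File integrity monitoring plus a path access-policy check.

Added example; not code from the page or from any product. Baselines each
regular file's SHA-256 digest, mode bits and owner uid, then diffs a later
snapshot against it. The tree, access events and policy are constructed.
"""
import hashlib
import os
import tempfile
from pathlib import Path


def snapshot(root):
    """Map relative path -> (sha256 hex, mode bits, uid) for every regular file."""
    root = Path(root)
    state = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            st = p.stat()
            digest = hashlib.sha256(p.read_bytes()).hexdigest()
            state[str(p.relative_to(root))] = (digest, st.st_mode & 0o7777, st.st_uid)
    return state


def diff(baseline, current):
    """Return added/removed paths and (path, reason) for modified ones."""
    report = {"added": [], "removed": [], "modified": []}
    for path in sorted(set(baseline) | set(current)):
        if path not in baseline:
            report["added"].append(path)
        elif path not in current:
            report["removed"].append(path)
        elif baseline[path] != current[path]:
            old, new = baseline[path], current[path]
            what = []
            if old[0] != new[0]:
                what.append("content")
            if old[1] != new[1]:
                what.append(f"mode {old[1]:o}->{new[1]:o}")
            if old[2] != new[2]:
                what.append(f"owner {old[2]}->{new[2]}")
            report["modified"].append((path, ", ".join(what)))
    return report


# Access policy: path prefix -> users allowed to touch it (constructed).
POLICY = {"/var/customer-data": {"app", "backup"}}


def check_access(events):
    """events: iterable of (user, path, op). Returns alerts for users outside policy."""
    alerts = []
    for user, path, op in events:
        for prefix, allowed in POLICY.items():
            covered = path == prefix or path.startswith(prefix + "/")
            if covered and user not in allowed:
                alerts.append(f"unauthorized {op} of {path} by {user}")
    return alerts


def demo():
    """Build a small tree in a temp dir, baseline it, tamper, return the diff."""
    with tempfile.TemporaryDirectory() as tmpdir:
        etc = Path(tmpdir) / "etc"
        etc.mkdir()
        (etc / "app.conf").write_text("listen=443\n")
        (etc / "passwd").write_text("root:x:0:0\n")
        (etc / "sudoers").write_text("root ALL=(ALL) ALL\n")
        os.chmod(etc / "passwd", 0o644)          # fix mode so it is umask-independent
        baseline = snapshot(tmpdir)
        # Simulated tampering after the baseline was taken
        (etc / "app.conf").write_text("listen=443\ndebug=true\n")   # content change
        os.chmod(etc / "passwd", 0o666)                             # world-writable
        (etc / "sudoers").unlink()                                   # removed
        (etc / "ld.so.preload").write_text("/tmp/evil.so\n")        # added
        return diff(baseline, snapshot(tmpdir))


if __name__ == "__main__":
    import json
    print(json.dumps(demo(), indent=2))
    for alert in check_access([
        ("app", "/var/customer-data/db.sqlite", "read"),
        ("www-data", "/var/customer-data/db.sqlite", "read"),
    ]):
        print(alert)
```

Recording mode and owner alongside the digest matters because a file can be turned world-writable or handed to another user without a single byte of content changing; a digest-only FIM misses exactly the changes an attacker makes before tampering with content.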
Network protection: Infrastructure and security teams need to be able to visualize network connections, prevent unwanted network access, and block other modern network attacks — a significant challenge at scale. Border firewalls are part of the strategy but aren’t alone sufficient, particularly as organizations adopt more virtual and cloud networks.
Internal and external compliance: Emerging laws and compliance regulations like GDPR require organizations to audit how data is accessed across different regions and environments, with the ability to continuously monitor any changes and identify issues for remediation. Whether you're looking to stay compliant with external regimes like HIPAA and PCI-DSS or with internal requirements, cloud native workloads need to be monitored and audited based on each organization's requirements.
*Gartner, Inc., Market Guide for Cloud Workload Protection Platforms, Neil MacDonald, 26 March 2018.