Cisco : Security in the Age of Cloud

Not to state the overly obvious, but companies have substantially accelerated their migration to the cloud over the last eighteen months. The pandemic forced them to get more done, faster, and often with less. And they found the cloud was the ultimate enabler.

The move to the cloud, even with all of its promise, isn't without challenges. The cloud makes it easier for users to access their applications and information from anywhere-just click and go. But, for IT departments, it's not so simple. More clouds, more users, more locations and more applications-often built with application mesh-leads to more complexity. And complexity is rarely easy to master.

This is where Cisco can help.

Due to the breadth of our portfolio, we're uniquely positioned to help you harness the power of your clouds. We do so with a cloud-neutral, full-stack observability, governance and automation that ensures you can deploy and manage the clouds you choose.

The Cisco solutions don't exist in a vacuum. They align with the way you actually use the cloud to deliver consistent experience to all users, connect multiple clouds, support the future of work, secure your cloud workloads and simplify cloud operations.

In this blog, the second in a series of five, we'll take a look at how companies in the cloud need to think about security differently. We'll talk about what that looks like, the challenges involved and how Cisco can help.

Over the next few weeks, we'll roll out more blogs to highlight other ways you use the cloud.

A Cyber Pandemic?

The COVID-19 pandemic has had a seismic and far-reaching impact on the world we know. From a personal health perspective, it has forever changed how we view hygiene and social interaction to minimize risk. More of the first, less of the later. On a technology level, many cybersecurity experts tell us we're facing a similar shift in security-an increased awareness of security hygiene to minimize risk.

According to Nexusguard Research, cyberattacks increased 341 percent during the COVID pandemic. These attacks are becoming more sophisticated with previously unseen malware jumping from 20% to 35% of intrusions. And, now, they often use machine learning to adapt and remain undetected.

This increase in cyberattacks comes at a real cost. It's been estimated that if cybercrime were measured in GDP, it would be the third largest economy in the world-after the United States and China.

Increased Threat Demands Increased Vigilance

As more companies move their workloads to the cloud, the old way of protecting digital assets is no longer enough. Traditional security relies on a strong perimeter defense. But the perimeter really doesn't matter in the cloud. Add the distributed workforce necessitated by COVID and the number of potential attack surfaces has ballooned.

Today's cloud requires security that is simple to deploy, use and maintain and builds intelligence into every control point. And Cisco can help. We focus on security with a systemic approach that spans the cloud and network from user to workload-putting security everywhere.

Policy-The Rules of Access

The cloud stack consists of multiple technologies-from the enterprise network to the individual users and cloud providers. The protocols connecting each of these technologies varies greatly between each of these components, making it difficult to enforce access controls across silos. However, policy applied to the entire stack can create a consistent gatekeeper for all users, devices and workloads-regardless of where they are in the stack. For instance, you may establish a policy that states only verified finance users can access accounting databases. All of the components of your cloud stack can then monitor attempts to access the affected databases. Verified users get in, regardless of their location while un-verified users are excluded-even if they're within the same silo in the cloud stack.

The challenge is to establish a single system that can define and monitor policies and compliance across the entire stack. While no vendor currently has such a solution, Cisco has made huge strides in that direction with our recent launch of Identity Services Engine (ISE) 3.1. This cloud-based solution, available on AWS or Azure (and soon Google Cloud), can be used to easily establish access policies in the cloud. Similarly, Cisco Cloud ACI also establishes policies that emanate from the private cloud and extend into the public cloud space.

Micro-segmentation-Fence Me In

Micro-segmentation is the process of using policy to create zones that can be virtually segmented to block threats and contain intrusions. Essentially, the policy defines what assets, workloads and users can gain access to any of the assets in the zone.

Let's circle back to that accounting database in the policy example above. You can create a zone or VLAN that contains your IoT devices such as smart lights or security cameras. You can then use policy to segment that zone from your accounting zoner. Because there's no reason for a security camera to access the accounting database, your cloud stack can apply your policy and shut down any attempt to access the accounting zone from any devices on the IoT zone. And should there be a breach, micro-segmentation can keep the threat from spreading laterally throughout the organization. Think of it as a series of gates between zones. Only users and devices with the right key get in.

Cisco supports micro-segmentation with Cisco ISE 3.1 and Cisco Cloud ACI-two solutions used to establish the policies and define the zones or VLANs. Then Cisco Secure Access and Cloud ACI use these policies to segment and safeguard your cloud tech stack virtual zones.

Zero Trust-Trust and Verify

With a traditional perimeter defense, a security solution would assume all the devices on the network can be trusted. However, that's not a credible way to protect the cloud and modern networks. The better approach is to not trust any users or devices until they've been authenticated and authorized. This is a zero trust model. While there are several elements of a zero trust model for security, we'll focus on two for simplicity-protected hardware and multi-factor authentication.

Protected hardware, such as that used in Cisco SD-WAN routers, is built into the device at the chip level to verify that the device is what it says it is. Router X is router X. Server Y is server Y. That chip-level protection cannot be altered.

Multi-factor authentication, such as that supported by Cisco Secure Access by Duo, requires a second verification step upon initial access request to ensure that users are who they say they are. When a user inputs their login credentials to complete primary authentication to an application, a push notification will then be sent over their mobile network for approval as an example of out-of-band authentication. Duo supports a large array of authentication methods to enable secure access to applications.

This combination of hardware protection and multi-factor authentication ensures that a user or device is who or what it says it is.

Malicious Sites-The Bad Neighborhood

According to Deloitte, 47% of at home employees have fallen victim to a phishing attack. Often, these attacks provide a link to a malicious site where, once the user clicks, the malware or ransomware is automatically downloaded. Given that nearly half of users will click that link, it's critically important that your cloud security automatically blocks access to the bad actors.

Cisco Umbrella is easy to use and provides this invaluable service. It evaluates all such DNS inquiries. When a malicious site is detected, the user request is terminated before it connects to the site, thereby stopping the associated malware from being downloaded.

Malicious Code-The Bad Stuff

Even with highly effective access control, malware can slip into your cloud stack. Forensically examining every packet to uncover this intrusion would impose huge penalties on latency and performance. And, with new malware variations now accounting for more than 35% of infections, the approach wouldn't even catch all intrusions.

Instead, it can be more effective to analyze the behavior of packets as they move across the cloud stack. Typically packets behave in highly predictable ways. When a packet starts to misbehave-say a packet from a video camera suddenly shows interest in the human resources database-the offending packet can be quarantined and more closely examined.

Cisco Secure Cloud Analytics can provide this function for your cloud stack. The solution automatically detects behavioral anomalies, quarantines the suspected packet, and alerts your security team. Because it's examining behavior rather than content, the solution can even detect issues when the malware is embedded in encrypted files.

Intelligence at Your Command

The common thread running through all of these cloud security solutions is intelligence. It's easier to guard against and detect threats when you know what you're looking for. And, if there is a breach, intelligence is needed to detect the threat and scope the potential damage and impacted assets.

All Cisco cloud security solutions are informed and supported through our Talos security intelligence experts. These pros-consisting of leading researchers, analysts and engineers-research vulnerabilities to deliver rapid detection, actionable sights and protection from new and emerging threats throughout the internet.

Every major transition in technology, business and society generates opportunity and challenge. Partnering with Cisco is the best way to ensure the opportunity provided by the cloud isn't consumed by the challenge of cloud security.

Resources

Cisco Cloud

Cisco Security

Share: