Cloud security

Is your security vendor ready for the cloud? 10 questions to ask

cliff turner / 03.02.17

Cloud security vendors occupy a major role in organizations as both trusted advisor and protector. Because this role has the potential to affect every aspect of your organization, it’s critical to carefully vet your vendor and their platform. To guide your research, use these 10 questions to help you evaluate their compatibility with your needs.

Is the cloud security solution dependent on static IPs?

A security vendor dependent on static IPs is a significant roadblock for use in the cloud. In the cloud, servers are transitory – created and killed with varying frequency depending on the use case. IP addressing simply can’t keep pace with that rate of change, so the proper focus for security has to be on the workload itself. Any cloud security vendor using IP addressing as the basis for their service should not be considered for deployment in cloud workload environments.

Can it work on bare metal servers?

Cloud security solutions are purpose-built for the cloud and should have capabilities for both public and private clouds. However, for the highest levels of visibility, coverage, and utility, your cloud security vendor should also protect bare-metal data centers. Servers hosted in a bare-metal data center include physical servers installed on hardware server machines and virtual servers that run on software such as VMware, Citrix Xen, or Windows Server Hyper-V.

Does it work the same on AWS, Azure, and GCP?

Each member of the cloud service provider trifecta (Amazon Web Services, Google Cloud Platform, and Microsoft’s Azure) offers a range of integrated cloud services to help you build and manage business applications. Your organization may already use one of these service providers or a combination of the three. (In fact, according to EMG Research, most large enterprises are using at least 2 different cloud service providers.) If your security vendor doesn’t function equally well with each of these providers, you’re losing the ability to secure your critical infrastructure and uncover threats across all of them.

While reviewing the capacity of your vendor to support AWS, GCP, and Azure, be sure to ask if they also meet any compliance standards needed to support your business.

Is there a different deployment model in public cloud vs. on-premise data center?

Your security vendor must be on-demand and easy to deploy. If you’re working with multiple cloud infrastructure environments, you may face multiple deployment models as well. Get the information upfront on the deployment models used in each type of cloud and on any non-vendor-associated costs that implementation may entail.

Does it scale?

Part of the reason most organizations have adopted cloud infrastructures is the cloud’s ability to automatically and dynamically scale capacity. Are your security tools just as automatic, dynamic, and flexible? Traditional legacy tools were developed for fixed perimeters, meaning they don’t function well in the agile and malleable environments of today. The right solution should be able to provide your organization with full functionality in any cloud infrastructure environment at a large scale without degrading performance.

Are there any hidden costs for appliances?

Some security tools require appliances. In a private data center where you buy a physical appliance, the cost of the software and the appliance is typically provided as a single fee. In the cloud, these costs are split up. There is a software cost for the virtual appliance from the security tool provider and a separate cost from the cloud provider for the infrastructure used by the appliance. Often the cloud security provider will try to hide the total cost of the tool by not including the infrastructure cost in their price to you for the cloud version of the product. Buyer beware!

Additionally, in cloud architectures there is typically a “virtual private data center” per application. If you have 1000 applications, this would be 1000 security appliances. Contrast this with a single private data center running 1000 apps, where you would only need a single appliance for the entire data center. Security appliances in the cloud do not scale and incur a significant administrative and financial burden.

Is it cloud-platform and hypervisor agnostic?

Dealing with technology lock-in can slow the pace of innovation when the business needs to pivot fast. A hypervisor-agnostic security vendor will allow for changing the hypervisor or cloud provider quickly and without adverse effects, thus preventing cloud provider lock-in. An agnostic security vendor will give you the same risk mitigation for any servers you have running in a public cloud as well as on-premise servers.

Migration and movement between clouds is critical to the ever-changing nature of the business world. You may arrive at the office one day and learn your CEO has secured a better deal from Microsoft than with AWS and wants to move everything to Azure as soon as possible. Finance may run an audit on AWS spend and determine AWS is costing you more than your private DC. These scenarios and others like them require changes to the underlying infrastructure. Unless you’re looking to redo the work you’ve done to configure your security tool, pick a hypervisor-agnostic vendor that can and will move with you from cloud to cloud.

Is billing consumption-based and does it match how you pay for cloud?

There is a range of pricing models offered by cloud service providers, including consumption-based and subscription-based. It’s important to understand the difference between these models so you can select the one that best suits your organization.

With a subscription-based plan, you are generally charged on a monthly basis and commit to the service provided for a contracted period of time. Consumption-based models, by contrast, may charge a flat fee based on the amount of time resources are used or use different rates for various aspects of the service.

Ideally, you can contract your cloud security services in the same way that you pay for your hosting. Keeping your financial commitments aligned makes it vastly simpler to manage your budgets and forecast your future infrastructure needs. Visibility matters. You should always ask whether the security vendor’s licensing model can conform to whatever cloud service provider model you’re using.

How easy is it to install and configure the security tool on 1000+ servers at the same time?

Your visibility and security should start at the same time as your server. It’s simple enough to install a security tool on a single server, but what about installing and configuring it on over 1000 servers all at the same time? For your cloud security tool to truly operate effectively, it must be able to automatically deploy, configure, and run at any scale.

By that same token, you’ll need to have automation in place to turn on security tools as soon as a new environment comes online, say in the case of a DDoS attack or malware. The lack of automatic deployments is a particular concern, as businesses are left scrambling to determine which servers have security tools running and which ones don’t. The servers that have not yet received the full security tool stack are highly vulnerable to attack; the only way around this scenario is to put all teams on constant watch and invest hundreds of hours in manual labor.

To prevent cloud server attacks and the loss of critical IT infrastructure, select a cloud security vendor that prioritizes automation during deployment, configuration, and runtime of cloud servers and applications.

What features don’t work in public cloud?

As we discussed earlier, the ideal security solution will work in any cloud infrastructure environment. This includes everything from public clouds to bare-metal servers. However, your vendor may have some limitations for public cloud environments, and it’s wise to be aware of them up front. Otherwise, you risk being sold a bill of goods that sounds great but only functions in certain environments.

Bottom line: Make sure the solution brings you the critical functions you need in any and all environments.

Be sure to keep a look out for our upcoming article, which highlights how CloudPassage Halo answers these questions and more.