Migrating to the public cloud — without losing control

How to protect and control workloads in the AWS public cloud

The advantages of cloud infrastructure need no explanation. However, migrating business applications to the public cloud typically complicates the life of an information security department. Moreover, the merger of a private cloud with the public one (as a result of the transition to the hybrid cloud strategy) makes not only IS, but also IT services, nervous. Their concerns are understandable; the systems and data critical to the safety and stability of the business suddenly move somewhere outside of their direct control. But is their anxiety justified?

Most large enterprises are already, one way or another, using virtualization technologies — at least in the form of a private cloud (consolidation of resources and their distribution between virtual servers and machines). But now, companies are increasingly interested in using public clouds, which can dramatically reduce maintenance costs, optimize SLAs, and facilitate capacity scaling.

Why does using clouds to tackle data security change for IS specialists — and why would it make them nervous? Let’s look at the case of a corporate infrastructure migration to Amazon Web Services (AWS), a leader in the public cloud industry.

First, IS department employees are nervous because they feel they are ceding control. In a private cloud, they control everything from hardware, network equipment, and virtualization platforms (hypervisors) to operating systems and applications. In the public cloud, they can control only the virtual machine and the installed OS and applications. Therefore, in gaining virtually unlimited computing power, the client becomes restricted in the use of specialized security tools.

Such an approach is called a model of shared responsibility, and it should not be a cause for concern. The availability of cloud infrastructure and the implementation of its basic levels protection is the responsibility of the service provider. AWS has a variety of built-in (cloud-native) security technologies such as virtual machine disk encryption, secure VPNs, and so on. However, built-in security cannot always accurately assess the context of virtual machines’ work, and therefore it is not so effective at preventing advanced cyberthreats, including zero-day vulnerabilities. Therefore, protection of the OS and applications (and, as a consequence, the data inside the virtual machines), is the responsibility of the client.

Another thing: Information security specialists do not like change. IT practices, mechanisms for monitoring, and cybersecurity are usually deeply embedded in companies’ business processes. Therefore, it is highly undesirable to lose them in migration to the public cloud; it inevitably leads to the emergence of new security risks. In addition, because using multiple monitoring and management consoles increases the difficulty of threat detection, and makes a hybrid cloud an easy target for a serious cyberattack, the need for new security-management solutions is always a possibility.

However, this problem has a solution. Our hybrid cloud protection solution provides all of the necessary technologies to secure virtual machines, regardless of the level of access to cloud infrastructure components.

At the same time, next version of our Kaspersky Security Center console will allow for connection to the public cloud through integration protocols. It brings not only a high level of manageability and transparency of the cloud infrastructure, but also enables the automation of protection deployment to virtual machines in the public cloud. In addition, it allows the control of physical endpoints and servers through the same console.

Therefore, with Kaspersky Lab’s hybrid cloud security solution there’s no need to rethink approaches to information security, to look for new means of protection, or to lose control when migrating to a public cloud or constructing a hybrid cloud infrastructure.

Want to know more? Visit booth 1140 at the AWS re:Invent 2017 conference, where we will demonstrate the technologies we discussed in this post.