I’ve spoken at length about the cloud’s impact on network security. I’ve spoken about how the mobilization of workloads decentralizes our common network choke points, and how the hybrid model pushes risk mitigation closer to the data we are trying to protect. Along these lines, what about the other security disciplines? Will Gen3 impact them as well, and if so, how? I’ll explore these questions over the next couple of blog entries, starting with host-based security.
When we think about host-based security, malware protection immediately springs to mind. For years now administrators have relied on tools from McAfee, Symantec and others to keep malicious software off our systems. Host-based intrusion detection and prevention has also become extremely popular. So the basic question is, can we simply move these tools into the cloud and continue to use them?
Unfortunately, the answer is no. Legacy malware protection was specifically designed for the Gen2 era. While it is designed to play nice with other applications, it assumes that it can happily consume 100% of the available CPU in order to help secure the system. In a private IaaS environment, this can have a detrimental impact on performance, as other VMs may need to use that CPU time. In a public setting, the result can be much higher utilization costs. In the cloud world we have a term called “AV storm”, which is what happens when all of your VMs kick off an AV check simultaneously and performance grinds to a halt.
So the root cause of the problem is that malware control requires a large amount of processing time, and legacy AV software assumes that 100% of the free CPU time is available for use. AV vendors have attempted to address this problem by adopting a whitelisting detection model (allow only known-good executables rather than scan for known-bad ones), which uses much less CPU time. They have also begun integrating AV functionality into the hypervisor. While hypervisor integration seems like a good idea on the surface, in reality it limits you to private IaaS deployments and leaves you completely unprotected if you move the workload into public space.
So in the cloud world, host-based protection needs a bit of tweaking. It needs to:
- Minimize CPU impact
- Offload as much of the work from the VM as possible
- Be hypervisor agnostic
- Be effective in both private and public space
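To make the “AV storm” concrete, and to show the cheapest of the tweaks listed above (spreading CPU impact across the fleet instead of letting every VM scan at once), here is an added example that is not part of the original post or any vendor’s product. It assumes each VM runs one full scan per maintenance window and that a scan takes a fixed time; the fleet size, window length and scan duration are constructed values. The naive scheduler is the classic “everyone at 02:00” cron entry; the staggered scheduler derives a stable per-VM start offset from a hash of the VM identifier, so no central coordinator is needed and the behaviour is identical on private and public IaaS.

```python
"""Staggered scan scheduling to avoid an "AV storm" (added example, not from the post)."""
import hashlib
from collections import Counter


def stagger_offset(vm_id: str, window_seconds: int) -> int:
    """Deterministic start offset within the window for one VM.

    Hashing the VM identifier gives every VM a stable but different slot without
    any shared state, which is what makes this work for a hypervisor-agnostic,
    public-or-private deployment.
    """
    digest = hashlib.sha256(vm_id.encode("utf-8")).digest()
    return int.from_bytes(digest[:8], "big") % window_seconds


def schedule(vm_ids, window_seconds: int, stagger: bool = True) -> dict:
    """Map each VM to the second within the window at which its scan starts."""
    if stagger:
        return {vm: stagger_offset(vm, window_seconds) for vm in vm_ids}
    return {vm: 0 for vm in vm_ids}  # naive cron: every VM starts at the same time


def peak_concurrency(start_times, scan_seconds: int) -> int:
    """Maximum number of scans running at the same moment (sweep-line over events)."""
    events = Counter()
    for start in start_times:
        events[start] += 1                # scan begins
        events[start + scan_seconds] -= 1  # scan ends
    running = peak = 0
    for t in sorted(events):
        running += events[t]
        peak = max(peak, running)
    return peak


def expected_concurrency(fleet_size: int, window_seconds: int, scan_seconds: int) -> float:
    """Average number of concurrent scans if starts are spread evenly over the window."""
    return fleet_size * scan_seconds / window_seconds


# Constructed fleet: 200 VMs, a 6-hour window, 10-minute scans.
FLEET = [f"vm-{i:04d}" for i in range(200)]
WINDOW = 6 * 60 * 60
SCAN = 10 * 60


def compare(fleet=FLEET, window=WINDOW, scan=SCAN) -> dict:
    """Peak concurrent scans under the naive and staggered schedules."""
    naive = peak_concurrency(schedule(fleet, window, stagger=False).values(), scan)
    staggered = peak_concurrency(schedule(fleet, window, stagger=True).values(), scan)
    return {
        "naive_peak": naive,
        "staggered_peak": staggered,
        "staggered_expected": expected_concurrency(len(fleet), window, scan),
    }


if __name__ == "__main__":
    result = compare()
    print(f"naive:     {result['naive_peak']} scans at once (the AV storm)")
    print(f"staggered: {result['staggered_peak']} scans at once "
          f"(expected ~{result['staggered_expected']:.1f})")
```

The naive schedule puts all 200 scans on the hypervisor at the same second; the staggered one holds the peak to a small multiple of the average, which is the number you would size a CPU budget or a concurrent-scan cap against. The same hashing trick works for signature-update fetches, which cause the same burst on the network side.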
Expect to see vendors tweaking their offerings to meet the above over the next year or so.
More cloudy goodness to come,