Cloud computing is on the rise. Over 90 percent of recently surveyed companies expect to be using cloud computing in the next three years. Still, securing access to the cloud poses significant challenges for IT departments. Mission-critical, cloud-based business applications such as Salesforce.com, SharePoint and SAP are often prime targets for continuous, persistent criminal attack from sophisticated, profit-driven and even politically motivated hackers.
Today’s workers also go far beyond traditional applications in their cloud-based computing. They routinely transfer information via personal e-mail accounts such as Yahoo or Gmail, use peer-to-peer applications such as LimeWire and BitTorrent, download files from Web 2.0 social networking sites such as Facebook and stream rich media from YouTube.
While these cloud-based Web applications can offer business benefits in certain scenarios, they have the potential to rob companies of bandwidth, productivity and confidential data, and subsequently put them at risk of regulatory noncompliance.
Finally, traditional approaches to network security become less effective in the public cloud. WiFi-enabled laptops, third-generation/fourth-generation cellular smartphones, dynamic port selection and traffic encryption have undermined traditional, perimeter-based network controls over application access. Moreover, it is critical to prioritize and manage bandwidth for all of these applications to ensure network throughput and business productivity.
Five Common Problems in Cloud Computing
These emerging cloud computing trends present a host of new security concerns for IT. I have seen that five of the most common problems are:
Problem No. 1: P2P traffic
P2P applications can steal bandwidth and introduce malware. These applications can be particularly difficult to control, as their developers frequently ship new builds specifically designed to evade port-based firewall rules by changing or randomizing the ports they use.
Problem No. 2: Streaming media
Streaming music and video traffic can place a heavy burden on network performance and overwhelm mission-critical application traffic. For example, one IT administrator was perplexed about why it took over an hour and a half to download a patch file that should have taken only a few minutes. He could not figure out what was bottlenecking his recently expanded Internet pipe. He then realized that it was the first day of an NCAA tournament and a large number of employees had tuned in to online streaming video and audio commentary, killing network throughput and company productivity.
Problem No. 3: Confidential data transmittal
Confidential, sensitive and proprietary information can be maliciously or unintentionally transmitted over FTP uploads or as e-mail attachments. Job insecurity, whether actual or rumored, can cause employees to download customer, order and payment histories. One study found that over half of employees anticipating rumored layoffs had downloaded competitive corporate data.
Problem No. 4: Third-party e-mail
Third-party e-mail presents another channel for potential malware infection and data leakage. Employees and contractors can transfer confidential information not only over corporate SMTP and POP3 e-mail but also over personal Web mail services such as Hotmail and Gmail.
Problem No. 5: Large file transfers
Without effective control, large file transfers, whether over FTP or P2P applications, can bog down network bandwidth.
Applying Application Intelligence to Cloud Computing Scenarios
To resolve these common problems in cloud computing, IT requires a new approach to security: application intelligence. Application intelligence goes beyond the port- and address-based blocking of traditional firewalls to detect, categorize and control application traffic by what the traffic actually is. With application detection, categorization and control, IT can block, restrict or prioritize any specific application, whether it is SAP, YouTube or LimeWire. IT can then apply application intelligence to each of the five aforementioned problems. Let’s take a look:
1. Solving the P2P traffic problem
Because it can detect and categorize traffic by specific application signatures rather than by port or address, an application intelligence gateway is especially useful in controlling variable-port P2P applications. For example, a university IT department could have the flexibility and granular control to restrict student access to LimeWire to only 10 percent of available bandwidth, thereby protecting throughput while discouraging unproductive behavior.
2. Solving the streaming media problem
An application intelligence gateway can provide IT with granular control over streaming media and social networking applications. For instance, an administrator might permit members of a predefined Active Directory group for marketing staff to have access to YouTube sites for promotional activities, while restricting access to all others.
3. Solving the confidential data transmittal problem
IT could create and enforce application intelligence policy to detect and block e-mail attachments carrying a watermark (a classification marker embedded in the document) indicating sensitive or proprietary information.
4. Solving the third-party e-mail problem
Filling a security gap left by most firewalls and e-mail security solutions, IT could use application intelligence to identify, scan and control any third-party Web mail traffic traversing the gateway (such as Hotmail and Gmail). Because these services run over HTTPS, the gateway can only inspect their content if it is positioned to decrypt that traffic; otherwise it can identify and block the application but not scan what is sent through it.
5. Solving the large file transfers problem
To restrict excessive-size file transfers, IT could configure application intelligence policy to identify and restrict FTP and P2P file transfers based upon predetermined size limitations.
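The five policies above all rest on one mechanism: classify a flow by its payload rather than its port, then look the application up in a policy table that can consult user group membership, transfer size and content markers. The following Python is an added example written for this page, not SonicWALL code or any vendor's signature database. The signatures are simplified stand-ins for the opening bytes of each protocol's handshake (real products carry far richer signature sets), the Web mail hostnames, the 100 MB size ceiling, the `marketing` group name and the `X-Classification: CONFIDENTIAL` watermark string are all assumptions, and the sample flows are constructed inline so the example runs offline.

```python
"""Toy application-intelligence policy engine (illustrative, not vendor code)."""
import re
from dataclasses import dataclass

# Constructed payload signatures for the applications named in the article.
# Real gateways ship vendor-maintained signature databases; these are
# simplified stand-ins that key on each protocol's first bytes.
SIGNATURES = [
    ("bittorrent", re.compile(rb"\A\x13BitTorrent protocol")),
    ("gnutella",   re.compile(rb"\AGNUTELLA CONNECT/")),      # LimeWire's protocol
    ("ftp",        re.compile(rb"\A(?:USER|STOR|RETR) ")),
    ("smtp",       re.compile(rb"\A(?:EHLO|HELO|MAIL FROM:)")),
]
HTTP_REQUEST = re.compile(rb"\A(?:GET|POST|PUT) \S+ HTTP/1\.[01]\r\n")
HOST_HEADER = re.compile(rb"^Host: ([^\r\n]+)\r\n", re.M)
# Assumed hostnames for the Web applications discussed in the text.
WEB_APPS = {
    "mail.google.com": "webmail", "mail.live.com": "webmail",
    "www.youtube.com": "youtube", "youtube.com": "youtube",
}

# Assumed policy parameters, taken from the article's own examples where it gives one.
P2P_APPS = {"bittorrent", "gnutella"}
P2P_BANDWIDTH_PCT = 10                        # LimeWire capped at 10 % of the pipe
MAX_TRANSFER_BYTES = 100 * 1024 * 1024        # assumed ceiling for FTP/P2P transfers
STREAMING_ALLOWED_GROUP = "marketing"         # AD group allowed to reach YouTube
WATERMARK = b"X-Classification: CONFIDENTIAL" # assumed document watermark string


@dataclass(frozen=True)
class Flow:
    user: str
    groups: frozenset       # Active Directory group memberships
    dst_port: int           # deliberately unused by classify(): port is not the signal
    payload: bytes          # first bytes of the client-to-server stream
    bytes_so_far: int = 0   # running transfer size, tracked by the gateway


@dataclass(frozen=True)
class Verdict:
    app: str
    action: str             # "allow", "block" or "limit"
    reason: str


def classify(payload: bytes) -> str:
    """Name the application from the payload alone; the destination port is ignored."""
    for name, pattern in SIGNATURES:
        if pattern.match(payload):
            return name
    if HTTP_REQUEST.match(payload):
        m = HOST_HEADER.search(payload)
        host = m.group(1).decode("ascii", "replace").lower() if m else ""
        return WEB_APPS.get(host, "http")
    return "unknown"


def decide(flow: Flow) -> Verdict:
    """Apply the five policies from the article to one classified flow."""
    app = classify(flow.payload)
    if app in P2P_APPS:                                   # problems 1 and 5
        if flow.bytes_so_far > MAX_TRANSFER_BYTES:
            return Verdict(app, "block", f"transfer exceeds {MAX_TRANSFER_BYTES} bytes")
        return Verdict(app, "limit", f"P2P capped at {P2P_BANDWIDTH_PCT}% of bandwidth")
    if app == "youtube":                                  # problem 2
        if STREAMING_ALLOWED_GROUP in flow.groups:
            return Verdict(app, "allow", f"member of {STREAMING_ALLOWED_GROUP} group")
        return Verdict(app, "block", f"streaming restricted to {STREAMING_ALLOWED_GROUP}")
    if app in {"smtp", "webmail"}:                        # problems 3 and 4
        if WATERMARK in flow.payload:
            return Verdict(app, "block", "watermarked content in outbound mail")
        return Verdict(app, "allow", "mail scanned, no watermark found")
    if app == "ftp" and flow.bytes_so_far > MAX_TRANSFER_BYTES:   # problem 5
        return Verdict(app, "block", f"transfer exceeds {MAX_TRANSFER_BYTES} bytes")
    return Verdict(app, "allow", "no policy for this application")


# Constructed sample flows (not captured traffic).
SAMPLE_FLOWS = [
    # BitTorrent handshake sent to port 443 to slip past a port-based rule.
    Flow("alice", frozenset({"engineering"}), 443,
         b"\x13BitTorrent protocol" + b"\x00" * 8 + b"\x12" * 20 + b"-AB1234-" + b"q" * 12),
    Flow("bob", frozenset({"marketing"}), 80,
         b"GET /watch?v=abc HTTP/1.1\r\nHost: www.youtube.com\r\n\r\n"),
    Flow("carol", frozenset({"engineering"}), 80,
         b"GET /watch?v=abc HTTP/1.1\r\nHost: www.youtube.com\r\n\r\n"),
    Flow("dave", frozenset({"sales"}), 80,
         b"POST /mail/send HTTP/1.1\r\nHost: mail.google.com\r\n\r\n"
         b"--boundary\r\nX-Classification: CONFIDENTIAL\r\n\r\ncustomer list..."),
    Flow("erin", frozenset({"finance"}), 21,
         b"STOR orders_full_export.zip\r\n", bytes_so_far=250 * 1024 * 1024),
]


def evaluate_all(flows=SAMPLE_FLOWS) -> list:
    return [decide(f) for f in flows]


if __name__ == "__main__":
    for flow, verdict in zip(SAMPLE_FLOWS, evaluate_all()):
        print(f"{flow.user:6} port {flow.dst_port:<4} {verdict.app:10} {verdict.action:5} {verdict.reason}")
```

The first sample is the point of the whole approach: a port-based rule sees a connection to 443 and lets it through, while `classify()` never looks at the port and names it BitTorrent from the handshake. The Web mail case only works because the example feeds plaintext HTTP; for real Gmail or Hotmail traffic the gateway would first have to terminate TLS, as noted above.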
Application Intelligence and Traditional Firewalls
Used in combination with traditional firewall features, application intelligence can provide greater protection against new and evolving channels for emerging threats. For example, a compromised Facebook page might suggest that a “friend” click a link to launch a YouTube video, when the link actually points to a malware file.
Because application intelligence inspects the application traffic itself, it can see both the link and the file it serves, and can hand them to an antimalware and content-filtering policy that stops the malicious file from downloading, thereby protecting both the user and the corporate network.
The growth of cloud-based application traffic has exceeded the security capabilities of traditional firewalls. Fortunately, new application intelligence technology can address the most common problems that come with these emerging trends. When deployed effectively on high-performance platforms, application intelligence gateways offer IT a viable solution for cloud-based application security.
David Buckwald is Director of Systems Engineering at SonicWALL. Prior to SonicWALL, David spent seven years at Aventail as the director of systems engineering for the United States. David has over 20 years of experience in networking, security, and systems management technologies. Prior to Aventail, David was a principal systems engineer at Tivoli Systems and a Certified Networking Specialist at IBM. David holds a Bachelor’s degree in Computer Science from SUNY Potsdam and a Master’s degree in Information Management from Polytechnic University.