demystifying cloud security

xo.com Technology Brief Demystifying Cloud Security

Upload: xo-communications

Post on 12-Jan-2015




Contents

Introduction
Definition of “the cloud”
Cloud security taxonomy
Cloud Infrastructure Security
Tenant-based Security
Security of Cloud Applications
Processing Security in the Cloud
Clean Pipes – A Critical Cloud Security Category and Its Solution Paths
Pros
Cons
XO® Hosted Security offerings
About StillSecure
About XO Hosted Security
Additional Resources


2 Solutions you want. Support you need.


XO Communications

Introduction

The running trend in the IT industry is that every new solution has the “cloud” label. Every organization is either consuming or providing “cloud” services. Even the mainstream press has latched on and is hyping “the cloud.” Unfortunately, there are nearly as many definitions of the cloud as there are people or companies interpreting it.

Even industries that are connected to the cloud are in a fog about defining it. And if the cloud isn’t defined, then how can downstream users that rely on secure solutions understand the offerings? As subjective as definitions may be, our goal with this brief is to provide a framework that demystifies cloud security and allows you, the business decision maker, to quickly and easily map capabilities and solutions to the unique needs of your organization. As the market continues to evolve rapidly, the taxonomy will continue to adjust accordingly, as keeping current with technology and trends is critical.

This paper defines “the cloud”, offers an overview of how the market is structured, and finally presents a deep dive into one specific category with a state-of-the-art solution, XO’s Hosted Security.

Definition of “the cloud”

Let’s take a very simple and broad definition of “the cloud” and start from there. Put simply, “the cloud” encompasses any Internet-based solution that provides a computing, platform, or application infrastructure based on a pay-for-what-you-use model that can easily expand or contract based on an organization’s needs. At its most basic, “the cloud” simply refers to the Internet and the millions of servers that connect to it. So a cloud-based solution means that you are getting an application or a service through a server you are accessing through the Internet. Generally, cloud solutions are not located on your premises and do not require you to deploy any additional physical equipment.

There are two basic cloud delivery models:

Public: an open, multi-tenant solution where you can be provided with computing, storage, platform, or application capabilities.

Private: similar to public cloud in terms of capabilities, but provided for a single company, or tenant.

In either model, a provider can deploy services to provide cloud computing solutions that range from Infrastructure as a Solution (IaaS), the provisioning of processing, storage, network and other fundamental computing resources, to hosted applications and Software as a Solution (SaaS), the provisioning of software applications running on cloud infrastructure.

Given that the market has not yet settled on what can be called “cloud,” we have segmented the various types of cloud-based security solutions and offer a description of each of them, rather than create a single, strict definition.


Cloud security taxonomy

Similar to the over-arching definition of the cloud, the cloud security sub-set is amorphous and difficult to define. In this paper, we also take a broad approach to defining cloud security as we believe it best suits the reader. While vendors are all clamoring to claim their version of cloud security is the best, our goal is to allow you to create a comparison model for looking at cloud security. We have broken down the cloud security category into five major components. They revolve around two themes – security of the cloud infrastructure itself and security accomplished within the cloud.


Cloud Infrastructure Security

Companies that provide computing and storage infrastructure (IaaS) are keenly aware that their infrastructure operations must be secured. These providers spend a great deal of time and resources to secure their facilities and the computing environment to embed security into their service-delivery platform. To accomplish this goal, an infrastructure provider can employ a variety of security measures, from access controls, to video monitoring of the physical plant, technical controls to restrict access to the computing environment, perimeter security that restricts Internet traffic from the outside, and administrative controls to protect each virtual machine, and encryption of stored data. This category of solutions cuts across all of the provider’s customers and is macro in nature. Individual customers of the cloud provider cannot customize their security to their thresholds because resources are shared. Of course, the inherent advantage of cloud computing is also its security vulnerability: anybody can quickly implement the computing, storage, and bandwidth that they need, all for a small amount of money. A critical test of any provider is how well its solution meets the security needs of its customers.

Tenant-based Security

Another significant category of IaaS cloud security is tenant-based security. For most user organizations, a cloud provider’s over-arching security alone will not suffice to meet their computing environment security needs. As a result, a company may need a category of solutions that can protect its infrastructure and data in ways that go beyond a service provider’s standard offerings. These are known as “tenant-based security” solutions because they can be deployed and controlled by the customer at its option. These solutions will likely be placed within a customer’s cloud instance by the customer in coordination with its service provider. For example, a customer/tenant may place individual security solutions (e.g., access controls, encryption, etc.) within their virtual environment or require that traffic to and from their network pass through a “gateway” solution. These tenant-based solutions customize the configuration and manage security on a per-customer basis to meet each customer’s particular needs. This allows individual customers to benefit from the economy of scale and, at the same time, build a security solution that fits their unique needs.


Security of Cloud Applications

Cloud applications (e.g., Customer Relationship Management (CRM), file storage, and productivity applications) in a SaaS environment often have some form of embedded security features to help customers protect their data. Some providers encrypt all customer data, while others offer applications that allow a customer to choose what data to encrypt and when (e.g., at rest, in transit), to help customers avoid and minimize the negative effects of data security breaches. Some providers have built their cloud service offerings with security solutions at the very foundation of their service and have built their reputation for providing safe storage of their customers’ data. With standard features and available tools like this, enterprise customers can be more confident that their data is safe and that only authorized users can access that data. Enterprises will continue to expand their use of these applications, and as a result, there will be a growing need for solutions that bridge the gap from the enterprise’s own security model to that of the SaaS application provider.

Processing Security in the Cloud

Another segment that often falls under SaaS cloud security is related to security events that are processed in the cloud. These events are piped to a processing center in the cloud, but the traffic itself is not sent to the security provider; only the security events are sent to the provider. As an example, an intrusion detection and prevention system (IDPS) can identify and deflect pre-determined or targeted attacks, and then provide notification of the event and the corresponding action taken. The events are processed by the security provider and then made available to a cloud customer, typically displayed in a customer-facing portal. This fits within the cloud security category because the processing of the security events is done in the cloud and by a third-party provider. Many of these provider companies call themselves “managed service providers”, but might also consider themselves cloud security companies.


Clean Pipes – A Critical Cloud Security Category and Its Solution Paths

Perhaps one of the most significant benefits of the cloud is the ability to have traffic processing done off-site and outsourced to a third party, without consuming valuable customer computing resources. A significant part of any security solution is focused on providing “clean bandwidth” to organizations. The architecture of these solutions is relatively straightforward. The enterprise pipes its inbound or outbound traffic through a service that cleanses the traffic. This is often done with solutions such as intrusion detection / prevention, anti-spam, content filtering, and Web-based firewalls. These functions all lend themselves to having traffic sent to “the cloud” where it is filtered and then sent on to its destination. This approach minimizes on-premise equipment requirements, leverages experts to handle the security application, and employs pay-per-use metrics. Additionally, it filters malware out before it reaches the customer’s premises, rather than delivering it to the customer’s premises before unwanted packets can be filtered out or discarded. This is often considered cloud security because the security function is truly happening in the “cloud” and organizations do not have to invest in the equipment, people, software, and processes to accomplish a large number of tasks.

“Clean pipes” is one of the most exciting innovations in the security space. By implementing this type of solution, organizations can expect clean bandwidth as a result. Malicious traffic can be identified and filtered out before it reaches the customer. Customers don’t need to be saddled with the problem of trying to separate legitimate from rogue traffic, purchasing and operating complex, expensive equipment, or assigning personnel to keep pace with identifying and stopping risks in order to protect their network. Instead, organizations are provided with bandwidth or network traffic that is “cleaned” when it arrives.

The architecture of the system is relatively straightforward. All traffic passes through a cloud security solution that is set up to filter inbound and outbound traffic. Ideally, this solution is hosted by an Internet service provider to keep latency low and reliability high. As the traffic is routed to a customer’s cloud security solution, that service can cleanse the traffic based on the firewall rules and security policies applied by the customer to meet their needs. A clean pipes service can help rid the traffic of malicious packets and inappropriate content. After the traffic is inspected and appropriate action is taken, it is then forwarded to the enterprise or up to the Internet.


The clean pipes approach is growing in popularity; however, it is not for every organization. A brief overview of the pros and cons of the approach is given below.

Pros

• Minimal customer intervention - No additional on-premise equipment and no additional personnel required to manage the solution, in most cases.

• Managed by security experts - The solution is managed by a security company that performs this work 24x7x365 with a team of trained experts.

• Cost effective - The provider gains from economies of scale and is able to provide a solution that is more cost-effective than doing it yourself.

• Customer control - The customer maintains control of what they want their security profile to be, and has the ability to modify their security profile as business needs grow or change.

• Business centric - By relying on security experts, enterprises can focus on their core business rather than the “chore business” of security.

• Bandwidth efficiency - Helps ensure bandwidth is being used for valid business purposes.

• Consistency - Policies are applied consistently across the enterprise, as they are defined in the cloud.

Cons

• Latency - Enterprises may experience increased latency, as their traffic is hauled to the security provider’s Unified Threat Management (UTM) platform location.

• Customer control - Actually, it’s the perception of loss of control, because multi-tenant cloud services are an outsourced solution. A third party is managing your security and therefore, organizations often perceive a loss of control. This is much more of a perception than it is a reality. Firewalls and security policies are defined by the customer, and implemented by an experienced security engineer on their behalf.

• Existing equipment - A cloud solution may or may not leverage a customer’s existing equipment, and thus, a significant investment may not be required. But if the on-premise solution is difficult to manage and no longer provides the optimal levels of security and cost savings, then there isn’t much point in staying wedded to the existing equipment. (Though odds are it still has value to your organization for other purposes such as proprietary applications.)

For all these reasons, the clean pipes category of cloud solutions is extremely promising and will only grow over the coming years. The benefits of the approach are significant and as it becomes more difficult and expensive for organizations to secure their networks, they will seek different and unique ways to do so.


XO® Hosted Security offerings

XO, in partnership with StillSecure, has developed a high-quality Hosted Security solution that provides a portfolio of security features in a modular design, meaning the customer can pick and choose only the features they need, and can easily add features as the need arises. The XO Hosted Security solution is a fully managed suite of network-based security products designed to protect enterprise networks that is easy and cost-effective to deploy. The solution helps shield the network infrastructure and applications from being compromised or disrupted by security threats.

The XO Hosted Security offering leverages the security expertise of StillSecure, a leading managed security service provider. StillSecure Security Operations Centers (SOCs) review security events and provide alerts 24x7 to help ensure that customer networks are protected.


About XO Hosted Security

XO® Hosted Security is a Security-as-a-Service offering that gives companies more flexibility to deploy and manage comprehensive network-based security. The solution provides high-speed, unified threat management capabilities and advanced technology, and supports customers 24/7 through a certified security partner, StillSecure. XO Hosted Security includes next-generation network-based firewalls; intrusion detection and prevention, including Distributed Denial of Service (DDoS) protection; secure web and content filtering; and secure remote access to the company network. Since all of the security applications reside in the cloud, organizations with widely distributed operations can implement robust security services without having to manage and maintain the equipment and infrastructure at each location. XO Hosted Security is fully integrated with the award-winning XO MPLS IP-VPN intelligent networking service. For more information, visit www.xo.com/gethostedsecurity.

About StillSecure

For IT executives facing escalating security threats and evolving compliance requirements, and data centers looking to cement long-term customer relationships, StillSecure designs and delivers managed network security and certified compliance solutions so you can focus on growing your core business.

StillSecure unites our security experts with our certified processes and innovative technologies to provide holistic solutions that eliminate the need for dedicated resources juggling multiple vendors, products and requirements, as opposed to vendors with uncertified partial fixes, or worse, self-audited solutions.

Additional Resources

For more information please call 1-866-349-0134 or visit http://www.xo.com/HostedSecurity. You can also check out more on the XO Pulse blog at http://blog.xo.com, or the StillSecure blog at http://www.thesecuritysamurai.com. Follow us on Twitter: http://twitter.com/XOComm or http://twitter.com/securitysamurai and http://twitter.com/stillsecure.


© Copyright 2012. XO Communications, LLC. All rights reserved. XO, the XO design logo, and all related marks are trademarks of XO Communications, LLC. XONSWP-0412

About XO Communications

XO Communications is a leading nationwide provider of advanced broadband communications services and solutions for businesses, enterprises, government, carriers and service providers. Its customers include more than half of the Fortune 500, in addition to leading cable companies, carriers, content providers and mobile network operators. Utilizing its unique combination of high-capacity nationwide and metro networks and broadband wireless capabilities, XO Communications offers customers a broad range of managed voice, data and IP services with proven performance, scalability and value in more than 85 metropolitan markets across the United States. For more information, visit www.xo.com.
