Layered security in the cloud
by Ran Rothschild - Director of Operations at Orbograph - Tuesday, 29 July 2014.
When designing your cloud architecture you may notice several differences between the cloud-computing environment and the “old world” of physical infrastructure. Two of the main differences are elasticity and dynamism, which are part of the cloud’s DNA.

The fact that security-related components can be easily tested, evaluated and deployed allows many companies - both established ones and newly founded start-ups - to launch their solutions partly or entirely in the public cloud. Moreover, I argue that by combining the tools supplied by the cloud provider with external third-party solutions, higher levels of security - not to mention peace of mind - can be achieved.


By thoroughly evaluating your architecture, you can highlight the main areas of concern that derive from either a business need or a regulatory requirement, so that you can find the optimal security solution to fit that specific need. The optimal solution is a very personal matter, as each company has its own unique set of requirements, financial capabilities and technical expertise.

Take Amazon’s EC2 Security Groups as an example. No one can argue that a personalized, per-component firewall is not a good solution. However, there are third-party solutions that work just as well on AWS’s platform while giving improved functionality - for example, Dome9. Not only do these guys do what AWS does, but they have taken it a step further: they actively scan your security groups’ ports and email you alerts (configured easily via SNS) if any changes are made.

Additionally, they maintain a comprehensive historical log of everything that occurred in your environment, which helps with regulatory compliance. However, the main highlight is Clarity, a visual tool showing all relationships between security groups.

Let’s say you have a small-to-medium environment that consists of 50 instances and about 35 different security groups. Are you 100 percent positive the relationships between all the security groups are correct? With this tool you don’t have to think about it or even review one security group after another: it’s all there, out of the box. It’s like Street View for your AWS security.
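To make the two ideas above concrete (a map of which security group grants access to which, and an alert when any rule changes), here is an added example in Python. It is not Dome9’s or AWS’s code; it works on a constructed list shaped like the `SecurityGroups` element that boto3’s `describe_security_groups()` returns, and the group IDs, names and rules in it are made up for illustration. It builds the relationship graph, flags admin ports open to the whole internet, and fingerprints each group so a later scan can tell exactly which groups changed.

```python
"""Audit EC2 security-group relationships and detect rule changes.

Added example, not Dome9's or AWS's own code. SAMPLE_GROUPS is a constructed
stand-in for boto3 ec2.describe_security_groups()['SecurityGroups'].
"""
import copy
import hashlib
import json

# Constructed sample: web -> app -> db chain, with web also exposing SSH to 0.0.0.0/0.
SAMPLE_GROUPS = [
    {"GroupId": "sg-web00001", "GroupName": "web",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
          "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
         {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
          "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
     ]},
    {"GroupId": "sg-app00002", "GroupName": "app",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080,
          "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-web00001"}]},
     ]},
    {"GroupId": "sg-db000003", "GroupName": "db",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
          "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-app00002"}]},
     ]},
]

ADMIN_PORTS = {22, 3389}  # SSH and RDP


def relationship_edges(groups):
    """Return (source_group, dest_group, (from_port, to_port)) for every rule
    that grants access from another security group: the 'street view' graph."""
    edges = []
    for g in groups:
        for perm in g["IpPermissions"]:
            for pair in perm.get("UserIdGroupPairs", []):
                edges.append((pair["GroupId"], g["GroupId"],
                              (perm.get("FromPort"), perm.get("ToPort"))))
    return sorted(edges)


def world_open_admin_ports(groups):
    """Flag rules that open an admin port to 0.0.0.0/0 or ::/0."""
    findings = []
    for g in groups:
        for perm in g["IpPermissions"]:
            lo, hi = perm.get("FromPort"), perm.get("ToPort")
            if lo is None or hi is None:  # IpProtocol "-1" (all traffic) has no ports
                continue
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            if any(c in ("0.0.0.0/0", "::/0") for c in cidrs):
                for port in ADMIN_PORTS:
                    if lo <= port <= hi:
                        findings.append((g["GroupId"], port))
    return sorted(findings)


def fingerprint(groups):
    """Stable SHA-256 over a canonical JSON form of the rule set; store it as
    the baseline and compare on the next scan."""
    canon = json.dumps(groups, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canon.encode()).hexdigest()


def changed_groups(baseline, current):
    """IDs of groups whose rules differ between two scans (added, removed or edited)."""
    def per_group(gs):
        return {g["GroupId"]: fingerprint([g]) for g in gs}
    before, after = per_group(baseline), per_group(current)
    return sorted(gid for gid in set(before) | set(after)
                  if before.get(gid) != after.get(gid))


def drop_rule(groups, group_id, from_port):
    """Deep copy of the group list with one rule removed; simulates a change."""
    new = copy.deepcopy(groups)
    for g in new:
        if g["GroupId"] == group_id:
            g["IpPermissions"] = [p for p in g["IpPermissions"]
                                  if p.get("FromPort") != from_port]
    return new


if __name__ == "__main__":
    print("edges:", relationship_edges(SAMPLE_GROUPS))
    print("world-open admin ports:", world_open_admin_ports(SAMPLE_GROUPS))
    later = drop_rule(SAMPLE_GROUPS, "sg-web00001", 22)
    print("changed since baseline:", changed_groups(SAMPLE_GROUPS, later))
```

In a real deployment the sample list would be replaced by the live API response, the baseline fingerprints would be persisted between runs, and a non-empty `changed_groups()` result would be what triggers the SNS notification.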

Another example is disk encryption. AWS only rolled out its solution in May 2014, while third-party solutions have been around for longer. However, if you really think about it, what’s so special about volume encryption? Everyone is doing it, and everyone uses something in the neighbourhood of AES-256. What’s your added value?

Take Porticor, for example. There’s encryption, and then there’s smart encryption that can give you an advantage and added value as a business. In Porticor’s case, they basically teleported the “Swiss banker” approach to the cloud and offer patented split-key encryption and homomorphic key management.

“Split key encryption acts like a Swiss banker and splits encryption keys into two parts,” explained Ariel Dan, Vice President at Porticor. “The first part is common to all data objects in the application, remains the sole possession of the company, and is unknown to Porticor or the cloud provider. The second part is different for each data object and is stored by the Porticor Key Management Service.”
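The split described in the quote (one part held only by the customer and common to all objects, one part per object held by a key management service) can be illustrated with the following added Python example. This is not Porticor’s code and does not reproduce its patented scheme or its homomorphic key management; the HMAC-based key derivation and the HMAC counter-mode cipher are stand-ins chosen so the example runs with only the standard library (a real system would use AES-256 for the data itself). The `KeyManagementService` class and the object IDs are assumptions made for the demo.

```python
"""Split-key encryption illustrated: each object's data key is derived from a
customer-held master part plus a per-object part stored by a key service, so
neither side can decrypt on its own.

Added example, not Porticor's code. The derivation and the HMAC stream
cipher are dependency-free stand-ins, not a production design.
"""
import hashlib
import hmac
import os


class KeyManagementService:
    """Stand-in for the provider-side service: keeps one random part per data
    object and never sees the customer's master part."""
    def __init__(self):
        self._parts = {}

    def create_part(self, object_id: str) -> bytes:
        part = os.urandom(32)
        self._parts[object_id] = part
        return part

    def get_part(self, object_id: str) -> bytes:
        return self._parts[object_id]


def derive_object_key(master_part: bytes, object_part: bytes) -> bytes:
    """Combine both parts with HMAC-SHA256; either part alone gives no
    information about the resulting 256-bit key."""
    return hmac.new(master_part, object_part, hashlib.sha256).digest()


def _subkeys(key: bytes):
    """Separate encryption and authentication keys derived from the object key."""
    enc = hmac.new(key, b"encryption", hashlib.sha256).digest()
    mac = hmac.new(key, b"authentication", hashlib.sha256).digest()
    return enc, mac


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-based counter-mode keystream (stand-in for a real block cipher)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """nonce || ciphertext || 16-byte tag (encrypt-then-MAC)."""
    enc, mac = _subkeys(key)
    nonce = os.urandom(16)
    body = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc, nonce, len(plaintext))))
    tag = hmac.new(mac, nonce + body, hashlib.sha256).digest()[:16]
    return nonce + body + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    enc, mac = _subkeys(key)
    nonce, body, tag = blob[:16], blob[16:-16], blob[-16:]
    expected = hmac.new(mac, nonce + body, hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or tampered data")
    return bytes(c ^ k for c, k in zip(body, _keystream(enc, nonce, len(body))))


def can_decrypt(key: bytes, blob: bytes) -> bool:
    try:
        decrypt(key, blob)
        return True
    except ValueError:
        return False


def protect_object(master_part: bytes, kms: KeyManagementService,
                   object_id: str, plaintext: bytes) -> bytes:
    """Customer side: register a per-object part, derive the key, encrypt."""
    key = derive_object_key(master_part, kms.create_part(object_id))
    return encrypt(key, plaintext)


def recover_object(master_part: bytes, kms: KeyManagementService,
                   object_id: str, blob: bytes) -> bytes:
    """Customer side again: fetch the per-object part, re-derive, decrypt."""
    key = derive_object_key(master_part, kms.get_part(object_id))
    return decrypt(key, blob)


if __name__ == "__main__":
    kms = KeyManagementService()
    master = os.urandom(32)                       # stays with the customer
    blob = protect_object(master, kms, "invoice-17", b"constructed sample record")
    print(recover_object(master, kms, "invoice-17", blob))
    # The service holds only the per-object part; without the master it fails.
    print(can_decrypt(derive_object_key(b"\x00" * 32, kms.get_part("invoice-17")), blob))
```

The design point to take from the example is the trust boundary rather than the cipher: the object key exists only transiently on the customer side, the service stores material that is useless without the master part, and a wrong or missing master part is detected by the authentication tag instead of producing garbage.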
