Software-defined Protection - page 17

ENFORCEMENT LAYER | 01 ENTERPRISE SECURITY BLUEPRINT
Offloading Security Processing to the Cloud
Security processing can be offloaded from network and host-based enforcement points to dedicated resources within private and public cloud configurations. Instead of performing security decisions based on locally available information, enforcement points can query the cloud. Cloud-based enforcement points then become an extension of the SDP Enforcement Layer.
Offloading to the cloud provides the following benefits:

- When security decisions depend on complex and rapidly changing information such as threat indicators, the distribution of such information to all relevant enforcement points quickly becomes challenging. Offloading allows this data to be aggregated and used in the cloud.
- By collecting and analyzing security event logs in a centralized location, a Security Incident Event Management (SIEM) system can provide big data storage and perform retrospective security analysis. It can highlight potential indications of compromise and generate global baselines for authorized interactions. Baselines can be used to provide enforcement points with an indication of behavioral anomalies.
- For store-and-forward systems such as email, the added latency involved in uploading data content and attachments to the cloud for analysis is not excessive. In fact, attachments can be examined in sandboxed environments to determine if they are malicious before being forwarded to the receiving host.
- Mobile users connecting over the Internet to a cloud-based portal can receive security services that are geographically located close to them, thereby benefiting from more reliable and faster security processing compared to routing their network traffic through centralized enforcement points.
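The second benefit above (a SIEM deriving baselines of authorized interactions and flagging deviations for enforcement points) as an added illustration, not code from the SDP blueprint or from Check Point: it parses a few constructed, SIEM-normalised event lines, builds a per-host baseline of observed destination ports and byte volumes, and scores new events against that baseline. The log format, the field names, the per-host grouping and the z-score threshold are all assumptions made for the example.

```python
import re
import statistics
from collections import defaultdict

# Constructed sample events in the shape a SIEM might normalise them to:
# "<timestamp> host=<h> user=<u> dst_port=<p> bytes=<n>"  (assumed format)
TRAINING_EVENTS = """\
2024-01-01T09:00:00Z host=ws-01 user=alice dst_port=443 bytes=1200
2024-01-01T09:05:00Z host=ws-01 user=alice dst_port=443 bytes=900
2024-01-01T09:10:00Z host=ws-01 user=alice dst_port=25 bytes=4000
2024-01-01T09:15:00Z host=ws-01 user=alice dst_port=443 bytes=1500
2024-01-01T09:20:00Z host=ws-02 user=bob dst_port=445 bytes=20000
2024-01-01T09:25:00Z host=ws-02 user=bob dst_port=445 bytes=18000
2024-01-01T09:30:00Z host=ws-02 user=bob dst_port=443 bytes=1000
2024-01-01T09:35:00Z host=ws-02 user=bob dst_port=445 bytes=22000
"""

EVENT_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) "
    r"dst_port=(?P<port>\d+) bytes=(?P<bytes>\d+)$"
)


def parse_events(text):
    """Parse normalised event lines; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if not m:
            continue
        events.append({"ts": m["ts"], "host": m["host"], "user": m["user"],
                       "port": int(m["port"]), "bytes": int(m["bytes"])})
    return events


def build_baseline(events):
    """Per-host baseline: the set of destination ports seen and the
    mean/stdev of transfer volume. This is the 'global baseline of
    authorized interactions' the SIEM would hand to enforcement points."""
    ports = defaultdict(set)
    volumes = defaultdict(list)
    for e in events:
        ports[e["host"]].add(e["port"])
        volumes[e["host"]].append(e["bytes"])
    baseline = {}
    for host, seen in ports.items():
        vals = volumes[host]
        baseline[host] = {"ports": frozenset(seen),
                          "mean": statistics.fmean(vals),
                          "stdev": statistics.pstdev(vals)}
    return baseline


def score_event(baseline, event, z_threshold=3.0):
    """Return the list of anomaly reasons for one event; an empty list means
    the event is consistent with the baseline. The z-score threshold is an
    assumed tuning value, not something the blueprint specifies."""
    reasons = []
    b = baseline.get(event["host"])
    if b is None:
        return ["unknown-host"]
    if event["port"] not in b["ports"]:
        reasons.append(f"new-port:{event['port']}")
    if b["stdev"] > 0:
        z = (event["bytes"] - b["mean"]) / b["stdev"]
        if z > z_threshold:
            reasons.append(f"volume-z:{z:.1f}")
    elif event["bytes"] > b["mean"]:
        reasons.append("volume-above-constant-baseline")
    return reasons


def score_batch(baseline, text):
    """Score a batch of new event lines, returning only the anomalous ones."""
    return [(e, r) for e in parse_events(text)
            for r in [score_event(baseline, e)] if r]
```

An enforcement point would receive the baseline (not the raw logs) and use the reasons as an indication only; the blueprint positions baselines as input to a policy decision, not as the decision itself.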
Cloud-based security controls shift the security challenge from the enterprise network to the cloud. Enterprises should obtain sufficient assurances and monitoring capabilities from external cloud providers to ensure that required security controls are in place. In addition, trusted channels should be used to authenticate and protect all communications to and from the cloud. Cloud and network availability profiles should also be considered with regard to potential DDoS attacks.
An example of cloud-based security enforcement is given in Appendix A - Design Pattern: Mobile.
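An added example, not from the blueprint or from Check Point, of the pattern in which an enforcement point queries the cloud instead of deciding on local information, together with the caveats above: every cloud verdict is integrity-checked before use (an HMAC over the response body stands in for the trusted channel; a real deployment would use mutually authenticated TLS or a PKI-signed response), verdicts are cached only for the TTL the cloud assigns so that rapidly changing indicators age out, and an explicit fail-closed or fail-open policy covers the case where the cloud is unreachable. The service class, the shared key, the response fields and the verdict values are all assumptions made for the example.

```python
import hashlib
import hmac
import json
import time

# Assumption: enforcement point and cloud service share an HMAC key provisioned
# out of band. It stands in for the trusted channel the blueprint requires.
SHARED_KEY = b"example-key-provisioned-out-of-band"


def verify_response(key, response):
    """Return the decoded response body if its HMAC is valid, else None."""
    expected = hmac.new(key, response["payload"], hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, response["sig"]):
        return None
    return json.loads(response["payload"])


class CloudReputationService:
    """Toy cloud-based enforcement point holding aggregated threat indicators."""

    def __init__(self, key, indicators, available=True):
        self._key = key
        self._indicators = indicators  # indicator -> verdict ("block"/"allow")
        self.available = available     # flipped to False to simulate an outage
        self.queries = 0

    def lookup(self, indicator):
        self.queries += 1
        if not self.available:
            raise TimeoutError("cloud service unreachable")
        body = {"indicator": indicator,
                "verdict": self._indicators.get(indicator, "allow"),
                "ttl": 300,  # seconds the verdict may be cached (assumed)
                "issued": int(time.time())}
        payload = json.dumps(body, sort_keys=True).encode()
        sig = hmac.new(self._key, payload, hashlib.sha256).hexdigest()
        return {"payload": payload, "sig": sig}


class EnforcementPoint:
    """Local enforcement point that defers verdicts to the cloud."""

    def __init__(self, cloud, key, fail_closed=True, now=time.time):
        self._cloud = cloud
        self._key = key
        self._cache = {}  # indicator -> (verdict, expires_at)
        self.fail_closed = fail_closed
        self._now = now

    def decide(self, indicator):
        now = self._now()
        cached = self._cache.get(indicator)
        if cached and cached[1] > now:
            return cached[0]  # fresh cached verdict, no round trip
        try:
            body = verify_response(self._key, self._cloud.lookup(indicator))
        except TimeoutError:
            body = None  # cloud unavailable: fall through to the fail policy
        if body is None:
            # Unreachable or tampered response: apply the configured policy
            # rather than trusting whatever arrived.
            return "block" if self.fail_closed else "allow"
        self._cache[indicator] = (body["verdict"], now + body["ttl"])
        return body["verdict"]
```

Which fail policy to configure follows from the availability profile the text mentions: an email gateway can afford fail-closed (mail queues), while a latency-sensitive inline control may need fail-open with the event logged for later review.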