While Amazon Web Services is known for its robust security, Unisys believes some customers may want an additional layer of protection. To that end, it has put its Stealth security technology up for sale and use on AWS. From the release:
Unisys Stealth software uses identity-based micro-segmentation techniques and encryption to protect data and applications on the AWS Cloud. Stealth protection makes data and applications invisible to hackers and unauthorized users by encrypting traffic between all Stealth-protected endpoints.
With Stealth on AWS, users can quickly and easily micro-segment their own portions of the cloud from other users while keeping their own encryption keys. They can unify their internal security protections with those on the cloud, enforce virtual machine-to-machine encryption in the cloud, and reduce attack surfaces.
In addition, Stealth on AWS allows organisations to extend entire workloads securely from data centers to the cloud; manage access via existing identity systems including Active Directory or LDAP; and easily add integrated supply chain partners to micro-segments without giving them broad access – at the packet level without any new hardware, firewall rules, or application changes.
For customers who might find Stealth's concept intriguing but unfamiliar, Unisys is offering the ability to test it out at no charge through a private AWS sandbox.
Segmentation Vs. Micro-segmentation
Stealth is implemented in software, whereas traditional data center segmentation relies on physical network topology.
"In regular network security, when you're running your own data center or LAN, segmentation means dividing up, or zoning, your infrastructure, putting internal firewalls between sub-systems, so that in the event one of them is compromised, the problem can be contained," says Constellation Research VP and principal analyst Steve Wilson. "So different databases are segmented. Your HR system and payroll are not on the same network segment as the web servers. Typically, production systems would not be directly web-facing, but instead separated by multiple firewalls. And different logons apply to different machines in different segments. Segmentation protects against the rampant propagation of malware, hackers and rogue insiders."
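As an added example that is not part of the article, and not code from Unisys or Constellation Research, the following Python model makes Wilson's zoning argument concrete: hosts are assigned to segments, an allow-list of segment-to-segment flows stands in for the internal firewall rules (default deny), and a breadth-first search over permitted flows estimates how far an attacker who compromises one host could pivot. The inventory, segment names and rules are constructed for illustration; the `micro` flag models micro-segmentation, where even hosts in the same segment need an explicit rule to talk to each other.

```python
"""Blast-radius model of network segmentation (illustrative, constructed data)."""
from collections import deque

# Constructed inventory: host -> segment (zone). Not from the article.
HOSTS = {
    "web-1": "dmz",
    "web-2": "dmz",
    "app-1": "app",
    "db-1": "data",
    "hr-1": "hr",
    "payroll-1": "hr",
    "jump-1": "mgmt",
}

# Constructed firewall policy: (src_segment, dst_segment) pairs that are
# permitted. Anything not listed is denied (default deny). Traffic within a
# segment is allowed unless micro-segmentation is enabled (see flow_allowed).
SEGMENTED_POLICY = {
    ("dmz", "app"),
    ("app", "data"),
    ("mgmt", "dmz"), ("mgmt", "app"), ("mgmt", "data"), ("mgmt", "hr"),
}


def flow_allowed(policy, src_host, dst_host, hosts=HOSTS, micro=False):
    """Return True if traffic from src_host to dst_host is permitted.

    micro=True models micro-segmentation: hosts in the same segment also
    need an explicit (segment, segment) rule before they can talk.
    """
    if src_host == dst_host:
        return False
    s, d = hosts[src_host], hosts[dst_host]
    if s == d and not micro:
        return True
    return (s, d) in policy


def blast_radius(policy, start, hosts=HOSTS, micro=False):
    """Set of hosts an attacker can reach by pivoting over permitted flows
    from a compromised `start` host (start itself is excluded)."""
    seen = {start}
    queue = deque([start])
    while queue:
        cur = queue.popleft()
        for host in hosts:
            if host not in seen and flow_allowed(policy, cur, host, hosts, micro):
                seen.add(host)
                queue.append(host)
    seen.discard(start)
    return seen


def flat_policy(hosts=HOSTS):
    """Policy equivalent to one flat network: every segment pair is allowed."""
    segments = set(hosts.values())
    return {(a, b) for a in segments for b in segments}


if __name__ == "__main__":
    # Compare how far a compromised web server can pivot under each policy.
    for name, policy in (("flat", flat_policy()), ("segmented", SEGMENTED_POLICY)):
        print(f"{name:10s} from web-1: {sorted(blast_radius(policy, 'web-1'))}")
    print("micro-seg   from web-1:",
          sorted(blast_radius(SEGMENTED_POLICY, "web-1", micro=True)))
    # The management jump host shows the other side of the coin: a zone that is
    # allowed to reach everything is the zone whose compromise matters most.
    print("segmented  from jump-1:", sorted(blast_radius(SEGMENTED_POLICY, "jump-1")))
```

With the flat policy a compromised `web-1` reaches every other host; with the segmented policy it reaches only `web-2`, `app-1` and `db-1` (the HR and payroll hosts are unreachable); with micro-segmentation on, `web-2` drops out as well. The same search run from `jump-1` reaches everything, which is the kind of question Wilson's "tough questions" should cover: a segmentation design is only as strong as its most privileged zone.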
"How all this works in the cloud is often a mess," Wilson adds. "When you outsource your corporate IT to a cloud or Infrastructure-as-a-Service (IaaS) provider, security details remain as important as ever. More so, because you need your assets segmented apart from all other tenants, of course. More and more enterprises are going to the cloud, but enterprises need to retain their CISOs. They need to make their own independent risk assessments and think critically about how their assets in the cloud are being managed."
As for products such as Stealth, "software security is very hard to certify," Wilson notes. "It's only as good as the hardware it runs on, and it's fragile like any software. Serious network segmentation is always done with hardware appliances. So enterprise buyers of segmentation services in the cloud need to ask the tough questions."
The Bottom Line
Cloud security is continuously evolving with the market and customer demand, so in short, watch this space. "There is a spectrum of control and robustness emerging in the cloud services," Wilson says. "Some are offering dedicated hardware security modules. That's very 'uncloud' and more like old school outsourcing, but warranted for many apps. I wouldn't be surprised to see segmentation go the same way."