Rake Narang: As companies work to migrate their business to the cloud, what are some misperceptions about the risk of mitigating cloud servers?
David Meizlik: ‘Cloud’ is one of the most used and least understood words in technology, so it’s little surprise that there are misperceptions about its risks. Here are a few:
Misconception #1) The cloud provider is securing your server
In a recent security study, 39% of IT security professionals think their provider will let them know if their cloud server was hacked. I call these folks wishful thinkers. In fact, most providers have SLAs and monitor only for issues involving infrastructure availability, not server security. Providers are responsible for the infrastructure, not how you use it.
Misconception #2) Cloud is like any other infrastructure I have today
Maybe, but how you use and secure that infrastructure is tremendously different. If you think what you’ve done for years in your network can be replicated in the cloud…think again. Remember that you don’t own the infrastructure and you can’t just walk down the hall to resolve a problem. What’s more, very few of your controls extend to the cloud. Fundamentally, as you re-architect your infrastructure for the cloud, you need to think about how you re-architect your security to match.
Misconception #3) I know what I’m doing
Um, no you don’t. But don’t feel bad – few really do. The cloud is new and different, and comes in so many flavors that it’s virtually impossible for anyone to have an exact fix on things. But start with the basic lines of defense like firewalling, encryption, and malware protection, and rethink their applications (see misconception #2).
Rake Narang: What are the barriers to efficiently managing security in a cloud server, and what are the necessary requirements to securing the cloud server?
David Meizlik: The greatest barrier to managing security in the cloud is elasticity. Traditional security has never been designed to scale efficiently. Sure – it’s been designed to support large infrastructure; but it hasn’t been built to scale on-demand. Hence, traditional controls are not nearly as elastic as the cloud infrastructure, which presents a nightmare scenario for IT security professionals. Take the firewall, for example. In a traditional datacenter you might have 100 servers behind a single, perimeter firewall. In the cloud, however, there is no perimeter, so instead of managing a single perimeter firewall you’re managing the firewalls for all 100 servers. So your management just scaled up 100X, but your headcount remained the same. And while you might have 100 server firewalls at 10 am, by noon you might double your server count.
What’s more, most traditional security has been designed to secure within the corporate perimeter, not outside it or across multiple clouds. So, very few tools typically used (e.g., IDM, Firewall, Encryption, etc.) can extend from the corporate network to the cloud, or across multiple cloud providers. This leaves IT with the challenge of having to rethink and rebuild security for the cloud, duplicating controls and processes for a much more elastic environment where most are not designed to protect.
Rake Narang: Who is responsible for managing cloud security risks?
David Meizlik: The provider is responsible for delivering a secure infrastructure; however, it’s the responsibility of each user to ensure they’re using it safely. In particular, the operating system and application stack are the responsibility of the cloud user. I liken this to automobile manufacturers – they’re responsible to build a safe and dependable car, but it’s up to you to drive it defensively and follow the rules of the road. The same is true in the cloud.
Ultimately, only the cloud user can decide how they’re going to use the cloud and settle on an acceptable level of risk. So, while both the provider and user share a responsibility for managing cloud security, the onus is on the user to determine what specific technologies and processes to apply to ensure security.