IDS/IPS in the Cloud: More Relevant Than Ever?

Learn why IDS/IPS is not only relevant in the cloud but required for enterprises.

As organizations moved to the cloud, many of those we've spoken with about securing workloads in the public cloud asked an important question: Since I don't manage infrastructure anymore (well, mostly), do I still care about infrastructure-level security like intrusion detection systems (IDS) and intrusion prevention systems (IPS)? The short answer is yes, you should. Here is why…

As enterprises make the leap to the public cloud (AWS, Azure, Google Cloud Platform (GCP), and Oracle Cloud Infrastructure (OCI)), some security problems fade, such as infrastructure patching, defending against SYN attacks, and physical security, while other challenges arise. The public cloud is a highly dynamic environment where rapid deployment of infrastructure and apps is the norm and infinitely scalable services are everywhere. Environments like these require highly scalable security to protect them against threats that target the infrastructure and applications that live within.

Traditionally, intrusion detection and prevention systems (IDS/IPS) provide real-time protection against network attacks, exploits, and exposures in application code and operating systems that workloads run on. But is IDS/IPS still relevant in the cloud? We look at network-based IDS/IPS for enterprises in the cloud in AWS, Azure, GCP, and OCI and find it's more relevant than ever.

Considerations: shared responsibility, app variety, and the nature of threats

Here are some cloud considerations for IDS/IPS for AWS, Azure, GCP, and Oracle: 

  • Your cloud provider isn't going to protect you against network-level threats, because their security secures their cloud platform, not your apps.
  • Best practice suggests using more and more segmentation, whether VPC to VPC across accounts, cloud to cloud, or simply network-level segmentation. Organizations are creating trust boundaries, but they need to inspect traffic more deeply than simple ports and protocols to secure access and provide containment.
  • The variety of app approaches, including containers, virtual machines, platforms as a service (PaaS), and serverless, means that many of the controls that sit closer to the app are fragmented, at best. The network is the only common ground. Attacks like SolarWinds and other supply chain attacks, and hard-to-patch vulnerabilities like Log4j/Log4Shell, will continue and require creative approaches to securing public cloud workloads.
  • Basic regulatory compliance and data protection standards implemented in basic web application firewalls (WAFs) or compliance templates offered by some cloud providers may be insufficient to meet your specific application requirements.

The bottom line is that many of the capabilities that network-based IDS/IPS provides are still needed, but given the cloud landscape, IDS/IPS will have to take a different form.

High-level cloud IDS/IPS differences from traditional environments

The cloud landscape dictates network IDS/IPS requirements. Before looking at specific network-based IDS/IPS requirements in the cloud, let's dive a little deeper into some of the meaningful differences in public cloud networking versus traditional networking:

  • Cloud environments are dynamic and infinitely scalable
  • IP addresses are ephemeral in the public cloud
  • Cloud has a dynamic perimeter. It is best practice to segment workloads and encrypt all traffic.
  • Custom silicon appliances are not required. While often used in on-premises deployments, you do not need silicon-based appliances tied to the cloud to have a successful cloud IPS solution.

The dramatic differences in public cloud networking mean that traditional IDS/IPS solutions, which rely on stable environments, stable demand against capacity, defined perimeters, internal traffic in the clear, and high-performance silicon, can't keep up with the dynamic nature of the cloud and are not going to translate to the public cloud.

In this new world, we need prevailing security knowledge, but the implementation of IDS/IPS needs to be different. Lifting and shifting existing IDS/IPS tools as virtual appliances ported from the on-premises data center results in inefficiencies similar to those of lifting and shifting legacy apps to the public cloud without refactoring.

Specific IDS/IPS requirements from customers, or how IDS/IPS should work in the cloud

After numerous customer conversations where we have discussed IDS/IPS, we found that most organizations are increasingly acknowledging the need for IDS/IPS in public cloud, but they need it to work a bit differently than it did in data center environments. Specifically, we see the following requirements articulated by enterprises:

  • IDS/IPS must be a core cloud network service inheriting cloud attributes such as the ability to scale up and out automatically to support changes in demand, automate deployments, and be accessible from anywhere. Since we assume everything is encrypted, the ability to decrypt everywhere, according to an organization's security policies, is a must. Fail open/fail closed is now a security discussion, not an availability discussion.
  • Capacity is elastic, unlike on-premises deployment where security and performance were carefully traded off, so the traditional rationale of what can/should be inspected can and should be revisited. In other words, in a cloud environment where capacity is elastic, organizations can inspect everything.
  • For self-healing benefits across architecture, infrastructure, and ops:
    • Resilience needs to be built in; it can't be overlaid with network design.
    • With the massive scale of inspection nodes for the cloud, they need highly efficient operations.
    • Pace of change is high in cloud, and IDS/IPS infrastructure must keep up.
  • Cloud WAF is often a nice addition for app-level threats and compliance.

The verdict: IDS/IPS is more than relevant in the cloud, it is essential

IDS/IPS is more than relevant in the context of cloud environments. In fact, organizations need to protect against threats and prevent unauthorized access to workloads, making IDS/IPS both a critical and foundational component of a successful cloud security strategy. Not only is it designed to protect against outside threats (ingress security), but it also stops lateral movement between clouds and VPCs and can apply inspection on outbound traffic, protecting your cloud workloads from many angles.

Easily implement IDS/IPS across clouds with Cisco Multicloud Defense

IDS/IPS is one of the foundational services offered by Cisco Multicloud Defense. The Multicloud Defense single control plane allows organizations to deploy and manage IDS/IPS consistently across their cloud environments from one location. Built for the cloud, Multicloud Defense IDS/IPS capability extends the traditional appliance-centric concept to a dynamic, service-oriented, multicloud world giving organizations the protection they need to secure their workloads and infrastructure with the necessary attributes to execute successful cloud security strategies.

See how Cisco Multicloud Defense can enable IDS/IPS in AWS, Azure, Google Cloud Platform (GCP), and Oracle Cloud Infrastructure (OCI) in minutes with a free trial or view our product tour.

To learn more about Cisco Multicloud Defense, visit our website cisco.com/go/multicloud-defense.