DDOS Protection for Public Cloud Customers

October 11, 2016 by Frank Siemons

Public Cloud Adoption

The rate of adoption of cloud services by organizations over recent years has been significant. Some of these organizations decided to migrate at least part of their IT systems to a public cloud for one or more of the better-known benefits: an easier-to-manage cost model, nearly unlimited flexibility in hardware and software, or the guaranteed uptime locked into Service Level Agreements. Security, however, has not often been at the forefront of the decision-making process. That is a shame, because most public cloud providers offer some very solid security options, such as security monitoring and Distributed Denial of Service (DDoS) protection. Arguably, these options benefit not only their customers but their own cloud platforms as well.

Distributed Denial of Service

The exponential growth of DDoS attacks, now up to fifty times larger than ten years ago, has many organizations worried about when they will be next. It is only a matter of time, and when their number does come up, how prepared are they, and how prepared could they actually be? A well-organized and targeted DDoS attack could easily fire a sustained 100 Gbps of traffic at its victim. For example, an attack against a BBC website in 2016 reached a peak of 602 Gbps, so far the largest DDoS attack in history. Even though the average connection bandwidth of organizations has grown at almost the same pace, the sophistication and specifically targeted nature of these attacks mean they are becoming harder to deal with every day. A business will need to decide between investing a huge amount in dedicated hardware, software and specialist skills, or outsourcing DDoS protection to a third party. Because these third parties can spread the cost of their high-capacity infrastructure over many customers that are unlikely to all be under attack at the same time, outsourcing is usually the most viable option for small, medium and even some larger enterprises.

DDoS Service Add-ons

Public Cloud Service Providers (CSPs) such as Amazon Web Services, Microsoft Azure and Rackspace have been ideally placed to pick up this growing demand. They compete with specialized DDoS protection providers such as CloudFlare, but with one main advantage: the customer already has an agreement with that CSP for one or more products such as IaaS or SaaS. That means the DDoS protection service is just another add-on to the existing contract. Most of the technical side, routing traffic for instance, can be handled by the CSP as well, without another party being involved. Even if the CSP in turn decides to outsource the entire DDoS protection service to a specialized provider such as CloudFlare, the public cloud customer still does not need to worry: their agreement is simply with their CSP, and the responsibilities and complexities behind that are not their concern.

Potential Benefits

The main benefit for an organization in choosing DDoS protection from their Public Cloud Service Provider over a third party is the simplicity of both the technical and the organizational processes. The customer deals with only one party, and escalations between the different CSP teams should, in theory, be faster and require little customer interaction. Another benefit is that the CSP knows its own network better, already monitors it indirectly for potential DDoS attacks, and has more control over the available mitigation actions. In the case of a sustained attack over many days, weeks or even months, there will be options such as a quick relocation to another virtual network or even to another physical data center. Another very important factor to keep in mind is who will foot the bill for the potentially enormous increase in traffic caused by a DDoS attack. This issue is more complex. Although many CSPs will waive unexpectedly high charges in the case of a DDoS attack, this is likely much easier to manage (and to prove) when the CSP itself is handling the attack and its mitigation. This will require the customer to do some further provider-specific research. For example, some CSPs no longer charge for inbound traffic, which could be a very important consideration.

Available Options

Every cloud provider will have some level of DDoS protection in use for its own cloud infrastructure. This covers lower-layer DDoS attack methods such as SYN floods, and protects the provider's own business from an attack that could bring down many or all of its cloud customers simultaneously. The legal, financial and reputational ramifications for the CSP would be enormous in such a case, which is simply a risk it cannot accept. This platform-wide protection, however, does not cover individual customers and their own specific configurations, requirements and priorities. Customers will still need to deal with, for instance, application-layer DDoS attacks, which are more customized and targeted at their publicly hosted services. Imagine a low- to medium-bandwidth DDoS attack specifically targeted at a customer's website over the HTTP protocol. Not knowing the specifics of the website, the CSP might not notice the attack at all. How would the CSP security team know this is an attack and not a very popular online sale, without in-depth knowledge of the service? Even if they do detect an attack, they might not be authorized, or knowledgeable enough, to take custom mitigation actions. This means a customized DDoS protection service is required. Most of the larger Public Cloud Service Providers have optional per-customer DDoS protection available, usually for an additional fee. This provides the customer with bespoke DDoS protection profiles and in-depth analysis and alerting capabilities that match the customer's own organizational structure and requirements.
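The "attack or popular sale?" question above is exactly the one a customer-side detection has to answer from its own web access logs, because only the customer knows what normal traffic looks like. The following script is an added illustration, not code from the article or from any cloud provider. It parses constructed Combined-Log-Format lines and compares one observation window against a hypothetical requests-per-minute baseline; the thresholds (surge factor, source-IP and URL concentration, ratio of static-asset fetches) are assumptions chosen for the example, and the IP addresses, paths and timestamps are made up.

```python
import re
from collections import Counter

# Combined Log Format fields we need: client IP, timestamp, method, path, status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)
# Secondary assets a real browser fetches alongside a page; a scripted flood usually skips them.
ASSET_SUFFIXES = (".css", ".js", ".png", ".jpg", ".ico", ".woff2")


def parse_line(line):
    """Return the fields of one access-log line as a dict, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def window_metrics(lines):
    """Aggregate one observation window (for example one minute) of log lines."""
    events = [e for e in map(parse_line, lines) if e]
    total = len(events)
    if total == 0:
        return {"requests": 0, "unique_ips": 0, "top_ip_share": 0.0,
                "top_path_share": 0.0, "asset_ratio": 0.0}
    ips = Counter(e["ip"] for e in events)
    paths = Counter(e["path"].split("?")[0] for e in events)
    assets = sum(1 for e in events if e["path"].split("?")[0].endswith(ASSET_SUFFIXES))
    return {
        "requests": total,
        "unique_ips": len(ips),
        "top_ip_share": ips.most_common(1)[0][1] / total,      # share of the busiest client
        "top_path_share": paths.most_common(1)[0][1] / total,  # share of the most-hit URL
        "asset_ratio": assets / total,                        # fraction of static-asset fetches
    }


def triage(lines, baseline_rpm, surge_factor=3.0):
    """Classify a window against the site's normal requests-per-minute baseline.

    Assumed heuristics: a flood concentrates on few sources and/or one URL and
    rarely loads secondary assets; a flash crowd is spread across many clients
    and pages and looks like real browsers.
    """
    m = window_metrics(lines)
    if m["requests"] <= surge_factor * baseline_rpm:
        verdict = "normal"
    elif m["top_ip_share"] >= 0.2 or m["top_path_share"] >= 0.8 or m["asset_ratio"] < 0.1:
        verdict = "suspected HTTP flood"
    else:
        verdict = "likely legitimate surge"
    m["verdict"] = verdict
    return m


def make_line(ip, path, second, status=200, size=512):
    """Build one constructed log line for the synthetic samples below."""
    return f'{ip} - - [11/Oct/2016:10:00:{second:02d} +1000] "GET {path} HTTP/1.1" {status} {size}'


# Constructed sample 1: 300 requests in a minute from five sources, all hitting /login.
FLOOD = [make_line(f"203.0.113.{10 + i % 5}", "/login", i % 60) for i in range(300)]

# Constructed sample 2: 300 requests from 150 clients, each loading a product page plus its CSS.
SURGE = []
for i in range(150):
    ip = f"198.51.100.{i % 250}"
    SURGE.append(make_line(ip, f"/products/{i % 20}", i % 60))
    SURGE.append(make_line(ip, "/static/site.css", i % 60, size=2048))

if __name__ == "__main__":
    # Hypothetical baseline: this site normally sees about 50 requests per minute.
    for name, window in (("flood", FLOOD), ("sale", SURGE), ("quiet", FLOOD[:40])):
        print(name, triage(window, baseline_rpm=50))
```

Both windows exceed the baseline by the same factor, so volume alone cannot separate them; it is the concentration of sources and URLs and the absence of asset fetches that marks the first window as an attack. Those are the site-specific signals a CSP without knowledge of the application would not have, which is why the article argues for per-customer protection profiles.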

Conclusion

It is not hard to see that it is well worth researching the DDoS protection offerings of the Public Cloud Service Providers, especially if they already manage most of an organization's existing cloud services. Of course, not all organizations will have their main online services hosted in a public cloud infrastructure; think for instance of a private cloud configuration or a customer-managed data centre. In that case, other benefits of a third-party or self-managed DDoS protection could stand out. As always in the world of ICT, there are enough options out there; it is just a matter of weighing them all up against each other.

Frank Siemons

Frank Siemons is an Australian security researcher at InfoSec Institute. His track record consists of many years of systems and security administration, both in Europe and in Australia.

Currently he holds many certifications, such as CISSP, and has a Master's degree in InfoSys Security from Charles Sturt University. He has a true passion for anything related to pentesting and vulnerability assessment and can be found on au.linkedin.com/in/franksiemons. His Twitter handle is @franksiemons.