IDS/IPS in the Cloud: More Relevant than Ever?

Learn why IDS/IPS is not only relevant in the cloud but required for enterprises.

As organizations moved to the cloud, many of those we’ve spoken with about securing workloads in the public cloud asked an important question: since I no longer manage infrastructure (well, mostly), do I still care about infrastructure-level security like IDS/IPS? The short answer is yes, you should. Here is why…

As enterprises make the leap to the public cloud (AWS, Azure, Google Cloud Platform, and Oracle), some security problems fade (e.g., infrastructure patching, defending against SYN flood attacks, physical security), while other challenges arise. The public cloud is a highly dynamic environment where rapid deployment of infrastructure and apps is the norm and elastically scalable services are everywhere. Environments like these require equally scalable security to protect them against threats that target the infrastructure and the applications that live within it.

Traditionally, Intrusion Detection and Prevention Systems (IDS/IPS) provide real-time protection against network attacks, exploits, and exposures in the application code and operating systems that workloads run on. But is IDS/IPS still relevant in the cloud? We look at network-based IDS/IPS for enterprises in AWS, Azure, GCP (Google Cloud), and OCI (Oracle) – and find it’s more relevant than ever.

Considerations: Shared Responsibility, App Variety, and the Nature of Threats

Some cloud considerations for Intrusion Detection and Prevention Systems (IDS/IPS) for AWS, Azure, GCP, and Oracle:

  • Your cloud provider isn’t going to protect you against network-level threats – their security secures their cloud platform, not your apps.
  • Best practice suggests using more and more segmentation – whether VPC to VPC across accounts, cloud to cloud, or simply network-level segmentation. Organizations are creating trust boundaries, but they need to inspect traffic more deeply than simple port/protocol to secure access and provide containment.
  • The variety of app approaches (containers, VMs, PaaS, serverless) means that many of the controls that sit closer to the app are fragmented, at best. The network is the only common ground.
  • Attacks like SolarWinds and other supply chain attacks, and hard-to-patch vulnerabilities like Log4j/Log4Shell, will continue and require creative approaches to securing public cloud workloads.
  • Basic regulatory compliance and data protection standards implemented in basic WAFs or compliance templates offered by some cloud providers may be insufficient to meet your specific application requirements.

The bottom line is that many of the capabilities that network-based IDS/IPS provides are still needed, but given the cloud landscape, IDS/IPS will have to take a different form.

High Level Cloud IDS/IPS Differences from Traditional Environments

The cloud landscape dictates network IDS/IPS requirements. Before looking at specific network-based IDS/IPS requirements in the cloud, let’s dive a little deeper into some of the meaningful differences in public cloud networking versus traditional networking:

  • Cloud environments are dynamic and infinitely scalable
  • IP is ephemeral in the public cloud
  • Cloud has a dynamic perimeter. It is best practice to segment workloads and encrypt all traffic
  • Custom silicon appliances are not required – while often used in on-premises deployments, you do not need silicon-based appliances to have a successful cloud IPS solution.

The dramatic differences in public cloud networking mean that a traditional IDS/IPS solution, which relies on stable environments, stable demand against planned capacity, a defined perimeter, internal traffic in the clear, and high-performance silicon, cannot keep up with the dynamic nature of the cloud and is not going to translate to the public cloud.

In this new world, we still need the established body of security knowledge, but the implementation of IDS/IPS needs to be different. Lifting and shifting existing IDS/IPS tools as virtual appliances ported from the on-premises datacenter results in the same inefficiencies as lifting and shifting legacy apps to the public cloud without re-factoring.

Specific IDS/IPS Requirements from Customers – Or, How IPS/IDS Should Work in Cloud

After numerous customer conversations where we have discussed IDS/IPS, we have found that most organizations increasingly acknowledge the need for IPS/IDS in the public cloud, but they need it to work a bit differently than it did in data center environments. Specifically, we see the following requirements articulated by enterprises:

  • IDS/IPS must be a cloud-native network service inheriting cloud attributes such as the ability to scale up and out automatically to support changes in demand, automated deployment, and accessibility from anywhere.
  • Since we assume everything is encrypted – the ability to decrypt everywhere, according to an organization’s security policies, is a must.
  • Fail open/fail closed is now a security discussion, not an availability discussion.
  • Capacity is elastic, unlike on-premises deployment where security and performance were carefully traded off, so the traditional rationale of what can/should be inspected can and should be revisited. In other words, in a cloud environment where capacity is elastic, organizations can inspect everything.
  • Self-healing – benefits across architecture/infrastructure/ops:
    • Resilience needs to be built in; it can’t be overlaid with network design.
    • The massive number of inspection nodes in the cloud requires highly efficient operations.
    • Pace of change is high in cloud – IDS/IPS infrastructure must keep up.
  • Cloud WAF is often a nice addition for app-level threats and compliance.

The Verdict: IDS/IPS is More Than Relevant in the Cloud – it is Essential

IDS/IPS is more than relevant in the context of cloud environments. In fact, organizations need to protect against threats and prevent unauthorized access to workloads, making IDS/IPS both a critical and foundational component of a successful cloud security strategy. Not only is it designed to protect against outside threats (ingress security), it also stops lateral movement between clouds and VPCs and can apply inspection to outbound traffic, protecting your cloud workloads from many angles.

Easily Implement IDS/IPS Across Clouds with Cisco Multicloud Defense

IDS/IPS is one of the foundational services offered by Cisco Multicloud Defense. With Multicloud Defense’s single control plane, organizations can deploy and manage IDS/IPS consistently across their cloud environments from one location. Built for the cloud, Multicloud Defense’s IDS/IPS capability extends the traditional appliance-centric concept to a dynamic, service-oriented, multicloud world, giving organizations the protection they need to secure their workloads and infrastructure and the attributes needed to execute a successful cloud security strategy.

See how Cisco Multicloud Defense can enable IDS/IPS in AWS, Azure, GCP, and OCI in minutes with a free trial, or view our product tour.

To learn more about Cisco Multicloud Defense, visit our website cisco.com/go/multicloud-defense.

Author's Bio

Vishal Jain

Vice President, Cisco Multicloud Defense, Cisco Systems Inc.