Google has introduced a new Intrusion Detection Service together with “Adaptive Protection” for its cloud firewall, but such services make security a costly feature.
The Chocolate Factory’s inaugural digital security summit ran yesterday, where the company talked up its notion of “invisible security”. CEO Thomas Kurian encouraged businesses to transfer their “digital assets” to the cloud in order to benefit from “cloud-native security.” According to GM and VP of Cloud Security Sunil Potti, invisible security means “security technologies are designed in… security operations as a silo disappears.”
It was soon apparent that achieving this goal is some distance away. The big announcement at the event was a new service called Google IDS (Intrusion Detection Service), which requires security operation skills to set up and maintain.
Network security on Google Cloud prior to the introduction of IDS
Google Cloud already has a Cloud Armor firewall (controls traffic between the internet and a customer’s Virtual Private Cloud) and VPC Firewall (control traffic within a VPC). At the summit, the company introduced Cloud Armor Adaptive Protection, in preview, which detects and alerts DDoS and application-level attacks (Layer 7 or L7 in the OSI model) such as SQL injection.
Adaptive Protection can also generate a custom firewall rule to block the traffic. It uses machine learning to power its detection mechanism. Free while in preview, Adaptive Protection will require a premium Managed Protection Plus subscription when generally available. The solution also requires integration with logging and alerting to be useful. Having a SQL injection attack logged is only useful if the information is acted on, and this is where a SIEM (Security Information and Event Management) or SOAR (Security Orchestration, Automation and Response) service is needed, or at least an alert which an engineer can respond to.
Managed Protection Plus became generally available in May this year and costs $3,000 per month for up to 100 protected resources. A protected resource is the backend services behind a load balancer.
Diagram showing the role of Google IDS in securing network traffic
As for the Intrusion Detection Service, this is another threat detection analyser which works by packet mirroring of network traffic both into and within a VPC. Such a service is already available by enabling packet mirroring to a third-party service, such as one provided by ExtraHop, Cisco, Netscout or Check Point. However Google networking product manager Peter Blum said at the event that while “we always want to provide customer choice, and enabling our customers and partners to integrate with our cloud and packet mirroring is a great example… customers wanted us to provide an easier path to network threat protection built into our cloud.”
It is a common big tech pattern, providing first-party services to replace third-party services, but the twist here is that IDS is also powered by a third party, in this case Palo Alto Networks. The way it works is that admins set up a cluster running the Palo Alto detection software by creating an IDS instance within their VPC. They are then able to attach sources of network traffic which will be mirrored to the IDS instance. IDS will fire alerts to a logging service, and as with Adaptive Protection, it is for the user to decide how to handle the alerts, such as to a SIEM or SOAR service. IDS will not block traffic on its own.
A Google spokesperson told us: “For example, Cloud IDS integrates with Palo Alto Networks Cortex XSOAR to enable blocking malicious traffic.” It would also be possible to set up a Google Cloud Function to take action such as shutting down a service or taking other actions on receipt of a critical alert.
There is a snag with packet mirroring. How can IDS detect threats in encrypted traffic? According to the documentation, “Cloud IDS needs to see decrypted traffic. You can decrypt traffic at the L7 load balancer, or deploy a third-party appliance… Because external HTTP(S) load balancer require SSL certificates, SSL traffic between the load balancer and the client is encrypted. Traffic from the GFE to the backends is standard HTTP traffic, which Cloud IDS can inspect.”
This is a security quandary: encrypted traffic is generally a good thing, except when it needs to be inspected to check for malicious intent. Google told us: “Cloud IDS can detect a range of malicious attacks without needing to decrypt the traffic, for encrypted traffic, it can still protect against command and control access and provide protection against malicious IP and URL filtering.”
What will Cloud IDS cost? Google would not tell us, but said that “pricing is pay as you go and based on two metrics,” these being the number of IDS endpoints and the volume of traffic inspected. Judging by the cost of Managed Protection Plus it will not be cheap. It is free during preview, though.
Many recent security incidents such as Hafnium, SolarWinds, and PrintNightmare involve Microsoft products and Windows servers or endpoints, making it easy for Google to pitch its cloud-first services, along with its Chrome OS clients, as a more secure approach – though issues like supply chain attacks and application vulnerabilities can affect software wherever it is running.
There is perhaps some tension over the extent to which security is becoming a premium feature, on Google’s cloud and elsewhere, potentially putting it out of reach of smaller organisations. ®