cloud computing: a challenge for intrusion prevention systems

Intrusion detection and prevention systems can be difficult to implement and administer. When migrating to a cloud computing environment, the situation becomes even more complex. So why does cloud computing make things so difficult?

a technology already stirring up controversy

Any security company will tell you: setting up an intrusion detection system (IDS) or intrusion protection system (IPS) in a strategic spot on your network/servers is not complicated. The difficult part is ensuring ongoing management (updating signature bases and configurations, and above all recording and analyzing events). Companies sometimes buy the hardware, get it set up and then forget
about it because it's not the easiest equipment to use.

spotlight on Infrastructure as a Service (IaaS)

Techniques for detecting and preventing intrusions can be adapted to different layers or components of an information system: from the network layer (network IDS/IPS) to the operating system layer (host IDS), or even application or middleware layers (database IDS, firewall). You can implement IDS functions from any application-generated log/information: analyzing Apache server logs to detect intrusion or discovery attempts is a kind of IDS.

In this post, I will limit myself to IaaS cloud computing services, which offer IT resources for running virtual machines, network connectivity and data storage centers.

characteristics of cloud computing

According to the National Institute of Standards and Technology, the basic characteristics of cloud computing are: resource pooling / multi-tenancy, the ability to meet extremely high demand (massive scalability), the ability to adapt resources to needs in a simple way (elasticity), self-provisioning and pay-as-you-go billing. We’ll set the pay-as-you-go aspect aside for the moment as it doesn’t have a big impact on IDS/IPS systems.

resource pooling/multi-tenancy

Pooling resources among cloud users and simultaneously using common resources are fundamental traits of cloud computing. A cloud customer can use the same network access, machines and storage systems as other clients, with virtualization and isolation technologies making the whole process transparent.

In the physical world, setting up an IDS/IPS depends on the physical environment: a network link or access, one or more physical servers, a platform, etc. With a cloud environment, everything is virtual and immaterial. Customers looking to protect their virtual machines (VMs) have to look at the problem differently. One of the classic questions is how to monitor traffic between two localized VMs on the same hypervisor. Even if each customer activates a VM equipped with an IPS/IDS, there’s still the challenge of managing it.

ability to respond to extremely high demand (massive scalability)

In a cloud computing environment, the number of VMs running simultaneously can range from thousands to tens of thousands of machines. The number of security events generated by the IDS/IPS can be gigantic, which is perhaps the most difficult challenge.

elasticity and self-provisioning

With cloud computing, it is possible to adjust resources dynamically depending on the number of processes to be executed. You can go from 3 VMs to 10-20 VMs in a matter of seconds, or use a vastly different storage capacity from one day to the next. In this context, do you have to reconfigure your IDS/IPS each time? How do you provide it with enough resources so that it can do its job properly from the moment you launch a new VM?


Cloud computing does indeed pose some serious questions for IDS/IPS. It is not enough to simply apply techniques and practices already used in companies. New approaches must be offered both by cloud computing service providers and security solution developers. Some are still merely offering “virtual appliance” models of their physical equipment, which is clearly inadequate. Approaches that integrate core hypervisor and so-called “introspection” functions may make it possible to effectively secure cloud computing infrastructures.


image © mipan -

Jean-François Audenard

Au sein de la direction sécurité du Groupe Orange, je suis en charge de la veille sécurité et de la sensibilisation à la sécurité. Franchise, optimisme et bonne-humeur sont mes moteurs quotidiens