Why IP Discovery Is Difficult in Cloud Networks and How to Fix It

Mar 3, 2026

A global enterprise discovered an unsettling number of external IP addresses communicating with their cloud workloads during a routine security review. The infrastructure team didn’t think they had full visibility because they relied on discovery tools.

Meanwhile, the cloud team believed they were tracking everything through deployment templates. Both teams were partially right, but neither was seeing the entire picture.

This article explains why IP discovery is so challenging in cloud networks and which key challenges enterprises face in achieving accurate, up-to-date visibility into IP addresses in dynamic environments.

Why is IP discovery complex in cloud networks?

Traditionally, data centers have had relatively stable IP addressing. Servers were located in fixed positions, subnets changed infrequently, and address allocation was predictable.

Periodically scanning networks was an effective way for discovery tools to maintain accurate inventories.

Cloud networking behaves differently. Cloud workloads are ephemeral: instances can exist for only a few minutes or hours, and IP addresses can be reassigned instantaneously.

In addition, containers create overlay networks, which can change independently of the underlying physical or virtual infrastructure. Finally, according to Slurp’it, multi-cloud environments separate IP addressing by cloud service provider.

For these reasons, IP discovery has shifted from periodic mapping to constant observation.

What are the most common IP discovery challenges in cloud networks?

  • Transient workloads and ephemeral IP addresses
  • Multiple platforms create distributed visibility
  • Virtualization, abstraction, and overlaid network layers
  • Dynamic IP address reallocation
  • Lack of contextual information

What are the risks associated with lack of complete visibility into IP addresses?

Incomplete IP discovery creates several risks:

  • Unknown IP addresses can create security exposures to external services.
  • Segmentation policies may not cover all workloads.
  • Incident response may miss affected systems.
  • Compliance-driven IP inventories may contain inaccuracies.
  • Networking policies may reference outdated IP addresses.

Since the majority of network connectivity and access control is based on knowledge of IP address assignment, incomplete or inaccurate IP discovery detracts from both security and operational effectiveness, according to Slurp’it.

Why don’t traditional discovery methods work for cloud-based infrastructure?

Many organizations carry their old way of discovering assets over into the cloud. These older methods are based on periodic scans across networks or imports of static configurations.

Using old discovery methods in cloud networks runs into the following challenges:

  • Scans may not target private networks/overlays.
  • Short-lived resources may already be gone from the cloud by the time a scanner runs, so they are missed.
  • Provider APIs do not provide complete views of what is happening within a cloud provider’s network.
  • Recycling of addresses can cause historical information associated with an IP address to become invalid.
  • Inventory updates may not occur until a resource has been created.

The most significant reason these methods do not work in a cloud environment is timing. Cloud services are constantly changing their IPs, whereas traditional discovery only captures IPs at specific points in time.

Let’s look at the strategies to overcome cloud IP discovery challenges.

To overcome the cloud-specific challenges with discovery, organizations need to:

  • Integrate their discovery tool with cloud service provider (CSP) APIs and orchestration platforms.
  • Obtain context information along with each IP address from the cloud provider. IP address context is the metadata associated with the live IP address, such as virtual instance ID, application, environment, and owner. This metadata gives the IP address meaning.
  • Extend their visibility into networks that use containerized platforms and service meshes. According to Slurp’it, this helps provide visibility into IP addressing that does not exist in on-premises infrastructure sub-networks.
  • Correlate their IP discovery across a hybrid environment. This will provide a unified view of IP connectivity and exposure pathways.
  • Automate IP inventory updates so that the inventory continuously reflects the deployment and termination of resources as well as changes to IP addresses.
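
The address-recycling and timing problems described above, together with the context metadata these strategies call for, in an added example (not code from the original article or from Slurp’it): an inventory built from lifecycle events that stores each IP assignment as a time interval, so a lookup for a past moment returns the workload that held the address then. The event format, field names, and every value are constructed assumptions.

```python
from bisect import bisect_right
from datetime import datetime

# Constructed lifecycle events (time, action, ip, context); all values are made up.
EVENTS = [
    ("2026-03-01T10:00", "assign", "10.0.4.17", {"instance": "i-aaa111", "app": "billing-api", "owner": "payments"}),
    ("2026-03-01T10:20", "release", "10.0.4.17", None),
    ("2026-03-01T10:21", "assign", "10.0.4.17", {"instance": "i-bbb222", "app": "ci-runner", "owner": "platform"}),
    ("2026-03-01T10:35", "release", "10.0.4.17", None),
    ("2026-03-01T10:40", "assign", "10.0.4.17", {"instance": "i-ccc333", "app": "web-frontend", "owner": "storefront"}),
]

def ts(s):
    return datetime.fromisoformat(s)

def build_history(events):
    """Turn assign/release events into per-IP intervals [start, end, context]."""
    history = {}
    for when, action, ip, ctx in sorted(events, key=lambda e: ts(e[0])):
        spans = history.setdefault(ip, [])
        if spans and spans[-1][1] is None:
            spans[-1][1] = ts(when)  # close the open interval (release, or re-assign after a lost release)
        if action == "assign":
            spans.append([ts(when), None, ctx])
    return history

def owner_at(history, ip, when):
    """Context of the workload that held `ip` at time `when`, or None if unassigned."""
    spans = history.get(ip, [])
    i = bisect_right([s[0] for s in spans], ts(when)) - 1
    if i < 0:
        return None
    start, end, ctx = spans[i]
    return ctx if end is None or ts(when) < end else None

def missed_by_scans(history, scan_times):
    """Instances whose whole lifetime fell between periodic scans."""
    scans = [ts(s) for s in scan_times]
    return [ctx["instance"] for spans in history.values() for start, end, ctx in spans
            if end is not None and not any(start <= s < end for s in scans)]

if __name__ == "__main__":
    h = build_history(EVENTS)
    print(owner_at(h, "10.0.4.17", "2026-03-01T10:25"))
    print(missed_by_scans(h, ["2026-03-01T10:00", "2026-03-01T11:00"]))
```

A "latest owner" snapshot would attribute traffic seen at 10:25 to web-frontend; the interval lookup attributes it to the ci-runner instance, which the hourly scans never observed.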

     

What are the operational benefits of accurate cloud IP discovery?

When IP address visibility accurately matches the actual cloud state, the organization benefits in numerous ways.

  • Security teams can quickly identify what services are exposed.
  • All active workloads are included in network policies.
  • Incident response can quickly identify where the impacted system is.
  • Compliance inventories are accurate.
  • Change impact analysis is simplified.

Because IP addresses are so important to connectivity, accurate IP discovery strengthens multiple operations at once, according to Slurp’it.

As the way cloud service providers operate continues to change, it has become critical for cloud IT operations teams to incorporate continuous discovery into their daily operations. It is therefore becoming an essential function that requires continual resource allocation to ensure the organization meets its compliance standards, improves its security processes, and strengthens governance over hybrid cloud infrastructure. For more information, contact us at Slurp’it!
