As enterprise network security makes the leap to the public cloud, some problems disappear, but organizations need to solve some new ones, too. So, let's assess where we've been and where we're going.
Where we've been
First, doing network security in the data center, we counted on a few things:
- App deployment is under control -- specifically, change control.
- Network infrastructure is static.
- Network security architecture, tightly controlled admin access and change control ensure all traffic is funneled through network security control points -- typically, firewalls -- for security/policy enforcement. That means security teams can focus on that control point to do network security. This problem is well understood and usually solved by your favorite Magic Quadrant crop of next-generation firewalls.
Where we are going
Network security in the public cloud is headed in a few directions:
- App deployment is rapid, which is what the business wants, and chaotic relative to the legacy data center environment:
  - Apps deploy faster.
  - Many people can affect change; developers can add their own infrastructure.
  - There are no limits on rate of change and few limits on types of changes.
- Apps are built using a dizzying array of techniques and architectures, so the network is even more the lingua franca and the best/only place to do security than it was before.
- Network infrastructure is almost equally dynamic. Networking changes occur often, driven by multiple parties -- lots of cooks in the kitchen. From a business perspective, this is often a good thing, as these changes typically facilitate app deployments.
- For more than a year now, spend on the cloud has vastly exceeded spend on data centers, and unlike data centers, the cloud has a new set of security problems still to be solved. Attacks go where the money is, so the big, open security front for enterprises is the cloud.
The bottom line is that, with dynamic network infrastructure and lots of change, it is difficult to have a clear security picture by only looking inside control points. How do you know if you're still in the path everywhere, for all kinds of traffic? The short answer is that you don't. The answer is not for security folks to say no or attempt to control everything, but to become more adaptable. And, notably, this problem is not solved and is getting bigger.
What do security folks need to do?
The industry has evolved on the network security solution:
- For the data center, network security equals firewall box. It can be physical or virtual. Network architecture and network security capacity requirements are stable and relatively predictable. And mature solutions exist.
- In the cloud, the first thought was that provisioning and maintaining virtual boxes was tedious, challenging to scale dynamically, and a poor fit for cloud and the service-based model. And automation -- in the form of scripts wrapped around virtual boxes -- was a stopgap at best. So, firewall as a service (FWaaS) was born, removing the need to manage individual boxes and the need to tend to scaling solutions.
- But FWaaS addressed only the ops issues with appliances. It didn't address the new set of network security needs that cloud presented. First, having a solution that is end-to-end-oriented -- a single TLS session across functions like firewall, intrusion prevention system and web application firewall -- is important. But there is a bigger problem: When the app and network landscape is dynamic, limiting visibility to the traffic passing through the control point, however cloudlike that control point is, creates a false sense of security. In other words, if multiple parties are deploying all sorts of new apps and creating new routes in a relatively uncontrolled fashion, visibility limited to the firewall/control point isn't enough. Network security needs to expand from FWaaS to a global view, something like network security as a service. Network security as a service needs to see all of the app and networking changes -- and their impact -- identify the gaps those changes open up and deploy control points accordingly and automatically. This is the next wave of network security.
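The question raised above -- how do you know the control point is still in the path for all traffic -- can be answered only by looking at the routing outside the firewall. The following is an added illustration, not code from the article or from Valtix: it audits a small, constructed set of cloud route tables and flags any route that sends traffic to an external gateway without passing through the inspection endpoint. The data model (subnet names, targets such as `fw-endpoint-1` and `igw-1`, and the `igw-`/`nat-`/`pcx-`/`vgw-` naming convention) is an assumed simplification of a provider's route tables, not a real API. It also shows why checking the default route alone is not enough: a more specific route added later wins longest-prefix matching and silently bypasses the control point.

```python
"""Audit constructed route tables for paths that bypass an inspection control point.

Added example. The route-table model here is a simplified stand-in for a cloud
provider's VPC/VNet routing, not a real SDK; names are assumptions.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    destination: str  # CIDR prefix the route matches
    target: str       # next hop: "local", an inspection endpoint, or a gateway id


# Constructed sample: three subnets and their route tables.
# "subnet-data" looks protected (default route -> firewall) but a more specific
# route to 203.0.113.0/24 was added straight to the internet gateway.
ROUTE_TABLES = {
    "subnet-app": [
        Route("10.0.0.0/16", "local"),
        Route("0.0.0.0/0", "fw-endpoint-1"),
    ],
    "subnet-dev": [
        Route("10.0.0.0/16", "local"),
        Route("0.0.0.0/0", "igw-1"),
    ],
    "subnet-data": [
        Route("10.0.0.0/16", "local"),
        Route("0.0.0.0/0", "fw-endpoint-1"),
        Route("203.0.113.0/24", "igw-1"),
    ],
}

# Targets that represent the inspection control point (assumed identifiers).
INSPECTION_TARGETS = {"fw-endpoint-1"}

# Assumed naming convention for next hops that leave the inspected path.
EXTERNAL_PREFIXES = ("igw-", "nat-", "pcx-", "vgw-")


def resolve(routes, ip):
    """Return the target chosen for `ip` by longest-prefix match, or None."""
    addr = ipaddress.ip_address(ip)
    best = None
    for r in routes:
        net = ipaddress.ip_network(r.destination)
        if addr in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, r.target)
    return best[1] if best else None


def find_bypasses(route_tables, inspection_targets=INSPECTION_TARGETS,
                  external_prefixes=EXTERNAL_PREFIXES):
    """List (subnet, destination, target) for every route that reaches an
    external gateway without going through an inspection target."""
    findings = []
    for subnet, routes in route_tables.items():
        for r in routes:
            if r.target == "local" or r.target in inspection_targets:
                continue
            if r.target.startswith(external_prefixes):
                findings.append((subnet, r.destination, r.target))
    return findings


def uninspected_subnets(route_tables, inspection_targets=INSPECTION_TARGETS):
    """Subnets with at least one path that skips the control point."""
    return sorted({s for s, _, _ in find_bypasses(route_tables, inspection_targets)})


if __name__ == "__main__":
    for subnet, dest, target in find_bypasses(ROUTE_TABLES):
        print(f"{subnet}: {dest} -> {target} bypasses inspection")
    # The default route of subnet-data points at the firewall, yet a host in
    # 203.0.113.0/24 is reached via the internet gateway because of the more
    # specific route.
    print("subnet-data to 203.0.113.5 ->", resolve(ROUTE_TABLES["subnet-data"], "203.0.113.5"))
    print("subnet-data to 198.51.100.7 ->", resolve(ROUTE_TABLES["subnet-data"], "198.51.100.7"))
```

Run against a real environment, the same logic would be fed by a periodic export of every route table rather than the inline sample, and the finding list is what drives the "deploy control points accordingly and automatically" step the article calls for: the audit is only useful if it runs on every routing change, not once at design time.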
About the author
Vishal Jain is the co-founder and CTO of Valtix. Jain is a seasoned executive and has held engineering leadership roles across many successful startups and big companies in the networking and security space.