Why is the cloud changing network security?

30/06/2021

As corporate network security makes the leap to the public cloud, some problems disappear, but organizations also need to solve some new ones. So let's assess where we've been and where we're going.

Where we were

First, when it comes to securing the network in the data center, we have a few basic things:

  1. Application deployment is under control - specifically, change control.
  2. The network infrastructure is static.
  3. Network security architecture, tightly controlled administrator access and change control ensure that all traffic is channeled through network security control points - usually firewalls - to enforce security and usage policies. This means that security teams can focus on this control point to secure the network.

Where we're going

Network security in the public cloud follows a few directions:

  1. Deploying the application is fast, which is what the company wants, and chaotic compared to the legacy data center environment:
  • Applications are deployed more quickly.
  • Many people can affect the change and developers can add their own infrastructure.
  • There are no limits to the rate of change and few limits to the types of change.
  • Applications are built using a variety of techniques and architectures, so the network is even more clearly the best, and often the only, place to enforce security than it was before.
  2. Network infrastructure is almost equally dynamic. Network changes occur frequently, driven by various parties. From a business point of view, this is generally a good thing, as these changes are usually made to facilitate application deployments.
  3. For more than a year, spending in the cloud has far exceeded spending in data centers and, unlike data centers, there is a new set of security problems yet to be solved in the cloud. Attacks go where the money is, so the big security front open to companies is the cloud.

The bottom line is that, with dynamic network infrastructure and many changes, it is difficult to get a clear view of security just by looking inside the control points.

How do you know whether you are still covered everywhere, for all types of traffic? The short answer is that you don't. The answer is not for security personnel to have a say in or try to control everything, but to become more adaptable. And, remarkably, this problem has not been solved and is getting bigger all the time.

What do security personnel need to do?

The industry has evolved in network security solutions:

  1. For the data center, network security is the same as the firewall box. It can be physical or virtual. Network architecture and network security capacity requirements are stable and relatively predictable. And there are mature solutions.
  2. In the cloud, the first thought was that provisioning and maintaining virtual boxes was tedious, challenging to scale dynamically and an inappropriate fit for the cloud and the service-based model. And automation - in the form of scripts wrapped around virtual boxes - was a stopgap at best.

    Thus, firewall as a service (FWaaS) was born, eliminating the need to manage individual boxes and the need to take care of scaling solutions.

  3. But FWaaS only addressed the operational problems with appliances; it did not address the new set of network security needs that the cloud presented.

    First of all, it's important to have an end-to-end solution, one in which a single TLS session is handled across functions such as the firewall, intrusion prevention system and web application firewall.

    But there's a bigger problem: limiting visibility to traffic passing through the control point, regardless of how cloud-like that control point is, when the application and network landscape are dynamic, creates a false sense of security.

    In other words, if several parties are deploying all kinds of new applications and creating new routes in a relatively uncontrolled way, visibility limited to the firewall / control point is not enough. Network security needs to be expanded from FWaaS to a global view, something like network security as a service.

    Network security as a service needs to see all application and network changes - and their impact - identify the gaps these changes open up and deploy control points accordingly and automatically. This is the next wave of network security.
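As an added illustration (not code from the original post or from Conversys), the following Python snippet shows the kind of check a "global view" has to perform: given two snapshots of cloud route tables, it finds subnets whose internet-bound path no longer passes through a firewall control point, including the case where a more-specific route steers one prefix around it. The table format, the control-point identifiers and all route data are constructed assumptions.

```python
from ipaddress import ip_address, ip_network

# Hypothetical identifiers for next hops that are the firewall service (assumed).
CONTROL_POINTS = {"fw-endpoint-a", "fw-endpoint-b"}

def lookup(routes, dst):
    """Longest-prefix match over [(cidr, next_hop), ...]; None if nothing matches."""
    addr = ip_address(dst)
    best = None
    for cidr, hop in routes:
        net = ip_network(cidr)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop)
    return best[1] if best else None

def control_point_gaps(tables, control_points=CONTROL_POINTS, probe="203.0.113.10"):
    """Return {table_name: next_hop} for tables whose internet-bound path skips the
    firewall. `probe` is a TEST-NET address standing in for any internet destination."""
    gaps = {}
    for name, routes in tables.items():
        hop = lookup(routes, probe)
        if hop is not None and hop not in control_points:
            gaps[name] = hop
    return gaps

def new_gaps(before, after, **kw):
    """Gaps present in `after` that `before` did not have: the impact of a change."""
    old = control_point_gaps(before, **kw)
    return {k: v for k, v in control_point_gaps(after, **kw).items() if old.get(k) != v}

# Constructed snapshots, not real cloud data: {table_name: [(cidr, next_hop), ...]}.
BASELINE = {
    "rt-app-subnets": [("10.0.0.0/16", "local"), ("0.0.0.0/0", "fw-endpoint-a")],
    "rt-db-subnets":  [("10.0.0.0/16", "local")],   # no internet route at all
}
# Later snapshot: a new sandbox table uses an internet gateway directly, and a
# more-specific route in the app table sends one prefix around the firewall.
CURRENT = {
    "rt-app-subnets": [("10.0.0.0/16", "local"), ("0.0.0.0/0", "fw-endpoint-a"),
                       ("203.0.113.0/24", "igw-direct")],
    "rt-db-subnets":  [("10.0.0.0/16", "local")],
    "rt-dev-sandbox": [("10.0.0.0/16", "local"), ("0.0.0.0/0", "igw-direct")],
}

if __name__ == "__main__":
    for table, hop in new_gaps(BASELINE, CURRENT).items():
        print(f"GAP: {table} reaches the internet via {hop}, not a firewall control point")
```

Run against periodic snapshots, the same comparison turns "someone added a route" into "these subnets now bypass the control point", which is the gap the text says must be closed automatically.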

About Conversys

Conversys IT Solutions is a provider of Information and Communication Technology services and solutions operating throughout Brazil.

With a highly qualified technical and commercial team and a network of partners that includes the main global technology manufacturers, Conversys IT Solutions is able to deliver customized IT and Telecom Infrastructure solutions to clients.

We invest in our employees and partners and strive for a long-lasting relationship with our clients, because we believe that this is how we gain the skills and knowledge we need to innovate and generate value for the businesses in which we operate.
