Dark Reading is part of the Informa Tech Division of Informa PLC

10:00 AM
Larry Alston, General Manager of Cloud, Tufin
Sponsored Article

Centralized Security Policy Management Across Hybrid Cloud Environments Should be an Obvious Strategy

If cloud adoption continues to grow at the anticipated rate over the next few years, the mandate to deploy a strategy built around centralized security policy management will grow with it. Comprehensive visibility, and the ability to apply policies quickly at the most granular level, will let enterprises embrace the agility of the cloud with confidence.

When it comes to access security strategy, too many enterprises focus only on enforcement points such as firewalls or access brokers. That leaves a significant gap, and a larger attack surface, in hybrid environments that lack centralized management of their security policies.

As cloud adoption grew year over year, it was assumed that the de facto on-prem approach to security policy management, "rinse and repeat," would simply work in the new environment. Instead, the pace of migration to the cloud opened up vulnerabilities that required ever more manual intervention and configuration. Managing security policies in the cloud with the same approach used on-prem was a flawed strategy.

The complexity of cloud and hybrid management has brought new challenges to the enterprise, because cloud deployments range from small, project-based virtual deployments to cloud-native solutions to full "lift-and-shift" environments.

The need to comprehensively manage security policies across cloud and hybrid environments has become critical and comes with the following mandates. Organizations must:

a) retain the agility and speed of cloud deployment,

b) accurately project and control costs,

c) reduce the risk of misconfiguration and meet compliance requirements.

As with other evolving technology challenges, enterprises have tried to address these complexities in multiple ways. Many are learning the hard way as they struggle to integrate and secure disparate networks.

A Flawed Approach

Most firewall vendors offer the enterprise solutions that provide centralized policy management. These tools, however, are built with only one vendor in mind and assume that whenever you add more workloads, on-prem or in the cloud, you will keep buying that vendor's firewall. On the surface it looks fine, but as many enterprises have realized, this approach runs counter to a true cloud-native approach, which fosters speed, efficiency and scale and lets organizations reap the key benefits of cloud agility. Obscured visibility and vendor lock-in (with inadequate tooling) only limit the potential of the enterprise.

The additional control planes and multiple firewalls that define hybrid environments can open up significant risk due to misconfiguration and human error. This becomes especially true as organizations introduce additional vendors for different areas of the network, each managing policies based on their own underlying infrastructure.

Unexpected overhead cost is another issue, as organizations struggle to forecast cloud growth accurately. Almost every enterprise has underestimated the speed and scale at which its cloud footprint grows. That growth has blindsided many IT budget holders, because overhead costs climb with each additional agent and control plane introduced by firewall vendors, all intended to centralize security policy management.

A Simpler Approach

There is a way to manage the cost and complexity. Security policy management across an entire hybrid cloud environment can be simplified with a single vendor-agnostic solution. Cloud-mature enterprises often say that their path to the cloud started with the intention of saving costs; quickly, however, the inherent agility of cloud adoption overtook the economic drivers. The most sophisticated enterprises recognized that a vendor-locked network does not aid agility and adds overhead, undermining the goal of reduced operational cost.

A vendor-agnostic solution that centralizes security policy management enables an enterprise through:

Visibility: End-to-end visibility of the entire network allows the enterprise to understand "who is talking to whom" and eliminate blind spots. It does not limit visibility to those parts of the network under a particular control plane but provides a clear view across on-prem, public and private cloud environments from multiple vendors.

Security Guardrails: Comprehensive visibility of the network ensures newly created policies address security gaps and reduce risk while simultaneously granting more granular control.

Compliance Control: Central policy management addresses the problems caused by silos, a major issue in the cloud because the environment is micro-segmented. Compliance requirements can be met across every environment in the enterprise network, easing an ongoing challenge for security teams.

Automation: A major avenue for agility in cloud is the continuous integration and continuous delivery (CI/CD) pipeline. With automation at the core of cloud deployments, centralized security policy management assists the CI/CD pipeline by introducing security earlier in the cycle, avoiding delays down the road due to non-adherence to policy.
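To make the visibility, guardrail and CI/CD points concrete, here is an added example that is not Tufin's product or code from this article. It normalizes ingress rules from two control planes into one model and evaluates central guardrails against all of them, the kind of check that would run as a pipeline gate before a change is applied. The AWS security-group shape follows the public API's field names; the on-prem export format, the `fw1` and `sg-example` identifiers, the trusted-range list and the two guardrails are assumptions chosen for illustration, and the sample inputs are constructed.

```python
"""Vendor-agnostic guardrail check over rules from two control planes.

Added example: normalizes ingress rules into a common model, then evaluates
central policy against all of them regardless of which vendor produced them.
"""
import ipaddress
from dataclasses import dataclass
from typing import Callable, Iterable, List, Tuple


@dataclass(frozen=True)
class Rule:
    origin: str      # which control plane the rule came from
    src_cidr: str
    proto: str
    port_from: int
    port_to: int


# Constructed sample input: shaped like an AWS EC2 security group (field
# names follow the public API); the group id and its rules are made up.
AWS_SG = {
    "GroupId": "sg-example",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
         "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        {"IpProtocol": "-1",            # AWS: all protocols, no port keys
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}]},
    ],
}

# Constructed sample input in a hypothetical on-prem firewall export format:
# "permit <proto> <src-cidr> <dst> <port | lo-hi>"
ONPREM_RULES = [
    "permit tcp 10.0.0.0/8 any 3389",
    "permit tcp 203.0.113.0/24 any 1-65535",
]


def normalize_aws(sg: dict) -> List[Rule]:
    """Flatten security-group permissions into one Rule per source CIDR."""
    rules = []
    for perm in sg["IpPermissions"]:
        proto = perm["IpProtocol"]
        if proto == "-1":               # "-1" means every protocol and port
            proto, lo, hi = "any", 0, 65535
        else:
            lo, hi = perm["FromPort"], perm["ToPort"]
        cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        for cidr in cidrs:
            rules.append(Rule(f"aws:{sg['GroupId']}", cidr, proto, lo, hi))
    return rules


def normalize_onprem(lines: Iterable[str]) -> List[Rule]:
    """Parse the hypothetical export format; a single port becomes lo == hi."""
    rules = []
    for line in lines:
        action, proto, src, _dst, ports = line.split()
        if action != "permit":
            continue
        lo, _, hi = ports.partition("-")
        rules.append(Rule("onprem:fw1", src, proto, int(lo), int(hi or lo)))
    return rules


# Assumed trusted sources: RFC 1918 only. Deliberately not ipaddress.is_private,
# which also counts documentation ranges such as 203.0.113.0/24 as private.
TRUSTED = [ipaddress.ip_network(c)
           for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ADMIN_PORTS = {22, 3389}


def is_trusted(cidr: str) -> bool:
    net = ipaddress.ip_network(cidr, strict=False)
    return any(net.version == t.version and net.subnet_of(t) for t in TRUSTED)


def exposes_admin(rule: Rule) -> bool:
    """Admin port reachable from an untrusted source, whatever the vendor."""
    return (not is_trusted(rule.src_cidr)
            and any(rule.port_from <= p <= rule.port_to for p in ADMIN_PORTS))


def wide_range(rule: Rule) -> bool:
    """More than 1024 ports opened to an untrusted source."""
    return (not is_trusted(rule.src_cidr)
            and rule.port_to - rule.port_from + 1 > 1024)


POLICY: List[Tuple[str, Callable[[Rule], bool]]] = [
    ("no-admin-ports-from-untrusted", exposes_admin),
    ("no-wide-port-range-from-untrusted", wide_range),
]


def evaluate(rules: Iterable[Rule], policy=POLICY) -> List[Tuple[str, Rule]]:
    return [(name, r) for r in rules for name, check in policy if check(r)]


def run_gate() -> List[Tuple[str, Rule]]:
    """Everything the pipeline gate would evaluate, across both vendors."""
    return evaluate(normalize_aws(AWS_SG) + normalize_onprem(ONPREM_RULES))


if __name__ == "__main__":
    violations = run_gate()
    for name, r in violations:
        print(f"{name}: {r.origin} allows {r.proto} "
              f"{r.port_from}-{r.port_to} from {r.src_cidr}")
    raise SystemExit(1 if violations else 0)
```

Run as a script it exits non-zero when any guardrail fails, which is what lets a pipeline stop a change before it reaches either control plane. The point of the normalization step is that the guardrails are written once against `Rule`, not once per vendor; adding a third control plane means adding a normalizer, not rewriting policy.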

The goal of a centralized security policy management strategy should be to ensure agility is unimpeded, economic efficiency is maintained, and complexity due to misconfiguration is eliminated.

About the Author: 

Larry Alston, General Manager of Cloud, Tufin: Prior to joining Tufin in 2019, Larry Alston held senior and executive management roles at Teradata, Altisource, FuseSource, IONA, and Excelon. As Tufin champions the adoption of security policy management in the cloud, Alston is responsible for all aspects of Tufin's cloud-native business.

