Dark Reading is part of the Informa Tech Division of Informa PLC


10:00 AM
Larry Alston, General Manager of Cloud, Tufin
Sponsored Article

Centralized Security Policy Management Across Hybrid Cloud Environments Should be an Obvious Strategy

If cloud adoption continues to grow at the anticipated rate over the next few years, the mandate to deploy a strategy that includes a centralized security policy management will also grow. Comprehensive visibility and the ability to quickly apply policies at the most granular levels will allow enterprises to embrace the agility of a more secure cloud with confidence.

When it comes to an access security strategy, too many of today's enterprises are focusing only on enforcement points such as firewalls or access brokers. This leaves a significant gap — and an increased attack surface — for hybrid environments that do not include centralized management for their security policies.

As cloud adoption continued to grow year-over-year, it was assumed that the de facto approach to on-prem security policy management of "rinse and repeat" would just work in this new environment. Instead, the rate of migration to the cloud opened up vulnerabilities that required an increasing amount of manual intervention and configuration. Managing security policies in the cloud using the same approach as on-prem was a flawed strategy.

The complexity of cloud and hybrid management has brought new challenges to the enterprise as cloud deployments can range from small, project-based virtual deployments to cloud-native solutions to full "lift-and-shift" environments.

The need to comprehensively manage security policies across cloud and hybrid environments has become critical and comes with the following mandates. Organizations must:

a) retain the agility and speed of cloud deployment,
b) accurately project and control costs,
c) reduce risk due to misconfigurations and compliance requirements.

Like other evolving technology challenges, enterprises have tried to address these complexities in multiple ways. Many are learning the hard way as they struggle to successfully integrate and secure disparate networks.

A Flawed Approach

Most firewall vendors offer solutions to the enterprise that provide centralized policy management. These tools, however, are built with only one vendor in mind and assume that whenever you add more workloads — on-prem or in the cloud — you will continue to purchase their firewall. At the periphery it looks fine, but as many enterprises have realized, this approach runs counter to a true cloud-native approach. A true cloud-native approach fosters ideals of speed, efficiency and scale, allowing organizations to reap the key benefits of cloud agility. Obscured visibility and vendor lock-in (with inadequate tooling) only limit the potential of the enterprise.

The additional control planes and multiple firewalls that define hybrid environments can open up significant risk due to misconfiguration and human error. This becomes especially true as organizations introduce additional vendors for different areas of the network, each managing policies based on their own underlying infrastructure.

The unexpected overhead costs are another issue as organizations struggle to accurately forecast cloud growth. Almost every enterprise has underestimated the speed and scale at which their cloud footprint grows. This growth has blindsided many IT budget holders when overhead costs increase exponentially with each additional agent and control plane introduced by firewall vendors—all intended to centralize security policy management.

A Simpler Approach

There is a way to manage the cost and complexity. Security policy management across entire hybrid cloud environments can be simplified using a single vendor-agnostic solution. Cloud-mature enterprises often state that their path to the cloud started with the intention to save costs. Quickly, however, the inherent agility of cloud adoption surpassed the economic drivers. The most sophisticated enterprises recognized that a vendor-locked network does not aid agility and adds overhead, diminishing the goal of reduced operational costs.

A vendor-agnostic solution that centralizes security policy management enables an enterprise through:

Visibility: End-to-end visibility of the entire network allows enterprises to understand "who is talking to whom" and eliminate blind spots. It does not limit visibility to only those aspects of the network under a certain control plane but provides a clear view across on-prem, public and private cloud environments from multiple vendors.

Security Guardrails: Comprehensive visibility of the network ensures newly created policies address security gaps and reduce risk while simultaneously granting more granular control.

Compliance Control: Central policy management addresses the issues caused by silos, a major issue in the cloud as the environment is micro-segmented. Compliance requirements can be met across all environments in the enterprise network, easing the ongoing challenge for security teams.

Automation: A major avenue for agility in cloud is the continuous integration and continuous delivery (CI/CD) pipeline. With automation at the core of cloud deployments, centralized security policy management assists the CI/CD pipeline by introducing security earlier in the cycle, avoiding delays down the road due to non-adherence to policy.

The goal of a centralized security policy management strategy should be to ensure agility is unimpeded, economic efficiency is maintained, and complexity due to misconfiguration is eliminated.

The second part of the "Security Policy Management in the Cloud" series is available here.

About the Author:

Larry Alston, General Manager of Cloud, Tufin: Prior to joining Tufin in 2019, Larry Alston held senior and executive management roles at Teradata, Altisource, FuseSource, IONA, and Excelon. As Tufin champions the adoption of security policy management in the cloud, Alston is responsible for all aspects of Tufin's cloud-native business.
