When it comes to an access security strategy, too many of today's enterprises are focusing only on enforcement points such as firewalls or access brokers. This leaves a significant gap — and an increased attack surface — for hybrid environments that do not include centralized management for their security policies.
As cloud adoption continued to grow year-over-year, it was assumed that the de facto approach to on-prem security policy management of "rinse and repeat" would just work in this new environment. Instead, the rate of migration to the cloud opened up vulnerabilities that required an increasing amount of manual intervention and configuration. Managing security policies in the cloud using the same approach as on-prem was a flawed strategy.
The complexity of cloud and hybrid management has brought new challenges to the enterprise as cloud deployments can range from small, project-based virtual deployments to cloud-native solutions to full "lift-and-shift" environments.
The need to comprehensively manage security policies across cloud and hybrid environments has become critical and comes with the following mandates. Organizations must:
a) retain the agility and speed of cloud deployment,
b) accurately project and control costs,
c) reduce risk due to misconfigurations and compliance requirements.
Like other evolving technology challenges, enterprises have tried to address these complexities in multiple ways. Many are learning the hard way as they struggle to successfully integrate and secure disparate networks.
A Flawed Approach
Most firewall vendors offer solutions to the enterprise that provide centralized policy management. These tools, however, are built with only one vendor in mind and assume that whenever you add more workloads — on-prem or in the cloud — you will continue to purchase their firewall. At the periphery it looks fine, but as many enterprises have realized, this approach is counter to a true cloud-native approach. A true cloud-native approach fosters ideals of speed, efficiency and scale, allowing organizations to reap the key benefits of cloud agility. Obscured visibility and vendor lock-in (with inadequate tooling) only limit the potential of the enterprise.
The additional control planes and multiple firewalls that define hybrid environments can open up significant risk due to misconfiguration and human error. This becomes especially true as organizations introduce additional vendors for different areas of the network, each managing policies based on their own underlying infrastructure.
The unexpected overhead costs are another issue as organizations struggle to accurately forecast cloud growth. Almost every enterprise has underestimated the speed and scale at which their cloud footprint grows. This growth has blindsided many IT budget holders when overhead costs increase exponentially with each additional agent and control plane introduced by firewall vendors — all intended to centralize security policy management.
A Simpler Approach
There is a way to manage the cost and complexity. Security policy management across entire hybrid cloud environments can be simplified using a single vendor-agnostic solution. Cloud-mature enterprises often state that their path to the cloud started with the intention to save costs. Quickly, however, the inherent agility of cloud adoption surpassed the economic drivers. The most sophisticated enterprises recognized that a vendor-locked network does not aid agility and adds overhead, diminishing the goal of reduced operational costs.
A vendor-agnostic solution that centralizes security policy management enables an enterprise through:
Visibility: End-to-end visibility of the entire network allows the enterprise to understand "who is talking to whom" and eliminate blind spots. It does not limit visibility to only those aspects of the network under a certain control plane but provides a clear view across on-prem, public and private cloud environments from multiple vendors.
Security Guardrails: Comprehensive visibility of the network ensures newly created policies address security gaps and reduce risk while simultaneously granting more granular control.
Compliance Control: Central policy management addresses the issues caused by silos, a major issue in the cloud as the environment is micro-segmented. Compliance requirements can be met across all environments in the enterprise network, easing the ongoing challenge for security teams.
Automation: A major avenue for agility in the cloud is the continuous integration and continuous delivery (CI/CD) pipeline. With automation at the core of cloud deployments, centralized security policy management assists the CI/CD pipeline by introducing security earlier in the cycle, avoiding delays down the road due to non-adherence to policy.
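To make the guardrail and automation points concrete, here is an added example (not Tufin's code or product) of the kind of vendor-agnostic policy gate a CI/CD stage can run before firewall or security-group changes are applied. Rules exported from two control planes, a hypothetical on-prem firewall and a hypothetical cloud security group, are normalized into one schema and checked against a small central policy; every field name, CIDR and rule below is a constructed assumption for illustration.

```python
"""
Added example, not Tufin's code: a vendor-agnostic policy gate that a
CI/CD stage could run before firewall or security-group changes are
applied. Rules from two control planes (a constructed on-prem firewall
export and a constructed cloud security-group export) are normalized
into one schema and checked against a small central policy. Every
name, CIDR and field below is an assumption made for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_network
from typing import Dict, List, Tuple

ANY_PORTS = (0, 65535)


@dataclass(frozen=True)
class Rule:
    origin: str             # control plane the rule came from
    name: str
    src: str                # source CIDR (inbound rules only here)
    dst: str                # destination CIDR
    protocol: str           # "tcp", "udp" or "any"
    ports: Tuple[int, int]  # inclusive range; ANY_PORTS means all
    action: str             # "allow" or "deny"


def _cidr(value: str) -> str:
    """Map a vendor's 'any' keyword onto an explicit CIDR."""
    return "0.0.0.0/0" if value == "any" else value


def from_onprem_fw(raw: Dict) -> Rule:
    """Hypothetical firewall export: 'service' is 'tcp/22', 'udp/53' or 'any'."""
    if raw["service"] == "any":
        proto, ports = "any", ANY_PORTS
    else:
        proto, port = raw["service"].split("/")
        ports = (int(port), int(port))
    return Rule("onprem-fw", raw["name"], _cidr(raw["from"]), _cidr(raw["to"]),
                proto, ports, raw["action"])


def from_cloud_sg(raw: Dict) -> Rule:
    """Hypothetical cloud security-group export: '-1' means any protocol,
    and the subnet the group is attached to stands in for the destination."""
    if raw["IpProtocol"] == "-1":
        proto, ports = "any", ANY_PORTS
    else:
        proto, ports = raw["IpProtocol"], (raw["FromPort"], raw["ToPort"])
    return Rule("cloud-sg", raw["GroupName"], raw["CidrIp"],
                raw["AttachedTo"], proto, ports, "allow")


# Central policy, written once and applied to every control plane.
INTERNET = ip_network("0.0.0.0/0")
APP_TIER = ip_network("10.10.0.0/24")   # constructed tier addressing
DB_TIER = ip_network("10.20.0.0/24")
ADMIN_PORTS = (22, 3389)


def evaluate(rules: List[Rule]) -> List[Tuple[str, str, str]]:
    """Return (origin, rule name, reason) for every guardrail violation."""
    violations = []
    for r in rules:
        if r.action != "allow":
            continue
        src, dst = ip_network(r.src), ip_network(r.dst)
        lo, hi = r.ports
        # Guardrail 1: admin ports are never reachable from the Internet.
        if src == INTERNET and any(lo <= p <= hi for p in ADMIN_PORTS):
            violations.append((r.origin, r.name, "admin port open to 0.0.0.0/0"))
        # Guardrail 2: no any-source / any-protocol / any-port allow rules.
        if src == INTERNET and r.protocol == "any" and r.ports == ANY_PORTS:
            violations.append((r.origin, r.name, "any/any allow rule"))
        # Guardrail 3: the database tier is reachable only from the app tier.
        if dst.overlaps(DB_TIER) and not src.subnet_of(APP_TIER):
            violations.append((r.origin, r.name, "db tier reachable from outside app tier"))
    return violations


def gate(rules: List[Rule]) -> bool:
    """CI/CD gate: True means the proposed change may proceed."""
    return not evaluate(rules)


# Constructed sample exports from both control planes.
ONPREM_EXPORT = [
    {"name": "fw-allow-web", "from": "any", "to": "10.10.0.0/24",
     "service": "tcp/443", "action": "allow"},
    {"name": "fw-allow-ssh", "from": "any", "to": "10.10.0.0/24",
     "service": "tcp/22", "action": "allow"},
]
CLOUD_EXPORT = [
    {"GroupName": "sg-db", "IpProtocol": "tcp", "FromPort": 5432,
     "ToPort": 5432, "CidrIp": "10.10.0.0/24", "AttachedTo": "10.20.0.0/24"},
    {"GroupName": "sg-db-open", "IpProtocol": "-1", "CidrIp": "0.0.0.0/0",
     "AttachedTo": "10.20.0.0/24"},
]


def sample_rules() -> List[Rule]:
    return ([from_onprem_fw(r) for r in ONPREM_EXPORT]
            + [from_cloud_sg(r) for r in CLOUD_EXPORT])


if __name__ == "__main__":
    for v in evaluate(sample_rules()):
        print("BLOCK", *v)
    raise SystemExit(0 if gate(sample_rules()) else 1)
```

Run as a pipeline step, the script exits non-zero whenever any rule from any control plane breaks the central policy, so the change is stopped before it reaches a firewall or a cloud account rather than being found later in an audit. The normalizers are the vendor-specific part; the policy itself is written once against the common schema, which is what keeps the check from growing with every new vendor added to the network.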
The goal of a centralized security policy management strategy should be to ensure agility is unimpeded, economic efficiency is maintained, and complexity due to misconfiguration is eliminated.
The second part of the "Security Policy Management in the Cloud" series is available here.
About the Author:
Larry Alston, General Manager of Cloud, Tufin: Prior to joining Tufin in 2019, Larry Alston previously held senior and executive management roles at Teradata, Altisource, FuseSource, IONA, and Excelon. As Tufin champions the adoption of security policy management in the cloud, Alston is responsible for all aspects of Tufin's cloud-native business.