An integrated approach is the best way to provide organizations with the tools they need to decrease the attack surface and use strong security controls.

John Grady, Analyst at Enterprise Strategy Group

October 10, 2019


Cloud and mobility have been driving transformative changes in the way we work for nearly a decade and continue to rank among the top macro trends affecting the IT landscape today. In fact, many organizations have begun to build their entire business strategy around cloud capabilities. Enterprise Strategy Group research found that 39% of organizations now follow a "cloud-first" strategy when deploying new applications, up from 29% just a year ago.

By its nature, cloud computing puts distance between users and resources, creating a strain on legacy network capabilities. This is especially true of a traditional hub-and-spoke networking model that incorporates siloed security technologies. This type of approach introduces three key issues:

1. Degradation of performance and user experience: When traffic destined for cloud applications is first routed back to the campus and through the on-premises security stack, quality of service is negatively affected.

2. Limited visibility: Security tools can't control what they can't see, and without a full understanding of applications, users, devices, data, and other context, proper enforcement cannot occur.

3. Inconsistent policies: Appliance sprawl and disparate management consoles have left many organizations with a siloed rather than unified approach to security, which can limit both efficiency and efficacy.

The traditional approach is now changing as network technology becomes more dynamic and intelligently manages traffic based on users, applications, connections, and locations. The growing adoption of SD-WAN to improve network efficiency and management, especially relative to remote office/branch office (ROBO) locations, is a good example of this.

As the network evolves, security controls and how they integrate into the new architecture (including SD-WAN) must also be reevaluated. Security solutions must plug seamlessly into network technologies and shift control points to the edge, with centralized management and distributed enforcement. Specifically, ESG sees security tools converging onto a cloud-native, microservices-based platform, an extensible architecture it calls elastic cloud gateways (ECGs). ECGs are multichannel, multimode, cloud-delivered security services built on a globally distributed platform; they provide end-user access, threat prevention, and content inspection at the network edge.

Because the architecture is extensible, the technologies that make up the multichannel aspect of ECGs can vary. However, to address the SD-WAN-enabled, direct-to-internet ROBO use case, there are some logical components. These include secure web gateway (SWG), cloud access security broker (CASB), data loss prevention (DLP), and firewall functionality. Additionally, with the share of encrypted web traffic growing by the day, SSL/TLS decryption for full visibility is important now and will quickly become a prerequisite. In practice decryption is never universal: certificate-pinned applications and regulated categories such as banking or health have to be exempted, so a gateway also needs a policy for what it does with traffic it cannot open.

Other technologies may include DNS protection and advanced threat prevention capabilities, or a software-defined perimeter (SDP) for zero-trust access. Integration with SD-WAN technologies enables enforcement of policy based on who the user is, what device they are on, and what part of the network they are connecting through. It also facilitates improved coordination between security and non-security stakeholders to drive consistent policies based on business needs. Depending on the context, either part or the entirety of the ECG stack may be applied to a given flow. Regardless of the specific list of technologies, integrating multiple capabilities into a single solution simplifies management, makes policy more consistent, and, with fewer gaps in the security posture, improves efficacy.

Integrating SWG, CASB, DLP, firewall, and other capabilities is difficult to do at scale in an on-premises deployment. In fact, this has been one of the main drawbacks to the traditional model of using unified threat management (UTM) devices at the branch. The static nature of on-premises solutions becomes a larger problem as the number of security services increases, especially compute-intensive ones such as SSL decryption.

However, the cloud-native architecture of ECGs provides elasticity through microservices, which automatically scale up or down based on demand. This can enable traffic inspection for content control (i.e., DLP), threat prevention, and SSL decryption to occur without degrading the user experience or overprovisioning capacity. Furthermore, the cloud-native aspect of ECGs better aligns security to the cloud from a consumption perspective — not only relative to the shift from capex to opex but also by utilizing metering based on a combination of users, traffic volume, applications protected, or security services so that organizations are only charged for the resources they use while protection dynamically scales up or down based on the current need.

Finally, the multimode aspect of elastic cloud gateways builds upon CASB capabilities and is important for full control and visibility over both sanctioned and unsanctioned cloud applications. ECGs can be deployed inline, as a forward proxy for managed devices or as a reverse proxy in front of sanctioned applications, which gives real-time threat protection and blocking. Alternatively, ECGs can use an out-of-band deployment through cloud application API integrations, which adds no latency to the user's session and provides retrospective analysis and policy enforcement, but only for sanctioned applications that expose such an API. This flexibility enables organizations to meet their specific needs and priorities, be it real-time enforcement or maintaining quality of service.
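The two preceding paragraphs describe policy that selects part or all of the inspection stack per flow, based on user, device and location, and the choice between inline and API-mode enforcement. The following is an added illustration of how such a policy engine can be modelled; it is not code from the article or from any vendor's product. The service names, the rule shape, the ordering constraint (payload inspection only after decryption) and the sample flows are all assumptions made for the example.

```python
# Added example (not from the article): a first-match, default-deny policy that
# chooses which gateway services a flow traverses from its user, device posture,
# location and destination app. Service names, rule shape and sample flows are
# assumptions for illustration, not any vendor's policy language.
from dataclasses import dataclass
from typing import Optional

# Services in the order a flow must traverse them. Payload inspection (dlp, atp)
# only sees plaintext, so it can never precede tls_decrypt; swg and casb can
# fall back to SNI- or category-level decisions on undecrypted traffic.
SERVICE_ORDER = ("firewall", "dns", "tls_decrypt", "swg", "casb", "dlp", "atp")
PAYLOAD_SERVICES = {"dlp", "atp"}


@dataclass(frozen=True)
class FlowContext:
    user_group: str        # identity group asserted by the IdP
    device_managed: bool   # endpoint posture check passed
    source_site: str       # "branch", "hq" or "remote"
    dest_app: str          # application resolved from SNI/URL
    app_sanctioned: bool   # present in the approved-app catalogue
    decrypt_exempt: bool   # pinned-cert or regulated app; cannot be decrypted inline


@dataclass(frozen=True)
class Rule:
    name: str
    match: dict            # context field -> required value; all must match
    action: str            # "allow" or "block"
    inline: tuple = ()     # services the flow traverses in real time
    api: tuple = ()        # services applied out of band via the app's API

    def matches(self, ctx: FlowContext) -> bool:
        return all(getattr(ctx, f) == v for f, v in self.match.items())


@dataclass(frozen=True)
class Decision:
    rule: str
    action: str
    inline: tuple
    api: tuple


DEFAULT_DENY = Decision("default-deny", "block", (), ())


def check_chain(chain) -> Optional[str]:
    """Return a description of what is wrong with an inline chain, or None if it is sound."""
    unknown = [s for s in chain if s not in SERVICE_ORDER]
    if unknown:
        return f"unknown service(s) {unknown}"
    order = [SERVICE_ORDER.index(s) for s in chain]
    if order != sorted(order):
        return f"chain out of order: {chain}"
    if PAYLOAD_SERVICES & set(chain) and "tls_decrypt" not in chain:
        return f"payload inspection without tls_decrypt: {chain}"
    return None


def load_policy(rules):
    """Reject a bad chain at load time rather than silently skipping inspection at runtime."""
    for r in rules:
        problem = check_chain(r.inline)
        if problem:
            raise ValueError(f"rule {r.name!r}: {problem}")
    return tuple(rules)


POLICY = load_policy([
    # Contractors only ever reach the approved catalogue.
    Rule("contractor-unsanctioned", {"user_group": "contractor", "app_sanctioned": False}, "block"),
    # Sanctioned apps that cannot be decrypted inline: enforce CASB/DLP through the app API.
    Rule("sanctioned-exempt", {"app_sanctioned": True, "decrypt_exempt": True}, "allow",
         inline=("firewall", "dns"), api=("casb", "dlp")),
    # Any device, managed or not, reaching a sanctioned app gets the full inline stack.
    Rule("sanctioned", {"app_sanctioned": True}, "allow",
         inline=("firewall", "dns", "tls_decrypt", "casb", "dlp", "atp")),
    # Managed device to an exempt, unsanctioned site (e.g. banking): category filtering only.
    Rule("managed-web-exempt", {"device_managed": True, "app_sanctioned": False, "decrypt_exempt": True},
         "allow", inline=("firewall", "dns", "swg")),
    # Managed device browsing the open web: decrypt and inspect.
    Rule("managed-web", {"device_managed": True, "app_sanctioned": False}, "allow",
         inline=("firewall", "dns", "tls_decrypt", "swg", "dlp", "atp")),
    # Deliberately no rule for unmanaged devices on unsanctioned apps: that falls to DEFAULT_DENY.
])


def evaluate(ctx: FlowContext, policy=POLICY) -> Decision:
    """First matching rule wins; a flow no rule claims is blocked, never passed uninspected."""
    for rule in policy:
        if rule.matches(ctx):
            return Decision(rule.name, rule.action, rule.inline, rule.api)
    return DEFAULT_DENY


# Constructed sample flows for a direct-to-internet branch; not captured data.
SAMPLE_FLOWS = {
    "finance-laptop-to-crm": FlowContext("finance", True, "branch", "crm-saas", True, False),
    "byod-to-crm": FlowContext("sales", False, "remote", "crm-saas", True, False),
    "byod-to-filesharing": FlowContext("sales", False, "remote", "personal-share", False, False),
    "contractor-to-pastebin": FlowContext("contractor", True, "branch", "paste-site", False, False),
    "hr-to-pinned-payroll": FlowContext("hr", True, "hq", "payroll-saas", True, True),
    "eng-to-banking": FlowContext("eng", True, "branch", "online-banking", False, True),
}


def run_samples():
    return {name: evaluate(ctx) for name, ctx in SAMPLE_FLOWS.items()}


if __name__ == "__main__":
    for name, d in run_samples().items():
        print(f"{name:24} {d.action:5} rule={d.rule:22} inline={d.inline} api={d.api}")
```

Two design choices carry the security point. The chain validator runs when the policy is loaded, so a rule that lists DLP without decryption is rejected up front instead of quietly inspecting ciphertext in production. And the engine fails closed: the unmanaged-device-to-unsanctioned-app case has no explicit rule and is blocked by the default, so a gap in the rule set can never become a path that bypasses inspection.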

Over time, ECG capabilities and SD-WAN functionality will likely collapse even further. Some vendors with stronger networking backgrounds (Cisco, for example) or that have shown themselves to be on the early side of the innovation curve (such as Palo Alto Networks) may be quicker to move down a consolidated network and security path. However, there will be a multiyear period in which networking and security technology partners integrate these solutions as a core route to market.

These innovations represent an important step in advancing network security into the cloud era. The foundation has been laid through the initial shift to cloud security services. However, a true cloud-native architecture is the only way to fully scale an ECG architecture, and an integrated approach is the best way to provide organizations with the tools they need to decrease the attack surface and use strong security controls while enabling user productivity.


About the Author(s)

John Grady

Analyst at Enterprise Strategy Group

John Grady is an Analyst covering network security at Enterprise Strategy Group. He leverages more than 15 years of analyst and cybersecurity vendor experience to help clients identify and quantify key market trends to facilitate data-driven business decisions. He previously held positions at Symantec and IDC, and has led research on network security, web security, email security, DDoS protection, and advanced threat prevention, among other segments over his career.
