Dark Reading is part of the Informa Tech Division of Informa PLC


10/10/2019
10:00 AM
John Grady
Commentary

Network Security Must Transition into the Cloud Era

An integrated approach is the best way to provide organizations with the tools they need to decrease the attack surface and use strong security controls.

Cloud and mobility have been driving transformative changes in the way we work for nearly a decade and continue to rank among the top macro trends affecting the IT landscape today. In fact, many organizations have begun to build their entire business strategy around cloud capabilities. Enterprise Strategy Group research found that 39% of organizations now follow a "cloud-first" strategy when deploying new applications, up from 29% just a year ago.

By its nature, cloud computing puts distance between users and resources, creating a strain on legacy network capabilities. This is especially true of a traditional hub-and-spoke networking model that incorporates siloed security technologies. This type of approach introduces three key issues:

1. Degradation of performance and user experience: When traffic destined for cloud applications is first routed back to the campus and through the on-premises security stack, quality of service is negatively affected.

2. Limited visibility: Security tools can't control what they can't see, and without a full understanding of applications, users, devices, data, and other context, proper enforcement cannot occur.

3. Inconsistent policies: Appliance sprawl and disparate management consoles have left many organizations with a siloed rather than unified approach to security, which can limit both efficiency and efficacy.

The traditional approach is now changing as network technology becomes more dynamic and intelligently manages traffic based on users, applications, connections, and locations. The growing adoption of SD-WAN to improve network efficiency and management, especially relative to remote office/branch office (ROBO) locations, is a good example of this.

As the network evolves, security controls and how they integrate into the new architecture (including SD-WAN) must also be reevaluated. Security solutions must plug seamlessly into network technologies and shift control points to the edge with centralized management and distributed enforcement. Specifically, ESG sees a logical convergence of security tools delivered via a cloud-native, microservices-based platform beginning to coalesce as an extensible architecture called elastic cloud gateways (ECGs). ECGs are multichannel, multimode, cloud-delivered security services built on a globally distributed platform; they provide end-user access, threat prevention, and content inspection at the network edge.

Because the architecture is extensible, the technologies that make up the multichannel aspect of ECGs can vary. However, to address the SD-WAN-enabled, direct-to-internet ROBO use case, there are some logical components. These include secure web gateway (SWG), cloud access security broker (CASB), data loss prevention (DLP), and firewall functionality. Additionally, with the amount of encrypted web traffic growing by the day, SSL decryption for full visibility is important now and will quickly become a prerequisite.

Other technologies may include DNS protection and advanced threat prevention capabilities or a software-defined perimeter (SDP) for zero-trust capabilities. The integration with SD-WAN technologies enables intelligent enforcement of policy based on who the users are, what devices they're on, and what part of the network they're connecting through. It also facilitates improved coordination between security and non-security stakeholders to drive consistent policies based on business needs. Depending on the context, either part or the entirety of the ECG stack may be utilized for traffic inspection. Regardless of the specific list of technologies, by integrating multiple capabilities into a single solution, management is simplified, policy becomes more consistent, and with fewer gaps in the security posture, efficacy is improved.

Integrating SWG, CASB, DLP, firewall, and other capabilities is difficult to do at scale in an on-premises deployment. In fact, this has been one of the main drawbacks to the traditional model of using unified threat management (UTM) devices at the branch. The static nature of on-premises solutions becomes a larger problem as the number of security services increases, especially compute-intensive ones such as SSL decryption.

However, the cloud-native architecture of ECGs provides elasticity through microservices, which automatically scale up or down based on demand. This can enable traffic inspection for content control (i.e., DLP), threat prevention, and SSL decryption to occur without degrading the user experience or overprovisioning capacity. Furthermore, the cloud-native aspect of ECGs better aligns security to the cloud from a consumption perspective — not only relative to the shift from capex to opex but also by utilizing metering based on a combination of users, traffic volume, applications protected, or security services so that organizations are only charged for the resources they use while protection dynamically scales up or down based on the current need.

Finally, the multimode aspect of elastic cloud gateways builds upon CASB capabilities and is important for full control and visibility over both sanctioned and unsanctioned cloud applications. ECGs can be deployed inline as a forward or reverse proxy for better threat protection and user experience. Alternatively, ECGs can utilize an out-of-band deployment through cloud application API integrations that provide ease of use and retrospective analysis and policy enforcement for sanctioned applications. This flexibility enables organizations to meet their specific needs and priorities, be it real-time enforcement or maintaining quality of service.

Over time, ECG capabilities and SD-WAN functionality will likely collapse even further. Some vendors with stronger networking backgrounds (Cisco, for example) or that have shown themselves to be on the early side of the innovation curve (such as Palo Alto Networks) may be quicker to move down a consolidated network and security path. However, there will be a multiyear period in which technology networking and security partners integrate these solutions as a core route to market.

These innovations represent an important step in advancing network security into the cloud era. The foundation has been laid through the initial shift to cloud security services. However, a true cloud-native architecture is the only way to fully scale an ECG architecture, and an integrated approach is the best way to provide organizations with the tools they need to decrease the attack surface and use strong security controls while enabling user productivity.


John Grady is an Analyst covering network security at Enterprise Strategy Group. He leverages more than 15 years of analyst and cybersecurity vendor experience to help clients identify and quantify key market trends to facilitate data-driven business decisions. He previously ...