Dark Reading is part of the Informa Tech Division of Informa PLC

John Grady

Network Security Must Transition into the Cloud Era

An integrated approach is the best way to provide organizations with the tools they need to decrease the attack surface and use strong security controls.

Cloud and mobility have been driving transformative changes in the way we work for nearly a decade and continue to rank among the top macro trends affecting the IT landscape today. In fact, many organizations have begun to build their entire business strategy around cloud capabilities. Enterprise Strategy Group research found that 39% of organizations now follow a "cloud-first" strategy when deploying new applications, up from 29% just a year ago.

By its nature, cloud computing puts distance between users and resources, creating a strain on legacy network capabilities. This is especially true of a traditional hub-and-spoke networking model that incorporates siloed security technologies. This type of approach introduces three key issues:

1. Degradation of performance and user experience: When traffic destined for cloud applications is first routed back to the campus and through the on-premises security stack, quality of service is negatively affected.

2. Limited visibility: Security tools can't control what they can't see, and without a full understanding of applications, users, devices, data, and other context, proper enforcement cannot occur.

3. Inconsistent policies: Appliance sprawl and disparate management consoles have left many organizations with a siloed rather than unified approach to security, which can limit both efficiency and efficacy.

The traditional approach is now changing as network technology becomes more dynamic and intelligently manages traffic based on users, applications, connections, and locations. The growing adoption of SD-WAN to improve network efficiency and management, especially relative to remote office/branch office (ROBO) locations, is a good example of this.

As the network evolves, security controls and how they integrate into the new architecture (including SD-WAN) must also be reevaluated. Security solutions must plug seamlessly into network technologies and shift control points to the edge with centralized management and distributed enforcement. Specifically, ESG sees a logical convergence of security tools delivered via a cloud-native, microservices-based platform beginning to coalesce as an extensible architecture called elastic cloud gateways (ECGs). ECGs are multichannel, multimode, cloud-delivered security services built on a globally distributed platform; they provide end-user access, threat prevention, and content inspection at the network edge.

Because the architecture is extensible, the technologies that make up the multichannel aspect of ECGs can vary. However, to address the SD-WAN-enabled, direct-to-internet ROBO use case, there are some logical components. These include secure web gateway (SWG), cloud access security broker (CASB), data loss prevention (DLP), and firewall functionality. Additionally, with the amount of encrypted web traffic growing by the day, SSL decryption for full visibility is important now and will quickly become a prerequisite.

Other technologies may include DNS protection and advanced threat prevention capabilities or a software-defined perimeter (SDP) for zero-trust capabilities. The integration with SD-WAN technologies enables intelligent enforcement of policy based on who the users are, what devices they're on, and what part of the network they're connecting through. It also facilitates improved coordination between security and non-security stakeholders to drive consistent policies based on business needs. Depending on the context, either part or the entirety of the ECG stack may be utilized for traffic inspection. Regardless of the specific list of technologies, by integrating multiple capabilities into a single solution, management is simplified, policy becomes more consistent, and with fewer gaps in the security posture, efficacy is improved.

Integrating SWG, CASB, DLP, firewall, and other capabilities is difficult to do at scale in an on-premises deployment. In fact, this has been one of the main drawbacks to the traditional model of using unified threat management (UTM) devices at the branch. The static nature of on-premises solutions becomes a larger problem as the number of security services increases, especially compute-intensive ones such as SSL decryption.

However, the cloud-native architecture of ECGs provides elasticity through microservices, which automatically scale up or down based on demand. This can enable traffic inspection for content control (i.e., DLP), threat prevention, and SSL decryption to occur without degrading the user experience or overprovisioning capacity. Furthermore, the cloud-native aspect of ECGs better aligns security to the cloud from a consumption perspective — not only relative to the shift from capex to opex but also by utilizing metering based on a combination of users, traffic volume, applications protected, or security services so that organizations are only charged for the resources they use while protection dynamically scales up or down based on the current need.

Finally, the multimode aspect of elastic cloud gateways builds upon CASB capabilities and is important for full control and visibility over both sanctioned and unsanctioned cloud applications. ECGs can be deployed inline as a forward or reverse proxy for better threat protection and user experience. Alternatively, ECGs can utilize an out-of-band deployment through cloud application API integrations that provide ease of use and retrospective analysis and policy enforcement for sanctioned applications. This flexibility enables organizations to meet their specific needs and priorities, be it real-time enforcement or maintaining quality of service.
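The context-dependent use of part or all of the ECG stack, and the choice between inline proxy and API-based out-of-band deployment, can be made concrete as a small policy-decision routine. The code below is an added illustration, not the article's or any vendor's implementation; the `FlowContext` fields, the `SENSITIVE_GROUPS` set and every rule in `select_services` are assumptions chosen to mirror the text.

```python
"""Added illustration (not from the article or any vendor): a toy policy
engine that picks which elastic cloud gateway (ECG) services inspect a
flow and in which deployment mode, from user, device and location context."""
from dataclasses import dataclass


@dataclass(frozen=True)
class FlowContext:
    user_group: str        # e.g. "finance", "contractor" (hypothetical labels)
    managed_device: bool   # device is enrolled in corporate management
    location: str          # "campus", "robo" (branch) or "remote"
    app: str               # destination SaaS application or web category
    sanctioned: bool       # app is IT-approved in the CASB catalogue
    encrypted: bool        # TLS traffic that needs SSL decryption for visibility


# Hypothetical set of groups handling sensitive data; a real ECG would take
# this from identity and CASB classification rather than a hard-coded set.
SENSITIVE_GROUPS = {"finance", "hr", "legal"}


def select_services(ctx: FlowContext) -> dict:
    """Return the inspection chain, deployment mode and path for one flow.

    Part or all of the ECG stack is applied depending on context; sanctioned
    apps reached from managed devices are covered out-of-band via API, while
    everything else is proxied inline. Decryption is placed first because
    every content control downstream depends on it.
    """
    services = ["firewall"]                 # baseline control for all traffic
    if ctx.encrypted:
        services.append("ssl_decryption")   # prerequisite for full visibility
    if not ctx.sanctioned or not ctx.managed_device:
        services.append("swg")              # web filtering for unknown/unmanaged
    services.append("casb")                 # cloud app visibility is always on
    if ctx.user_group in SENSITIVE_GROUPS or not ctx.managed_device:
        services.append("dlp")              # content control for risky flows
    if not ctx.managed_device and ctx.sanctioned:
        services.append("sdp")              # zero-trust brokering to sanctioned apps
    mode = "api" if ctx.sanctioned and ctx.managed_device else "inline_proxy"
    # Branch and remote users go direct-to-internet through the ECG instead of
    # backhauling to the campus; campus users still traverse the local stack.
    path = "direct_via_ecg" if ctx.location != "campus" else "campus_stack"
    return {"services": services, "mode": mode, "path": path}
```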

Over time, ECG capabilities and SD-WAN functionality will likely collapse even further. Some vendors with stronger networking backgrounds (Cisco, for example) or that have shown themselves to be on the early side of the innovation curve (such as Palo Alto Networks) may be quicker to move down a consolidated network and security path. However, there will be a multiyear period in which networking and security technology partners integrate these solutions as a core route to market.

These innovations represent an important step in advancing network security into the cloud era. The foundation has been laid through the initial shift to cloud security services. However, a true cloud-native architecture is the only way to fully scale an ECG architecture, and an integrated approach is the best way to provide organizations with the tools they need to decrease the attack surface and use strong security controls while enabling user productivity.


John Grady is an Analyst covering network security at Enterprise Strategy Group. He leverages more than 15 years of analyst and cybersecurity vendor experience to help clients identify and quantify key market trends to facilitate data-driven business decisions. He previously ...
