12:43 PM
Michael Wood
News Analysis-Security Now

Where Should Security Live?

Security can sit in many locations. Where is the best spot for your organization's security center?

How do you protect your family in dangerous times?

In the pioneering days -- on a lonely ranch with no neighbours in sight -- the answer was obvious: You ring-fence the estate, keep watch on who is coming and going, securely lock all buildings and keep tabs on family members.

A hundred years on, and all has changed. Most things now happen in the social "cloud." Home schooling gives way to public school. Instead of chickens, a kitchen garden and the family goat, food mostly comes from local shops. The parents go out to work, and family protection is no longer so clear-cut. You still lock the door at night and keep valuables in a safe, but you rely more on the social cloud's own services -- police and ambulance. Then there are questions about family safety as you all travel between home and public spaces...

In the business networking sector, a similar change is happening, but a whole lot faster. Even ten years ago data protection was mostly about firewalls and in-house anti-virus -- and intruder detection systems were hot news. Now we have two growing challenges to cope with:

  1. The perimeter is getting bigger and fuzzier. No longer bound by the ranch fence, the family are scattered across the neighborhood and beyond. Similarly, the office network is stretching to include wireless zones, home and mobile workers, bring your own device (BYOD) connectivity and the Internet.
  2. Much more is happening in the cloud. This is still a matter of choice, but economics and the demand for efficiency and agility are driving a lot of routine work and applications into the cloud space.

So, where should security now be placed?

The pioneering instinct to keep everything locked away in a well-guarded private datacentre is understandable, but no longer makes good business sense. Few organizations have the skills and resources to protect their data as securely as the best cloud services, where economies of scale allow more to be invested in state-of-the-art security than most organizations could ever afford.

Cloud-based security solutions often share a platform with a content delivery network designed to accelerate access to web applications, so they can actually improve performance while protecting applications. As specialists, cloud security providers are not only more experienced but also more up to date with the latest malware trends. They are also qualified experts on legal compliance and government regulations. Finally, there is the attraction of paying a smaller recurring fee instead of a massive upfront capital outlay for enhanced security.

So, do we put all security in the cloud? No, there are still applications and content best kept close to hand for reasons that could include legal responsibility, reliability, reduced latency or sheer protective instincts. So the first question when making decisions should be: "Is there any reason NOT to put this data or application in the cloud?" If the answer is "yes," you maintain a smaller, tightly managed private datacentre to host those exceptions.

Then there is that tricky question of how best to protect data and applications in transit between the office and the cloud. The gap between initial forecasts and actual data suggests that even the cloud’s early champions have been surprised by the uptake of cloud services, so that many large organizations are already advocating a "cloud first" policy on the strength of the savings, scalability and reliability of cloud applications at headquarters.

But rolling out those services to the more remote branch offices can lead to a backlash. Unless the remote office justifies the cost of a dedicated private line, it may well have to rely on one or more public Internet links such as best-effort ADSL, wireless or LTE connectivity. The resulting loss of reliability, slower speeds and latency problems can make cloud performance a lot worse than when applications were hosted in-house. The workers are not happy: not because of the actual cloud service, but because of what happens between the cloud and the office -- and this is also a security issue.

A recent development that addresses the problem has been the long awaited extension of software-defined networking (SDN) to the wide area network (WAN). SDN has already revolutionised local area networks and datacentre connectivity, but extending it to the wide area was a far bigger problem. Building predictable service quality over less predictable "best effort" links was one challenge. Another was to reduce delays between nodes often separated by hundreds of kilometres.

Above all, there was the challenge of far less standardisation across a geographically dispersed WAN. Since last October, however, there has been a spate of SD-WAN offerings from carriers including Sprint, AT&T, Telstra, MetTel, Windstream, TelePacific and others across the globe.

What are they offering? The SD-WAN can seamlessly integrate any number of private or "best effort" Internet connections to deliver better bandwidth and reliability, while managing appropriate security. Even if the WAN extends across thousands of kilometres, the SD-WAN will make local forwarding decisions based on observed local conditions, such as link quality and throughput.

The central controller implements software forwarding based not only on centralised business policy objectives and security policy requirements but also real-time network quality. So the routing, priority and security for any application data flow is independent of the underlying link structure or types of connectivity used.

Automated cloud-based management allows business policy decisions to be changed in-house for maximum performance, lowest cost and optimal security that is tailored to specific types of data, user or circumstance. The result is a practical, cost-effective way to extend the full benefits of cloud computing to the very edges of an organization.

All traffic between the office and the carrier’s edge is encrypted by the system but, if the users are still not convinced that it is safe to entrust critical data to a public link, they can always add a private MPLS line so that the SD-WAN can route mission-critical or real-time services via MPLS, while offloading other traffic to alternative routes.
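The forwarding decision described above can be sketched as follows. This is an added example, not code from the article or from any SD-WAN product. The link names, thresholds, policy fields and the fail-closed rule (a flow restricted to the private line is dropped rather than rerouted when that line is down) are assumptions made for illustration.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Link:
    name: str
    private: bool       # True for a private line such as MPLS
    encrypted: bool     # traffic to the carrier edge is encrypted
    latency_ms: float   # measured in real time
    loss_pct: float     # measured in real time
    up: bool = True

@dataclass(frozen=True)
class Policy:
    app: str
    require_private: bool   # security policy: private line only
    max_latency_ms: float   # business policy: quality targets
    max_loss_pct: float

def select_link(policy, links):
    """Return the link a flow should use, or None to drop it (fail closed)."""
    # Security constraints are applied first and are never relaxed.
    allowed = [l for l in links if l.up and l.encrypted
               and (l.private or not policy.require_private)]
    # Quality targets are applied next, using the measured link state.
    good = [l for l in allowed if l.latency_ms <= policy.max_latency_ms
            and l.loss_pct <= policy.max_loss_pct]
    # With no link on target, degrade on quality but not on security.
    candidates = good or allowed
    if not candidates:
        return None
    # Offload flows that do not need the private line onto public links.
    return min(candidates, key=lambda l: (l.private and not policy.require_private,
                                          l.loss_pct, l.latency_ms))

def with_link_down(links, name):
    """Copy of the link table with one link marked as failed."""
    return [replace(l, up=False) if l.name == name else l for l in links]

# Constructed sample data: one private line and two best-effort links.
LINKS = [Link("mpls", True, True, 20.0, 0.0),
         Link("adsl", False, True, 45.0, 0.5),
         Link("lte", False, True, 70.0, 1.5)]
PAYMENTS = Policy("payments", True, 100.0, 1.0)
VOICE = Policy("voice", False, 30.0, 0.1)
WEB = Policy("web", False, 200.0, 3.0)

if __name__ == "__main__":
    for links in (LINKS, with_link_down(LINKS, "mpls")):
        for p in (PAYMENTS, VOICE, WEB):
            chosen = select_link(p, links)
            print(p.app, "->", chosen.name if chosen else "DROP")
```

When reviewing a real deployment, the case to check is the second pass: what each traffic class does when the private line fails, and whether any policy silently falls back to a public link.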

So, to return to the headline question: where should security lie on the network? The answer now is that cloud security is extremely good, and can be entrusted with the bulk of everyday applications and data. The simple question "Why should we not put this on the cloud?" will identify a smaller number of critical exceptions where security is best entrusted to the private data center. And between the two extremes there is no longer a dangerous gap, but the growing opportunity to install an SD-WAN to bring cloud security to the very edge of the organization.

Your family is probably a lot safer now than it ever was in "them pioneering days."

— Michael Wood is Vice President of Marketing for VeloCloud Networks, responsible for worldwide marketing, revenue generation, channel and sales enablement and communications.
