Cloud Security, Network Security

How cloud network security differs from legacy security in a data center


Legacy network security designs leveraged data center and campus network architectures that had a few well-known traffic ingress and egress points through which all traffic had to flow. These points of entry and exit were the ideal locations to inspect traffic with firewalls, IDS/IPS appliances and other traffic filtering technologies. As a result, the past several decades of network security design have been based on this architecture.

Cloud network architecture has changed this paradigm. Ingress from and egress to the public internet is no longer forced through well-known points of entry and exit that would serve as natural inspection points. Many security teams would like to mandate policies that force all cloud traffic flows through well-known inspection points, but that is simply data center architectural thinking, and it conflicts with the agility objectives that have driven enterprises to cloud migration strategies. Fortunately, there’s a solution: embed network security into the cloud network and distribute it throughout the network, not only at well-known inspection points.

Embed security into the cloud network: what?

Data-center-era network security design emerged because network security was not embedded into network equipment. Network devices, such as hubs, switches and routers, didn’t have the extra processing capacity required to deliver high-performance switching and routing while also performing packet inspection and filtering. So, a market for specialty appliances designed for network security, such as firewalls, emerged, and those appliances were bolted onto the network at designated inspection points.

In the cloud, the network is not built on hardware with finite processing capacity; rather, it’s all software, which operates on the almost infinite compute capacity delivered by cloud service providers (CSPs). So now, the network software platform that delivers packet switching and routing can also perform high-performance encryption, packet inspection, threat detection, firewalling and machine learning anomaly detection, all at the same time and on the network itself. However, not all cloud networking is the same, or has this embedded capability.

Secure cloud networking

There’s an emerging secure cloud networking market. Gartner’s Market Guide calls it Multi-Cloud Networking Software. Security architects and their networking counterparts should explore the leading solutions because it’s where vendors will embed security into the cloud network. However, understand that many vendors call their solutions “multi-cloud networking” when their solutions only “connect to” multiple clouds, stop at the cloud edge and pass network traffic on to the native cloud constructs that do not offer embedded network security.

Security-in-Depth

Secure cloud networking embeds network security into the network and complements existing investments, such as firewalls and other single-point-of-inspection appliances. Think of a secure cloud network as the network data plane within and across the company’s public clouds. It sees all traffic flows on the network, no matter how a flow made it onto the network. Enterprises that have deployed secure cloud networking have often found crypto mining, Tor servers, connections to bad actors, and their own cloud workloads being used as sources of DDoS attacks, none of which had been detected by the existing security infrastructure. It’s different in the cloud, and security teams must architect accordingly.
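To make the "sees all traffic flows" point concrete, here is an added example (not code from the column, nor from Aviatrix or any vendor) of the kind of triage a data plane that observes every flow can run: it scans constructed, simplified flow records for the four findings the paragraph lists. The indicator lists, the stratum-style mining ports, the packet threshold, the workload address range and every sample record are assumptions made for illustration, not real intelligence.

```python
"""Flow-record triage for a cloud data plane that sees every flow.

Added example, not part of the original column: it scans constructed,
simplified flow records for connections to known bad actors, Tor relay
traffic, crypto-mining pool traffic and workloads acting as DDoS sources.
Every indicator list, port, threshold and record is an assumption.
"""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass

WORKLOAD_NET = ipaddress.ip_network("10.0.0.0/8")   # assumed workload address space
KNOWN_BAD_IPS = {"203.0.113.10"}                     # placeholder "bad actor" address
KNOWN_TOR_RELAYS = {"198.51.100.7"}                  # placeholder Tor relay address
MINING_POOL_PORTS = {3333, 4444, 14444}              # assumed stratum pool ports
DDOS_PACKET_THRESHOLD = 1000                         # assumed per-window packet limit

# Constructed sample records: "src dst dport proto packets action".
SAMPLE_FLOWS = """\
10.0.1.5 203.0.113.10 443 tcp 12 ACCEPT
10.0.1.5 192.0.2.20 443 tcp 30 ACCEPT
10.0.2.9 192.0.2.50 3333 tcp 400 ACCEPT
10.0.3.7 198.51.100.7 9001 tcp 55 ACCEPT
10.0.4.2 192.0.2.80 53 udp 800 ACCEPT
10.0.4.2 192.0.2.80 53 udp 700 ACCEPT
10.0.5.1 192.0.2.99 22 tcp 3 REJECT
"""


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str
    packets: int
    action: str


def parse_flow(line: str) -> Flow:
    """Parse one whitespace-separated record of the constructed format."""
    src, dst, dport, proto, packets, action = line.split()
    return Flow(src, dst, int(dport), proto, int(packets), action)


def classify(flows):
    """Return (source, finding, detail) tuples for suspicious accepted flows."""
    findings = []
    outbound_packets = defaultdict(int)
    for f in flows:
        if f.action != "ACCEPT":
            continue  # rejected flows never reached the destination
        if f.dst in KNOWN_BAD_IPS:
            findings.append((f.src, "connection-to-bad-actor", f.dst))
        if f.dst in KNOWN_TOR_RELAYS or f.src in KNOWN_TOR_RELAYS:
            findings.append((f.src, "tor-relay-traffic", f.dst))
        if f.dport in MINING_POOL_PORTS:
            findings.append((f.src, "possible-crypto-mining", f"{f.dst}:{f.dport}"))
        # Aggregate packets per (workload, target) so a workload being used as
        # a DDoS source stands out; only traffic leaving workload space counts.
        if ipaddress.ip_address(f.src) in WORKLOAD_NET:
            outbound_packets[(f.src, f.dst, f.dport)] += f.packets
    for (src, dst, dport), pkts in outbound_packets.items():
        if pkts >= DDOS_PACKET_THRESHOLD:
            findings.append((src, "possible-ddos-source", f"{dst}:{dport} ({pkts} packets)"))
    return findings


def analyze(records: str):
    """Parse a block of records and classify them."""
    return classify(parse_flow(l) for l in records.splitlines() if l.strip())


if __name__ == "__main__":
    for src, finding, detail in analyze(SAMPLE_FLOWS):
        print(f"{src:<12} {finding:<26} {detail}")
```

The point of the example is where it runs, not the rules themselves: a choke-point appliance only sees flows routed through it, whereas the data plane sees the mining, Tor and DDoS-source flows regardless of which subnet or path they took. In practice the indicator sets would come from a threat feed and the packet threshold from a baseline of normal workload behaviour.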

How will this evolve?

For the past two or three decades, experts in networking and network security were configuration experts tasked with delivering network connectivity or applying complex security policies. These experts had the valuable knowledge and experience required to build the brittle infrastructure and fix it when it would inevitably break. We are quickly approaching a time when networking and network security will become more computer science than configuration. Infrastructure-as-code (IaC) will drive complex, multi-dimensional optimization of a dynamic, fully programmable, multi-cloud network and network security infrastructure in the cloud.

DevOps and application teams have been on this path for decades, long before cloud came into the picture. Revision control systems, workflow automation, Git repos and CI/CD pipelines all streamlined application delivery processes, but these powerful capabilities have eluded networking and network security infrastructure teams. Today, secure cloud networking has become an all-software, fully programmable infrastructure that applications can programmatically optimize for a dynamic combination of security, cost and performance.

Where to start?

Please don’t think of secure cloud networking as similar to data center networking and security. Today, it’s all software, downloadable from public cloud marketplaces and paid for on a consumption basis through a cloud marketplace account. Therefore, find it, download it, fire it up and play with it. Talk to the organization’s networking people, and compare it to native cloud constructs. Consider a multi-cloud strategy. Is the company prepared? What if the company’s business acquires a company, and it needs to support a multi-cloud environment next week? It happens all the time, so prepare for these changes in network security.

Rod Stuhlmuller, vice president, customer relations, Aviatrix
