Network Security: An Oxymoron In The Cloud Era?

Network security has always been a near-impossible task, but the cloud era is ushering in a fundamentally new model that truly renders network security an oxymoron. How so, you ask?

In the past, organizations built and controlled their own networks. Because IT could control the flow of traffic inbound and outbound, the nodes on the network, and the users, they also controlled the network security architecture. IT was responsible for where and how to place firewalls, VPNs, IDS and IPS, load balancers, web application firewalls, and other security devices. In short, when you owned the network, you also owned securing the network.

Today, with more organizations moving to the cloud, a new approach is necessary. Three fundamental differences are driving this change:

  • Cloud providers own the network
  • Traffic flows in the cloud much differently. Interdependencies between applications and services, both internal and external, are exploding
  • Network security has historically been delivered through appliances

Network ownership: Infrastructure-as-a-service (IaaS) and platform-as-a-service (PaaS) solutions are flipping ownership of the network. Unlike traditional hosting, where connectivity was provided to your "rack" or "cage" and you needed to manage the inbound and outbound traffic, next-generation cloud providers are embedding that task into their services.

As a result, the customer is buying a different atomic unit. Because they are buying an individual server or a place to put their application, they no longer want to worry about the network infrastructure. Network connectivity and the infrastructure the applications ride on are viewed more as a building block, rather than a unique system the customer needs to own.

Conversely, cloud providers view their network as a core component of their service. They can abstract the networking from the customer, which allows quicker time-to-market, less operational overhead, and more cost-effective solutions. It's a win-win, but changes the game for network security, because the provider installs and maintains the network security equipment.

The best providers will expose this functionality to their customers (e.g., firewall, VPN, and VLAN controls), but not all providers give individual customers control over security elements. The cloud provider's ownership of the underlying network flat-out changes the game for network security.

Architecture: Organizations are embracing the fact that servers can be created and destroyed easily across the globe. They can spin up a server and have it talk directly to the Internet without creating a network. Many create virtual private networks where they group their servers via a VPN, but many don't.

The resulting mix of architecture types changes the way companies need to think about network security deployment. There won't always be a network "chokepoint" where security can be applied. Often, individual servers may have direct connections to the Internet and will be exposed to its threats. Placing network security gear in front of each server doesn't make economic sense, and requires significant maintenance.

The shift in architecture due to the cloud changes where organizations should place emphasis. If you can't protect your applications and data easily via the network, you must focus your attention on host, application, and data security techniques. Increased attention can be given to tight user management, hardening/patching servers, checking application code, and encrypting data. Your goals are the same -- protecting your organization -- but your approach may be completely different in a cloudy world.

Hardware-based security: Network security historically has embraced the appliance. Because the amount of traffic on the Internet continues to grow quickly, hardware or even custom ASIC-based solutions for security have been preferred. That's because processing in hardware is faster, so hardware products were able to keep up with wireline speeds.

As organizations shift their infrastructure to the cloud, traffic is running on networks that are not owned and controlled by the organization. You don't get the opportunity to place your hardware-based application firewall or IPS in the cloud provider's network. Vendors are continuing to shift to software, but cannot always retain the same performance. Also, the network architecture issues raised in the previous section exacerbate the hardware-based network security issue.

Companies utilizing the cloud will need to be creative about their architecture to shift to software-based solutions that can handle the load. They may also need to look for different approaches to the problem -- for instance, a service like CloudFlare may work better than a web application firewall. A different approach can produce a better outcome for your cloud infrastructure.

Network security as we have known it won't survive the continuing migration to the cloud. Forward thinking organizations are changing their security approach and moving from old-world appliance-based approaches to software-based services. These organizations are changing their emphasis and placing more focus on protecting the atomic unit at the cloud level, which means protecting the server. Take some time to re-think your network security approach in the cloud. Starting with a clean slate may give you the opportunity to step up your security game.