07/22/2014 7:00 AM

Network Security: An Oxymoron In The Cloud Era?

Network security as we know it won't survive the migration to the cloud. New approaches are needed.

Network security has always been a near-impossible task, but the cloud era is ushering in a fundamentally new model that truly renders network security an oxymoron. How so, you ask?

In the past, organizations built and controlled their own networks. Because IT could control the flow of traffic inbound and outbound, the nodes on the network, and the users, they also controlled the network security architecture. IT was responsible for where and how to place firewalls, VPNs, IDS and IPS, load balancers, web application firewalls, and other security devices. In short, when you owned the network, you also owned securing the network.

Today, with more organizations moving to the cloud, a new approach is necessary. Three fundamental differences are driving this change:

  • Cloud providers own the network
  • Traffic flows much differently in the cloud; interdependencies between applications and services, both internal and external, are exploding
  • Network security has historically been delivered through appliances

Network ownership: Infrastructure-as-a-service (IaaS) and platform-as-a-service (PaaS) solutions are flipping ownership of the network. Unlike traditional hosting, where connectivity was provided to your "rack" or "cage" and you needed to manage the inbound and outbound traffic, next-generation cloud providers are embedding that task into their services.

As a result, the customer is buying a different atomic unit. Because they are buying an individual server or a place to put their application, they no longer want to worry about the network infrastructure. Network connectivity and the infrastructure the applications ride on are viewed more as a building block, rather than a unique system the customer needs to own.

Conversely, cloud providers view their network as a core component of their service. They can abstract the networking from the customer, which allows quicker time-to-market, less operational overhead, and more cost-effective solutions. It's a win-win, but it changes the game for network security, because the provider installs and maintains the network security equipment.

The best providers will expose this functionality to their customers (e.g., firewall, VPN, and VLAN controls), but not all providers give individual customers control over security elements. The cloud provider's ownership of the underlying network flat-out changes the game for network security.

Architecture: Organizations are embracing the fact that servers can be created and destroyed easily across the globe. They can spin up a server and have it talk directly to the Internet without creating a network. Many create virtual private networks where they group their servers via a VPN, but many don't.

The resulting mix of architecture types changes the way companies need to think about deploying network security. There won't always be a network "chokepoint" where security can be applied. Individual servers will often have direct connections to the Internet and will be exposed to its threats. Placing network security gear in front of each server doesn't make economic sense and requires significant maintenance.

The shift in architecture due to the cloud changes where organizations should place emphasis. If you can't protect your applications and data easily via the network, you must focus your attention on host, application, and data security techniques. Increased attention can be given to tight user management, hardening/patching servers, checking application code, and encrypting data. Your goals are the same -- protecting your organization -- but your approach may be completely different in a cloudy world.

Hardware-based security: Network security historically has embraced the appliance. Because the amount of traffic on the Internet continues to grow quickly, hardware or even custom ASIC-based solutions for security have been preferred. That's because processing in hardware is faster, so hardware products were able to keep up with wireline speeds.

As organizations shift their infrastructure to the cloud, traffic is running on networks that are not owned and controlled by the organization. You don't get the opportunity to place your hardware-based application firewall or IPS in the cloud provider's network. Vendors are continuing to shift to software, but cannot always retain the same performance. Also, the network architecture issues raised in the previous section exacerbate the hardware-based network security issue.

Companies utilizing the cloud will need to be creative about their architecture to shift to software-based solutions that can handle the load. They may also need to look for different approaches to the problem -- for instance, a service like CloudFlare may work better than a web application firewall. A different approach can produce a better outcome for your cloud infrastructure.

Network security as we have known it won't survive the continuing migration to the cloud. Forward-thinking organizations are changing their security approach and moving from old-world appliance-based approaches to software-based services. These organizations are changing their emphasis and placing more focus on protecting the atomic unit at the cloud level, which means protecting the server. Take some time to re-think your network security approach in the cloud. Starting with a clean slate may give you the opportunity to step up your security game.


Network Security is Evolving- not Going Away

I am a Network Security Engineer and have realized that evolution comes to all things. I dislike cloud networking- not because of the technology but because I dislike not being able to control the devices and have to cede control to a vendor. However, packets still need paths - cloud computing is not all packet fairies and virtual love. We do a lot of virtualization and M & M monitoring. We still have firewalls and IDS because remote connections need filtering. We still have enterprise antivirus dished out. Our data center may be in Timbuktu but the meat and potatoes reside locally. People will still trip over a fiber, spill coffee on their keyboard or on their laptop, try to introduce crazy vulnerabilities into the network- and yes the network on site. Granted- the care and feeding of the big arrays will be off-site- but what passes in and out of home base still needs to be monitored and regulated.

Re: Network Security is Evolving- not Going Away

Thanks for your comment @Kimberly, you make a really important point (and I enjoyed your colorful metaphors!). An organization using the cloud still has a lot of network security responsibilities, including providing secure connectivity to cloud applications.

Re: Network Security is Evolving- not Going Away

Agreed, and new techniques have increased the level of security standards, for example, monitoring network traffic using analytics and machine learning. The security team has also increased in size and specialization: at first there used to be the in-house IT security team and employees from different departments, working to ensure that everything is secure. Now, post-cloud, the provider's security team has joined the in-house IT department -- creating strength.

Re: Network Security is Evolving- not Going Away

Right Brian, I think if anything, organizations are increasing their focus on security due to all the massive data breaches. I can't imagine them abdicating that responsibility to cloud providers.