Business decision-makers today are constantly looking for the most efficient way to leverage new applications to grow revenue. Seems like business basics, right? The applied version of this is that most businesses want that benefit without bearing the cost of building an infrastructure to support those applications. With the public cloud, businesses can finally do exactly that - deploy apps immediately without building datacenters, planning resiliency, racking hardware, and more. Essentially, these businesses get the benefit with a lot less cost attached. This mentality and structure are rapidly becoming the normal expectation for how businesses adopt new technology.
One would assume this means security would also be keeping up with the rest of the business adoption strategy. However, for one reason or another, many organizations cling to an outdated, box-based model - even in the cloud. An organization clears many hurdles before it can lay out the framework for its security strategy, including the tremendous amount of work to deploy, maintain and use those boxes. And once racked and plugged in, a hardware appliance really isn't that different from a software appliance: a virtual appliance in the cloud still carries the same box-based operating burden.
Let’s take a step back to understand this picture a little more clearly.
- First, businesses will go through the consumption, design, and build process where they design the reliability, availability, scalability (RAS) approaches. Organizations install boxes, integrate their RAS approaches into the infrastructure build, and specify apps and infrastructure to protect, defining specific policies.
- Next comes the operations stage. Teams must monitor capacity, usage, and any change, and track the health of the boxes. This leads to adding boxes, patching or updating boxes, and re-integrating them when appropriate. The team then reviews the logs using its preferred tools.
- Lastly, the organization automates all these steps using scripts or 3rd party tools. Automation doesn’t make a box-based approach fit for purpose, and perhaps more importantly, that often brittle automation must itself be maintained.
This particular roadmap suggests a 70/30 split between maintaining infrastructure and realizing security benefit. That is antithetical to cloud: treating the cloud like a datacenter eliminates much of the business benefit, and it puts security in conflict with both current staffing models and business expectations.
Instead, businesses should consider a cloud-first approach to be consumed and managed as a service. In this model, the service manages itself, so the team focuses on apps and policies and eliminates steps such as integrating RAS approaches for the build, adding and patching boxes, or monitoring any boxes. The roadmap is simplified to a very straightforward process of adding accounts / VPCs, defining policies, and operating by reviewing logs in the preferred tools.
With this adjustment to a cloud-first approach consumed as a managed service, the cost/benefit split changes significantly, to more like 10/90 (maintaining infrastructure/security benefit). This shift creates a massive reduction in the overhead of having network security. It is in line with cloud principles and business expectations: using technology and actually benefiting from it rather than maintaining it.
Let’s zoom out to the high-level view again. While much of the network security discipline is the same, the implementation must change. In particular, businesses should address cloud-specific security problems and bring network security in line with the cloud model - and, by extension, with business expectations.
So now that businesses understand what the ideal network security service looks like for their organization, the important question to ask next is: “how do we move forward?”
The transition from network security boxes to a network security service will likely be a gradual process. Ideally, start with one aspect and, in turn, adopt others. In many cases, organizations will lead with a purely ops-oriented transition, only later following with cloud-centric policies, adoption of cloud constructs, and a cloud-native app architecture. In other cases, the transition might be led by architecture. Which path fits really depends on the particular skill sets on hand and the training available.
The second approach to the transition is when an organization wants to go native from the start. In this case, the architecture, security policies, adoption of dynamic cloud constructs and ops are all modern from day one. This second approach has a much steeper learning curve. However, with it, organizations will certainly see immediate benefits.
So, while the rest of the business world has already been fast-tracking its processes by leveraging applications in every way it can, now is the time for security to get up to speed. There is no reason for security to lag behind and stick to old models when the capabilities and infrastructure to enable cloud-first network security already exist. Use these tools to your advantage and let a cloud-first structure do the heavy lifting. After all, it truly is finding the benefit without the cost.
Vishal Jain is CTO and Co-Founder of Valtix.