Many companies who completed our recent survey on security practices in hybrid cloud environments have already migrated at least some of their business applications to the cloud or plan to do so in the near future. While a third of those companies stated that they rely on commercial firewalls to manage and secure network access in the cloud, an equal number of companies planning to deploy business applications in the cloud within the next 12-24 months had not yet determined which network security controls they would use for their cloud deployments.
Hybrid environments create a complex security challenge that neither cloud-based security controls nor traditional firewalls manage all that well on their own. While both offer some real advantages, each has some significant disadvantages when utilized in a hybrid environment. I’d like to explore this issue a little further in this blog post.
Enterprises typically deploy multiple firewalls and routers to control access and protect their traditional data centers. They layer components to build a topology that can support a defense in depth strategy. They may have a web application from one vendor, a firewall from another and a router from a third. And by using tools from multiple vendors, companies believe they can reduce the risk that a breach through one security control will bring down the entire defense.
Cloud security controls, on the other hand, generally cannot be composed into a layered security architecture in the same way. Because they strive to offer more functionality in a single tool, they tend to be simpler, and they often lack application or user awareness. They also generally don’t offer advanced policy or backup capabilities and are usually built for a specific IaaS platform.
The simplicity of cloud-based security tools keeps costs down, streamlines security management, and makes it easier to scale up very quickly, giving the business greater agility. This approach is great for a ‘born in the cloud’ company. This same simplicity and all-in-one structure, however, means that the application and perhaps the network are protected by a tool that is a “jack of all trades and master of none.” Not where you want to be.
Furthermore, cloud controls cannot be utilized in your existing enterprise deployment for many reasons, most critically the lack of connectivity and the lack of compatibility with your existing controls. So if you decide to go for a cloud-based control, you will have trouble running a coherent policy across the two disparate sets of controls, using two separate and non-compatible interfaces.
Today’s enterprise security tools can typically be deployed on hardware or as an appliance. They can operate across both traditional and IaaS platforms, but they often require additional hardware to accommodate the additional bandwidth needed, which is not ideal. Running many appliances under classical licenses (BYOL, Bring Your Own License) is a good technical solution, but current pricing often makes this prohibitive.
So, currently, the best option is a management solution that can bridge cloud-based controls with enterprise-based controls and apply a consistent policy across both of them.
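To make the "coherent policy across two disparate sets of controls" problem concrete, here is an added example (not code from the post or from AlgoSec) that normalizes a cloud security-group rule and a classical iptables-style rule into one model and reports where the cloud side allows traffic that the on-premises side would not. The security-group dictionary shape and the sample rules are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional
import ipaddress

@dataclass(frozen=True)
class Rule:
    proto: str                   # "tcp", "udp" or "any"
    src: ipaddress.IPv4Network   # source network the rule matches
    port: Optional[int]          # destination port, None = any port

def from_security_group(sg: dict) -> Rule:
    """Normalize a cloud security-group ingress entry (AWS-like shape, constructed)."""
    proto = "any" if sg["IpProtocol"] == "-1" else sg["IpProtocol"].lower()
    port = None if sg["FromPort"] in (-1, None) else int(sg["FromPort"])
    return Rule(proto, ipaddress.ip_network(sg["CidrIp"]), port)

def from_iptables(line: str) -> Optional[Rule]:
    """Normalize one iptables-style ACCEPT line; other targets return None."""
    tokens = line.split()
    opts = dict(zip(tokens[::2], tokens[1::2]))  # every option here takes one argument
    if opts.get("-j") != "ACCEPT":
        return None
    src = ipaddress.ip_network(opts.get("-s", "0.0.0.0/0"))
    port = int(opts["--dport"]) if "--dport" in opts else None
    return Rule(opts.get("-p", "any").lower(), src, port)

def covers(onprem: Rule, cloud: Rule) -> bool:
    """True if the on-prem allow permits everything the cloud allow permits."""
    proto_ok = onprem.proto in ("any", cloud.proto)
    port_ok = onprem.port is None or onprem.port == cloud.port
    return proto_ok and port_ok and cloud.src.subnet_of(onprem.src)

def policy_gaps(sg_rules: list, iptables_lines: list) -> list:
    """Cloud allows with no equivalent on-prem allow: the two policies diverge."""
    onprem = [r for r in map(from_iptables, iptables_lines) if r is not None]
    cloud = [from_security_group(sg) for sg in sg_rules]
    return [c for c in cloud if not any(covers(o, c) for o in onprem)]

# Constructed sample inputs: one cloud security group and one on-prem firewall.
SAMPLE_SG = [
    {"IpProtocol": "tcp", "FromPort": 443, "CidrIp": "0.0.0.0/0"},
    {"IpProtocol": "tcp", "FromPort": 22, "CidrIp": "0.0.0.0/0"},   # SSH open to the world
    {"IpProtocol": "-1", "FromPort": -1, "CidrIp": "10.0.0.0/8"},
]
SAMPLE_IPTABLES = [
    "-A INPUT -p tcp -s 0.0.0.0/0 --dport 443 -j ACCEPT",
    "-A INPUT -p tcp -s 10.0.0.0/8 --dport 22 -j ACCEPT",        # SSH only from corporate range
    "-A INPUT -s 10.0.0.0/8 -j ACCEPT",
    "-A INPUT -j DROP",
]

if __name__ == "__main__":
    for gap in policy_gaps(SAMPLE_SG, SAMPLE_IPTABLES):
        print("cloud allows but on-prem does not:", gap)
```

With the sample data the only gap reported is SSH from 0.0.0.0/0, which the on-premises policy restricts to 10.0.0.0/8.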
Furthermore, in the near future, as legacy vendors adapt their offerings to cloud parameters (per-bandwidth billing, per-hour billing), an additional option will emerge: one that allows an organization to cost-effectively manage a fleet of legacy vendor devices both in the cloud and in the on-premises data center.
On a separate but related topic, my colleague and the CTO of AlgoSec, Professor Avishai Wool, is presenting a technical webinar on Amazon Web Services (AWS) Fundamentals: the dos and don’ts, on Tuesday, February 24 at 12 pm ET. He’ll cover some best practices for AWS including:
You can sign up here.