Hannah Swanson, Product Manager, Apcela
Cloud computing is transforming how we work, live and play. There is no debate. But it is disrupting so much more. As we embark on National Cybersecurity Awareness Month, we felt it was appropriate to take a longer look at how digital enterprise transformation has disrupted the network security model we have known for the past 20 years.
The traditional hub and spoke architecture of the last few decades is too inefficient to support modern applications such as Office 365, Workday, and ServiceNow. Organizations with remote offices and mobile workers need the flexibility of secure Internet breakout at the branch.
Consequently, many organizations have deployed or are considering deployment of Software Defined Wide Area Networks (SD-WAN). Security must be a key consideration of any networking architecture. Companies have several options for deploying security, all of which have trade-offs in terms of cost, performance, ease of management, maturity of the technology, and the ability to position the company for future needs.
Let’s take a quick look at the Pros and Cons of each:
Centralized Security in the Data Center
PROS: Easy to Manage
CONS: No longer a recommended WAN architecture in the face of modern cloud-based applications.
Because security is centralized and all company policies are maintained in one place, this approach is easy to manage. The primary downside is that it can result in poor network performance when traffic is brought to the central data center from all remote locations. When the data packets are screened through security tools such as firewall and DLP, the packets go out to the internet or cloud applications, and return traffic takes the reverse path and screenings.
This infrastructure approach pre-dates SD-WAN, and in fact, many enterprises adopt SD-WAN specifically to escape the need to backhaul data to a centralized data center and security model.
Security at the Edge
PROS: Reduces latency and improves application performance
CONS: Expensive and difficult to scale
In legacy implementations, security is heavily distributed by deploying physical firewalls at the network boundary of each branch location. This allows these locations to exchange secure Internet traffic at the edge without backhauling it to a centralized data center. This approach reduces traffic latency and improves application performance by allowing security screening where the data and application traffic is generated. However, the process of replicating the security appliances – firewall, IDS/IPS, DLP, etc. – at each edge location is costly and hard to manage. Moreover, it could introduce security risks and vulnerabilities due to inconsistent security configurations.
PROS: Ease of management, easy to install
CONS: Limited security capabilities
This is a modern approach to security where little to no security infrastructure is deployed on-premises. Internet traffic is routed through a cloud-based security perimeter placed between an organization’s edge locations and the Internet destination such as SaaS application or AWS platform. Examples of cloud security providers are ZScaler and Netskope. One of the main benefits of this approach is its ease of management, considering there is no equipment to install or maintain. The organization would simply route its traffic to/through the cloud-based security service. The downside is that this approach adds latency and lowers performance when all traffic is sent to the cloud for inspection and application of policies. Moreover, some of the cloud-based security services have limited capabilities in what they can do with the traffic. For example, a service might not be able to inspect traffic that has been encrypted prior to leaving the organization.
Software-defined Edge Security
PROS: Reduced hardware costs, centralized policy management
CONS: Immature technology not ready for primetime
This is a modernized version of traditional edge security, and it’s essentially the interoperability of SD-WAN and security platforms. In modern architectures utilizing SD-WAN, security functions can be delivered at the edge as software (i.e. virtual networks functions, or VNFs) rather than hardware. What’s more, the virtual security services can be linked together through service chaining in order to support multiple layers of security. Thus, security services can be distributed at the edges of the network without the need for costly hardware appliances, and with centralized policy management either from the organization’s data center or from a managed services provider. This improves security consistency and integrity from all branch locations and provides a good balance between high performance and ease of management.
The drawback of deploying security in this model is that VNF technology is still maturing, and there is limited interoperability of security services that enterprises need to work together, with the notable exceptions of Palo Alto and Fortinet security platforms.
PROS: Fully distributed enterprise security, scalability, reduced hardware investments
CONS: Not for those unwilling to adapt
This approach is achieved by deploying security parameters and firewalls at regional communication hubs, which consist of networking equipment deployed in carrier-neutral colocation data centers dispersed around the world. These data centers are interconnected with high capacity, low latency circuits to create a high-performance core network. At the edge of this network, an enterprise can connect its own core data, as well as its branch offices, remote, and mobile users, using its existing carrier services.
Each of these communication hubs gets a security stack as needed by the enterprise; for example, firewall, security border control, email gateway, web gateway, DLP, SIEM, and so on. It can be a deep suite of security similar to what the enterprise would have in its corporate data center. With security now fully distributed close to the enterprise locations and the egress points to the Internet and cloud, there is no longer a need to backhaul traffic to the corporate data center to pass through the enterprise security stack; those same capabilities are now in each communication hub.
Across the Board Change
The digital transformation to the cloud presents tremendous opportunities to deploy new security technologies that bolster defenses, reduce hardware costs and maximize application performance.
In our everyday life, you no longer see “The Club” used as a security solution for today’s automobiles armed with complex security systems. As products and services become more complex, the old way of doing things need to be re-evaluated. For that same reason, the archaic network security approach focused on labor-, hardware- and cost-intensive walled data centers is no longer viable today.
Moving to the cloud requires full-scale changes to all aspects of your enterprise in order to maximize performance and cost advantages. During this month of October, ask yourself if your security infrastructure is propelling your move to the cloud or keeping you grounded.