How does a CloudHub or an AppHub deployment affect your security strategy? To step into the future, we must first take a step back and think about how security was enforced over the last few decades.
Centralized Security Infrastructure
Networks as a whole used to be based on a centralized infrastructure where all resources were hosted in a single or regional data center. That data center would act as the access point to the internet and subsequently to cloud resources or internet-hosted resources. Security has generally been deployed locally at that data center. You have a DMZ or a security perimeter sitting at that data center, and all of your users have to come through it to go out to the internet and reach these cloud applications.
Distributed Security Infrastructure
The more recent alternative is a very different type of security architecture which is highly distributed. We commonly see this with retail companies that have a lot of different locations — smaller locations — that need to access the internet locally, so they need a security environment locally. Now you have firewalls or security perimeters deployed at hundreds, if not thousands, of these small locations.
Centralized vs. Distributed Security
Each has its benefits and its drawbacks, which we’ve illustrated below:
|Ease of Access||✓|
Generally, a centralized infrastructure is not very good for performance. It adds latency and creates performance issues, especially when traffic has to go through a single security perimeter to go out to the internet.
A highly distributed security infrastructure causes issues like a security policy mismatch between different locations. Managing those security environments can become a nightmare. Things like hardware refreshes become troublesome as well because now you have firewalls sitting at a thousand different locations that you have to maintain. They require a lot of resources and a lot of attention.
The More Balanced Approach
AppHubs, also referred to as CloudHubs, provide an approach that’s balanced more toward the middle. It regionalizes the security policies and distributes them across the CloudHubs. That makes every single one of the CloudHubs or AppHubs an internet egress point, but also a security perimeter or DMZ of its own. Within every region, all of the users can reach that AppHub or CloudHub, go out to the internet in that region, and go through that specific security environment, as opposed to going out to a centralized infrastructure.
Now you’ve brought the security perimeter a lot closer to the end user. You’ve brought the applications closer to the end user by making them accessible through that specific region, without overcomplicating your security environment by deploying it at every single one of these locations. You are simultaneously improving performance and productivity without diminishing security.