
How cloud network security differs from legacy security in a data center

Pictured: Visitors attend the CeBIT 2017 technology fair on March 20, 2017 in Hannover, Germany. Today’s columnist, Rod Stuhlmuller of Aviatrix, explains how cloud security differs from legacy on-premises security. (Photo by Alexander Koerner/Getty Images)

Legacy network security designs leveraged data center and campus network architectures that had few well-known traffic entry and exit points through which traffic had to flow. These entry and exit points were ideal places to inspect traffic with firewalls, IDS/IPS appliances, and other traffic filtering technologies. As a result, the last decades of network security design have been based on this architecture.

Cloud network architecture has changed this paradigm. Entry to and exit from the public Internet are no longer forced through a few well-known points that would otherwise serve as natural places to inspect traffic. While many security teams would like to impose policies that force all cloud traffic flows through well-known inspection points, this is simply data center architectural thinking, and it conflicts with the agility goals that drove companies to adopt cloud migration strategies in the first place. Fortunately, there is a solution: integrate network security into the cloud network and distribute it across the entire network, not just at well-known inspection points.

Integrating security into the cloud network: what?

The design of network security in the data center era arose because security was not built into network equipment. Network devices such as hubs, switches, and routers lacked the additional processing capacity required to perform packet inspection and filtering while still providing high-performance switching and routing. Thus a market for specialized network security devices, such as firewalls, emerged, and these were integrated into the network at designated inspection points.

In the cloud, the network is not built on hardware with finite computing capacity but on software, which runs on the nearly unlimited computing capacity provided by cloud service providers (CSPs). Now the network software platform that provides packet switching and routing can also perform high-performance encryption, packet inspection, threat detection, firewalling, and machine-learning anomaly detection simultaneously, within the network itself. However, not all cloud networks are the same, and not all have this capability built in.

Secure cloud network

There is an emerging market for secure cloud networks; Gartner's Market Guide calls the category Multi-Cloud Networking Software. Security architects and their network counterparts should explore the core solutions, because this is where vendors will integrate security into the cloud network. Understand, however, that many vendors call their solutions "multi-cloud networking" when they only "connect" to multiple clouds, stop at the edge of each cloud, and hand network traffic off to cloud-native constructs that offer no built-in network security.

Security in depth

Secure cloud networking integrates security into the network and complements existing investments such as firewalls and other single-point inspection devices. Think of a secure cloud network as the network data plane within and between an enterprise's public clouds. It sees all traffic flows on the network, regardless of how a flow entered the network. Companies that have deployed secure cloud networks have often found crypto mining, Tor servers, and connections to malicious actors who were using the company's cloud workloads as sources of DDoS attacks, none of which had been detected by the existing security infrastructure. It is different in the cloud, and security teams need to plan accordingly.
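The following is an added illustration of the point made above and in the paragraph on cloud architecture (it is not code from the column or from any vendor). It models a constructed VPC in which only one subnet's default route passes through a hub firewall, then compares what a perimeter-only inspection point can flag with what a detector that sees every flow in the data plane can flag. All addresses, subnets, thresholds and flow records are constructed sample data.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dst_port: int
    proto: str
    bytes_out: int

VPC = ip_network("10.0.0.0/16")                  # constructed address space
# Constructed route design: only this subnet's default route goes via the hub firewall.
HUB_ROUTED_SUBNETS = [ip_network("10.0.1.0/24")]
# Simple hygiene rules for the sample; the port meanings are well-known defaults.
SUSPICIOUS_PORTS = {3333: "stratum mining-pool port", 9001: "Tor relay (OR) port"}
DDOS_BYTES = 50_000_000  # arbitrary per-flow egress volume threshold for this sample

def perimeter_visible(flow: Flow) -> bool:
    """A hub firewall sees a flow only if it is north-south AND the source subnet routes via the hub."""
    src, dst = ip_address(flow.src), ip_address(flow.dst)
    north_south = dst not in VPC
    return north_south and any(src in net for net in HUB_ROUTED_SUBNETS)

def flag(flow: Flow) -> Optional[str]:
    """Return a reason string if the flow matches a hygiene rule, else None."""
    if flow.dst_port in SUSPICIOUS_PORTS:
        return SUSPICIOUS_PORTS[flow.dst_port]
    if ip_address(flow.dst) not in VPC and flow.bytes_out >= DDOS_BYTES:
        return "high-volume egress (possible DDoS source)"
    return None

def findings(flows: List[Flow], perimeter_only: bool) -> List[Tuple[Flow, str]]:
    """Run the rules over every flow the chosen vantage point can actually see."""
    out = []
    for f in flows:
        if perimeter_only and not perimeter_visible(f):
            continue  # the hub appliance never saw this flow
        reason = flag(f)
        if reason:
            out.append((f, reason))
    return out

SAMPLE_FLOWS = [  # constructed records in the shape of cloud flow logs
    Flow("10.0.1.10", "93.184.216.34", 443, "tcp", 12_000),       # hub-routed, benign
    Flow("10.0.1.13", "198.51.100.8", 3333, "tcp", 2_000),        # hub-routed, mining: perimeter catches it
    Flow("10.0.2.20", "198.51.100.7", 3333, "tcp", 900_000),      # direct egress subnet, mining
    Flow("10.0.2.21", "203.0.113.9", 9001, "tcp", 40_000),        # direct egress subnet, Tor
    Flow("10.0.2.22", "192.0.2.50", 53, "udp", 80_000_000),       # direct egress subnet, DDoS volume
    Flow("10.0.1.12", "10.0.2.40", 3333, "tcp", 5_000),           # east-west, never reaches the hub
]

if __name__ == "__main__":
    print("perimeter view:", len(findings(SAMPLE_FLOWS, perimeter_only=True)), "finding(s)")
    print("data-plane view:", len(findings(SAMPLE_FLOWS, perimeter_only=False)), "finding(s)")
```

With these records the hub appliance flags one flow while the data-plane view flags five, including an east-west flow that no north-south inspection point could ever see.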

How will this evolve?

For the past two or three decades, network and network security experts have been configuration experts, tasked with providing connectivity or enforcing complex security policies. They held the knowledge and experience needed to build fragile infrastructure and to fix it when it inevitably broke. We are rapidly approaching a time when networking and network security will be more about computation than configuration. Infrastructure as Code (IaC) will drive complex, multidimensional optimization of a dynamic, fully programmable multicloud network and its network security infrastructure.

DevOps and application teams have been following this path for years, long before the cloud hit the scene. Revision control systems, workflow automation, Git repositories, and CI/CD pipelines all streamlined application delivery, but these powerful capabilities have eluded the teams that engineer networking and network security infrastructure. Today, secure cloud networking has evolved into an all-software, all-programmable infrastructure that applications can optimize programmatically for a dynamic combination of security, cost, and performance.

Where to start?

Do not think of secure cloud networking as similar to data center networking and security. Today it is just software, downloadable from public cloud marketplaces and billed pay-as-you-go through a cloud marketplace account. So find it, download it, launch it, and play with it. Talk to the networking people in the organization and compare it with the cloud-native constructs. Consider a multicloud strategy: is the company prepared? What if the company acquires another business and needs to support a multi-cloud environment next week? It happens all the time, so be prepared for these changes in network security.

Rod Stuhlmuller, Vice President, Client Relations, Aviatrix
