Ensuring Security When You No Longer Own the Network

By Special Guest
August 24, 2015

The popularity, agility and cost benefits of the cloud have enticed many companies – even some large enterprises like Time and Yamaha – to ditch their data centers and move their corporate networks entirely to cloud providers like AWS, Google or Microsoft. And it’s a trend that has strong momentum. IDC predicts that cloud IT infrastructure spending will grow to $32 billion by the end of this year, accounting for 33 percent of all IT infrastructure spending, and reach $52 billion in just four years, when it will be almost half of all spending. 

But as companies of all sizes migrate their infrastructure to the cloud, they face a significant challenge: How to maintain control over their applications when they no longer own the network and ensure complete visibility? 

That lack of control and visibility can result in significant security repercussions when moving the entire corporate network to the cloud. The cloud presents a much greater challenge for ensuring that individuals get access to only the data and apps they need, and that your entire network isn’t left wide open for just anyone to wander the virtual halls.

The Cloud Security Alliance is a great resource, providing comprehensive guidance on how to establish a secure baseline for cloud operations, with details on the current recommended practices and potential pitfalls to avoid. Whether you’re planning to move to the cloud or already have, here are five important things to consider when company’s security posture in the cloud:

  • Shared Responsibility. Your cloud provider may deliver some security, such as firewalls and encryption, through its PaaS or IaaS offering. But having these features does not eliminate the need for your company to apply its own mature practices for identity and access management, application and data security, hardened configuration and other aspects of the IT environment to ensure an even higher level of security.
  • Ill-Equipped Legacy Solutions. Your traditional static security controls, such as signature-based firewalls and intrusion prevention systems, cannot keep pace with the dynamic nature of cloud services, so a one-for-one migration of physical controls into a virtual environment simply won’t work. The cloud is redrawing the network perimeter and blurring the trust models used in conventional on-premise networks, which necessitates a new cloud-centric approach to effectively maintain security and visibility.
  • Data Privacy. You’ll need to have a clear understanding of how and where your cloud provider stores data. In a cloud-based, distributed model, the geographic location of where the data resides, and whether is it commingled with data of other companies, could potentially result in the violation international privacy laws.
  • Service Level Agreements (SLAs). There are a number of facets of today’s security SLAs that could be impacted with limited or no visibility into your cloud environment. You’ll need to ensure that the services are available and that incident handling and reporting are managed on a close to real-time basis. You’ll also need to look closely at your contract regarding the limitations of liability and the operational and monetary risks you assume in the event of a breach. And you’ll want to make sure you are able to maintain compliance relevant to your specific industry, whether through direct assertion or as part of an assertion of compliant cloud services, such as database- or storage-as-a-service.
  • Training. A migration to the cloud introduces new operational requirements. IT staff who are familiar with on-premise operations may not have the expertise to manage and secure the cloud environment. As a result, you may have to invest in training current employees, consider hiring new employees with that expertise or engage consultants who specialize in the cloud.

Visibility is Cloudy

The key to effectively securing a cloud-based network is to ensure there is complete visibility and understanding of the operating environment in which your applications reside. To gain greater control of cloud resources, many companies are experimenting with overlay software defined networks (SDN), visibility tools and native provider solutions with varying degrees of success.

Companies testing the SDN waters have discovered a number of challenges in deploying these types of overlay networks. Perhaps the biggest roadblock is the complexity and additional time and effort to set them up and to keep them running efficiently. Virtual networks are being designed to be just as elastic as compute resources. But physical networks do not scale as rapidly and certainly not with the type of agility of virtual networks. Care must be taken to ensure the risk of the SDN operating within an oversubscribed physical underlay network does not result in failures and service outages.

Companies are also using tools and incorporating technologies such as netflow, virtual taps and agent-based solutions to improve visibility into the cloud infrastructure. But, similar to SDNs, visibility tools often require you to maintain additional systems (and possibly infrastructure). Many are limited in scope, focusing typically on only a subset of data points for the required overall visibility. Additionally, these tools are not necessarily compatible with hosting and virtualization environments. As a result, you’ll need multiple tools to achieve the proper amount of visibility into a single cloud environment, and have to figure out how to correlate all the disparate information to achieve the full visibility you need. If your company operates a hybrid cloud or multicloud environment, correlating across all environments and with a variety of different tools becomes an even greater undertaking.

Companies also may rely on native tools offered by their cloud providers. But these tools are often not robust enough, missing key elements, such as detailed logging, granular access control and interoperability, to support the entire technology stack. Often, these tools are designed only for use in that particular cloud provider environment, so what works in AWS, may not work in Microsoft Azure or Google Cloud Platform. These limitations can quickly lock you into a single vendor, making it difficult to operate ubiquitously across any cloud provider, should you want to do so in the future.

Simply put, these solutions don’t fully deliver. They can add cost, complexity and additional layers of management at a time when you’re trying to avoid that with a move to the cloud, and they rarely offer the robust functionality you need to maintain complete visibility and security.

Ubiquitous Visibility Across the Clouds

An alternative to the solutions mentioned above is to take security capabilities such as authentication, access control, multifactor authentication, transport encryption and application security that are traditionally used in the data center and cloud-enable them. By providing these capabilities as-a-service, you can easily open the window to see more clearly into your distributed deployments, whether in a single cloud, hybrid cloud or multicloud environment.

Referred to as secure application delivery-as-a-service, this approach goes far beyond the capabilities of a traditional application delivery controller or load balancer in the data center. Instead it absorbs security capabilities such as access control, multifactor authentication, transport encryption, and application security that are traditionally used within your data center and delivers them across cloud environments.

Running secure application delivery outside of your cloud environment allows you to create an effective “air gap” between your applications and infrastructure, and the resources of others hosted by your cloud provider. This approach prevents unauthorized users from gaining access to data and applications for which they do not have permission. Because it shifts the risk away from your critical resources onto an abstracted platform, you can now focus on utilizing real-time insight into application and threat metrics to ensure that the security posture of your applications remains consistent. No longer will you have to spend multiple cycles trying to uncover potential problems and address them quickly. What’s more, this type of service empowers Internet-scale visibility by delivering detailed audit, control, reporting and management of access successes and failures. 

By taking this approach, you can have out-of-the-box protection for every new application you deploy in the cloud, regardless of the cloud provider, enabling you to reduce implementation timelines and support continuous delivery models for faster innovation and deployment. Secure application delivery also is more cost effective than deploying multiple solutions individually throughout your cloud infrastructure since it integrates a variety of security management and control into a single solution.

As companies see the increasing benefits of moving to the cloud, it makes sense they also employ the cloud to provide the security and visibility needed to manage their distributed environments in this new network paradigm. Secure application delivery-as-a-service provides a valuable, comprehensive and cost-effective approach when compared to SDNs and other proprietary and limited tools that require you to invest in more infrastructure and employees to manage them. It can ensure your network is secure, even when it is no longer under your control in your own physical data center.

About the Author

Mark Carrizosa is VP, Security at Soha Systems, a secure application delivery-as-a-service for enterprises and SaaS providers. Carrizosa joined Soha Systems in 2015 from Walmart where, as principal security architect, he developed and implemented the company’s global e-commerce security architecture framework.

Edited by Ken Briodagh
Related Articles

Soracom Names Eugene Kawamoto CEO for Americas

By: Ken Briodagh    2/8/2018

Experienced Cloud Services Leader to Drive Growth at IoT-Connectivity-as-a-Service Provider

Read More

How Will IoT and Edge Computing Change Business in 2018?

By: Special Guest    1/19/2018

As business leaders and IT decision-makers continue to make digital transformation a top priority in 2018, the Internet of Things (IoT) will become on…

Read More

IoT Time Podcast S.3 Ep.3 GE Digital Twin

By: Ken Briodagh    1/17/2018

In this episode of IoT Time Podcast, Ken Briodagh sits down with Colin Parris, VP, Software Research, Global Research Center, GE, to talk about the Di…

Read More

2018 for the Internet of Everywhere: IoT-Enabled World & the Edge of the Internet

By: Special Guest    1/3/2018

The Internet of Everywhere, the always-on, always-connected ecosphere, extends to everything and everyone, transcending any regional, national or inte…

Read More

SolidRun Supports Google Cloud IoT Core Public Beta for the Enterprise

By: Ken Briodagh    1/3/2018

SolidRun collaborates with Google Cloud to help businesses unlock global device networks with the new MACCHIATObin ClearCloud 8K.

Read More