
Cloud

10/10/2019
10:00 AM
John Grady
Commentary

Network Security Must Transition into the Cloud Era

An integrated approach is the best way to provide organizations with the tools they need to decrease the attack surface and use strong security controls.

Cloud and mobility have been driving transformative changes in the way we work for nearly a decade and continue to rank among the top macro trends affecting the IT landscape today. In fact, many organizations have begun to build their entire business strategy around cloud capabilities. Enterprise Strategy Group research found that 39% of organizations now follow a "cloud-first" strategy when deploying new applications, up from 29% just a year ago.

By its nature, cloud computing puts distance between users and resources, creating a strain on legacy network capabilities. This is especially true of a traditional hub-and-spoke networking model that incorporates siloed security technologies. This type of approach introduces three key issues:

1. Degradation of performance and user experience: When traffic destined for cloud applications is first routed back to the campus and through the on-premises security stack, quality of service is negatively affected.

2. Limited visibility: Security tools can't control what they can't see, and without a full understanding of applications, users, devices, data, and other context, proper enforcement cannot occur.

3. Inconsistent policies: Appliance sprawl and disparate management consoles have left many organizations with a siloed rather than unified approach to security, which can limit both efficiency and efficacy.

The traditional approach is now changing as network technology becomes more dynamic and intelligently manages traffic based on users, applications, connections, and locations. The growing adoption of SD-WAN to improve network efficiency and management, especially relative to remote office/branch office (ROBO) locations, is a good example of this.

As the network evolves, security controls and how they integrate into the new architecture (including SD-WAN) must also be reevaluated. Security solutions must plug seamlessly into network technologies and shift control points to the edge, with centralized management and distributed enforcement. Specifically, ESG sees security tools delivered via a cloud-native, microservices-based platform converging into an extensible architecture called elastic cloud gateways (ECGs). ECGs are multichannel, multimode, cloud-delivered security services built on a globally distributed platform; they provide end-user access, threat prevention, and content inspection at the network edge.

Because the architecture is extensible, the technologies that make up the multichannel aspect of ECGs can vary. However, to address the SD-WAN-enabled, direct-to-internet ROBO use case, there are some logical components. These include secure web gateway (SWG), cloud access security broker (CASB), data loss prevention (DLP), and firewall functionality. Additionally, with the amount of encrypted web traffic growing by the day, SSL decryption for full visibility is important now and will quickly become a prerequisite.

Other technologies may include DNS protection and advanced threat prevention capabilities or a software-defined perimeter (SDP) for zero-trust capabilities. The integration with SD-WAN technologies enables intelligent enforcement of policy based on who the users are, what devices they're on, and what part of the network they're connecting through. It also facilitates improved coordination between security and non-security stakeholders to drive consistent policies based on business needs. Depending on the context, either part or the entirety of the ECG stack may be utilized for traffic inspection. Regardless of the specific list of technologies, by integrating multiple capabilities into a single solution, management is simplified, policy becomes more consistent, and with fewer gaps in the security posture, efficacy is improved.

Integrating SWG, CASB, DLP, firewall, and other capabilities is difficult to do at scale in an on-premises deployment. In fact, this has been one of the main drawbacks to the traditional model of using unified threat management (UTM) devices at the branch. The static nature of on-premises solutions becomes a larger problem as the number of security services increases, especially compute-intensive ones such as SSL decryption.

However, the cloud-native architecture of ECGs provides elasticity through microservices, which automatically scale up or down based on demand. This can enable traffic inspection for content control (i.e., DLP), threat prevention, and SSL decryption to occur without degrading the user experience or overprovisioning capacity. Furthermore, the cloud-native aspect of ECGs better aligns security to the cloud from a consumption perspective — not only relative to the shift from capex to opex but also by utilizing metering based on a combination of users, traffic volume, applications protected, or security services so that organizations are only charged for the resources they use while protection dynamically scales up or down based on the current need.

Finally, the multimode aspect of elastic cloud gateways builds upon CASB capabilities and is important for full control and visibility over both sanctioned and unsanctioned cloud applications. ECGs can be deployed inline as a forward or reverse proxy for better threat protection and user experience. Alternatively, ECGs can utilize an out-of-band deployment through cloud application API integrations that provide ease of use and retrospective analysis and policy enforcement for sanctioned applications. This flexibility enables organizations to meet their specific needs and priorities, be it real-time enforcement or maintaining quality of service.

Over time, ECG capabilities and SD-WAN functionality will likely collapse even further. Some vendors with stronger networking backgrounds (Cisco, for example) or that have shown themselves to be on the early side of the innovation curve (such as Palo Alto Networks) may be quicker to move down a consolidated network and security path. However, there will be a multiyear period in which networking and security technology partners integrate these solutions as a core route to market.

These innovations represent an important step in advancing network security into the cloud era. The foundation has been laid through the initial shift to cloud security services. However, a true cloud-native architecture is the only way to fully scale an ECG architecture, and an integrated approach is the best way to provide organizations with the tools they need to decrease the attack surface and use strong security controls while enabling user productivity.


John Grady is an Analyst covering network security at Enterprise Strategy Group. He leverages more than 15 years of analyst and cybersecurity vendor experience to help clients identify and quantify key market trends to facilitate data-driven business decisions. He previously ...