Wednesday, January 4, 2017

Network Security in the Cloud Age: Everything Changes

We’ve spent a lot of time discussing the disruptive impact of cloud and mobility on pretty much everything. If you need a reminder, check out the Inflection paper, which lays out how we (correctly) viewed these tectonic shifts in the computing landscape. Rich is currently updating that research, so you can also check out the first post in that series, Tidal Forces, where he discusses the trends that promise to upend everything we know about security.

To quickly summarize, cloud computing and mobility disrupt the status quo by abstracting and automating huge portions of the technology infrastructure, basically replacing the corporate data center. You no longer stroll down to the wiring closet to troubleshoot a network problem, because your employees are distributed throughout the world, using all sorts of devices to access your critical data. Your data center basically no longer exists because it’s been moved to some monstrous Infrastructure as a Service (IaaS) provider that offers far better economies and far faster service than your IT group ever could. The physical layer is totally abstracted, and you interact with your network (and the rest of your technology stack) through a web console or, more likely, an API.

Development and Operations organizations are now collaborating, which means that as soon as a developer makes a change, it can be deployed instantly (after some automated testing) to the production environment. This continuous deployment model may require changes to the network and can certainly introduce security issues. Yet there is no longer a point at which someone scrutinizes each change or ensures that all of the governance and security policies remain in place.

To further complicate things, you no longer run many applications on infrastructure you control. If you haven’t heard, Software as a Service (SaaS) is a thing (we call it the new “back office”), and you don’t get to tell the SaaS provider what the network should look like. You connect to their service over the Internet, and that’s that. You no longer know where your data is, nor do you have the ability to monitor the traffic flows to detect misuse.

To be a bit more specific about the impact on networking in the cloud age, let’s highlight the main effects:

  1. Your data is everywhere (and nowhere): Whether it’s an application you’ve built (running in an IaaS environment) or an application you buy (provided by a SaaS player), the common thread is that you have no idea where your data is and have limited means to protect it within the network.
  2. Lack of visibility: You can’t drop a tap into an IaaS or SaaS environment, so you don’t have visibility into what’s happening on your network. Some cloud providers are increasingly offering access to greater levels of network telemetry, but getting at the actual packets tends to break the agility and elasticity of the cloud.
  3. Bottlenecks don’t make sense: One way to get around the lack of visibility is to route all traffic through an inspection point and enforce your security policies there. Unfortunately most cloud-native architectures don’t support that approach, given the inherent isolation between computing tiers and an increasingly serverless approach. The last thing you want to do is make the cloud look like your existing environment, so traditional chokepoints won’t survive the disruption.
  4. App-specific infrastructure: Finally, you don’t have just one network to worry about. You may have hundreds, since every IaaS stack is a different network, and every SaaS service you buy is a different network too. There is no consistency, and there really shouldn’t be, since you want to build the appropriate network for each application rather than force-fit a sub-optimal network because it’s the lowest common denominator.
  5. Velocity of change is unprecedented: With continuous deployment, changes to the network need to happen in lockstep with the application and operational changes. That means the work queue your network and security ops folks grind through goes the way of the dodo. There just isn’t time for the traditional way of managing and securing the network, and your existing staff cannot keep pace in this kind of environment.

So basically the Tidal Forces of the cloud are upending almost everything you know about security. And those that can’t get their arms around this and try to apply the old models will fail.

Focusing on the Right Things

Before you reach for the hemlock, let’s take a step back and remember what we (as network security professionals) need to do:

  1. Connectivity: The network needs to provide access to resources (applications or data) from wherever in the world they reside, whenever access is needed, on whatever device the user happens to be using. Within policy constraints, of course, but IT can no longer dictate access.
  2. Availability: The network needs to be reliable and survivable to ensure the application’s uptime requirements are met. It’s a bad day when business stops because of a network problem, and a worse day when it’s a security issue taking the network down.
  3. Performance: There are lots of potential points that can slow down an application. But the expectation is that the network is not one of them, especially during peak usage. In the old days you had to build for those peak times, and you got no credit for the other 99% of the time, when all of that network infrastructure sat mostly idle.
  4. Security: Last but not least, you had better not have any kind of security issue that originates from the network. In fact, the expectation is that you can detect attacks using the network. So you need to make sure the network is secure (and not the reason for a successful attack).

In each of these critical imperatives, the cloud actually improves things. But not if you think you’ll do the same old, same old, running all of your traffic through a small set of ingress and egress points to ensure you can inspect the traffic through your security devices.

In terms of focusing on the right things: if you can provide connectivity, availability, performance and security within the tolerances the applications require, does it matter what the network architecture looks like? We’re sure some purists would say yes, but there were similar purists hanging onto the SNA protocol for years. They couldn’t make the necessary changes and went the way of the dinosaurs. So success moving forward is really about making sure you can provide the services your organization needs, while keeping pace with the velocity of change in the cloud age.

Everything changes. Including network security. So let’s map out what that means to you and your network security controls.

Network Security in the Cloud Age

Given the critical imperatives defined above, we need to rethink how we do network security. The old stuff just doesn’t work, and we can’t afford to compromise on the power of the cloud just to salvage our traditional security models. So let’s set some design goals for this newfangled cloud-based network:

  • Secure Network Everywhere: Traditionally, when you wanted to enforce security controls, you would backhaul traffic behind your corporate perimeter and inspect it using the same equipment (and policies) in use on your internal network. That doesn’t scale. So let’s flip the perspective: instead of moving the traffic to the security controls, extend the secure network controls out to the location, user or device.
  • Infinite Perimeters: You can’t dictate the devices, the locations or the access paths, so you need to think about how to build a perimeter around each device. Basically the device is the network, which means you need to securely interconnect all of those networks. In traditional networks you would set up tunnels between each location/network, but a full mesh of N endpoints needs N*(N-1)/2 tunnels, and N could be millions. The network architecture needs to evolve to protect every device where it is, doing whatever it is doing, by providing a _secure mesh_ between all of these devices.
  • Elasticity: The demand for bandwidth is insatiable, so you need a secure network design that can scale with your requirements. Yet building for peak usage isn’t efficient, so you’ll want to be able to contract when you don’t need as many pipes. Basically you want only as much network as you need at that moment in time, especially since you pay based on usage.
  • Policy Driven: You have different security requirements for the ingress and egress networks. Ingress provides access to computing resources and therefore must focus on protecting the data. Egress protects users in how they access resources outside of the organization. These different policies must be supported on whatever the network looks like, and the policies need to be able to change at the speed of continuous deployment. Which means that…
  • Automation Wins: Things change in an instant in cloud-land. Given there is no time for a human to make changes, your environment must be automated. But you have to trust the automation, which means every change is checked against policy before it is applied and can be rolled back when necessary. That means you’ll need to program your networks, like you program everything else. Yes, that means software-defined networks will happen. We’ll dig into this extensively later in the series.
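The Policy Driven and Automation Wins goals together amount to policy-as-code: the ingress and egress policies are data, every proposed rule change is validated against them before the automation commits it, and a committed change can be undone. The following is an added example of that gate, not code from the original post or from Securosis. The rule shape, the web/app/data tier names, their subnets and the `NetworkState` class are assumptions for illustration, not any cloud provider’s API.

```python
"""Policy-as-code gate for cloud network rules, with rollback.

Added example; not code from the original post. The rule shape, tier names
and subnets are assumptions for illustration, not any provider's API.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    direction: str   # "ingress" or "egress"
    proto: str       # "tcp" or "udp" (anything else is rejected by policy)
    ports: tuple     # (low, high), inclusive
    cidr: str        # remote network the rule allows
    tier: str        # tier the rule is attached to: "web", "app" or "data"


# Assumed subnets: web 10.0.1.0/24, app 10.0.2.0/24, data 10.0.3.0/24.
# Ingress policy says who may reach each tier; egress policy says where each tier may go.
POLICY = {
    ("ingress", "web"):  {"nets": ["0.0.0.0/0"],   "ports": [(443, 443)]},
    ("ingress", "app"):  {"nets": ["10.0.1.0/24"], "ports": [(8080, 8080)]},  # only from web
    ("ingress", "data"): {"nets": ["10.0.2.0/24"], "ports": [(5432, 5432)]},  # only from app
    ("egress",  "web"):  {"nets": ["10.0.2.0/24"], "ports": [(8080, 8080)]},  # web -> app
    ("egress",  "app"):  {"nets": ["10.0.3.0/24"], "ports": [(5432, 5432)]},  # app -> data
    ("egress",  "data"): {"nets": [],              "ports": []},              # data never initiates
}

BASELINE = [  # constructed starting state that satisfies POLICY
    Rule("ingress", "tcp", (443, 443), "0.0.0.0/0", "web"),
    Rule("ingress", "tcp", (8080, 8080), "10.0.1.0/24", "app"),
    Rule("ingress", "tcp", (5432, 5432), "10.0.2.0/24", "data"),
    Rule("egress", "tcp", (8080, 8080), "10.0.2.0/24", "web"),
    Rule("egress", "tcp", (5432, 5432), "10.0.3.0/24", "app"),
]


def _within(cidr, allowed):
    """True if cidr is inside (or equal to) at least one allowed network."""
    net = ipaddress.ip_network(cidr, strict=False)
    return any(net.subnet_of(ipaddress.ip_network(a)) for a in allowed)


def violations(rules):
    """Return [(rule, reason)] for every rule the policy does not permit."""
    out = []
    for r in rules:
        pol = POLICY.get((r.direction, r.tier))
        if pol is None:
            out.append((r, f"no policy for {r.direction}/{r.tier}"))
        elif not _within(r.cidr, pol["nets"]):
            out.append((r, f"{r.cidr} not in allowed networks {pol['nets']}"))
        elif r.proto not in ("tcp", "udp"):
            out.append((r, f"protocol {r.proto!r} not permitted"))
        elif not any(lo <= r.ports[0] and r.ports[1] <= hi for lo, hi in pol["ports"]):
            out.append((r, f"ports {r.ports} outside allowed {pol['ports']}"))
    return out


class NetworkState:
    """The rule set as the automation sees it, with a pre-apply gate and undo history."""

    def __init__(self, rules=()):
        self.rules = set(rules)
        self._history = []

    def apply(self, add=(), remove=()):
        """Validate the *resulting* rule set; only a clean result is committed."""
        proposed = (self.rules - set(remove)) | set(add)
        bad = violations(proposed)
        if bad:
            return False, bad  # rejected before anything touches the network
        self._history.append(set(self.rules))
        self.rules = proposed
        return True, []

    def rollback(self):
        """Restore the previous committed rule set; False if there is none."""
        if not self._history:
            return False
        self.rules = self._history.pop()
        return True


if __name__ == "__main__":
    state = NetworkState(BASELINE)
    # A deploy that opens the data tier to the world is stopped at the gate.
    ok, bad = state.apply(add=[Rule("ingress", "tcp", (5432, 5432), "0.0.0.0/0", "data")])
    print("open-data-tier change accepted:", ok, bad[0][1] if bad else "")
    # A change inside policy (a narrower web subnet) goes through, then is undone.
    ok, _ = state.apply(add=[Rule("ingress", "tcp", (8080, 8080), "10.0.1.0/25", "app")])
    print("narrower rule accepted:", ok, "rolled back:", state.rollback())
```

The gate validates the whole resulting rule set rather than just the delta, so a change that removes a rule other rules depend on is caught the same way as one that adds an over-broad rule. Keeping ingress and egress as separate policy entries keyed by tier is what lets the data tier have an empty egress list while still accepting connections from the app subnet.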

Design goals are great, but what does that mean specifically for what you need to build and how can you build it? We’ll dig into the requirements and solution architecture in the next post.

- Mike Rothman