How network security in the cloud differs from legacy security in a data center

Pictured: Visitors attend the CeBIT 2017 technology trade show on March 20, 2017 in Hannover, Germany. Today’s columnist, Rod Stuhlmuller of Aviatrix, explains how security in the cloud differs from legacy on-premises security. (Photo by Alexander Koerner/Getty Images)

Legacy network security designs took advantage of campus and data center network architectures that had a few well-known entry and exit points through which all traffic had to flow. Those points were the natural places to inspect traffic with firewalls, IDS/IPS devices, and other filtering technologies, and the last few decades of network security design have been built on that assumption.

Cloud network architecture has changed this paradigm. Traffic to and from the public Internet is no longer forced through a few known points that would serve as natural checkpoints. Many security teams would like to enforce policies that push every cloud flow through well-known checkpoints, but that is data center architectural thinking, and it conflicts with the agility goals that led companies to migrate to the cloud in the first place. Fortunately, there is a solution: embed network security in the cloud network itself and distribute it throughout, rather than relying only on a handful of inspection points.

What does it mean to integrate security into the cloud network?

The network security design of the data center era arose because security was not built into the network equipment. Hubs, switches, and routers lacked the spare processing power to perform packet inspection and filtering on top of high-performance switching and routing. A market for purpose-built security appliances such as firewalls therefore emerged, and those appliances were installed at designated inspection points in the network.

In the cloud, the network is not built on hardware with fixed processing power; it is software running on the elastic compute capacity of the cloud service providers (CSPs). The same software platform that performs packet switching and routing can therefore also perform encryption, packet inspection, threat detection, firewalling, and machine-learning anomaly detection at high throughput, on the network itself. However, not all cloud networks are created equal, and not all of them have this capability built in.

Secure cloud networks

There is an emerging market for secure cloud networks; the Gartner Market Guide calls the category multi-cloud networking software. Security architects and their network counterparts should explore the leading solutions, because this is where vendors will embed network security in the cloud. Understand, however, that many vendors call their products "multi-cloud networking" when they merely connect to multiple clouds: they stop at the edge of each cloud and hand traffic off to the cloud's native constructs, which offer no integrated network security.

Security in depth

Secure cloud networks build network security into the network itself and complement existing investments such as firewalls and other single-point inspection devices. Think of a secure cloud network as the network data plane within and between the enterprise's public clouds: it sees every flow on the network, regardless of how the flow arrived. Companies that have deployed secure cloud networks have frequently found cryptomining, Tor relays, connections to known bad actors, and their own cloud workloads being used as sources of DDoS attacks, none of which the existing security infrastructure had detected. The cloud is different, and security teams need to design accordingly.
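The kinds of findings described above surface only when something watches every accepted flow, including east-west and egress traffic that never crossed a perimeter firewall. As an added illustration (this is not Aviatrix's code or any product's detection logic), the Python script below triages constructed flow records in the field order of AWS VPC Flow Logs and flags three of the patterns mentioned: egress to a Tor relay, connections to cryptomining pool ports, and a workload spraying tiny TCP flows at many external targets. The addresses are RFC 5737 documentation ranges, and the Tor relay set, the mining pool ports, and the fan-out threshold are hypothetical placeholders for a real threat-intelligence feed and tuned thresholds.

```python
"""Flow-log triage for egress that choke-point inspection never saw.

Added example, not Aviatrix's code. SAMPLE_LOG is constructed in the field
order of AWS VPC Flow Logs (version 2 default format) using RFC 5737
documentation addresses. TOR_RELAYS and MINING_POOL_PORTS are hypothetical
placeholders for a real threat-intelligence feed.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Default VPC Flow Log v2 field order (14 space-separated fields).
FIELDS = ("version", "account", "interface", "srcaddr", "dstaddr", "srcport",
          "dstport", "protocol", "packets", "bytes", "start", "end",
          "action", "status")

PRIVATE = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
           ip_network("192.168.0.0/16")]

# Hypothetical indicators (assumption: a real deployment feeds these from threat intel).
TOR_RELAYS = {"198.51.100.7"}
MINING_POOL_PORTS = {3333, 4444, 14444}   # Stratum ports commonly used by pools
TCP = "6"
FANOUT_THRESHOLD = 3   # distinct external targets hit with tiny flows (toy value)

SAMPLE_LOG = [  # constructed sample records; timestamps are arbitrary
    "2 123456789012 eni-0a1 10.0.1.5 198.51.100.7 51000 9001 6 40 6200 1700000000 1700000060 ACCEPT OK",
    "2 123456789012 eni-0a2 10.0.1.9 203.0.113.20 52000 3333 6 900 130000 1700000000 1700000060 ACCEPT OK",
    "2 123456789012 eni-0a3 10.0.1.12 203.0.113.31 40001 80 6 1 60 1700000000 1700000060 ACCEPT OK",
    "2 123456789012 eni-0a3 10.0.1.12 203.0.113.32 40002 80 6 1 60 1700000000 1700000060 ACCEPT OK",
    "2 123456789012 eni-0a3 10.0.1.12 203.0.113.33 40003 80 6 1 60 1700000000 1700000060 ACCEPT OK",
    "2 123456789012 eni-0a1 10.0.1.5 10.0.2.8 33000 443 6 20 4000 1700000000 1700000060 ACCEPT OK",
    "2 123456789012 eni-0a4 10.0.1.20 203.0.113.50 44000 3333 6 5 400 1700000000 1700000060 REJECT OK",
]


def parse(line):
    """Split one flow record into a dict; numeric fields become ints."""
    rec = dict(zip(FIELDS, line.split()))
    for key in ("srcport", "dstport", "packets", "bytes"):
        rec[key] = int(rec[key])
    return rec


def is_private(addr):
    """True for RFC 1918 addresses, i.e. our own workloads."""
    return any(ip_address(addr) in net for net in PRIVATE)


def triage(lines):
    """Return (finding, source address, detail) tuples for suspicious egress."""
    findings = []
    fanout = defaultdict(set)   # source -> external targets reached with tiny TCP flows
    for line in lines:
        r = parse(line)
        # Only accepted flows that a private workload initiated toward the Internet.
        if r["action"] != "ACCEPT" or not is_private(r["srcaddr"]) or is_private(r["dstaddr"]):
            continue
        if r["dstaddr"] in TOR_RELAYS:
            findings.append(("tor-egress", r["srcaddr"], r["dstaddr"]))
        if r["protocol"] == TCP and r["dstport"] in MINING_POOL_PORTS:
            findings.append(("mining-pool", r["srcaddr"], f"{r['dstaddr']}:{r['dstport']}"))
        if r["protocol"] == TCP and r["packets"] <= 2:
            fanout[r["srcaddr"]].add(r["dstaddr"])
    # Many one- or two-packet flows to distinct targets look like an outbound flood.
    for src, targets in fanout.items():
        if len(targets) >= FANOUT_THRESHOLD:
            findings.append(("ddos-source", src, f"{len(targets)} distinct targets"))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(*finding)
```

Note what the filter at the top of the loop throws away: rejected flows (already blocked, so no finding) and internal-to-internal flows (still worth logging, but not egress). Run against the sample, the script reports the Tor egress from 10.0.1.5, the Stratum connection from 10.0.1.9, and 10.0.1.12 as a likely DDoS source; a real deployment would replace the placeholder indicator sets with feed data and tune the fan-out threshold to its baseline.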

How will this evolve?

For the past two or three decades, network and network security experts have been configuration experts, tasked with providing connectivity or enforcing complex security policies. They held the valuable knowledge and experience needed to build that fragile infrastructure and to repair it when it inevitably broke. We are fast approaching a time when networking and network security become more about computing than configuration. Infrastructure as Code (IaC) will drive complex, multi-dimensional optimization of a dynamic, fully programmable, multi-cloud network and the security built into it.

Application and DevOps teams have been on this path for decades, long before the cloud arrived. Revision control, workflow automation, Git repositories, and CI/CD pipelines all streamline application delivery, but these capabilities have largely eluded network infrastructure and network security teams. Today, secure cloud networks have evolved into fully programmable, software-based infrastructure that applications can optimize programmatically for a dynamic mix of security, cost, and performance.
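One concrete way network security teams adopt the CI/CD practices described above is a policy-as-code gate: the pipeline renders the planned network change and a check rejects it before anything is applied. The Python below is an added example, not Aviatrix's code or any product's feature. It reads a constructed plan fragment in the shape of `terraform show -json` output for aws_security_group resources (the resource addresses and CIDRs are hypothetical) and fails the build when an admin port or every port is opened to the Internet, while only warning on unrestricted egress, since that is the common default and is better handled by the flow-level controls discussed earlier.

```python
"""Policy-as-code gate for cloud network rules, meant to run in CI on a plan.

Added example, not Aviatrix's code. PLAN is a constructed fragment in the shape
of `terraform show -json` output for aws_security_group resources; the resource
addresses and CIDRs are hypothetical.
"""
import json

ADMIN_PORTS = {22, 3389}             # SSH and RDP
ANYWHERE = {"0.0.0.0/0", "::/0"}
ALL_PROTOCOLS = "-1"                 # Terraform/AWS encoding for "all protocols"

PLAN = json.dumps({  # constructed plan; two security groups about to be created
    "format_version": "1.2",
    "resource_changes": [
        {"address": "aws_security_group.bastion", "type": "aws_security_group",
         "change": {"actions": ["create"], "after": {
             "ingress": [{"from_port": 22, "to_port": 22, "protocol": "tcp",
                          "cidr_blocks": ["0.0.0.0/0"], "ipv6_cidr_blocks": []}],
             "egress": [{"from_port": 0, "to_port": 0, "protocol": "-1",
                         "cidr_blocks": ["0.0.0.0/0"], "ipv6_cidr_blocks": []}]}}},
        {"address": "aws_security_group.web", "type": "aws_security_group",
         "change": {"actions": ["create"], "after": {
             "ingress": [{"from_port": 443, "to_port": 443, "protocol": "tcp",
                          "cidr_blocks": ["0.0.0.0/0"], "ipv6_cidr_blocks": []}],
             "egress": [{"from_port": 443, "to_port": 443, "protocol": "tcp",
                         "cidr_blocks": ["10.0.0.0/8"], "ipv6_cidr_blocks": []}]}}},
    ],
})


def rule_is_public(rule):
    """True if any CIDR on the rule is the whole IPv4 or IPv6 Internet."""
    cidrs = rule.get("cidr_blocks", []) + rule.get("ipv6_cidr_blocks", [])
    return any(c in ANYWHERE for c in cidrs)


def rule_covers_port(rule, port):
    """True if the rule's port range includes `port` (all-protocol rules cover everything)."""
    if rule.get("protocol") == ALL_PROTOCOLS:
        return True
    return rule.get("from_port", 0) <= port <= rule.get("to_port", 0)


def evaluate(plan):
    """Return (severity, resource address, message) tuples; 'fail' should block the pipeline."""
    findings = []
    for rc in plan.get("resource_changes", []):
        after = rc.get("change", {}).get("after")
        if rc.get("type") != "aws_security_group" or not after:
            continue  # not a security group, or being deleted (after is null)
        for rule in after.get("ingress", []):
            if not rule_is_public(rule):
                continue
            if rule.get("protocol") == ALL_PROTOCOLS:
                findings.append(("fail", rc["address"], "ingress from anywhere on all ports and protocols"))
                continue
            for port in sorted(ADMIN_PORTS):
                if rule_covers_port(rule, port):
                    findings.append(("fail", rc["address"], f"admin port {port} open to the Internet"))
        for rule in after.get("egress", []):
            if rule_is_public(rule) and rule.get("protocol") == ALL_PROTOCOLS:
                findings.append(("warn", rc["address"], "unrestricted egress; workloads can reach any host"))
    return findings


def gate(plan_json):
    """Parse plan JSON and return (passed, findings); passed is False on any 'fail'."""
    findings = evaluate(json.loads(plan_json))
    passed = not any(sev == "fail" for sev, _, _ in findings)
    return passed, findings


if __name__ == "__main__":
    passed, findings = gate(PLAN)
    for sev, address, message in findings:
        print(f"{sev.upper():5} {address}: {message}")
    raise SystemExit(0 if passed else 1)
```

In a pipeline the script would consume `terraform show -json tfplan` on stdin or from a file instead of the embedded PLAN; the non-zero exit on any fail is what stops the apply stage. The web group passes untouched, which is the point: the gate encodes intent (no admin ports from the Internet) rather than a blanket ban on public ingress.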

Where to start?

Don't approach secure cloud networking as if it were data center networking and security. Today everything is software, downloadable from public cloud marketplaces and billed pay-as-you-go through a cloud marketplace account. So find it, download it, fire it up, and experiment with it. Talk to your organization's networking staff and compare it with cloud-native builds. Consider a multi-cloud strategy: is the company ready? What if the business acquires a company next week and suddenly needs to support a multi-cloud environment? It happens all the time, so be prepared for these network security changes.

Rod Stuhlmuller, Vice President, Customer Relations, Aviatrix
