No longer do critical applications or data reside in one or two centralized locations. These assets have sprawled into hybrid cloud, multicloud and SaaS domains. 

On the flip side, the adoption of SD-WAN, colocation facilities and the rise of the remote workforce have greatly expanded the vectors by which your company's digital assets can be accessed. A new security model is required to adapt to the evolving needs of businesses so that they can protect their workforce and intellectual property anywhere and at any time.

The security landscape

"They [attackers] will take advantage of the massively increased threat surface that is created by the ultra-connectivity of users and devices, and the future prevalence of simple, poorly-secured Internet of Things (IoT) devices connected to the network and cloud services." – Marcus Weldon (2016)

Organizations are tasked with securing their greatest asset: data. To accomplish this task, companies must be able to prevent unwanted or malicious traffic from propagating across their infrastructure while ensuring data is not lost, stolen, tampered with or misused in any capacity. Security teams must find leverage points within the network to achieve these objectives. A goal of security architecture is to define boundaries that serve as those leverage points for inspecting traffic and protecting digital assets. However, boundaries are becoming harder to define as sources and destinations of traffic greatly expand.

Remote workers, either at a branch office or on a remote access VPN (RAVPN), represent a source boundary for users and devices. There is, of course, another source of traffic that comes from the Internet, and it is handled by restricting access to a handful of public-facing services. Keeping resources confined and defining the sources, destinations and vectors by which those resources are accessed has been relatively straightforward for most of the 21st century.

As we transition through the decades, traffic patterns are shifting dramatically. Organizations already headed towards a multicloud or hybrid cloud strategy have to deal with a proliferation of destinations, while companies forced to face the challenges of enabling a remote workforce are dealing with an explosion of sources. And Software as a Service (SaaS) applications create a multitude of vectors by which data can be compromised.

With all this in mind, organizations are facing unprecedented security challenges marked by expanding perimeters, the speed at which new services are activated and the difficulty of identifying valid sources of traffic.

Securing everything, everywhere

"Like a prison, it is not enough to have high walls and a barbed wire fence: there must be checkpoints and locks within its walls and constant patrolling of the hallways and conduits. The combined use of endpoint, perimeter, and network-based security will be required for protecting data and applications." – Marcus Weldon (2016)

How do you achieve ubiquitous secure connectivity without jeopardizing application performance or the agility cloud has given your business to deploy new services? Cloud-native security solutions are being developed by vendors to address this very question and are commonly referred to as Secure Access Service Edge (SASE), a term coined by Gartner. But what does cloud-native security mean? And what is SASE?

Cloud-native architecture

Cloud-native architecture defines applications and services that are meant to run natively in the cloud. The "cloud" could be one of the public cloud providers or a private cloud hosted by a company. The bottom line is that this is not a lift-and-shift architecture that uses point products in a DIY service chain. It is a component-based design that gives providers the ability to scale their solution as demand dictates, cleanly integrate and activate new services, and place their services in proximity to their users so as not to degrade network performance.

The list below, while not all-encompassing, provides good indicators of whether a solution meets the main tenets of SASE.

  • Component-based design:
    • Ability to scale access up or down based on network conditions.
    • Native service-chaining to improve performance & simplify operations.
  • Comprehensive security and monitoring:
    • Combines DNS Filtering, Firewall, Web Proxy, TLS Inspection, DLP, etc.
    • Complete visibility into all traffic sources and destinations.
  • Global access for security in a cloud:
    • User and device on-ramp to minimize latency to security services.
    • Low latency connectivity to cloud, SaaS and Internet services.

Consuming a cloud-native SASE service is based on the "as a service" model: the businesses and agencies connecting to a SASE provider only have to meet the connection requirements to begin receiving these services. To put it another way, this is purely an OpEx consumption model, giving businesses the freedom to find best-in-breed service offerings and avoid the vendor lock-in that is common with CapEx consumption models.

Cloud-native SASE architecture

Heavy branch architecture

For years, businesses have been running DIY security stacks at their remote locations. These can include a router or SD-WAN device, a next-generation firewall (NGFW) and additional security services such as content filtering or intrusion prevention systems (IPS). The challenge with the DIY approach is that businesses end up with multiple point products from different vendors that are difficult to integrate into the desired service chain.

The heavy branch architecture looks to ameliorate this pain point by consolidating these services into a single, all-in-one appliance. Advancements in hardware can make this viable for running production workloads. Additionally, vendors in favor of this model either have, or are working on, consolidated management of their products to provide more streamlined operations for running their devices. Indicators of a heavy branch architecture include:

  • Hardware focused design:
    • Purpose-built hardware that must be right-sized for deployment.
    • Supports all security features without degrading throughput performance.
  • Comprehensive security and monitoring:
    • Combines DNS Filtering, Firewall, Web Proxy, TLS Inspection, DLP, etc.
    • Complete visibility into all traffic sources and destinations.
  • Security on the edge device:
    • Security enforcement happens locally at the remote office.
    • Does not utilize Internet bandwidth to take action against traffic.

Heavy branch SASE solutions are more in line with how businesses have been consuming networking and security products for years. This is a CapEx consumption model that requires businesses to purchase hardware and licenses from a vendor and own the lifecycle of the hardware at remote offices. The advantage a heavy branch architecture brings is the ability to perform security actions as close to the source as possible. This eliminates unnecessary bandwidth consumption on Internet circuits when traffic needs to be dropped.

Heavy branch SASE architecture

The secure road ahead

"The flexibility and scalability offered by the distributed cloud will allow the network to rapidly and automatically adapt to threats in order to confuse, redirect, block and contain the attacker before any damage is done. Importantly, localized edge cloud resources will allow security functions to be applied at the network edge, where they can best protect the network and scale most effectively." – Marcus Weldon (2016)

Several years ago, Marcus Weldon painted a vision of what the future of security would look like in 2020 and up to 2025. Gartner gave the industry a term for this vision: SASE. While vendors are just now adopting the term to describe their solutions, it is important to realize that SASE is both a combination of technologies and an approach to implementing holistic security.

The architectures that are emerging are interpretations of the vision and description laid down by technology leaders and analysts. The ultimate goal is to protect your organization's digital assets and the people that make your business a great place to work. While the technology is promising, there is still the challenge of finding which solution and architecture is most appropriate to address your company's security needs, current and future.

It begins by understanding the current state of your security infrastructure, recognizing the attack vectors you have mitigated and those still outstanding or not yet considered, and mapping out how to address identified and unidentified security issues — the latter being the most difficult, since it requires anticipating problems before they become problems. Security models such as Zero Trust are a subset of the SASE architecture that make upstream security prevention viable in today's ever-expanding environment of sources and destinations on business networks.

Attackers only need to be successful once, and organizations need to be 100 percent effective to combat cybercrime. That is why WWT has invested heavily into developing an ecosystem to help companies find their way to the right SASE solution. From our briefings, workshops, on-demand labs and training to our Advanced Technology Center (ATC) capabilities, we are equipped to help you every step along the way.

References

Weldon, M. K. (2016). The future X network: A Bell Labs perspective. Boca Raton, FL: CRC Press.