Mark Casey, Apcela

Network security in the era of hybrid cloud

Hybrid Cloud Network Security

Protecting networks and the data that traverses them might seem to be an impossible task these days. Whether it’s a nation-state-sponsored infiltration that seeks to tamper with industrial systems or a criminal organization planting ransomware for profit, there are fresh horror stories of breaches every day in the media. But not all is lost: a different approach to enterprise network architecture in tandem with cloud-based security services can help increase the effectiveness of existing security practices and technology.

Where security spending is going – besides up

Security functions have historically been deployed in the enterprise datacenter. This was because enterprise IT used to be self-contained; it was separated from the outside world by a barrier of protection called the firewall. The boundaries became permeable as organizations became more connected to the internet. With the growing importance of web-facing applications and the rapid growth of mobile technologies, the last decade has seen those boundaries become ever more porous.

One approach is to spend more money on the problem. Enterprises are forecasted to increase spending on security to $81.7bn this year, an 8.2% increase over 2016, according to IDC’s Worldwide Semiannual Security Spending Guide. Security hardware and software in 2017 are expected to generate $15.2 billion in sales, while the endpoint security software segment will garner $10.2 billion in revenues this year, according to IDC.

And yet in the U.S. alone there were 1,093 data breaches in 2016, a new all-time record, according to a report released by the Identity Theft Resource Center (ITRC), a non-profit consumer organization. The increased spending doesn’t seem to correlate with greater security: researchers have offered estimates suggesting that a significant portion of security spending, sometimes 30% or more, goes to waste, with technology going unused for a variety of reasons, including the inability to integrate it with existing systems and not having enough staff to operate it on an ongoing basis.

Evolving scope and size of threats

Threats continually evolve and seem always to be increasing in scope. A new variant of Petya ransomware infected systems across Europe in June 2017, causing trouble in organizations ranging from the Danish shipping giant AP Moller-Maersk to health care facilities in Pittsburgh, PA in the USA. An attack of a different type, the Mirai botnet attack, used compromised DVRs, IP video cameras and other devices to target Dyn, a provider of domain name system (DNS) services, in October 2016. The distributed denial-of-service (DDoS) attack affected multiple DNS servers and interrupted service to a number of well-known sites, such as Twitter and Amazon.

Attack traffic reaching 300Gbps or more was seen over half a dozen times in 2016, more than enough to overwhelm the DDoS defenses of a single enterprise datacenter. Concentrating more hardware (or software) in an enterprise datacenter therefore won’t solve the security problem.

Re-architecting the enterprise network for security

To handle the scale and scope of attacks to come, more enterprises are starting to look at building a distributed network architecture (see Figure A). In essence, this architecture is characterized by:

  • Aggregation of traffic from the enterprise’s regional branches, partners and suppliers into regional hubs.
  • Placement of those hubs in carrier-neutral datacenters, which offer interconnection points with cloud service providers.
  • Management of the underlying access networks (MPLS, LTE, broadband) as one logical network via SD-WAN technology.

Figure A: Example of a distributed network architecture

There are a number of benefits to shifting ingress and egress traffic to the regional hubs instead of through a datacenter at the company headquarters. Network security is improved by

  • Reducing the distance data moves across the public internet: there are fewer routers, switches and packet-inspection devices that could be misconfigured or compromised.
  • Using direct interconnection with cloud services, which reduces the attack surface available to hackers.

Taking security to the (network) edge

Further enhancements to security can be gained from the distributed network architecture. How? If the enterprise has already interconnected via multi-tenant datacenters, placing compute and storage resources at the ‘edge’ gives an opportunity to extend the security policies and processes used in the enterprise datacenter closer to where users are.

The recent SANS Institute 2017 Data Protection Survey surveyed InfoSec professionals, who identified encryption of data at rest and in transit, access controls, and firewall and Unified Threat Management (UTM) as the top three network-related controls for data. It follows that if network functions are distributed as suggested above, the security functions need to move with them.

The architecture can vary based on factors such as space and power availability, as well as the use case. A large branch office might do well to have nearby hyper-converged infrastructure (HCI) (Fig. B below left) for additional processing power to go with a layer of security functions.

Figure B: Examples of application and security functions at distributed network nodes.

Examples of functions include (but are not limited to):

  • VPN/secure access/user and application access policy control
  • Content filtering
  • DDoS mitigation
  • Bot detection
  • IDS/IPS

Different traffic and performance requirements might see enterprises using a mix of cloud-based services and dedicated appliances, or a fully virtual appliance approach (Fig. B above right).

The gain and the pain

Ultimately, applying a distributed network architecture increases security by enhancing the ability to follow industry best practices, while taking into account the new challenges of mobile users and distributed applications. One example is the practice of segmenting network traffic: being able to separate out different classes of traffic addresses the data-protection needs imposed by regulations and laws such as PCI, HIPAA and GDPR, which require separation of sensitive data.

Given that network policy enforcement becomes more challenging with a growing number of endpoints, most notably mobile devices on sometimes unsecured wireless networks, enforcing policy at the network edge applies it closer to the user’s first point of entry. This approach makes it more efficient to prioritize risk profiles and map those profiles to network policies. One example in practice might be offloading low-risk traffic to public internet connections before it aggregates into a big load at a central location, a location that uses high-cost MPLS links for performance and security reasons. Why saturate those links with low-priority traffic? Why let that traffic mingle with more sensitive data?
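The segmentation and path-selection policy described in the two paragraphs above can be made concrete with a small policy model. The following is an added example written for this article, not Apcela’s code or any product’s configuration; the sensitivity classes, transport names, sample flows and destination labels are all constructed for illustration. It assigns each traffic class to a preferred transport (cheap public internet breakout, MPLS to the regional hub, or a direct cloud interconnect), refuses to let regulated or unencrypted traffic fall back to the public internet when the preferred link is down, and audits a finished assignment for violations of those invariants:

```python
"""Traffic-segmentation policy model for a distributed (SD-WAN) edge.

Added illustration, not Apcela's code. Every class name, transport label
and sample flow below is constructed for this example.
"""
from __future__ import annotations

from dataclasses import dataclass
from enum import Enum


class Sensitivity(Enum):
    PUBLIC = 0      # e.g. OS updates, marketing sites, SaaS holding no regulated data
    INTERNAL = 1    # ordinary corporate applications
    REGULATED = 2   # PCI cardholder data, HIPAA PHI, GDPR personal data


class Path(Enum):
    INTERNET = "public-internet"          # local broadband/LTE breakout at the branch
    MPLS = "mpls-to-hub"                  # private transport into the regional hub
    INTERCONNECT = "direct-interconnect"  # private cross-connect to the cloud provider


@dataclass(frozen=True)
class Flow:
    app: str
    dst: str            # destination label (constructed)
    sensitivity: Sensitivity
    encrypted: bool     # TLS/IPsec on the wire


# Policy table: sensitivity class -> permitted transports, most preferred first.
# Low-risk traffic breaks out locally; regulated data stays on private transport.
POLICY = {
    Sensitivity.PUBLIC:    [Path.INTERNET, Path.MPLS],
    Sensitivity.INTERNAL:  [Path.MPLS, Path.INTERCONNECT],
    Sensitivity.REGULATED: [Path.INTERCONNECT, Path.MPLS],
}


def select_path(flow: Flow, available: set[Path]) -> Path:
    """Return the most preferred permitted transport that is currently up.

    Raises RuntimeError when none is available: regulated traffic must never
    fall back to the public internet simply because MPLS or the cross-connect
    is down, and plaintext never leaves on public transport at all.
    """
    for path in POLICY[flow.sensitivity]:
        if path not in available:
            continue
        if path is Path.INTERNET and not flow.encrypted:
            continue
        return path
    raise RuntimeError(f"no permitted path for {flow.app} ({flow.sensitivity.name})")


def has_permitted_path(flow: Flow, available: set[Path]) -> bool:
    """True if select_path would succeed for this flow on these links."""
    try:
        select_path(flow, available)
        return True
    except RuntimeError:
        return False


def plan(flows: list[Flow], available: set[Path]) -> dict[Flow, Path]:
    """Assign every flow a transport under the current link availability."""
    return {flow: select_path(flow, available) for flow in flows}


def audit(assignments: dict[Flow, Path]) -> list[str]:
    """Segmentation invariants to check against a live assignment:
    no regulated data on the public internet, nothing unencrypted on it."""
    findings = []
    for flow, path in assignments.items():
        if path is Path.INTERNET and flow.sensitivity is Sensitivity.REGULATED:
            findings.append(f"{flow.app}: REGULATED traffic routed over the public internet")
        if path is Path.INTERNET and not flow.encrypted:
            findings.append(f"{flow.app}: unencrypted traffic routed over the public internet")
    return findings


# Constructed sample flows seen at one branch office.
SAMPLE_FLOWS = [
    Flow("os-updates", "updates.example", Sensitivity.PUBLIC, encrypted=True),
    Flow("legacy-mgmt", "switch-01.branch.example", Sensitivity.PUBLIC, encrypted=False),
    Flow("erp", "erp.corp.example", Sensitivity.INTERNAL, encrypted=True),
    Flow("card-processing", "pci.cloud.example", Sensitivity.REGULATED, encrypted=True),
]


if __name__ == "__main__":
    for flow, path in plan(SAMPLE_FLOWS, set(Path)).items():
        print(f"{flow.app:16} {flow.sensitivity.name:10} -> {path.value}")
    print("audit findings:", audit({SAMPLE_FLOWS[3]: Path.INTERNET}))
```

With all three links up, the OS-update traffic breaks out to the internet locally, the unencrypted management session is held on MPLS even though it is low-risk, ERP rides MPLS, and card processing takes the cross-connect. When the cross-connect fails, card processing moves to MPLS; when only the internet link remains, the policy refuses the flow rather than leaking it, which is exactly the failure mode a branch link outage would otherwise produce.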

There are some challenges with this model: only the largest enterprises will have the financial resources to invest in a global datacenter presence and staff it properly. And even for those who have the resources, will they be able to adequately cover all of the markets they serve or in which they have partners? The good news for the CEO and CSO is that a growing number of companies are doing the legwork for them by integrating and deploying the network and technology stack and offering it as a service.

Today’s security challenges, along with the changing nature of enterprise application development and consumption, are difficult to handle in a traditional enterprise datacenter architecture. Instead, forward-looking companies should look at how a distributed network architecture built with security services in the technology stack can help increase the effectiveness of existing security practices and technology.

By Mark Casey


Mark Casey, Apcela’s President and CEO, is a progressive leader intensely focused on leveraging emerging technologies and his deep knowledge of the global telecom and IT markets to deliver top results for clients, associates and stakeholders.

Mark’s experience and reputation is built on a successful track record of over 25 years in the communications industry delivering results for industry heavyweights including AT&T and Verizon. Mark joined railroad operator CSX in 2001 to lead CSX Fiber Networks supporting large carriers with complex network optimization. In 2005, Mark led the acquisition of FiberSource®, the core intellectual property among other assets of CSXFN, to form the nucleus of CFN Services.

Mark holds a BBA from the University of Massachusetts at Amherst and an MBA from American University.
