By now it should be no surprise that a significant share of your personal and business data and applications are running in the giant clouds of Amazon, Google or Microsoft. Microsoft alone claims about 10 trillion objects are stored using Windows Azure, and it isn’t even the largest player — Amazon Web Services (AWS) currently wears that crown according to Synergy Research Group. As the world becomes cloudier by the day, you might assume security threats are quickly changing direction as well. This is true; however, independent of the environment, we’re finding that the threats remain very much the same even when the threat vector has changed.
So we’re good, right? We can offload a portion of our critical applications to the cloud where it makes sense, while other critical apps remain on premises, all without updating the way we deploy our network security. Well, technically you can do whatever you want, but if you’re moving applications to the cloud and enjoying all the benefits that go along with it, your network is suddenly different from what it used to be. This may be the perfect time to take a look at ways to improve network performance and security as you modernize.
Much like the way you move applications to the cloud for reasons like improved efficiency and access, modernizing security can have the same effect. And while it initially sounds like adding another chore to the list, a next-generation security solution can actually require less management and provide substantial cost savings. Isn’t the whole point of moving apps and data to the cloud to help everything run more smoothly? One way this can happen is by updating the way network traffic is routed to the cloud, and security can help.
Let’s take a look at why running cloud applications has changed the way we need to look at network security and performance.
Old network view
Take for example a manufacturing facility that not long ago ran its ERP (enterprise resource planning) system in a data center, and kept its manufacturing system operating on premises. In order to do this effectively, they typically relied on expensive MPLS lines going from the manufacturing floor to the data center. This was a fairly common network scenario, and since Internet usage didn’t affect traffic to the ERP system, there was no need to prioritize traffic. And while web browsing was unproductive for obvious reasons, watching cat videos on YouTube didn’t impact the business-critical ERP system because web traffic was kept separate.
Modern network view
If you fast-forward a few years, it’s likely that the same manufacturing facility is now running its ERP system in the cloud. They couldn’t be happier to eliminate the costly MPLS lines by going directly to the cloud from their manufacturing facility, and all they have to worry about is bringing in some more commodity Internet to support the move. Or is it? It turns out that streaming cat videos on YouTube is now taking up a large chunk of the network bandwidth, causing the ERP system to run slower than normal and even halting productivity. Does this mean that the network can’t operate as efficiently as it used to? No, it’s just different: while some applications will be moved to the cloud, others may remain on premises for years to come, and the network needs a few adjustments to adapt. So, how can next-generation security solutions help?
More than just Next-Generation Security
Much like the example above, businesses are choosing to run an increasing number of Internet applications in clouds like Amazon Web Services (AWS) or Microsoft Azure. The move to the cloud is forcing organizations to rethink the security technology they have in place, especially firewalls. This is because most next-generation firewalls used today are designed only to filter out unwanted application traffic rather than to regulate and prioritize business-critical traffic. That means any one of the many web applications could lose performance because of this firewall design. Small to midsized companies typically have neither the IT resources nor the budget to deploy enterprise-grade next-generation firewalls, WAN optimization devices and link balancers to help make the most of their hybrid cloud network. In all honesty, this type of setup might seem like overkill for their needs, but why should one have to choose between security and improved network performance?
Fortunately, the security industry is smart and constantly working to adapt to the changing threat landscape, and in this case to new network demands. Some vendors are integrating new performance enhancements into solutions like next-generation firewalls to improve network performance and link resiliency. Below are a few features we’re starting to see on a regular basis, where the technology is already readily available at the enterprise level. It is finally trickling down to the folks who need it most: smaller companies that don’t want to, or simply don’t have the budget to, deploy complex and costly setups just to be in the cloud.
- Cloud business application awareness: Cloud-based business-critical applications need to be recognized and prioritized accordingly. If an application to be prioritized is not known to the security device, the device needs to offer the ability to create a custom application definition for this use case. The technology to do so is now readily available even in products not commonly recognized as next-generation firewalls, which means streaming YouTube videos should no longer interfere with business-critical application traffic regardless of where it is hosted.
- Access to cloud-hosted applications should be encrypted: Microsoft ExpressRoute is for sure the best way to get to the Azure cloud, as it is essentially an MPLS network where security and privacy are enforced via routing. In addition to ExpressRoute, a secure VPN connection is needed to really make sure company data cannot be read by anybody else. In the cloud, this requires another VPN endpoint, typically another security device from the same manufacturer, hosted in your private portion of the public cloud.
- To make sure the VPN connection to the private portion of the public cloud is available at all times, the VPN tunnel(s) need to be distributed across multiple uplinks in case one uplink goes down. Newer next-generation security devices can split a logical VPN tunnel across multiple (sometimes up to two dozen) commodity Internet uplinks and even compress the traffic transmitted inside the VPN tunnel. The resulting logically available bandwidth to the cloud may actually be significantly larger than the physically purchased bandwidth. Because the VPN tunnel is split across multiple uplinks, it remains fully operational even if one or more of them fail, without the degradation that was common in the past when VPN tunnels failed over to a secondary uplink, which often caused intermittent loss of connectivity due to long timeouts.
- Many of today’s networks are distributed across multiple physical locations and often across public and private clouds, which creates a challenge when it comes to implementing unified security policies. Central management and deployment flexibility are key enablers for extending security policies across distributed networks and securing all network attack surfaces.
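To make the multi-uplink point in the third bullet concrete, here is an added Python model (not from the original post or any vendor's product) that spreads one logical tunnel's packets across the healthy uplinks in proportion to their capacity and compares the resulting outage with classic active/standby failover. The uplink names, capacities and the 30-second dead-peer-detection timeout are constructed values.

```python
from dataclasses import dataclass

@dataclass
class Uplink:
    name: str
    mbps: float  # purchased capacity of the commodity line (constructed value)
    up: bool = True

@dataclass
class SplitTunnel:
    """One logical VPN tunnel whose packets are spread over every healthy uplink."""
    uplinks: list[Uplink]

    def healthy(self) -> list[Uplink]:
        return [u for u in self.uplinks if u.up]

    def capacity_mbps(self) -> float:
        # Logical bandwidth is the sum of the healthy physical lines.
        return sum(u.mbps for u in self.healthy())

    def send(self, packets: int) -> dict[str, int]:
        """Spread packets over healthy uplinks in proportion to their capacity."""
        live = self.healthy()
        if not live:
            raise ConnectionError("all uplinks down: tunnel unavailable")
        total = sum(u.mbps for u in live)
        counts = {u.name: int(packets * u.mbps / total) for u in live}
        # Rounding remainder goes to the largest line so nothing is lost.
        counts[max(live, key=lambda u: u.mbps).name] += packets - sum(counts.values())
        return counts

    def fail(self, name: str) -> None:
        for u in self.uplinks:
            if u.name == name:
                u.up = False

def failover_outage_seconds(dpd_timeout_s: float) -> float:
    """Active/standby tunnel: traffic stops until dead-peer detection fires."""
    return dpd_timeout_s

def split_outage_seconds(tunnel: SplitTunnel, failed: str) -> float:
    """Split tunnel: the failed line leaves the schedule at once; zero outage."""
    tunnel.fail(failed)
    return 0.0 if tunnel.healthy() else float("inf")

if __name__ == "__main__":
    site = SplitTunnel([Uplink("dsl", 50), Uplink("cable", 100), Uplink("lte", 50)])
    print(site.capacity_mbps(), site.send(1000))  # 200 {'dsl': 250, 'cable': 500, 'lte': 250}
    print(split_outage_seconds(site, "cable"), site.capacity_mbps())  # 0.0 100
    print(failover_outage_seconds(30))  # 30, constructed dead-peer-detection timeout
```

The model ignores compression; a real device would also re-run the scheduler every time a line's health probe changes state rather than only on an explicit fail() call.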
Security threats and networks will never stop changing, and with everything happening around the cloud, security folks need to remember that it’s our job to stay ahead of the curve so organizations can enjoy all the benefits cloud innovation has to offer.