Hybrid Networks Require an Integrated On-prem and Cloud Security Strategy

Today’s dynamic networks change so fast that traditional point security solutions fail to keep up

A constantly evolving network is the new reality that today’s IT teams must learn to live with. Rather than everyone transitioning to the cloud (leading to the ridiculous claim that “the network is dead”), what we are actually seeing is the near-universal adoption of a hybrid network strategy. Digital acceleration, user demand, and shifting business strategies add new edges to the network, making it increasingly difficult to manage and even harder to secure.

One of the primary issues organizations face is ensuring consistent policy enforcement and maintaining broad visibility across a network where users, devices, edge platforms, applications, and disparate compute and networking platforms – many of them temporary – are constantly churning. On average, organizations have deployed 45 cybersecurity tools in their networks, according to a 2020 report from IBM. Most of these are isolated point solutions that impede the ability of IT teams to centralize management and configurations, orchestrate policy, or even see and control their security infrastructure. And those organizations that build an overlay system to get their sprawling security under control end up spending a third of their time simply troubleshooting those workarounds, according to a separate report (PDF).

Part of the challenge is that most security tools cannot be deployed everywhere in a hybrid network. Some only operate in a specific location, like a data center. Others only run natively on one or two cloud platforms. Cloud solutions have failed to provide network segmentation at the network edges, opening doors for cyberattacks. Most have also failed to develop modern networking technologies such as SD-WAN, 5G, and WiFi 6, relying instead on multiple vendors, which adds complexity and cost. Home networks and remote users rely on a completely different set of security solutions. And essential networking technologies, like SD-WAN, are almost impossible to integrate with security.

To start, organizations need to consolidate as many of their security solutions into a single platform. Of course, this platform must provide more than just superficial interoperability to be effective. Solutions need to be deeply integrated to enable the collection and correlation of threat intelligence and centralize management and orchestration. Consolidation is also essential for applying automation and implementing machine learning and AI to allow real-time detection and response. And the most effective way to ensure such deep interoperability is to build everything on a common operating system.

The next challenge is that most platforms only support a limited set of environments or can only be deployed in specific areas of the network. But today’s expansive hybrid networks require a platform that can be deployed in any environment: on-prem versions for the campus, data center, and branch, and software versions for multi-cloud environments and home and mobile workers. And all features and functions must be available and perform consistently across all form factors, whether appliances, virtual machines, containers, or SaaS.

Modern on-prem security solutions

Performance is consistently identified as a top requirement for today’s networks. Networks are all about connections – and the faster, the better. Organizations also require high network performance to optimize applications, enhance user experience, and support digital agility. But a focus on connectivity means that network devices never have to ask things like, “What is this content, and what does it do?” “Which application is this?” “Who is this user?” “What device is being used?” and, “Where is all of this located?” All of that context is provided by network security.

This means that security tools need more computing power than network devices. A lot more. To do its job effectively without impacting user experience, a network security appliance must operate much faster than a networking device. But unfortunately, most security devices and platforms can’t. The off-the-shelf processors used to build them were never designed to support the specialized functions they must perform. It’s why most network firewall vendors won’t even publish their performance numbers for inspecting encrypted traffic.

Of course, increasing performance requirements are everywhere. It’s why vendors in nearly every market – cloud providers, video monitors, laptops, and smartphones, to name a few – have all invested in developing custom processors, or ASICs, to accelerate specific functions that a generic CPU struggles to deliver. Without a GPU, for example, streaming video wouldn’t be possible. Security is no different. Platforms built using custom security CPUs provide an average of 15X more performance for the same price as comparable systems.

The other major challenge is that today’s dynamic networks change so fast that traditional point security solutions fail to keep up. This creates security gaps that expose networks to enterprising cybercriminals. So, in addition to performance, security platforms need to up their game by converging security with the network. A converged platform ensures that security is automatically included whenever the network needs to suddenly adapt to shifting demands. And building networking functions into a security platform is very different from getting tools built separately to work together. An SD-WAN solution built inside a network firewall, for example, will operate far more securely than one that tries to add security as an overlay.

Modern multi-cloud security solutions

A cloud-based security platform faces many of the same challenges as an on-prem solution. However, it can rely on dynamic scalability to meet performance needs. But even then, a multi-cloud security platform that has been optimized using the same engineering techniques used to create a physical ASIC will still run several times faster than comparable solutions.

A multi-cloud security platform must also run consistently in different environments, with consistent policies to reduce friction and operational overhead. Misconfigurations remain the number one source of security risk in the cloud, so it is not enough for security to simply run on a cloud platform. To take advantage of each cloud’s unique capabilities, security must run natively. But while few security platforms run natively on every major cloud platform, reports show that 92% of organizations have a multi-cloud strategy, with an average of 2.6 public and 2.7 private clouds. This means that many of these organizations are either running different security solutions in each cloud or are running non-native security solutions with limited functionality, because they cannot take full advantage of the capabilities of the platform where they have been deployed.

But even if you find a solution that can run natively in multiple cloud environments, communications between clouds are often inadequate. As a result, it can be difficult for iterations of a security platform running in different cloud environments to share policy. Then, when applications or workflows need to span multiple clouds, it can be impossible to provide consistent protection and policy enforcement. Therefore, a security platform must also translate policies and functions between clouds. It’s even better for solutions deployed across cloud and on-premises to share the same policies!

Multi-cloud security solutions also play a critical role in protecting end-users. Cloud-based Security-as-a-Service extends protections and secure access control to mobile and home users. But this is another example of where implementing yet another security solution may not just further complicate management and reduce visibility but also diminish the overall effectiveness of a security strategy. Instead, cloud-based security services must be built on the same security platform. This ensures that security policy and enforcement follow every transaction end-to-end.

Integrating physical and virtual solutions

Another advantage of consistently deploying a single security platform that operates on a single OS across the network is it can also secure interactions between physical and virtual networks. While today’s complex, hybrid networks enable the digital acceleration that today’s organizations require to meet user demand and compete effectively in the evolving digital marketplace, they are a severe challenge for anyone trying to build and manage an effective security strategy. Starting with an integrated and universally deployable security platform – one built for speed and convergence that is consistent whether cloud, on-prem, container or SASE-based – is essential for building a security architecture that meets the demands of today and can scale and adapt to meet the needs of tomorrow’s network as well.


John Maddison is EVP of Products and CMO at Fortinet. He has more than 20 years of experience in the telecommunications, IT Infrastructure, and security industries. Previously he held positions as general manager data center division and senior vice president core technology at Trend Micro. Before that John was senior director of product management at Lucent Technologies. He has lived and worked in Europe, Asia, and the United States. John graduated with a bachelor of telecommunications engineering degree from Plymouth University, United Kingdom.
