Cloud Upends Traditional Security Borders

Cloud computing, along with the mobile workforce it has created, is changing the way security works within the enterprise. Here's what IT should know about the challenges.

Andrew Froehlich

March 21, 2017

4 Min Read
Light Reading logo in a gray background | Light Reading

At one time, IT security was all about defining network perimeters. Once IT and security administrators knew what those were, their job was to then reinforce those perimeters with various security tools.

Traffic passing between secure and insecure boundaries were filtered through firewalls, intrusion prevention systems and secure web gateways to help prevent against malicious activity and data loss.

This classic model of enterprise security -- based on security borders -- worked largely because employees physically resided on the corporate LAN.

Now, thanks to a growing mobile workforce and cloud computing, those traditional boundaries are eroding.

At the same time, many enterprise organizations are now to the point where the same security tools they implemented at the corporate network edge are far more useful being deployed in the cloud.

A changing workforce
The days of having to "go into the office" to get work done are long over.

We now live in a world where a company's workforce is more mobile than ever. To secure remote employees that access sensitive corporate resources from the Internet, there are two prevailing schools of thought.

The first is to require that users remotely connect to the corporate network using some form of secure VPN.

The idea is to force company data through the traditional gauntlet of security tools that reside at the network edge. While this architecture has worked in the past, it doesn't scale well. The inefficiencies of having your mobile workforce tunnel traffic back to a centralized location creates latency inefficiencies and can significantly increase the amount of Internet bandwidth required at the corporate office.

A second problem with this security approach is that many corporate resources no longer reside within a secure corporate boundary such as a private data center. (See Security Concerns Muddy Cloud Progress.)

Figure 1: (Source: Tpsdave via Pixabay) (Source: Tpsdave via Pixabay)

Instead, applications, data and services are moving to the cloud at a record pace. And again, one could potentially engineer cloud access so that communication hairpins through the corporate network -- but this architecture is not an efficient model in 2017. (See IaaS, PaaS Drive Cloud Market.)

How cloud changes security
A more modern IT security architecture that caters to a growing mobile workforce, as well as the increasing use of the public cloud, essentially tears down classical network security boundaries.

If the goal is to provide uniform security policies for all users that access any company resources no matter where they are, security at the corporate edge is no longer an optimal deployment location.

Instead, security policies, such as access control, single sign-on, content filters, as well as data loss prevention though the use of cloud security services, can handle any user and any resource no matter where they reside. As an added bonus, users will no longer be forced to inefficiently tunnel traffic through a protected corporate border.

In this case, cloud-based security virtualizes network boundaries so they're wherever they need to be. And from a security administrator point of view, maintenance and upkeep of a cloud-based security architecture is just as easy compared to traditional boundary-based implementations.

New security methods
As an example, let's look at the rapid shift in the deployment of secure web gateways in the cloud -- as opposed to the corporate edge -- where they are traditionally deployed.

Using the classical edge deployment model, you only protect internal users from web-based threats.

So, when these same users work from home or on the road, they become exposed to malicious websites. While some security vendors provide client-based web security software to enforce policy outside of the secure network, it adds unnecessary complexity and the potential for gaps where policy could differ from one web security solution to the other.

Instead, a better approach would be to use a network-based secure web gateway that is implemented strategically in the cloud to service all employees no matter where they connect from.

All corporate devices would be configured to proxy web traffic through a unified public cloud solution that provides all the same security policy that an on-premises product offers. The primary benefit then becomes the fact that all users receive uniform policy and network access no matter if they are on the corporate network or off.

Completely abandoning the IT security model dominated by well-defined secure and insecure boundaries may not be for everyone just yet.

That decision largely depends on the current mobile habits of your workforce -- as well as the amount of cloud computing your organization relies on. But the way things stand now, your organization is likely moving in the direction where network boundaries are eroding. And if that's the case, network and security professionals should begin investigating the benefits of cloud-deployed security services.

— Andrew Froehlich is the president and lead network architect of West Gate Networks. Follow him on Twitter @afroehlich.

About the Author

Andrew Froehlich

As a highly experienced network architect and trusted IT consultant with worldwide contacts, particularly in the United States and Southeast Asia, Andrew Froehlich has nearly two decades of experience and possesses multiple industry certifications in the field of enterprise networking. Froehlich has participated in the design and maintenance of networks for State Farm Insurance, United Airlines, Chicago-area schools and the University of Chicago Medical Center. He is the founder and president of Loveland, Colo.-based West Gate Networks, which specializes in enterprise network architectures and data center build outs. The author of two Cisco certification study guides published by Sybex, he is a regular contributor to multiple enterprise IT related websites and trade journals with insights into rapidly changing developments in the IT industry.

Subscribe and receive the latest news from the industry.
Join 62,000+ members. Yes it's completely free.

You May Also Like