
Cloud Upends Traditional Security Borders

At one time, IT security was all about defining network perimeters. Once IT and security administrators knew what those were, their job was to then reinforce those perimeters with various security tools.

Traffic passing between secure and insecure boundaries was filtered through firewalls, intrusion prevention systems and secure web gateways to help protect against malicious activity and data loss.

This classic model of enterprise security -- based on security borders -- worked largely because employees physically resided on the corporate LAN.

Now, thanks to a growing mobile workforce and cloud computing, those traditional boundaries are eroding.

At the same time, many enterprise organizations have reached the point where the same security tools they implemented at the corporate network edge are far more useful when deployed in the cloud.

A changing workforce
The days of having to "go into the office" to get work done are long over.

We now live in a world where a company's workforce is more mobile than ever. To secure remote employees who access sensitive corporate resources from the Internet, there are two prevailing schools of thought.

The first is to require that users remotely connect to the corporate network using some form of secure VPN.

The idea is to force company data through the traditional gauntlet of security tools that reside at the network edge. While this architecture has worked in the past, it doesn't scale well. Having your mobile workforce tunnel traffic back to a centralized location adds latency and can significantly increase the amount of Internet bandwidth required at the corporate office.

A second problem with this security approach is that many corporate resources no longer reside within a secure corporate boundary such as a private data center. (See Security Concerns Muddy Cloud Progress.)

Instead, applications, data and services are moving to the cloud at a record pace. And again, one could potentially engineer cloud access so that communication hairpins through the corporate network -- but this architecture is not an efficient model in 2017. (See IaaS, PaaS Drive Cloud Market.)

How cloud changes security
A more modern IT security architecture that caters to a growing mobile workforce, as well as the increasing use of the public cloud, essentially tears down classical network security boundaries.

If the goal is to provide uniform security policies for all users that access any company resources no matter where they are, security at the corporate edge is no longer an optimal deployment location.

Instead, security policies such as access control, single sign-on, content filtering and data loss prevention can be delivered through cloud security services that handle any user and any resource no matter where they reside. As an added bonus, users will no longer be forced to inefficiently tunnel traffic through a protected corporate border.

In this case, cloud-based security virtualizes network boundaries so they're wherever they need to be. And from a security administrator's point of view, maintenance and upkeep of a cloud-based security architecture is just as easy as with traditional boundary-based implementations.

New security methods
As an example, let's look at the rapid shift toward deploying secure web gateways in the cloud, as opposed to the corporate edge, where they are traditionally deployed.

Using the classical edge deployment model, you only protect internal users from web-based threats.

So, when these same users work from home or on the road, they become exposed to malicious websites. While some security vendors provide client-based web security software to enforce policy outside of the secure network, it adds unnecessary complexity and the potential for gaps where policy could differ from one web security solution to the other.

Instead, a better approach would be to use a network-based secure web gateway that is implemented strategically in the cloud to service all employees no matter where they connect from.

All corporate devices would be configured to proxy web traffic through a unified public cloud solution that provides all the same security policy that an on-premises product offers. The primary benefit is that all users receive uniform policy and network access whether they are on or off the corporate network.

Completely abandoning the IT security model dominated by well-defined secure and insecure boundaries may not be for everyone just yet.

That decision largely depends on the current mobile habits of your workforce -- as well as the amount of cloud computing your organization relies on. But the way things stand now, your organization is likely moving in the direction where network boundaries are eroding. And if that's the case, network and security professionals should begin investigating the benefits of cloud-deployed security services.

— Andrew Froehlich is the president and lead network architect of West Gate Networks. Follow him on Twitter @afroehlich.

COMMENTS
[email protected] 3/24/2017 | 1:49:40 PM
Re: Everywhere Making security improvements for remote employees is critical because it ensures that remote employees do not inadvertently compromise their employer's infrastructure. For those whose careers are conducive to remote positions, it will help employers assure that they can provide every employee the same access to challenging and mission-critical opportunities. These jobs should not be limited to only in-house employees or companies will limit the talent they have access to for each position. We have so many tools that enable collaboration with the ease that onsite collaboration is not a necessity.
kq4ym 3/24/2017 | 11:11:13 AM
Re: Everywhere As noted in the story, mobile use certainly is becoming the most common way things are going to be getting done in the future. And accordingly it does seem that using the cloud access is the way to move. Noting "loss prevention though the use of cloud security services, can handle any user and any resource no matter where they reside," and that's going to be the way folks are going to be accessing company resources in the future.
Ariella 3/22/2017 | 9:22:09 AM
Re: Everywhere @DanielCawrey well, there are pluses and minuses to each setup. People do like the freedom of working from anywhere, but employers seem to think workers are only truly committed if they see them showing up to a workplace at a designated time. Also having the workers together in the same space can contribute to collaboration in the way real person interaction enables. Now I'm an introvert myself and pretty content working remotely, but even so I get the sense that the people who are seen on premises are viewed as more integral and so more valuable.
JohnMason 3/21/2017 | 9:36:58 PM
Secure Web If all corporate devices go through secure web proxies, then I am guessing there would be less need for the expense of Internet Security software on each corporate device.
danielcawrey 3/21/2017 | 3:26:34 PM
Everywhere I'm writing this from a coffeeshop. Later today, I'll take a bus and work on there. 

The mode of work is changing. Sometimes, the always-on mentality can be a grind. But you've just got to take breaks. I think I like this way better than sitting in an office. 