By: Sriram Subramanian Software Engineering Director, Juniper Networks IEC
Enterprise applications are migrating from private data centers to the public cloud. The Software as a Service (SaaS) model, in which business-critical applications are accessed over the Internet, has changed the flow of network traffic, and that change in turn requires a change in the way enterprise security is enforced. Cloud-based security in its various forms is a reality that CISOs must now adopt.
Change in traffic pattern
Hosting applications within the enterprise's own data center meant that network traffic flowed from all the branches to the data center. This traffic pattern is easily secured by deploying large security appliances at the data center. Even Internet-bound traffic can be backhauled over the same secure branch-to-headquarters connections, with Internet gateways deployed at the data center locations.
As enterprise applications transitioned to cloud-based services, the volume of traffic going to the Internet increased manyfold. Enterprises still have legacy and on-premises applications, but there is a clear shift in the traffic pattern. For faster access to cloud applications and a better user experience, it is now critical to secure each branch and its direct access to the Internet. One solution is to deploy security appliances at each of the branches, but this only works with centralized policy management and distributed enforcement: every branch must enforce a consistent policy without each site becoming an island that is administered separately.
Securing the data
In addition to network traffic, business-critical data such as documents, presentations and e-mail is now stored on the cloud providers' systems. While cloud providers are responsible for securing access to their services, enterprises need to add their own layer of security on top of the cloud-based applications. This matters for data loss prevention (DLP) and for monitoring access to cloud-based services, because business is no longer conducted only from IT-controlled desktops but also from personal mobile devices.
Trends in Cloud Security
With the above background in mind, let us look at some interesting trends in Cloud security.
Software Defined WAN (SD WAN)
Using technologies like network functions virtualization (NFV) and the cheap availability of Internet bandwidth, enterprises can deploy SD WAN to manage the change in traffic patterns. Most SD WAN solutions provide some form of security and visibility for cloud-based applications. These include Next Generation Firewall (NGFW) capabilities such as an application firewall, which is required to secure HTTP/HTTPS-based cloud applications; because most SaaS traffic is HTTPS, identifying the application at the branch usually relies on the TLS Server Name Indication (SNI) or HTTP Host header, or on terminating TLS at the gateway. Thanks to NFV, these virtual security functions can be scaled on demand and managed centrally.
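The combination described above and in the traffic-pattern section (policy authored once, pushed to and enforced at every branch, with the application identified from the hostname the branch can see) is illustrated below. This is an added example, not Juniper's or any SD WAN vendor's code; the application signatures, branch names, the policy itself and the "inspect" action are constructed for illustration.

```python
"""Centrally defined, locally enforced application policy for branch breakout.

Added example, not vendor code. It assumes a branch device sees only the
destination hostname of a flow (TLS SNI or HTTP Host header) and evaluates
a policy that was authored centrally and pushed to every branch.
Application signatures, branch names and the policy are constructed.
"""
import fnmatch
import hashlib
import json

# Constructed application signatures: app name -> hostname patterns.
# Every wildcard is followed by a literal dot so that a lookalike such as
# evil-office.com does not classify as office365.
APP_SIGNATURES = {
    "office365": ["*.office.com", "*.office365.com", "*.sharepoint.com"],
    "salesforce": ["*.salesforce.com", "*.force.com"],
    "consumer-storage": ["*.dropbox.com", "drive.google.com"],
}

# Constructed central policy: a default action per application plus
# per-branch exceptions. "inspect" means: allow, but log the flow and
# send it through deeper inspection.
CENTRAL_POLICY = {
    "version": 7,
    "default": {
        "office365": "allow",
        "salesforce": "allow",
        "consumer-storage": "block",
        "unknown": "inspect",
    },
    "overrides": {
        "branch-lab": {"consumer-storage": "allow"},
    },
}


def identify_app(host):
    """Map a destination hostname to an application name, or 'unknown'."""
    if not host:
        return "unknown"  # no SNI/Host header, e.g. a raw-IP connection
    host = host.lower().rstrip(".")
    for app, patterns in APP_SIGNATURES.items():
        if any(fnmatch.fnmatchcase(host, p) for p in patterns):
            return app
    return "unknown"


def compile_branch_policy(central, branch):
    """Merge the central default with one branch's overrides.

    The result is what gets pushed to the branch. The digest lets the
    branch, and an auditor, confirm exactly which rules it is enforcing.
    """
    merged = dict(central["default"])
    merged.update(central.get("overrides", {}).get(branch, {}))
    blob = json.dumps({"version": central["version"], "rules": merged}, sort_keys=True)
    digest = hashlib.sha256(blob.encode()).hexdigest()
    return {"version": central["version"], "rules": merged, "digest": digest}


def decide(branch_policy, host):
    """Local enforcement: classify the flow, then look up the action."""
    app = identify_app(host)
    return app, branch_policy["rules"].get(app, branch_policy["rules"]["unknown"])


if __name__ == "__main__":
    for branch in ("branch-hq", "branch-lab"):
        policy = compile_branch_policy(CENTRAL_POLICY, branch)
        print(f"{branch}: policy v{policy['version']} digest {policy['digest'][:12]}")
        for host in ("outlook.office365.com", "www.dropbox.com", "evil-office.com", ""):
            app, action = decide(policy, host)
            print(f"  {host or '<no SNI>':24} -> {app:16} {action}")
```

Two design points are worth noting. Hostname-based identification is only as good as the signature list, so anything unmatched falls through to "inspect" rather than to a silent allow. And the digest is computed over the compiled per-branch rules, so two branches with identical effective policy share a digest while a branch with an exception does not, which makes drift between what was authored and what is enforced easy to detect.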
Security as a Service
Important security functions such as firewalling, web filtering and intrusion detection and prevention (IDP) are, at bottom, software applications. If enterprise applications such as Microsoft Office can be served from the cloud (Office 365), it is natural for security functions to be deployed in the cloud as well. Many networking vendors offer virtual firewalls that can be deployed inside Amazon Web Services to secure inter- and intra-application traffic. These virtual firewalls can be consumed like any other software service available from the cloud provider.
Yet another approach to Security as a Service is to replace perimeter security devices with security gateways in the cloud. In this model the vendor offers its entire security function portfolio as a cloud service and acts as the web gateway for the branch: all of the branch's network traffic goes over an encrypted connection to a firewall/gateway running in the cloud. The advantages are those of any other cloud-based software service, with the additional benefit that the vendor is responsible for applying the latest anti-virus, anti-malware and other threat signatures and patches promptly. The trade-off is that the gateway provider now terminates, and may decrypt, the branch's traffic, so its availability and its handling of that traffic become part of the enterprise's own risk.
Shadow IT and Cloud Access Security Broker
The self-service model of SaaS allows departments and teams within an organization to procure and use whatever applications they desire. Known as “shadow IT”, this way of consuming applications bypasses the traditional enforcement points of enterprise IT, and in many cases the information security team is unaware that the applications are in use at all. As mentioned earlier, enterprise data must be protected from malware, ransomware and data loss wherever it lives. This calls for a new model of cloud security, the Cloud Access Security Broker (CASB). CASB software provides the much-needed visibility and fine-grained control over the services being accessed by departments and teams in an organization. In addition to sitting inline as a proxy, CASB products integrate with the cloud applications' own management and audit APIs, which gives them visibility into the enterprise data that is stored in the cloud, who accesses it, from which devices, and with whom it is shared.
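What the API-based visibility described above amounts to in practice is shown below: a small monitor that consumes the kind of audit records a SaaS platform exposes through its management API and applies three rules that a CASB or DLP policy would typically contain. This is an added example, not any CASB vendor's code; the event schema, the corporate domain, the label names and the sample events are all constructed.

```python
"""CASB-style monitoring of SaaS audit events.

Added example, not a product's code. It applies three rules to audit
events pulled from a SaaS platform's API: sensitive files shared outside
the company, sensitive files accessed from unmanaged devices, and bulk
downloads by one user. Schema, domains and sample events are constructed.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

CORP_DOMAINS = {"example.com"}                 # constructed: the enterprise's own mail domains
SENSITIVE_LABELS = {"confidential", "restricted"}
BULK_DOWNLOAD_THRESHOLD = 3                    # this many downloads by one user ...
BULK_WINDOW = timedelta(minutes=5)             # ... within this window is a finding

# Constructed sample audit events, one JSON object per line. Field names are
# illustrative and do not follow any particular vendor's schema.
SAMPLE_EVENTS = """\
{"ts": "2017-05-02T09:00:00Z", "user": "alice@example.com", "event": "file.share", "file": "Q3-forecast.xlsx", "label": "confidential", "target": "bob@example.com", "device": "managed"}
{"ts": "2017-05-02T09:01:10Z", "user": "alice@example.com", "event": "file.share", "file": "Q3-forecast.xlsx", "label": "confidential", "target": "partner@gmail.com", "device": "managed"}
{"ts": "2017-05-02T09:02:00Z", "user": "carol@example.com", "event": "file.download", "file": "customers-1.csv", "label": "restricted", "device": "unmanaged"}
{"ts": "2017-05-02T09:02:30Z", "user": "carol@example.com", "event": "file.download", "file": "customers-2.csv", "label": "restricted", "device": "unmanaged"}
{"ts": "2017-05-02T09:03:00Z", "user": "carol@example.com", "event": "file.download", "file": "customers-3.csv", "label": "restricted", "device": "unmanaged"}
{"ts": "2017-05-02T09:30:00Z", "user": "dave@example.com", "event": "file.download", "file": "lunch-menu.pdf", "label": "public", "device": "unmanaged"}
"""


def parse_events(text):
    """Parse JSON-lines audit events and convert the timestamp to datetime."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(event)
    return events


def _domain(address):
    """Domain part of a mail address, lower-cased."""
    return address.rsplit("@", 1)[-1].lower()


def detect_external_share(events):
    """Sensitive file shared with an address outside the corporate domains."""
    return [
        {"rule": "external_share", "user": e["user"], "file": e["file"], "target": e["target"]}
        for e in events
        if e["event"] == "file.share"
        and e.get("label") in SENSITIVE_LABELS
        and _domain(e.get("target", "")) not in CORP_DOMAINS
    ]


def detect_unmanaged_access(events):
    """Sensitive files touched from a device not under IT management, one finding per user."""
    per_user = defaultdict(list)
    for e in events:
        if e.get("label") in SENSITIVE_LABELS and e.get("device") == "unmanaged":
            per_user[e["user"]].append(e["file"])
    return [{"rule": "unmanaged_access", "user": u, "files": f} for u, f in per_user.items()]


def detect_bulk_download(events):
    """Sliding-window count of downloads per user; one finding per user that crosses the threshold."""
    per_user = defaultdict(list)
    for e in events:
        if e["event"] == "file.download":
            per_user[e["user"]].append(e["ts"])
    findings = []
    for user, times in per_user.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > BULK_WINDOW:
                start += 1
            if end - start + 1 >= BULK_DOWNLOAD_THRESHOLD:
                findings.append({"rule": "bulk_download", "user": user, "count": end - start + 1})
                break
    return findings


def analyze(text):
    """Run all rules over a JSON-lines audit export and return the findings."""
    events = parse_events(text)
    return detect_external_share(events) + detect_unmanaged_access(events) + detect_bulk_download(events)


if __name__ == "__main__":
    for finding in analyze(SAMPLE_EVENTS):
        print(finding)
```

On the sample data the monitor reports Alice's share of a confidential spreadsheet to a gmail.com address, Carol's access to restricted files from an unmanaged device, and Carol's three downloads inside the five-minute window; Dave's download of a public file from a personal device triggers nothing. The rules rely on the platform's sensitivity labels and device posture being present in the audit record, which is exactly the kind of context an API integration supplies and an inline proxy alone often cannot.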
In short, the move of enterprise applications to the cloud has changed the way security is enforced in modern networks. Mobility and always-on business processes require unrestricted access to SaaS applications, which means that enterprises have to adopt more dynamic, cloud-based security models to protect their networks and their business data.