Legacy cybersecurity designs take advantage of campus and data center network architectures that have fewer well-known traffic entry and exit points through which traffic must flow. These entry and exit points are ideal locations to inspect traffic using firewalls, IDS/IPS appliances, and other traffic filtering technologies. As a result, cybersecurity design for decades has been based on this architecture.
The cloud network architecture has changed this paradigm. Access and access to the public internet are no longer forced through well-known entry points, but become natural checkpoints. While many security teams want to enforce policies that force all cloud traffic flows through well-known checkpoints, it’s simply a data center architectural mindset, at odds with the agile goals that have driven businesses to cloud migration strategies. Fortunately, there is a solution: embed network security in and distribute it across the entire cloud network, not just at well-known checkpoints.
Embed security in the cloud network: what?
The data center era of cybersecurity design emerged because cybersecurity was not embedded in network equipment. Network devices, such as hubs, switches, and routers do not have the extra processing power needed to provide high-performance switching and routing, and also perform packet inspection and filtering. Thus, the market for devices specifically designed for network security, such as firewalls, has emerged and is firmly embedded in the network at designated checkpoints.
In the cloud, the network is not built on hardware with finite processing power, but all software, operating on the nearly limitless computing power offered by the cloud service providers ( CSP) provided. So now, network software platforms that provide packet switching and routing can easily perform high-performance encryption, packet inspection, threat detection, firewalling, and machine learning anomaly detection. at the same time on the network itself. However, not all cloud networks are the same or capable of embedding.
Secure cloud network
There is an emerging secure cloud network market. Gartner Market Guide calls it Multi-Cloud Networking Software. Security architects and their network partners should explore top solutions because that’s where vendors will embed security in the cloud network. However, understand that many vendors refer to their solutions as “multi-cloud networks” when their solutions simply “connect to” multiple clouds, stopping at the edge of the cloud and shifting network traffic. to native cloud structures that do not provide embedded network security.
Security depth
A secure cloud network embeds network security into the network and complements existing investments, such as firewalls and other single test appliances. Think of a secure cloud network as the network data plane inside and on corporate public clouds. It watches all traffic flows on the network, regardless of how that stream is introduced into the network. Businesses that have deployed secure cloud networks often find cryptomining, TOR servers, connecting to bad actors, using their cloud workloads as a source of attack DDoS, none of which is detected by existing security infrastructure. It’s different in the cloud, and security teams have to architect accordingly.
How will this develop?
For the past two or three decades, network and cybersecurity professionals have been configuration professionals tasked with providing network connectivity or applying complex security policies. These professionals have the valuable knowledge and experience needed to build fragile infrastructure and repair it when it inevitably breaks. We are rapidly approaching a time when networking and cybersecurity will become more computer science than configuration. Infrastructure as Code (IaC) will drive complex, multi-dimensional optimization of a dynamic, fully programmable multi-cloud network and cybersecurity infrastructure in the cloud.
DevOps and application teams have been on this path for decades, long before the cloud arrived. Revision control systems, workflow automation, Git repositories, and CI/CD pipelines, all streamlined application delivery workflows, but these powerful capabilities take out ditch the network infrastructure and network security groups. Today, secure cloud has become a fully software, fully programmable infrastructure that applications can programmatically optimize to create a dynamic combination of security , cost and performance.
Where to start?
Please don’t think of a secure cloud network as the same as a data center network and security. Today, it’s all software, downloadable from public cloud marketplaces, and paid for on a consumer basis through a cloud marketplace account. Therefore, find it, download it, activate it and play with it. Talk to people in your organization’s network and compare it to native cloud structures. Consider a multi-cloud strategy. Is the company prepared? What if the company’s business acquires a company and that company needs to support a multi-cloud environment next week? It happens all the time, so be prepared for these changes in cybersecurity.
Rod Stuhlmuller, vice president, customer relations, Aviatrix
