SecurityBrief Australia - Technology news for CISOs & cybersecurity decision-makers
Security challenges posed by hybrid cloud - Zscaler
Fri, 2nd Aug 2019

As organisations become more comfortable using cloud-based platforms and services, an increasing number are adopting a hybrid cloud approach.

However, while such a strategy can pay dividends, it can also cause security challenges.

A hybrid cloud is appealing for a number of reasons.

Rather than being limited to a single provider, an organisation can make use of a portfolio of services.

It might choose to host some of its internal servers in one cloud while adopting a SaaS application provided by another.

Hybrid clouds also offer flexibility and scalability that can meet the needs of various business units and stakeholders.

But organisations using hybrid clouds often run into problems with security, particularly if they try to use the same approaches in the cloud as they used when protecting their traditional, on-premises IT resources.

This includes the use of firewalls, VPN links, and other network-centric technologies.

Unfortunately, such a legacy security approach can result in poor user experience, inflated costs, and dangerous holes in protection.

Unless they change strategy, organisations could face rough times ahead.

The failings of network security

The concept of network-centric security has been widely used for decades.

Yet, while the IT environment has changed, with users increasingly mobile and apps and services now in the cloud, security has remained static.

In reality, network-perimeter security on its own cannot protect applications and data that sit on cloud platforms outside that perimeter.

Some challenges include:

  • Remote access: Technologies such as virtual private networks were designed to connect devices to networks, rather than users to applications, which made network access and application access synonymous. With this approach, security remains tethered to the data center even though applications have shifted to the cloud. Securing the data center this way requires holes to be poked in the firewalls to allow inbound VPN traffic. At the same time, these VPNs create a poor user experience, as cloud-bound traffic must be backhauled through the data center before it can leave again.
  • Complex network segmentation: Once granted network access, a user can reach every resource on that network segment, which increases risk because east-west movement is unrestricted. The usual mitigation is network segmentation, which is complicated to maintain and still controls access by subnet and port rather than by individual application.
  • Lack of visibility: A VPN only provides visibility into IP addresses and ports, which is insufficient as self-service applications, cloud services, and shadow IT increase. The IT team's job becomes more difficult because this lack of visibility prevents them from seeing which users are accessing which applications, from where, and on what devices.
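The three problems above can be seen side by side in a small model. The following Python is an added example, not code from the article or from Zscaler; the hosts, addresses, users, groups, device states and policies are constructed for illustration. It evaluates a VPN-style rule keyed only on source address, destination address and port, shows how much of a segment that rule exposes, and contrasts it with an application-centric rule keyed on user, application and device posture:

```python
"""
Added example (not from the article): a toy comparison of a network-centric
access decision (source IP, destination IP, port) with an application-centric
one (user, group, application, device posture). Every name, address and rule
below is constructed; this is not any vendor's policy format.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

# Constructed data-center segment a VPN client lands on once connected.
# Two different applications listen on 443, which matters below.
HOSTS = {
    "10.20.1.10": ("hr-portal", 443),   # the app the user actually needs
    "10.20.1.11": ("finance-db", 5432),
    "10.20.1.12": ("ci-admin", 443),    # sensitive admin UI, same port
}

# Network-centric rule: (source CIDR, destination CIDR, allowed dst ports).
# Clients on the VPN pool may reach the whole segment on 443.
NET_RULES = [
    ("10.250.0.0/16", "10.20.1.0/24", {443}),
]


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int


def net_allows(flow: Flow) -> bool:
    """Firewall/VPN-style decision. It sees addresses and a port, and knows
    nothing about the user, the application behind the port, or the device."""
    s = ipaddress.ip_address(flow.src)
    d = ipaddress.ip_address(flow.dst)
    return any(
        s in ipaddress.ip_network(src_net)
        and d in ipaddress.ip_network(dst_net)
        and flow.dport in ports
        for src_net, dst_net, ports in NET_RULES
    )


def apps_reachable_over_network(src_ip: str) -> list[str]:
    """Every application a VPN client can reach under NET_RULES: the
    east-west blast radius that a port-based segment rule cannot narrow."""
    return [
        app for host, (app, port) in HOSTS.items()
        if net_allows(Flow(src_ip, host, port))
    ]


def visibility_record(flow: Flow) -> dict:
    """What a VPN or firewall log gives the IT team: addresses and a port."""
    return {"src": flow.src, "dst": flow.dst, "dport": flow.dport}


# Application-centric policy: app -> (groups allowed, managed device required).
APP_RULES = {
    "hr-portal": ({"hr", "staff"}, False),
    "finance-db": ({"finance"}, True),
    "ci-admin": ({"platform"}, True),
}


@dataclass(frozen=True)
class Request:
    user: str
    groups: frozenset[str]
    app: str
    device_managed: bool


def app_allows(req: Request) -> bool:
    """Per-application decision keyed on identity and device posture.
    Unknown applications are denied by default rather than exposed."""
    rule = APP_RULES.get(req.app)
    if rule is None:
        return False
    allowed_groups, need_managed = rule
    if need_managed and not req.device_managed:
        return False
    return bool(req.groups & allowed_groups)


def app_record(req: Request) -> dict:
    """What the application-centric decision can log: who reached which
    application, on what kind of device, and whether it was allowed."""
    return {
        "user": req.user,
        "app": req.app,
        "managed_device": req.device_managed,
        "allowed": app_allows(req),
    }


if __name__ == "__main__":
    print(apps_reachable_over_network("10.250.3.7"))       # both 443 apps
    print(visibility_record(Flow("10.250.3.7", "10.20.1.12", 443)))
    print(app_record(Request("alice", frozenset({"staff"}), "ci-admin", False)))
```

Under the network rule, a staff member who only needs hr-portal is also able to reach ci-admin, because both sit in the permitted subnet on the permitted port, and the log line for either connection looks the same. The application-centric rule denies that second request and records the user, application and device state that the flow record lacks.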

A lack of agility

A fundamental part of achieving business agility is having the ability to support the constantly changing needs of the enterprise, and this is one of the many benefits of cloud adoption.

However, as organisations become cloud-enabled, their network-centric security ends up being an albatross, slowing their ability to scale.

Security lags behind due to two key limiting factors in a network-centric approach:

  • Restricted capabilities: While the cloud is scalable, security appliances are not. Network-centric appliances can handle a finite volume of traffic and it's only a matter of time before they reach capacity and need to be replaced. Such upgrades, often unplanned, take funds from future budgets and drain resources as the IT team has to configure all those new appliances. What's needed is a solution that is flexible enough to scale with the needs of the business.
  • Backhauling costs money: MPLS is expensive, and it is the transport on which network-centric security is built. As user traffic is backhauled through a data center over MPLS, then directed out to the cloud via the site-to-site VPN, then back, the enterprise pays twice for traffic that used to go straight to the data center. As more and more traffic becomes destined for the cloud, this cost will continue to escalate, spreading IT's already limited resources ever thinner and restricting the enterprise's ability to scale.

As hybrid cloud adoption continues to climb, more and more IT teams will find themselves facing the challenge of properly securing this complex new environment.

While VPNs have been widely used to secure data center applications, organisations must now configure additional site-to-site VPNs to connect users securely to apps in the cloud.

In addition to managing their existing environments, IT teams get the added layer of complexity that comes with managing new cloud environments.

Multiple environments mean there is no longer one security method that works across the entire IT infrastructure.

To achieve strong security in a hybrid cloud environment, IT teams will need to embrace new methods and rethink their approach to the challenge.