SecurityBrief Australia - Technology news for CISOs & cybersecurity decision-makers
Where should security lie in the network? Cloud or private data centre?
Wed, 20th Sep 2017

How do you protect your family in dangerous times?

In the pioneering days – in a lonely ranch with no neighbours in sight – the answer was obvious: you ring-fence the estate, keep watch on who is coming and going, securely lock all buildings and keep tabs on family members.

A hundred years on, and all had changed. Most things now happen in the social “cloud”. Home schooling gives way to public school. Instead of chickens, a kitchen garden and the family goat, food mostly comes from local shops. The parents go out to work, and family protection is no longer so clear-cut. You still lock the door at night and keep valuables in a safe, but you rely more on the social cloud's own services – police and ambulance. Then there are questions about family safety as you all travel between home and public spaces…

In the business networking sector, a similar change is happening, but a whole lot faster. Even ten years ago data protection was mostly about firewalls and in-house anti-virus – and intruder detection systems were hot news. Now we have two growing challenges to cope with:

1. The perimeter is getting bigger and fuzzier. No longer bound by the ranch fence, the family are scattered across the neighbourhood and beyond. Similarly, the office network is stretching to include wireless zones, home and mobile workers, BYOD (Bring Your Own Device) connectivity and the Internet.

2. Much more is happening in the cloud. This is still a matter of choice, but economics and the demand for efficiency and agility are driving a lot of routine work and applications into the cloud space.

So, where should security now be placed? 

The pioneering instinct to keep everything locked away in a well-guarded private data center is understandable, but no longer makes good business sense. Few organisations have the skills and resources to protect their data as securely as the best cloud services, where economies of scale allow more to be invested in state-of-the-art security than most organisations could ever afford.

Cloud-based security solutions often share a platform with a content delivery network designed to accelerate access to web applications, so they can actually improve performance while protecting applications. As specialists, cloud security providers are not only more experienced but also more up-to-date with latest on-going malware trends. They are also qualified experts on legal compliance and government regulations. Finally, there is the attraction of paying a smaller recurring fee instead of a massive upfront capital outlay for enhanced security.

So, do we put all security in the cloud? No, there are still applications and content best kept close to hand for reasons that could include legal responsibility, reliability, reduced latency or sheer protective instincts. So the first question when making decisions should be: “is there any reason NOT to put this data or application in the cloud?” If the answer is “yes”, you maintain a smaller, tightly managed private data center to host those exceptions.

Then there is that tricky question of how best to protect data and applications in transit between the office and the cloud. The gap between initial forecasts and actual data suggests that even the cloud's early champions have been surprised by the uptake of cloud services, so that many large organisations are already advocating a “cloud first” policy on the strength of the savings, scalability and reliability of cloud applications at headquarters.

But when it comes to rolling out those services to the more remote branch offices, it can lead to a backlash. Unless the remote office justifies the cost of a dedicated private line, it may well have to rely on one or more public Internet links such as best-effort ADSL, wireless or LTE connectivity, and the resulting loss of reliability, slower speeds and latency problems can make cloud performance a lot worse than when applications were hosted in-house. The workers are not happy: not because of the actual cloud service, but because of what happens between the cloud and the office – and this is also a security issue.

A recent development that addresses the problem has been the long-awaited extension of software-defined networking (SDN) to the wide area network (WAN). SDN has already revolutionised local area networks and data center connectivity, but extending it to the wide area was a far bigger problem. Building predictable service quality over less predictable “best effort” links was one challenge. Another was to reduce delays between nodes often separated by hundreds of kilometres. Above all, there was the challenge of far less standardisation across a geographically dispersed WAN. Since last October, however, there has been a spate of SD-WAN offerings from carriers including Sprint, AT&T, Telstra, MetTel, Windstream, TelePacific and others across the globe.

What are they offering? The SD-WAN can seamlessly integrate any number of private or “best effort” Internet connections to deliver better bandwidth and reliability, while managing appropriate security. Even if the WAN extends across thousands of kilometres, the SD-WAN will make local forwarding decisions based on observed local conditions, such as link quality and throughput. The central controller implements software forwarding based not only on centralised business policy objectives and security policy requirements but also on real-time network quality. So the routing, priority and security for any application data flow are independent of the underlying link structure or types of connectivity used.

Automated cloud-based management allows business policy decisions to be changed in-house for maximum performance, lowest cost and optimal security that is tailored to specific types of data, user or circumstance. The result is a practical, cost-effective way to extend the full benefits of cloud computing to the very edges of an organisation. All traffic between the office and the carrier's edge is encrypted by the system but, if the users are still not convinced that it is safe to entrust critical data on a public link, they can always add a private MPLS line so that the SD-WAN can route mission-critical or real-time services via MPLS, while offloading other traffic to alternative routes.
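The two preceding paragraphs describe the SD-WAN decision in the abstract: a central policy says what each class of traffic may use, and the branch edge picks a concrete link from the ones currently meeting that policy, moving flows when a link degrades and keeping mission-critical traffic on MPLS. The following Python is an added illustration, not code from the article or from any of the carriers named; the link names, latency and loss figures, cost weights and application policies are all constructed sample values.

```python
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional


@dataclass
class Link:
    name: str
    kind: str          # "mpls" (private line) or "internet" (best-effort public link)
    latency_ms: float  # observed one-way latency from local probes
    loss_pct: float    # observed packet loss from local probes
    cost: int          # relative cost per unit of traffic (assumed weighting)


@dataclass
class FlowPolicy:
    app: str
    traffic_class: str     # "critical", "realtime" or "bulk"
    max_latency_ms: float  # central policy: worst latency this app tolerates
    max_loss_pct: float    # central policy: worst loss this app tolerates
    require_private: bool  # central security policy: must stay off the public Internet


def link_meets_policy(link: Link, policy: FlowPolicy) -> bool:
    """Centrally defined constraints: a link is eligible only if it satisfies all of them."""
    if policy.require_private and link.kind != "mpls":
        return False
    return link.latency_ms <= policy.max_latency_ms and link.loss_pct <= policy.max_loss_pct


def select_path(policy: FlowPolicy, links: list[Link]) -> Optional[dict]:
    """Local forwarding decision: rank the eligible links by what this class cares about."""
    eligible = [link for link in links if link_meets_policy(link, policy)]
    if not eligible:
        # No compliant path exists. Returning None lets the caller hold the flow and
        # raise an alert instead of silently pushing it over a non-compliant link.
        return None
    if policy.traffic_class == "bulk":
        best = min(eligible, key=lambda l: (l.cost, l.latency_ms))          # cheapest first
    else:
        best = min(eligible, key=lambda l: (l.latency_ms, l.loss_pct, l.cost))  # fastest first
    return {
        "app": policy.app,
        "link": best.name,
        "encrypted": True,                 # edge-to-carrier traffic is always encrypted
        "private": best.kind == "mpls",    # MPLS additionally avoids the public Internet
    }


# Constructed sample links for one branch office, as seen by its local probes.
LINKS_GOOD = [
    Link("mpls-1", "mpls", latency_ms=45.0, loss_pct=0.0, cost=10),
    Link("adsl-1", "internet", latency_ms=40.0, loss_pct=0.2, cost=2),
    Link("lte-1", "internet", latency_ms=60.0, loss_pct=1.0, cost=4),
]

# The same links after the ADSL circuit degrades (constructed values).
LINKS_DEGRADED = [
    Link("mpls-1", "mpls", latency_ms=45.0, loss_pct=0.0, cost=10),
    Link("adsl-1", "internet", latency_ms=180.0, loss_pct=4.0, cost=2),
    Link("lte-1", "internet", latency_ms=60.0, loss_pct=1.0, cost=4),
]

# Constructed central policies for three applications.
POLICIES = [
    FlowPolicy("erp", "critical", max_latency_ms=100.0, max_loss_pct=0.5, require_private=True),
    FlowPolicy("voip", "realtime", max_latency_ms=80.0, max_loss_pct=1.0, require_private=False),
    FlowPolicy("backup", "bulk", max_latency_ms=500.0, max_loss_pct=5.0, require_private=False),
]


def plan(links: list[Link]) -> dict:
    """Apply every policy to the current link measurements and return app -> decision."""
    return {policy.app: select_path(policy, links) for policy in POLICIES}


if __name__ == "__main__":
    for label, links in (("good", LINKS_GOOD), ("degraded", LINKS_DEGRADED)):
        print(label)
        for app, decision in plan(links).items():
            print(f"  {app:7s} -> {decision['link'] if decision else 'NO COMPLIANT PATH'}")
```

Running it shows the behaviour the article describes: the ERP flow is pinned to the MPLS line by policy whatever the public links are doing, voice rides the cheaper ADSL link while it is healthy and moves to MPLS once ADSL latency and loss breach its policy, and bulk backup traffic stays on the cheapest link that still meets its looser limits. The None return path is the case worth monitoring in practice: a flow whose policy cannot be met by any current link should surface as an alert rather than be quietly downgraded.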

So, to return to the headline question: where should security lie on the network? The answer now is that cloud security is extremely good, and can be entrusted with the bulk of everyday applications and data. The simple question “why should we not put this on the cloud?” will identify a smaller number of critical exceptions where security is best entrusted to the private data center. And between the two extremes there is no longer a dangerous gap, but the growing opportunity to install an SD-WAN to bring cloud security to the very edge of the organisation.

Your family is probably a lot safer now than it ever was in “them pioneering days”.