why a hybrid model makes sense: mingling cloud and on-premise security

Post on 21-Jun-2015

118 views

Category:

Technology


2 download

DESCRIPTION

Everywhere you turn, the advantages of cloud are being touted. Network security, with all its complexities, seems like a perfect candidate for the cloud, especially given the difficulties of provisioning applications across distributed organizations and the need to streamline administration costs without decreasing productivity. But in fact what’s emerging as the new norm in IT security is a hybrid environment of on-premises and cloud solutions.

TRANSCRIPT

Page 1: Why a Hybrid Model Makes Sense: Mingling Cloud and On-Premise Security

Secure Designs, Inc, 301 N. Elm Street, Suite 550, Greensboro, N.C. 27401. Tel: +1 336 232 5900

Head in the Cloud, Feet on the Ground

Why a hybrid model makes sense for managed security services

Reeve Samson, CIO, Secure Designs

Everywhere you turn, the advantages of cloud are being touted - to such an extent that you could be forgiven for thinking that on-premises solutions are obsolete. The cloud model is undeniably appealing given the difficulties of provisioning applications across distributed organizations and the need to streamline administration costs without decreasing productivity. But in fact what's emerging as the new norm is a hybrid environment of on-premises and cloud solutions.

One of the key characteristics of 'cloud' applications is that they are entirely hosted off-site - in other words, the organization doesn't own an appliance, server or other endpoint dedicated to a particular function. However, the vast majority of companies who have moved many of their functions to a cloud model will still maintain local, premises-based network resources in the form of critical data, extranets, and network segmentation for the foreseeable future. Moreover, adopting a cloud-based model is a relatively complex process, which means that large blocks of potential users - especially in the small and micro business segments - will exclude themselves from such solutions.

The On-Premises Collection Point

Because some of their critical data and business technology is hosted from the cloud, it is essential that companies have extremely reliable connectivity to enable efficient delivery of the data as needed. This is of critical importance to business continuity and sustainability.

The on-premises network now becomes the collection point for a variety of data from disparate sources, subject to external influences, network speeds and vulnerabilities. And this is why network security should be considered in a category of its own.

Certainly, cloud-based security solutions offer some of the features of a premises-based security platform. However, the most effective, efficient mechanisms with the highest levels of reliability are those with a physical footprint onsite. Take, for example, encryption, UTM, and DLP. On a cloud-based security platform these features lag behind locally-based network security in terms of functionality and performance, and other increasingly important features such as secure managed WiFi are simply not available via the cloud. Only an on-site security solution can secure all critical data coming from all connected networks and sources while also providing the most reliable connection options in the form of carrier redundancy, device fail-over, 3G or 4G connectivity and VPN/private line fail-over.

This doesn't mean that updates, monitoring and management can't be taken care of by providers of managed security services who host that service remotely, from a central location. But it does mean that the physical security solution is actually based within the company walls. This enables you to achieve a number of key strategic advantages - in particular, the ability to select the optimum hardware platform to meet your organization's metrics for reliability, security, and flexibility without sacrificing features, functionality, or performance.

Mix and Match

Deploying a remotely-managed security service to maintain and support the security hardware provides a similar level of convenience and efficiency to that of cloud, but without relinquishing the actual security platform to a third party.
For organizations using managed service providers (MSPs), perhaps the most important advantage of an on-site solution is that it allows the MSP to manage their customers' networks in a highly granular fashion: leveraging the existing infrastructure, connecting a myriad of different network interfaces and connections into a local security appliance, and securing and routing traffic between them, in ways that a hosted solution cannot support.

Many vertical markets such as banking, finance, and healthcare have large established extranets and intranets as well as connectivity to multiple third-party vendors and providers. Traffic to and from these different segments must be managed and secured in ways not possible with a hosted security solution. Any customer requiring network segmentation, extranet support or carrier redundancy must deploy a premises-based solution. This applies to large portions of the market.

Areas of Advantage

Premises-based security platforms offer a superior model across a number of areas. Encryption in particular is worth a closer look, especially as it relates to site-to-site and mobile user VPN connectivity.

In a premises-based model, encryption is performed immediately at the customer edge, ensuring that all critical data is secure before leaving the corporate network. Many regulatory frameworks require this for compliance. Network-based solutions, where data is sent offsite over the carrier network in "plain text" and encryption occurs in a remote data center, expose customers' data as well as their compliance status to vulnerabilities. Furthermore, network-based security platforms are by their nature shared environments. This means that anything impacting traffic or functionality on the platform has the potential to impact all customers on that platform.

The more powerful managed security solutions provide organizations with customizable threat management and data loss prevention (DLP) solutions, defining custom objects and patterns and building policies that prevent business-critical data from leaving the customer site.

Performance and Reliability

It is well understood in the industry that remote inspection and policy application of data introduces traffic latency and other performance issues. While for some businesses the effect may be minimal, for many others it will hurt the business. A good example of this is third-party VoIP services, where traffic must arrive within very tight tolerances to maintain call quality. Premises-based solutions do not suffer from these issues.

In addition, while most network-delivered or cloud-based security solutions can technically provide unified threat management (UTM) services - content filtering, gateway anti-virus, gateway anti-spyware, application firewalls, DLP and other next-gen firewall features - they suffer from business-impacting performance issues when those services are deployed en masse across a carrier's customer base. Contrast this with best-in-class managed security appliances, which can be dropped into a network in a transparent manner and provide UTM services to an established network without any impact on existing infrastructure.

Premises-based solutions also offer superior models for reliability, including high availability (HA) appliances, carrier redundancy, VPN fail-over, and 3G/4G support. In addition, many customers have business requirements that dictate carrier and connectivity redundancy.

No managed solution can provide a total solution for regulatory compliance, but many frameworks require data isolation, security and encryption models that can only be accomplished by a premises-based solution. PCI, as an example, requires that databases containing credit card data be secured separately from other portions of a customer's network, so that traffic into and out of the database networks is inspected and filtered even if that traffic originates from the customer themselves. When selecting a managed security solution, organizations should seek offerings that allow highly detailed security policies to be established to meet the compliance requirements of the governing body.

Integration with the Cloud

Managed, locally-based solutions can also provide for Off-Net support, allowing large distributed organizations to provide managed security services wherever they are located, and provide a comprehensive security solution that is connection-agnostic. All sites and settings can be wrapped into a single, cloud-based portal that customers can log into to see all their security configurations and reporting. Multiple account credentials can be provided, allowing customers flexibility to manage their security policies as needed. For example, divisional managers can be provided with access to view the sites they are responsible for, while executives can be provided access to view the customer's entire organization. And the service can be expanded infinitely without any constraints imposed by platform, data center, or support personnel capacity or availability.

The cloud is here to stay. Moving forward, organizations will need to consider how to properly deploy and manage security across an increasingly distributed IT environment. Identity management systems are going to become critical in the quest to provide role-based security across hybrid cloud platforms. Users must be identified and secured regardless of where the application or network resource they require exists. Centralized, role-based access control solutions using a variety of technologies such as SAML, XACML, and LDAP are emerging on the market. While identity management solutions will be integrating into the hybrid cloud, many organizations will choose to keep this critical component hosted on-premises and made available to their cloud-based infrastructure. A properly managed and deployed premises-based security platform is both a participant in and a critical component of these identity management and distribution models.

A network-based security platform makes available to customers some of the features offered by a premises-based solution, but the compromises to security, performance, reliability, features and flexibility render the solutions available on the market today sub-standard. For most businesses, a hybrid security model is the future. Certain systems, networks and data will always require a premises-based security solution. This is why there are very few purely cloud-based security providers and why most carriers offer both cloud-based and premises-based security platforms.
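The PCI segmentation requirement discussed under Performance and Reliability above, as an added example that is not part of the original paper: a small zone-based policy check in which every flow touching the card-database segment is matched against an explicit allow list and everything else is denied, including traffic from the customer's own LAN. Zone names, address ranges, ports and the sample flows are constructed for this illustration.

```python
"""Zone-based filtering check for a cardholder-data (CDE) database segment.

Added illustration: any flow into or out of the database network must match
an explicit allow rule; otherwise it is denied, even when the source is the
customer's own LAN.  Zones, addresses and ports are constructed for the example.
"""
from dataclasses import dataclass
import ipaddress

# Constructed zones; CDE_DB holds the databases containing card data.
ZONES = {
    "LAN": ipaddress.ip_network("10.10.0.0/16"),      # customer workstations
    "APP_DMZ": ipaddress.ip_network("10.20.0.0/24"),  # payment application tier
    "CDE_DB": ipaddress.ip_network("10.30.0.0/24"),   # card databases
}

@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    dst_port: int
    proto: str = "tcp"

# The only flows permitted to cross the CDE_DB boundary (constructed).
ALLOW = (
    Rule("APP_DMZ", "CDE_DB", 5432),        # app tier -> database listener
    Rule("CDE_DB", "APP_DMZ", 514, "udp"),  # database hosts -> syslog collector
)

def zone_of(addr: str) -> str:
    ip = ipaddress.ip_address(addr)
    return next((name for name, net in ZONES.items() if ip in net), "UNTRUSTED")

def decide(src: str, dst: str, dst_port: int, proto: str = "tcp") -> str:
    """Return 'allow', 'deny', or 'outside-cde-scope' for one flow."""
    src_zone, dst_zone = zone_of(src), zone_of(dst)
    if "CDE_DB" not in (src_zone, dst_zone):
        return "outside-cde-scope"  # left to the general policy, not this check
    if Rule(src_zone, dst_zone, dst_port, proto) in ALLOW:
        return "allow"
    return "deny"  # default deny, regardless of who the source is

def audit(flows):
    """Count decisions over a list of (src, dst, port, proto) tuples."""
    counts = {"allow": 0, "deny": 0, "outside-cde-scope": 0}
    for src, dst, port, proto in flows:
        counts[decide(src, dst, port, proto)] += 1
    return counts

# Constructed sample flows, including a workstation on the customer's own LAN.
SAMPLE_FLOWS = [
    ("10.20.0.5", "10.30.0.10", 5432, "tcp"),  # app tier to database: allowed
    ("10.10.4.7", "10.30.0.10", 5432, "tcp"),  # LAN workstation to database: denied
    ("10.30.0.10", "10.10.4.7", 445, "tcp"),   # database reaching into LAN: denied
    ("10.10.4.7", "10.20.0.5", 443, "tcp"),    # LAN to app tier: not a CDE flow
]

if __name__ == "__main__":
    print(audit(SAMPLE_FLOWS))  # {'allow': 1, 'deny': 2, 'outside-cde-scope': 1}
```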