We tend to use the nebulous term “the cloud” as a catch-all phrase that implies any type of hosted environment, but it’s important to dig beneath the term when network security is at stake.
In reality, “the cloud” can take a number of different forms. Compute capabilities can be managed in a cloud service provider environment and server workloads migrated into a managed service offering – the most traditional and popular cloud approach. Software-as-a-Service (SaaS) solutions like Salesforce or Office 365 can be used to receive cloud provider services without agencies having to define anything about the applications themselves. There are also cloud-native applications, such as microservices, which can be deployed and delivered in various regions of the cloud environment at any time.
Each of these approaches can test an agency’s perimeter security efforts in their own way, which is why it is critical for us to look at and plan across the full cloud continuum. For example, an agency using a virtual private cloud through Amazon Web Services will have more geographic control over where things reside and generally be able to virtually define their perimeter. If that agency moves toward SaaS, that perimeter concept will begin to fall away. If that agency goes a step further with a mobile workforce and cloud-native environment, the boundaries of where resources are located may change by the moment as the agency scales up or down. Indeed, its data may not even exist within the vicinity of the network, making the perimeter very difficult to see.
Perimeter dissipation in hybrid cloud environments requires agencies to stop talking about network security and start talking about secure networks. In doing so, they must take a new, software-defined approach to security that allows them to operate their networks through a single enforcement domain.
Software-defined Secure Networks
Software-defined Secure Networks (SDSN) takes the core component of Software-defined Networking (SDN) – where the control plane is centralized but the forwarding plane is distributed – and applies it to security across the entire cloud infrastructure. Through SDSN, agencies can deploy an automated system for threat detection and the management of security policies and compliance.
With SDSN, security is built into the very core of an agency’s hybrid cloud infrastructure, and every element of that infrastructure becomes an enforcement point. This approach is necessary to successfully secure hybrid cloud environments where the threat of increased security vulnerabilities is very real. SDSN provides an automated platform that agencies can use to mitigate risks across these environments.
SDSN allows for a programmatic approach to perimeter security. Agency managers can leverage controller-type SDN architectures and programmatic interfaces that extend the agency’s security domain into a cloud environment. They can interact with cloud services via APIs, allowing them to gain insight and potentially enforcement capabilities over their cloud resources. As such, SDSN is ideal for every type of cloud formation, from basic to cloud-native.
For example, an agency moving compute services into Microsoft Azure or AWS may want a certain amount of compute and storage capabilities to host their particular operating system. The agency may want to put a firewall in front of its network. With SDSN, it’s possible for that firewall to become part of the security component ecosystem within an extended, unified, and secure network. Managers can have centralized control over that firewall and treat it like any other data center in their environment.
Within this environment, SDSN provides a framework for managers to control and gather telemetry data from a multitude of devices and adapt their security as necessary based on threat intelligence. Managers can perform a centralized analysis of the information gathered from disparate components and sensors across their networks. Algorithms and machine capabilities can peruse the data that’s being collected, making it easier to identify anomalous behaviors that need to be vetted, clarified, and enforced against network policies. This automated process is more efficient, less prone to human error, and highly adaptable.
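The loop described above (gather telemetry centrally, analyze it against threat intelligence, then enforce the resulting policy at every enforcement point) as a small added example. This is illustrative code written for this article, not Juniper's SDSN implementation; the host addresses, flow records, threat list and enforcement-point names are all constructed, and the rule syntax for each device kind is a stand-in for whatever that device's API actually accepts.

```python
# Added example, not Juniper's SDSN code: a toy controller that analyses
# telemetry centrally, states the result once as security intent, and
# compiles it for heterogeneous enforcement points. All data is constructed.

THREAT_INTEL = {"203.0.113.7"}            # constructed known-bad destination
# Constructed flow telemetry from sensors: (source host, destination, port).
TELEMETRY = [
    ("10.1.0.5", "198.51.100.20", 443),
    ("10.1.0.5", "203.0.113.7", 443),     # contacts a known-bad host
    ("10.2.0.9", "198.51.100.20", 443),
] + [("10.2.0.9", f"10.3.0.{i}", 445) for i in range(1, 31)]  # SMB fan-out

# Enforcement points across the hybrid estate (names are constructed).
ENFORCEMENT_POINTS = [
    {"name": "dc-firewall", "kind": "firewall"},
    {"name": "aws-sg-prod", "kind": "cloud_sg"},
]

def detect_anomalies(telemetry, threat_intel, fanout_limit=20):
    """Centralized analysis over all sensors; returns {host: reason}."""
    flagged, dests = {}, {}
    for src, dst, _port in telemetry:
        dests.setdefault(src, set()).add(dst)
        if dst in threat_intel:
            flagged[src] = "threat-intel-match"
    for src, seen in dests.items():
        if len(seen) > fanout_limit:      # one host touching many peers
            flagged.setdefault(src, "lateral-fan-out")
    return flagged

def intent_from_anomalies(flagged):
    """State the decision once, vendor-neutrally, as security intent."""
    return [{"action": "quarantine", "host": h, "reason": r}
            for h, r in sorted(flagged.items())]

def compile_intent(intents, points):
    """Render the same intent in each enforcement point's native form."""
    rules = []
    for it in intents:
        for p in points:
            if p["kind"] == "firewall":
                rules.append((p["name"], f"deny ip host {it['host']} any"))
            elif p["kind"] == "cloud_sg":
                rules.append((p["name"], f"revoke-all {it['host']}/32"))
    return rules

def plan(telemetry=TELEMETRY, intel=THREAT_INTEL, points=ENFORCEMENT_POINTS):
    """Full loop: telemetry -> anomalies -> intent -> per-device rules."""
    intents = intent_from_anomalies(detect_anomalies(telemetry, intel))
    return compile_intent(intents, points)
```

The point of the split between intent and compiled rules is that a new enforcement point (another cloud's security groups, a host agent) only needs a new branch in the compiler, while detection and the quarantine decision stay in one place.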
The Importance of Open Standards
Just as a hybrid cloud environment needs an ecosystem built on open standards, it’s important for the tools being used to maintain the security infrastructure to adhere to the same principles. It’s no longer realistic for agencies to be locked into a single vendor. Using resources from multiple vendors helps achieve the highest possible efficiency and performance, and allows managers to control any component in their network, regardless of vendor or where that component may reside.
An SDSN security approach based on open standards will help federal IT managers answer one of the most important questions they’ll be faced with in 2017: “How do I provide security intent to a system and enforce that intent across my entire hybrid infrastructure?” Through SDSN, they will be able to enable adaptable, automated, and intelligent network detection and enforcement capabilities from anywhere and across any cloud platform.
As the concept of the cloud continues to evolve, federal agencies will need solutions that evolve along with their cloud deployments to ensure persistent and effective network security. That will require eschewing a traditional “bolted on” security approach in favor of automated, software-defined methods where security processes are incorporated into their overall network architectures.
Tim Solms is the Vice President, US Federal and Managing Director of Worldwide Government at Juniper Networks.