Head in the Cloud, Feet on the Ground
Why a hybrid model makes sense for managed security services
Reeve Samson, CIO, Secure Designs
Everywhere you turn, the advantages of cloud are being touted - to such an extent that you could be forgiven for thinking that on-premises solutions are obsolete. The cloud model is undeniably appealing given the difficulties of provisioning applications across distributed organizations and the need to streamline administration costs without decreasing productivity. But in fact what’s emerging as the new norm is a hybrid environment of on-premises and cloud solutions.
One of the key characteristics of ‘cloud’ applications are that they are entirely hosted off-site – in other words, the organization doesn’t own an appliance, server or other endpoint dedicated to a particular function. However, the vast majority of companies who have moved much of their functions to a cloud model will still maintain local, premise-based network resources in the forms of critical data, extranets, and network segmentation for the foreseeable future. Moreover, adopting a cloud-based model is a relatively complex process, which means that large blocks of potential users – especially in the small and micro business segments - will exclude themselves from such solutions.
The On-Premises Collection Point
Because some of their critical data and business technology is hosted from the cloud, it is essential that companies have extremely reliable connectivity to enable efficient delivery of the data as needed. This is of critical importance to business continuity and sustainability. The on-premises network now becomes the collection point for a variety of data from disparate sources, subject to external influences, network speeds and vulnerabilities. And this is why network security should be considered in a category of its own.
Certainly, cloud-based security solutions offer some of the features of a premises based security platform. However, the most effective, efficient mechanisms with the highest levels of reliability are those with a physical footprint onsite. Take, for example, encryption, UTM, and DLP. On a cloud-based security platform these features lag behind locally-based network security in terms of functionality and performance, and other increasingly important a features such as secure managed WiFi are simply not available via the cloud.
Only an on-site security solution can secure all critical data coming from all connected networks and sources while also providing the most reliable connection options in the form of carrier redundancy, device fail-over, 3G or 4G connectivity and VPN/Private line fail-over.
This doesn’t mean that updates, monitoring and management can’t be taken care of by providers of managed security services who host that service remotely, from a central location. But it does mean that the physical security solution is actually based within the company walls. This enables you to achieve a number of key strategic advantages – in particular, the ability to select the optimum hardware platform to meet your organization’s metrics for reliability, security, and flexibility without sacrificing features, functionality, or performance.
Mix and Match
Deploying a remotely-managed security service to maintain and support the security hardware provides a similar level of convenience and efficiency to that of cloud, but without relinquishing the actual security platform to a third party.
For organizations using managed service providers (MSP), perhaps the most important advantage of an on-site solution is that it allows the MSP to manage their customers’ networks in a highly granular fashion: leveraging the existing infrastructure, connecting a myriad different network interfaces and connections into a local security appliance, securing and routing traffic between them, in ways that a hosted solution cannot support.
Many vertical markets such as banking, finance, and healthcare have large established extranets and intranets as well as connectivity to multiple third party vendors and providers. Traffic to and from these different segments must be managed and secured in ways not possible with a hosted security solution. Any customer requiring network segmentation, extranet support or carrier redundancy must deploy a premise-based solution. This applies to large portions of the market.
Areas of Advantage
Premises-based security platforms offer a superior model across a number of areas. Encryption in particular is worth a closer look, especially as it relates to site-to-site and mobile user VPN connectivity.
In a premises-based model, encryption is performed immediately at the customer edge, ensuring that all critical data is secure before leaving the corporate network. Many regulatory frameworks require this for compliance. Network-based solutions, where data is sent offsite over the carrier network in “plain text” and encryption occurs in a remote data center, expose customers’ data as well as their compliance status to vulnerabilities. Furthermore, network-based security platforms are by their nature shared environments. This means that anything impacting traffic or functionality on the platform has the potential to impact all customers on that platform. The more powerful managed security solutions provide organizations with customizable threat management and data loss prevention (DLP) solutions, defining custom objects and patterns and building policies that prevent this business-critical data from leaving the customer site.
Performance and Reliability
It is well understood in the industry that remote inspection and policy application of data introduces traffic latency and other performance issues. While for some businesses the effect may be minimal, for many others it will hurt the business. A good example of this is third party VOIP services, where traffic must arrive within very tight tolerances to maintain call quality. Premises-based solutions do not suffer from these issues. In addition, while most network-delivered or cloud-based security solutions can technically provide unified threat management (UTM) services - Content Filtering, Gateway Anti-Virus, Gateway Anti-Spyware, Application firewalls, DLP and other Next-Gen firewall features - they suffer from business impacting performance issues when those services are deployed en masse across a carrier’s customer base. Contrast this with best in class managed security appliances, that can be dropped into a network in a transparent manner and provide UTM services to an established network without any impact on existing infrastructure.
Premises-based solutions also offer superior models for reliability, including high availability (HA) appliances, carrier redundancy, VPN fail-over, and 3g/4g support. In addition, many customers have business requirements that dictate carrier and connectivity redundancy.
No managed solution can provide a total solution for regulatory compliance, but many frameworks require data isolation, security and encryption models that can only be accomplished by a premise-based solution. PCI, as an example, requires that databases containing credit card data be secured separately from other portions of a customer’s network so that traffic into and out of the database networks is inspected and filtered even if the traffic is the customer themselves. When selecting a managed security solution, organizations should seek offerings that allow highly detailed security policies to be established to meet the compliance requirements of the governing body.
Integration with the Cloud
Managed, locally-based solutions can also provide for Off-Net support, allowing large distributed organizations to provide managed security services wherever they are located, and provide a comprehensive security solution that is connection-agnostic. All sites and settings can be wrapped into a single, cloud based portal that customers can log into to see all their security configurations and reporting. Multiple account credentials can be provided, allowing customers flexibility to manage their security policies as needed. For example, divisional managers can be provided with access to view the sites they are responsible for while executives can be provided access to view a customer’s entire organization. And the service can be expanded infinitely without any constraints imposed by platform, data center, or support personnel capacity or availability.
The cloud is here to stay. Moving forward, organizations will need to consider how to properly deploy and manage security across an increasingly distributed IT environment. Identity management systems are going to become critical in the quest to provide role-based security across hybrid cloud platforms. Users must be identified and secure regardless of where the application or network resource they require exists. Centralized, role-based-access control solutions using a variety of technologies such as SAML, XACML, and LDAP are emerging on the market. While identity management solutions will be integrating into the hybrid cloud, many organizations will choose to keep this critical component hosted on-premise and made available to their cloud-based infrastructure. A properly managed and deployed premise based security platform is both a participant and critical component of these identity management and distribution models.
A network-based security platform makes available to customers some of the features offered by a premise-based solution, but the compromises to security, performance, reliability, features and flexibility render the solutions available on the market today sub-standard. For most businesses, a hybrid security model is the future. Certain systems, networks and data will always require a premise-based security solution. This is why there are very few purely cloud-based security providers and why most carriers offer both cloud-based and premise-based security platforms.