Toward Central Network Security Policy Management for Hybrid Clouds

As organizations embraced the public cloud over the past few years, security teams were on the hook to modify network security policies and implement security controls to protect cloud-based workloads. The goal was simple: Protect cloud-based workloads with network security policies and controls that were equal to or better than existing safeguards for physical and virtual servers in corporate data centers.

This turned out to be far more difficult than expected. Many organizations tried to force-fit their existing security controls (firewalls, ACLs, network segments, VPNs, etc.) to accommodate cloud-based workloads. This turned out to be a technology mismatch, as security controls built for physical and virtual servers were too inflexible to service the public cloud.

As an alternative, a lot of firms decided the best bet was to create a customized network security infrastructure for the cloud with its own controls and associated policies. According to ESG research, 70% of organizations use separate controls for public cloud-based resources and on-premises VMs and servers today. 

Unfortunately, this strategy also had issues: 25% of cybersecurity professionals claim that one of their biggest cloud security challenges is maintaining strong and consistent security across corporate data centers and multiple cloud environments. Why the problems? Security teams had to implement different controls across disparate public clouds. And since the controls had different capabilities, security pros were forced to modify and maintain different policies to manage different controls across different infrastructure.

As the saying goes, complexity is the enemy of security, and, let’s face it, maintaining different network security policies and controls for different cloud service providers (as well as on-premises virtual and physical servers) is the definition of complexity. Infosec managers understand this is a no-win situation and are poised to do something about it. ESG research indicates that 70% of organizations plan to unify security controls for all server workloads across public clouds and on-premises resources over the next two years.

This sure seems like a worthwhile strategy, but can enterprises really find some type of standard security control that can be applied to physical servers, virtual servers, various public cloud services, containers, micro-services, etc.? Maybe, but this seems like a stretch to me.

Fortunately, they may not have to. As it turns out, some of the security controls are already there. VMware provides NSX, cloud providers offer security groups, Linux servers have iptables, Windows servers have Windows firewalls, etc. Heck, even container technologies like Docker provide firewalling capabilities for network isolation. 

You wouldn’t bring your own beer to a brew pub, so why bring a firewall to a physical server, virtual server environment, or cloud infrastructure? The firewalls are already there.

So, what does this mean? The future of network security is all about central policy management. 

Now this capability starts with the discovery of all workloads across physical, virtual, and cloud-based infrastructure. It then maps out application connectivity and existing segmentation rules. Some systems will assess whether these rules provide adequate protection and may even point out weak rules that leave workloads open to attack. Sophisticated policy management systems may also suggest policies and rules on their own. Finally, central network policy management engines will discover all physical, virtual, and cloud-based security controls and their associated rules, and then provide a central place to manage and view all controls across the whole enchilada. Oh, and standards like OpenC2 will help enable these capabilities. 
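To make the "discover controls, normalize their rules, assess the weak ones" step concrete, here is a small added example (not code from this post or from any vendor named in it). It pulls rules from two of the enforcement points mentioned above, an EC2-style security group and a Linux host's iptables, into one common rule model and then flags rules that leave management ports or all ports open to any source. The security-group dictionary mirrors the shape of AWS `describe-security-groups` output and the iptables text mirrors `iptables -S` output; both samples are constructed for the example, and the helper names (`Rule`, `from_security_group`, `from_iptables`, `find_weak_rules`) are this example's own.

```python
"""Normalize firewall rules from heterogeneous controls into one model and flag weak rules."""
from dataclasses import dataclass
import ipaddress
import shlex

# Ports a central policy engine would treat as management exposure (example choice).
MGMT_PORTS = {22: "ssh", 3389: "rdp"}


@dataclass(frozen=True)
class Rule:
    control: str    # which enforcement point the rule came from
    workload: str   # the workload it protects
    proto: str      # "tcp", "udp" or "any"
    from_port: int
    to_port: int
    source: str     # CIDR the rule admits


def from_security_group(workload: str, sg: dict) -> list:
    """Flatten the IpPermissions list of an EC2-style security group (assumed shape)."""
    rules = []
    for perm in sg.get("IpPermissions", []):
        proto = perm["IpProtocol"]
        if proto == "-1":                       # EC2 uses "-1" for all protocols and ports
            proto, lo, hi = "any", 0, 65535
        else:
            lo, hi = perm["FromPort"], perm["ToPort"]
        for ip_range in perm.get("IpRanges", []):
            rules.append(Rule(f"sg:{sg['GroupId']}", workload, proto, lo, hi, ip_range["CidrIp"]))
    return rules


def parse_ports(spec: str) -> tuple:
    """Turn '22' or '8080:8090' into an inclusive (low, high) tuple."""
    lo, _, hi = spec.partition(":")
    return int(lo), int(hi or lo)


def from_iptables(workload: str, dump: str) -> list:
    """Parse ACCEPT rules on the INPUT chain from `iptables -S`-style text."""
    rules = []
    for line in dump.splitlines():
        tokens = shlex.split(line)
        if tokens[:2] != ["-A", "INPUT"] or "ACCEPT" not in tokens:
            continue                             # policies, other chains, non-ACCEPT targets
        if "-i" in tokens and tokens[tokens.index("-i") + 1] == "lo":
            continue                             # loopback traffic is not external exposure
        if any("ESTABLISHED" in tok for tok in tokens):
            continue                             # stateful return traffic, not a new opening
        proto, source, lo, hi = "any", "0.0.0.0/0", 0, 65535   # iptables defaults when omitted
        for i, tok in enumerate(tokens):
            if tok == "-p":
                proto = tokens[i + 1]
            elif tok == "-s":
                source = tokens[i + 1]
            elif tok == "--dport":
                lo, hi = parse_ports(tokens[i + 1])
        rules.append(Rule("iptables", workload, proto, lo, hi, source))
    return rules


def find_weak_rules(rules) -> list:
    """Return (rule, reason) pairs for rules open to any source on sensitive or all ports."""
    findings = []
    for r in rules:
        if ipaddress.ip_network(r.source, strict=False).prefixlen != 0:
            continue                             # bounded source, out of scope for this check
        if r.proto == "any" or (r.from_port, r.to_port) == (0, 65535):
            findings.append((r, "all ports open to any source"))
            continue
        exposed = [name for port, name in MGMT_PORTS.items() if r.from_port <= port <= r.to_port]
        if exposed:
            findings.append((r, f"{'/'.join(exposed)} open to any source"))
    return findings


# Constructed sample data: a cloud web server and an on-premises database host.
SAMPLE_SG = {
    "GroupId": "sg-0example",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432, "IpRanges": [{"CidrIp": "10.0.0.0/8"}]},
    ],
}
SAMPLE_IPTABLES = """\
-P INPUT DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -s 10.0.0.0/8 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8080:8090 -j ACCEPT
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
"""


def inventory() -> list:
    """The central view: every rule from every control, in one model."""
    rules = from_security_group("web-01 (aws)", SAMPLE_SG)
    rules += from_iptables("db-01 (on-prem)", SAMPLE_IPTABLES)
    return rules


if __name__ == "__main__":
    for r, why in find_weak_rules(inventory()):
        print(f"[{r.control}] {r.workload}: {r.proto} {r.from_port}-{r.to_port} from {r.source}: {why}")
```

Run as-is, the script reports one finding: the security group's SSH rule from 0.0.0.0/0. The on-premises host's SSH rule is not flagged because its source is bounded to 10.0.0.0/8, which is the kind of cross-control comparison a single policy view makes possible and separate per-platform consoles do not.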

It should be noted that this transition is already impacting the security industry as the center of power shifts from network security controls (often hardware) to central network security policy management (always software). As a result:

  • Firewall vendors are shifting strategies. Cisco is pitching hybrid cloud workload protection (StealthWatch/Tetration), Palo Alto championed its cloud security strategy with an epic cloud security event (and then acquired, and Check Point is offering its cloud security blueprint, all while Fortinet crows about its security fabric.
  • Security software vendors have jumped in. McAfee, Symantec, and Trend Micro are extending their anti-malware server products for workload isolation.
  • Independents are flexing their cloud muscles. Startups like Edgewise Networks, Illumio, and vArmour look at the world from the public cloud back into the data center. In other words, they are targeting the real action in the cloud today and are then poised to replace existing network security infrastructure already deployed in private clouds over time.
  • Network security policy tools extend to the cloud. Vendors like AlgoSec, FireMon, and Tufin are in the catbird seat if they can extend support to heterogeneous environments and get the word out to cybersecurity pros that they’ve evolved beyond firewall management. 

Given industry confusion and intense competition, CISOs must proceed ahead with caution by casting a wide net. The move to central network security policy management is a virtual certainty, but which vendors win or lose in this transition remains to be seen. 
