Is Network Security Relevant in the Cloud?
Short answers: yes, and no. But the details matter.
For the last 15 months, we’ve seen a previously unimaginable acceleration in the use of cloud and greater reliance on technology overall, all of which pushes more app efforts to cloud faster than originally planned. This acceleration brings several discussions to a head, but we’re here to talk about network security (netsec).
Within netsec in the cloud, there are a few different ways of segmenting, but where this article will draw the line is between protecting users as they access the cloud and protecting apps deployed into the cloud. The former, protecting users, has seen plenty of investment and innovation and is a relatively well-understood problem.
The latter is what we’re going to focus on. And so the question is, given all of the development and innovation in the cloud, is network security relevant? Sure, security is, but in the network?
Network Security Matters
We hear that network security doesn’t matter anymore: there is no perimeter; the network can’t be trusted, so defenses have to be at the app; the cloud provider does netsec; and there are container security solutions. The reality isn’t so simple, for a number of reasons:
- There are lots of different new app approaches.
- Customization of security in these environments is possible and powerful, but it is an expensive, low-leverage effort that applies only to that one app (i.e., it’s inconsistent across apps).
- There is a core security principle: defense in depth. Designed by humans, all security implementations are fallible, so security requires a layered approach, and there are plenty of examples where the primary defense failed.
- Related, but different — most security folks want to keep threats as far away from the resource they’re protecting as possible (e.g., DDoS).
The bottom line is that the network is the common ground. It’s the only thing that every app touches.
Security Culture and Technology Meets the Cloud
There are two dimensions to examine — culture and tech. First, culture: Developers run the show. The move to the cloud changed everything we do to a developer context — vocabulary, how we think, deployments, tools, etc. It makes sense — devs are closer to the business. Security and availability used to be in IT terms, but now we need to present in dev terms.
Security in particular needs to change its outlook: not NO or SLOW, but something else. We need to think about adapting, not controlling. But it’s harder: in the name of being responsive to the business, there are more cooks in the kitchen, a much more dynamic environment, and a looser control model. Even still, the dog (developers on behalf of the business) should wag the tail (infrastructure and security).
Because it’s now harder, does this mean netsec is no longer relevant? No. It just means we have to change the way we do it.
Shifting gears to technology, while the network is the common ground, the common ground is a lot more dynamic. Dynamic, for our purposes, means lots of apps deployed rapidly. Self-service is the norm, and infrastructure is procured and deployed in the same model. This is the nature of being responsive to the business, and a Good Thing. But traditional netsec isn’t built for a dynamic environment.
Traditional netsec was built for a network that was architected once and typically not changed for long periods of time. This meant that security folks could place controls at key points and trust that they were seeing all traffic at those controls. Nearly all of security visibility was focused on those points. In the cloud, some basic services won’t always go through a control point (e.g., DNS), and the dynamic environment means that the network is constantly changing.
Because it’s now harder, does this mean netsec is no longer relevant? No. It just means we have to change the way we do it. We need to add a lot more visibility into our netsec capability. Rather than stare into the pipe we sit on, we need the cloud equivalent of satellite imagery and drones, so that we can see the dynamic environment and deploy security controls accordingly: what new apps and infrastructure are deployed, and where to place security.
Network Security Tools Need to Change
So, do we have the right tools? Short answer, no. As stated above, most of the traditional toolset was based on a different reality with a different set of assumptions.
Again, netsec is relevant and important, but the implementation needs to change. Two key concepts are critical, both mentioned previously: adaptation and visibility. Adaptation means that both the culture and the toolset need to quickly adapt to change, rather than control it. Visibility is a prerequisite. Not the “find all my vulnerabilities” visibility, but a clear, real-time picture of the environment, so that security can adapt and deploy controls automatically at the pace of change. In other words, network security has to become cloud native.
The bottom line here is that network security is relevant, but implementations (both culture and tech) need to adapt — and become adaptable. So like devs and infrastructure, security too can be responsive to the business.