In Cloud Networking, Security Needs to be a Combined Effort
From our experience in the cloud, layers of security are best
Cloud computing infrastructure is elastic, scalable, highly available, and accessible – but is it safe? The undisputed largest barrier to business cloud migration is security. In the 2014 survey of the ODCA’s large enterprise members, 67% of respondents reported that security was the largest limiting factor for virtual private, community, or public clouds. The survey also found that regulatory issues and vendor lock-in concern members, with 56% and 46% of respondents, respectively, voicing these concerns.
In my own experience, as our company began to put our internal systems into the cloud, we were uncomfortable with any loss of control over our data and network infrastructure. Security, accessibility and control were the conceptual backdrop to the creation of our own software-defined networking product (VNS3). Our own cloud migration allowed us to begin assessing what critical capabilities network virtualization, and the broader cloud computing industry, needed to provide secure capabilities for cloud users.
Complexity is the biggest security risk
Regardless of cloud deployment type (from public to hybrid or SaaS to managed hosting), all businesses need security at the application layer. Yet those security needs are largely unmet by IaaS and Cloud Service vendors. Instead, most security and compliance requirements are the responsibility of the cloud users.
Gartner analyst Lydia Leong writes: “IT managers purchasing cloud IaaS should remain aware that many aspects of security operations remain their responsibility, not the cloud provider’s. Critically, the customer often retains security responsibility for everything above the hypervisor.”
Businesses using any type of data center resources should be vigilant about their security, both in on-premise data centers and in any cloud environment. The biggest difference between traditional data centers and cloud computing is the complexity. With increasing data volumes, distributed resources, and differing security rules for cloud versus on-premise, organizations need help managing the complexity of security.
So who should verify compliance standards? Should security be the sole responsibility of either cloud users or providers? Why not everyone?
Security complexity solution: Layers of security
Security needs to be a combined effort, where cloud providers, certified professionals, vendors, and users work together to offer a security and control solution that matches a particular industry’s needs.
Our experiences from both migrating in-house cloud systems and helping over 1,000 customers have led us to take an application-centric approach to cloud networking. We think of security as a layered approach, much like the rings of an onion. On the very innermost layer, cloud users should have the ultimate level of security, controlled access, and insight into their applications or instances.
Our recommended approach to network security includes using both a highly available overlay network and site-to-site IPsec connectivity. These two features keep a business’s applications safe from attacks in both the underlying infrastructure and over the public Internet, no matter who owns and accesses the network. This way, providers can offer on-demand infrastructure, and cloud end users benefit from low costs while still controlling their security in public clouds.
A layered security approach requires an orchestration of cloud provider features and the application security features controlled by the application owners. Tim Phillips describes it as “virtual application networking,” or a feature of the network that allows the application owner to define the security requirements of each server and application. To us, this clearly shows that application-centric networking can span the cloud stack to offer application-layer security.
Focus on the business, not the infrastructure
With a combined security effort, IT teams can focus on keeping their end products secure, rather than managing the underlying cloud or data center security layers.
One of our customers, Quantum Retail, was able to guarantee security across their internal infrastructure in both data centers and cloud networks. As a leading retail supply chain software vendor, Quantum Retail had used on-premise deployments for their retail data analysis and management solutions. As business grew and the public cloud became more appealing, they created a cloud-only SaaS to deploy directly into their customers’ networks.
But to connect via the public cloud, Quantum Retail needed more network security than any provider offered. The team needed secure, isolated connections between their internal systems and their customers. Building on top of the public cloud IaaS security features, the Quantum Retail team used overlay networks to create one secure, global virtual network. Now they are able to connect existing internal IT and customer implementations across the public cloud.
Using both IPsec edge connectivity and SSL/TLS VPN, Quantum Retail added network security features to the existing data center and cloud networks. With overlay networks on top of public cloud, the company now manages more than 100 cloud environments as a “single network mix.”