Gartner: The Future of Network Security is in the Cloud - We Agree!
Gartner recently published a compelling read - The Future of Network Security Is in the Cloud by Gartner Research VP analyst Lawrence Orans and distinguished VP analysts Joe Skorupa and Neil MacDonald on on the future of network security. The report highlights a few potentially uncomfortable truths for many security pros. While much of the note is focused on secure access and identity, there are good takeaways for those folks looking to secure apps in the new enterprise datacenter - the public cloud.
Specifically, Gartner made a few interesting (to me!) observations and recommendations:
- Tromboning, hair-pinning, or backhauling traffic is killing the business. There is more “stuff” (users, devices, apps) outside the old, on-premises datacenter than inside it. Stop keeping security where it’s the least effective - furthest away from both apps and users. Gartner talks about bringing the security engines to the sessions, not vice-versa. This means, for apps in the public cloud, put network security enforcement there too. It also means that the control plane has to be multi-cloud - just as no DC is the center of the universe, neither is any one VPC/VNet.
- Given security and performance/latency requirements (TLS 1.3, etc), security has to be able to inspect encrypted traffic, once using a single-pass architecture. Each function can’t have its own decryption/encryption anymore, nor can organizations have traffic flowing in the clear between disparate security functions either. Which demands a secure, high-performance, integrated approach to network security.
- An integrated approach - “racking and stacking” happens many, many times - potentially every day. Meaning that complexity in provisioning (lots of discrete virtual “boxes,” even provisioned by scripts) is a recipe for disaster.
- Finally, they talk about moving stuff from a box-based management philosophy to a policy- and services-based approach to security. Just like most infrastructure, network security should be a call-able service (infinitely scalable with no hardware increments). This is how it HAS to go – given the “un-boxing” and elasticity of application and network infrastructure – network security must follow. Unfortunately, many of the traditional network security providers have a very box-centric view of the world - from licensing, to provisioning, to control and ops, to reporting - which is hard to change.
We could not agree more. These are some of the same observations we’ve made in working with organizations as we have innovated our product. Now, we’re focused on protecting apps in the public cloud (think: the old data center firewall and associated network security suite of services), instead of focusing on protecting users and devices (e.g., HQ firewall, secure web gateway) but the realities are largely the same. In fact, with the exception of accommodating the geographic spread of users, many of the evaluation criteria Gartner cites apply to the application side of network security too. Some examples of evaluation criteria I found particularly relevant:
- Breadth of services
- Location of policy decision points
- Location of management/control plane - policies shipped to local enforcement, not production traffic shipped to central location.
- Architecture - cloud native + not shipped around (VM-VM or cloud-cloud)
- TLS everywhere
- Single pass architecture
So two things pop out of this – network security has to go cloud native, and while we’re doing that, let’s not forget all of the lessons we learned over the last 20 years about data center network security. Things like the importance of performance while doing security, the importance of manageability, and the importance of getting security next to the thing you are protecting.
If you’re a Gartner client, I recommend having a look at this note. Thanks for reading!