Network security as a service, or NSaaS, tools are the latest enterprise IT trend. While these services offer numerous...
benefits in terms of lower Capex and reduced in-house maintenance responsibilities, migrating security services to a cloud-based model can produce unexpected results if not carefully evaluated. For those considering abandoning on-premises network security tools in favor of a new model of network infrastructure security, make sure you understand how this migration can affect your network.
It was only a decade ago the cloud computing market started to heat up. One common opinion regarding cloud services was while applications and client-server resources were likely to shift to a cloud-based model, traditional networking and network security tools were likely to stay in-house. For the most part, that prediction was correct.
Yet, a decade later, we're finally beginning to see a surge in enterprise IT departments no longer wanting the hassle of managing physical network security devices on premises. Fortunately, there is any number of security vendors champing at the bit to gain your network infrastructure security business. The list of services includes newer network security tools, such as advanced malware detection, data loss prevention and threat intelligence analytics.
Shift away from traditional appliances
Also becoming increasingly popular is a shift away from traditional network security edge appliances, such as intrusion prevention systems (IPS) and next-generation firewalls (NGFWs). In their place would either be a locally deployed virtual appliance that's cloud-managed or a fully cloud-deployed edge security platform that requires no on-premises hardware or software.
For example, network telemetry analytics products from companies such as Cisco, Symantec and Palo Alto all use a combination of threat intelligence teams, global network monitoring and advanced security intelligence to identify and remediate threats in near-real time. All of this is performed independently in the cloud. The enterprise customer simply reaps the benefits in the form of updates, access rules and other remedies that are pushed from the cloud to the corporate network automatically.
This is a great example of how NSaaS can be used at such a massive scale that virtually no traditional enterprise company could afford to match the level of capability on its own.
Edge devices offer another opportunity for network infrastructure security
On the other end of the spectrum, we have network edge devices that comprise the security perimeter of the network. These commonly include firewall and IPS appliances. When dealing with these types of network security services that protect data flowing in and out of a protected LAN, it usually makes the most sense to continue to have the security appliance hosted directly on the corporate network.
That said, it's becoming increasingly common to deploy virtual appliances -- as opposed to physical appliances -- at the edge. Additionally, NSaaS providers allow network infrastructure security administrators to manage firewall or IPS appliances using the public cloud. This not only includes configuration settings, but also firmware updates and feature enhancements that can be fully automated.
In other use cases, NGFWs and IPS appliances can be completely moved to the cloud without the need for any type of on-premises appliance -- either physical or virtual. This is ideal for organizations with large portions of users who work from home or companies with large numbers of small remote sites. However, it's likely not cost-effective for businesses that still maintain large corporate offices, with hundreds or thousands of users, because of how traffic flows in and out of the internet.
In a situation where all internet traffic is first routed to a hosted cloud firewall, it has the potential to create added network latency and unnecessary bottlenecks. The answer to this would be to use dedicated WAN links to the NSaaS provider, as opposed to the public internet. But if that's your only option to fix latency or throughput issues, you're almost certainly better off sticking to a traditional on-premises edge security deployment model.
Lastly, it should be pointed out that a tremendous amount of trust must be put into offloading any type of network security service to a cloud provider. Carefully consider the fact that your company's intellectual property and digital livelihood will be placed into the hands of an external entity. Thus, any partnership with a cloud security provider must be open and transparent.
Choosing the wrong cloud provider to house your network infrastructure security strategy not only will put your job as an IT decision-maker on the line, but potentially the jobs of the entire company, as well. Thus, do your homework, ask all the right questions and be sure the partner you go with is someone that can be trusted both now and into the distant future.