Cloud Security: Part 2: Evolution of Network Security to Cloud-Centric Security
“When is this idiocy going to stop?” “What the hell is cloud computing?” That was Oracle co-founder Larry Ellison’s opinion of cloud computing back in 2008. In his defense, he was probably worn down by the abuse of the term. But if a business- and tech-savvy person like Larry Ellison was a naysayer, who could blame the large number of CxOs who outright rejected cloud computing as a fad! Aside from this general lack of faith in a new architectural paradigm, one of the biggest inhibitors to cloud adoption in the enterprise had been security. The mere thought of sensitive enterprise data leaving the data center was a mental barrier for a lot of CTOs and CISOs, and for good reason. While users predominantly worked from the office and accessed data over the LAN or WAN, enterprises could build their own fort (or perimeter) of network firewalls, switches and routers to keep security in check. For the rare remote worker, there was always a VPN, creating the effect of an extended perimeter…but a perimeter nonetheless. For many years, perimeter security worked fairly well. But as adoption of the cloud (SaaS and IaaS) has increased, and more and more employees work remotely, managing security for sensitive data and applications is becoming a nightmare. The illustration below, from an earlier post, depicts this proliferation of data.
Network Security – the tools, the processes, the culture!
The face of IT and network security needs to be seen through a broader lens: not just as an array of tools and technologies to manage sensitive data and other resources, but as a culture! Perhaps two contrasting examples can help explain this point. A new hire in a large multi-national is likely to go through a number of steps before he can actually start working: ordering a laptop; configuring it with the latest patches; provisioning the new user and the device in the systems so that he has access to email; enabling access to the necessary on-prem applications; setting up access to LAN resources; setting up proxy settings for Internet access; and so on. This is just the tip of the iceberg. There’s tons happening behind the scenes. There’s a clearly defined SOP and a checklist for everything (if you’re lucky!). If, and when, everything works out, the employee determines that he needs access to the CRM application, for example. And you know what…there’s a process for that too, one that requires approvals from people across the globe; people you need to chase because they don’t check their email regularly. We’ve all been there!
Now consider a start-up that encourages new hires to bring their own devices (BYOD), running all their business applications in the cloud. With just a few clicks, the new hire can be set up with access to a bunch of business applications – no LAN configuration, no VPN, no proxy settings for Internet access etc. Just your own laptop, your WiFi, and your corporate identity!
Practically speaking, most enterprises lie somewhere in between. But the point is that years of layered security tools, and the processes built around them, become an inherent part of the culture, a culture that is hard to shake off or adapt.
The CIA Triad
While the processes and culture may determine how secure and user-friendly an organization’s information or network security posture is, the basic needs for information security remain unchanged. No organization wants its data or its customers’ data to be exposed to malicious actors or be exposed to accidental manipulation. The CIA (Confidentiality, Integrity, Availability) triad is a very widely used model to define the basic principles of information or network security. So, for those not familiar, let’s take a quick look at the three concepts:
Confidentiality: Confidentiality refers to ensuring that enterprise data is only accessible to authorized users. It is generally enforced through access control (authentication, ideally with multi-factor authentication (MFA), plus authorization) and encryption. Authentication and authorization ensure that only the right users and systems can reach the data, while encryption ensures that even if the data is stolen, it is unreadable to anyone who does not hold the key.
Integrity: Integrity refers to ensuring that data can be trusted to be free of any unauthorized manipulation. Digital signatures and message authentication codes (MACs) are common ways of enabling such trust: either one lets the recipient detect that the data has been altered. Note that encryption on its own does not provide integrity; an attacker who cannot read encrypted data may still be able to modify it undetected.
Availability: Availability refers to ensuring that authorized users have access to data whenever they need it, without interruption.
These principles hold regardless of the underlying architecture or the complexity of the enterprise network, whether it’s all in the cloud or all on-prem. So hold on to them if you’re learning about them for the first time.
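To make the gap between confidentiality and integrity concrete, here is a small added example (mine, not part of the original post). It uses a deliberately simplified stream cipher built from SHA-256 in counter mode, constructed purely for illustration, to show that an attacker who cannot read a ciphertext can still change what it decrypts to, and that a MAC over the ciphertext catches the change. The keys, nonce and the "PAY 0100 USD" message are constructed sample data; real systems should use a vetted authenticated-encryption mode such as AES-GCM or ChaCha20-Poly1305.

```python
"""Added example: encryption alone gives confidentiality, not integrity.

The stream cipher below (SHA-256 in counter mode) is a constructed toy used only
to illustrate the point; it is not a production design.
"""
import hashlib
import hmac


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Expand key+nonce into `length` pseudo-random bytes (toy construction)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = key + nonce + counter.to_bytes(8, "big")
        out += hashlib.sha256(block).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """XOR the plaintext with the keystream. Decryption is the same operation."""
    ks = keystream(key, nonce, len(plaintext))
    return bytes(p ^ k for p, k in zip(plaintext, ks))


decrypt = encrypt


def tamper(ciphertext: bytes, offset: int, known_byte: int, wanted_byte: int) -> bytes:
    """Attacker's move: with no key at all, flip bits in the ciphertext so that the
    plaintext byte at `offset` (known to be `known_byte`) decrypts to `wanted_byte`.
    Works because (c ^ known ^ wanted) ^ keystream == known ^ known ^ wanted == wanted."""
    forged = bytearray(ciphertext)
    forged[offset] ^= known_byte ^ wanted_byte
    return bytes(forged)


def mac(mac_key: bytes, nonce: bytes, ciphertext: bytes) -> bytes:
    """Integrity tag over nonce and ciphertext (encrypt-then-MAC)."""
    return hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()


def verify(mac_key: bytes, nonce: bytes, ciphertext: bytes, tag: bytes) -> bool:
    """Constant-time comparison so timing does not leak how many tag bytes matched."""
    return hmac.compare_digest(mac(mac_key, nonce, ciphertext), tag)


def demo() -> dict:
    # Constructed fixed keys and nonce so the run is reproducible; never reuse a
    # nonce under the same key with a real stream cipher.
    enc_key = bytes([0x01]) * 32
    mac_key = bytes([0x02]) * 32
    nonce = bytes(12)
    message = b"PAY 0100 USD TO ACCOUNT 42"  # constructed sample message

    ciphertext = encrypt(enc_key, nonce, message)
    tag = mac(mac_key, nonce, ciphertext)

    # The attacker knows the message format (byte 4 is the leading digit of the
    # amount) and turns 0100 into 9100 without ever seeing the key.
    forged = tamper(ciphertext, 4, ord("0"), ord("9"))

    return {
        "ciphertext_differs_from_plaintext": ciphertext != message,
        "roundtrip_ok": decrypt(enc_key, nonce, ciphertext) == message,
        "forged_plaintext": decrypt(enc_key, nonce, forged),
        "mac_accepts_original": verify(mac_key, nonce, ciphertext, tag),
        "mac_rejects_forgery": not verify(mac_key, nonce, forged, tag),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

The forged ciphertext decrypts cleanly to a different amount, which is exactly why the integrity leg of the triad needs its own mechanism (a MAC or a signature) rather than being assumed from encryption.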
Networking and Network Security: Foundational Concepts
It’s important to understand a few basic network security components. Like the previous part, this is just a representative list (not even close to exhaustive) of components to build a basic understanding for readers.
Private Network: A private network is a network of connected resources (computers, routers, servers, switches etc.) that is not accessible to anyone outside that network. The term Intranet is often used for a company’s private network, although the two terms are not strictly interchangeable.
Local Area Network (LAN): The best example of a LAN is the network that you connect to when you go to office. Once you’re connected to the LAN, you get access to other services in the office like printers, fax machines, or file servers that you wouldn’t have from your home, for example. A LAN is often limited to a single building or office.
Wide Area Network (WAN): As opposed to LAN, a WAN spans a very large geographical area. The Internet itself is an example of a WAN. The commonly known technologies that enable WANs are DSL, cable, fiber-optic or even 3G/4G/5G.
Virtual Private Network (VPN): A VPN, as the name suggests, extends the private network so that your company’s Intranet resources can be reached over the public Internet, typically through an encrypted tunnel. VPNs have been the de facto method for enabling remote workers to securely access a company’s on-premises applications. Authentication and encryption are core components of almost all VPN solutions.
Gateway: Simply put, as the name suggests, a gateway sits “at the gate” of a network such that all data that goes in and out of the network passes through it. There are many different types of gateways, so let’s keep this generic definition in mind.
Network Firewall: A network firewall has been the core of enterprise security, or what we call perimeter security. Its core purpose is to inspect each packet (unit) of data going in and out of the network and decide, against a set of rules (typically on source and destination addresses, ports and protocols), whether to allow or drop it. By doing so, the firewall forms the perimeter around the enterprise network. Historically, network firewalls have been hardware appliances.
Secure Web Gateway (SWG): An SWG ensures that web traffic consumed by users on the enterprise network is free of malicious content (malware) that could infect the user’s device, and enforces policy on which sites may be visited. If it sounds similar to a firewall, it’s probably because it is! The difference is one of layer and focus: a traditional firewall makes its decisions mostly on network-level attributes (addresses, ports, protocols), whereas an SWG proxies web traffic and inspects its content for advanced threats (a network architect would kill me for this, but consider this analogy: you need anti-virus or anti-malware to detect and block viruses that could infect your computer, but you still need your network router to monitor all the bits and bytes and block all unwanted traffic).
Router, Switch, Network Appliance: These are technically distinct devices, so the terms are not to be used interchangeably, but let’s bundle them for the sake of simplicity. Most network security solutions have historically been deployed on network equipment like routers, switches, special-purpose hardware (appliances) or even servers. So these hardware components have formed the core of most networking and network security technologies.
Authentication: Authentication is the mechanism for validating the identity of a user (or a device or service). It has been, and continues to be, the cornerstone for allowing only legitimate users to access business applications or network resources. The simplest mechanism is the username and password, but most enterprises require a second or third factor (hence MFA, multi-factor authentication): something the user has (a phone app or hardware token) or is (a fingerprint), in addition to something the user knows, to enforce a higher level of assurance. Here’s a nice list of different types of authenticators, if you’re interested.
Encryption: Encryption lies at the heart of any network security infrastructure, and ensures that confidentiality (out of the CIA triad) is maintained for sensitive data, whether it's stored in a database (at rest) or travelling over the network (in transit). Any network security solution, firewall or SWG included, has to deal with encrypted traffic, either by terminating it for inspection or by making its decisions without seeing the payload.
Cloud-centric Security
Admittedly, the title of this post is slightly misleading, almost indicating that cloud security is either a superset of network security, or perhaps the next phase of network security. Neither is true. In fact, the title depicts the need for a shift in mindset more than anything else. Historically, most of an enterprise’s sensitive data would only traverse the local network: employees inside the office accessing data in the company’s data center. Cloud computing has turned this concept on its head. Sensitive data still resides on the local network, but a growing share of it is moving to the cloud. Most networking and network security components that enterprises have grown accustomed to focus on the sensitive data on the private network. Today, the whole Internet is potentially an enterprise’s private network.
To make matters worse, as enterprises have started building more digital channels of engagement, they’ve started acquiring a lot of sensitive data about end consumers too. Regulations like GDPR require that enterprises take consumer and third-party data just as seriously as their own sensitive data. This is totally changing the notion of the “network” that needs to be secured. Most of the network components mentioned in the previous section were built on hardware infrastructure like routers, switches and servers that a CISO could protect with physical and logical security measures. But what are they supposed to do in a cloud-dominant world when they themselves have no clue where their company’s or their consumers’ data physically resides!
The beauty of IaaS and SaaS is that all that underlying hardware is now hidden. Everything is delivered as a service. Today, the notion of an enterprise or information network spans a significant number of services rather than pieces of hardware equipment. The IT and CISO organization now needs to understand how to secure the company’s modern assets (SaaS applications, IaaS assets and data), which are beyond their physical grasp. This requires a totally new set of skills, tools and culture.
Data Security and Shared Responsibility
Here’s the catch: if your (and your consumers’) data is in the cloud, whether SaaS or IaaS, who is responsible for its security? Referring back to privacy regulation like GDPR, who is liable in the case of a breach? It has taken the industry quite a bit of time to figure out the specifics, and there is still a long way to go. But let me conclude this part with what’s called the Shared Responsibility Model, a very commonly accepted framework in cloud security today. The short of it is that there is security "of" the cloud (the physical facilities, the hardware and the provider’s own software stack), which lies with the cloud provider; and there is security "in" the cloud (the enterprise’s identities and access, its configuration of the services it uses, and its data), which lies with the enterprise. Where exactly the line falls depends on the service model: with IaaS the enterprise still owns the operating systems and applications it runs; with SaaS the provider owns those too, but the enterprise never stops owning who gets access to which data. The enterprise needs to add a whole new breed of capabilities, skills and culture that can address this modern form of network.
As network security evolves from being hardware- and perimeter-centric to service-centric, and data gets further dispersed, CISOs need to understand their enterprise’s new responsibilities around information security. Company and consumer data has already left the enterprise’s physical IT infrastructure, and the responsibilities have only grown. The conventional network security tools, processes and mindset do not scale to the cloud-centric future. When is this idiocy going to stop? ;)
Jump to Cloud Security: Part 1: The Cloud!
DISCLAIMER: All the cool views presented in this post are my own, and do not necessarily reflect the views of my past or present employers.