Secure Cloud Transformation: The Business Mandate for a Cloud-native Security Architecture

"The nice thing about having a cloud-based system," observes Microsoft EVP Scott Guthrie, "is it drives customers toward automation that helps them scale better." Scott (quoted, by the way, in Richard Stiennon's new book Secure Cloud Transformation: The CIO’s Journey) makes an important point: Employing cloud-based technologies sets an enterprise up for growth.

That drive to automation can mean everything for a progressive IT team: Shift to the cloud, and help your organization prosper. Consider the unspoken converse to Scott’s insight: Stick with outdated network models, and hold your organization back.

The Crippling Burdens of Castle-and-Moat: Latency, Expense, and Risk

Attachment to legacy network topologies and archaic castle-and-moat security will hamstring an enterprise’s potential for growth.

For one thing, clinging to the old ways won’t help performance. Hub-and-spoke networks were never designed for internet access: Appliance-based firewalls, by their very intent, funnel corporate data traffic to the internet. Maintaining hardware appliance-based firewalls will only exacerbate that bottlenecking because the approach can’t easily scale to accommodate future growth in internet traffic. (Tack on VPN lag for remote workers, and user experience suffers all the more.)

Worse, sticking with a hardware approach will become an even more expensive choice as traffic grows and threats become more complex and more frequent. IT will have to “throw boxes at the problem”: Need a new DLP model? Buy another appliance. New threats? Buy another appliance.

And trying to block intruders from an entire hub-and-spoke network with a castle-and-moat approach is no longer practical, nor is it even particularly secure, since (among other serious risks) it makes every asset on the network vulnerable to an individual breach.

Beware of Fake-cloud Virtualized Hardware

These fundamental limitations to enterprise growth threaten the business model of many hardware vendors, whose success depends upon prolonging the lifespan of an untenable network architecture. Many of those appliance makers have responded to the threat the cloud presents to them by virtualizing their hardware, placing a virtual version of physical hardware in a cloud data center somewhere. Yes, their technology is in the cloud. No, their customers no longer have to maintain hardware. But this “cloud” technology isn’t any better than the appliance-in-the-data-center solution from before. And, as Scott Guthrie of Microsoft might note, the enterprise is not set up to scale for growth. Instead, this "fake-cloud" architecture only replicates a flawed (and convoluted) network model. The firewall remains a latency-inducing bottleneck; now it's just farther away in the cloud somewhere (instead of on a rack down the hall). Backhauling over the internet is still backhauling, no matter how the (virtualized) hardware appliance vendor spins it. User experience is still terrible, and the model doesn't scale any better than a hardware solution.

A fake-cloud virtualized-hardware solution offers little-to-no performance advantage over its pure hardware-appliance-based counterpart: Traffic must travel a long distance (typically having to hop over multiple cloud network backbones) to get “secured,” and only then can it travel on to its intended destination. Imagine if other transit services required similar detouring. (“Welcome to your flight from Miami to Dallas...with a brief stopover in Anchorage.”)

The limitations of fake-cloud solutions don’t end with their systemic “so-many-connecting-flights” network routing. Security doesn’t improve with the move to a destination cloud. As my colleague Patrick Foxhoven noted recently in Forbes, “Moving to a cloud virtual machine (VM) of the same security hardware technology you used before doesn’t provide new scalability to perform full SSL inspection, nor redundancy, improved service availability, or greater bandwidth.”

Cloud-native Architecture: Distributed, Fast, and Scalable

Modern enterprise IT leadership recognizes the importance of user experience -- including ensuring fast access to resources, even for employees located in the most distant branch offices or working remotely. That same IT leadership understands the performance local internet breakouts provide, and also appreciates the security impact: Shifting from a LAN/WAN approach to direct-to-cloud not only accelerates user connectivity, it isolates risk to individual, ephemeral connections, meaning (unlike with a protect-the-whole-network approach) intruders can never have the run of the castle.

Zscaler has spent the last eleven years investing in cloud infrastructure to develop a fully-distributed service: With Zscaler, direct-to-cloud access is fast because security services are close, right there at the cloud’s edge. Distribution translates to performance: With more than 100 global points of presence (located conveniently next to the nearby internet exchange), Zscaler can deliver security services closer to users -- no matter where in the world they’re situated -- faster than any other security vendor.

Secure Cloud Transformation...In Their Own Words

In Secure Cloud Transformation: The CIO’s Journey, industry analyst Richard Stiennon shares the stories of sixteen visionary CIOs, documenting their (and their respective enterprises’) journeys to the cloud. The case studies provide a constructive narrative of how they addressed technical, logistical, and even cultural challenges to transform their organizations. Each IT leader’s story provides insight in its own way, but all espouse the benefits of a cloud-native architecture. Here are a few of my favorite quotes:

  • "Do not invest in a traditional network...That's old school,” recommends Erik Klein, infrastructure architect with European dairy conglomerate FrieslandCampina. “Make sure that you create a network where, based on the applications, the quickest, most efficient route will be taken. In the end, users are not interested in technology, they are only concerned that the applications they are working with on a day-to-day basis perform well and perform constantly."
  • "We have more local breakouts than we used to have,” says Hervé Coureil, the chief digital officer who oversaw secure cloud transformation for more than 100,000 employees and contractors around the globe for French energy management firm Schneider Electric. “Before the cloud, internet access was a second-class citizen. After the cloud, it becomes a critical element of our network usage. We used to have firewalls and numerous other hardware appliances, but now we have a cloud-first strategy that Zscaler has allowed us to do."
  • "I remember thinking, 'All these security appliances, this is ridiculous,'” says Alex Philips, CIO of National Oilwell Varco, an American multinational manufacturer of oil and gas equipment. “All of those mobile employees did not work behind those security appliances. They were going directly to the internet. With the Zscaler cloud service, we could protect them no matter where they were."

Success Tomorrow Hinges on Change Today

Reliance on outdated technology -- including virtualized versions of that old technology -- propagates bad practices and heightens vulnerabilities. For the modern enterprise, secure cloud transformation is a business mandate. That requires employing a cloud-native solution and eschewing “fake-cloud” propaganda. (A Zscaler customer recently contrasted our services with the pitch of a fake-cloud virtualized hardware solution: You can’t put 1000 VCRs in a data center and call it Netflix.)

Moving to the cloud can set an enterprise up for tremendous success. Conversely, legacy networks can limit an organization’s ability to grow. Too often, the real obstacles to progress are the change-averse cloud-doubters who fear letting go of the old ways, and who shore up archaic hub-and-spoke networks with metaphorical band-aids and duct tape. The cloud isn’t on the horizon. It’s here. And success tomorrow requires embracing change today. As Microsoft’s Scott Guthrie notes in Stiennon’s Secure Cloud Transformation, “The future is going to happen, whether they are convinced or not.”

Rahul R

Helping Startup and Entrepreneurs Launch Their Dreams

5 years ago

Great Read, share to ensure true and honest security paradigm by a great Honest org. Special thanks to one and only @Jay

Joseph Iacovelli, CISSP

Cybersecurity Fellow | Thought Leader | Strategist | Speaker

5 years ago

I have a copy of this book - great read!

Accelerated and secure SAAS, PAAS, IAAS and SD-WAN have been a blessing for our future oriented architectures. For many "old schoolers" still a tough paradigm shift though. Time to become a believer.

Raj Bhatti

Kyndryl Consult Partner

5 years ago

I read "Secure Cloud Transformation: The CIO’s Journey". Highly recommend.
