The industry is unmistakably moving towards cloud hosting and data center virtualization. The advantages of migration are very tangible and the top executives see the value in it, reflected well in the exponentially increasing pace. What is less obvious is that this migration has a very strong impact on the network topology and on the security boundary.
As we migrate our apps and servers inside a concentrated core (virtualized or cloud hosted), we are creating a watertight IT boundary and a radical topology change that closely resembles “inverted networks.” By definition inverted networks are “an inverted network design employs the philosophy that that security should be focused at the core of the network rather than on the perimeter” (source: Webopedia).
Jargon is meaningless, unless it has a real implication on how CIOs should think, and in this case, yes it does. It has a very powerful effect on how data is going to be accessed and more importantly how it is going to be secured.
I see it as a unique opportunity that may finally allow us to take advantage of this flux to truly secure the data and communication. Enforcing uniform policy-based access-control both inside the office and outside the network perimeter for remote workers is also a lot easier (without a major security overhaul of infrastructure).
The implications of cloud/virtualization are often mislabelled as mere operational changes. As we move the data center to the cloud or a virtualized environment, we are creating a highly concentrated core that contains very tightly packed services and virtual machines. All “less secure” user agents now are on the outside of this perimeter using their desktops, laptops, smartphones tablets, etc. This is very unlike traditional LAN-based networks, wherein potentially infected user devices brought in from outside connect directly inside the secure LAN without ever needing to cross the security perimeter.
This is a very stark change for IT. For the first time we are separating the trusted and fully controlled network artefacts from the ones that may not be fully trusted. The BYOD (Bring Your Own Device) paradigm makes it practically impossible now to fully trust the safety of user devices. Most of the security companies had been operating under a premise that all devices/services on the LAN are trusted and secure. This assumption is far weaker today than it was a decade ago. There is a large set of user machines that are not controlled by a domain admin policy, either because they are not enterprise ready or, quite simply, are personal devices.
Let’s zoom out to the big picture, now that we have all the pieces in place. The resultant topology looks exactly like an inverted network topology – a concentrated core of IT controlled services surrounded by a tight boundary (of private cloud or virtualized data center) separating a periphery of semi-trusted user units (remote or on-premise). Let’s call these semi-trusted users and devices “grey units.”
This is a unique opportunity to truly secure your data and services by ensuring that all “grey units” always connect to the secure core over a secure and controlled channel. It would be unwise not to take advantage of such a situation and still allow transparent connectivity to this data center.
It is easy to see that since there is already the concentrated core the most natural policed channel is a VPN. Not just any VPN; it must be in tune with your cloud set-up. Ideally it should be compatible with cloud data centers. The novelty in such a deployment is that you no longer have to implicitly trust on-premise / wireless user devices (grey units). All users are now required to connect to the data center over a secure VPN channel. This gets you some major security benefits (if you choose a good VPN solution) including the following:
- Role-based access control: You can control exactly which user/team can access which resource/service. This is far more powerful than denying authentication/authorization at the application level since it prevents interaction at the network level itself. A malicious agent must now first break the VPN security to even get to a sensitive application portal. This is the same reason exposing any service on the Internet is a bad idea, even if it needs credentials for access (it’s why you invest in firewalls for perimeter security). The key differentiator for VPN security is that a firewall can only separate networks across a boundary but is corporate-role agnostic. A VPN’s access control on the other hand allows it to make a decision based on a user’s identity and corporate role.
- Unified access policy: Now that your core is separated from all grey units, all users – whether they are inside the office (LAN or Wi-Fi) or connecting from a remote location – will go through the same ingress/egress channel and will comply with a unified security policy. A unified policy is easier to maintain and is likely to have fewer holes.
- Secure communication: You will have assurance of fully secured and confidential communication between grey units and your network core.
Operational opportunity: solve the right problem
There are other profound operational benefits of using VPN around your network core. A VPN allows your existing systems, even the legacy ones, to function seamlessly without needing a security overhaul of the entire infrastructure (this is an error prone and expensive investment).
An article at Securityweek highlighted the inadequate security of some ubiquitous protocols like FTP. There are people who advocate the retirement of such protocols. I think that is an attempt at solving the wrong problem. The problem is of security. There is a sharper way to address it rather than discontinuing use of powerful and widely supported protocols. Once you secure all access to your apps and services over secure VPN channels, you ensure that all your existing policies and servers remain untouched while all the traffic is secured inside an industry-strength encrypted tunnel. This is a trivial problem to solve in inverted networks; VPNs were built just for this purpose.
The other most visible benefit is that inside the core, all servers/services can leverage the performance of fast, inexpensive connections while the external users / periphery uses an encrypted VPN channel to use the same protocols but with full security.
- All communication is trivially encrypted without building and maintaining security into each app. This is a significant operational efficiency gain.
- Your apps and services continue to operate inside the core without needing expensive upgrade/replacement and not having to compensate for unnecessary security overhead. Wonder why many popular Web-based services do not offer HTTPS as a default? It is expensive and inefficient.
In fact, it is more secure to use a VPN than to build security into each service/protocol individually. VPNs do not even allow a malicious party to see what kind of service the user is using (because the service IP and port are also encrypted); all he sees is a secure channel to a VPN server that aggregates all network access (FTP, HTTP, HTTPS, VoIP, etc.). Unlike simply encrypting the connection (like HTTPS, SSH, SFTP), a malicious party would still be able to get the hostname/IP, TCP/UDP ports trivially. A well-researched hacker may be able to identify the vendor/distribution of the service itself (using various kinds of signatures).
This is very valuable information and can greatly assist in a successful exploit. With a good VPN, all of this information is safely hidden inside the secure encrypted tunnel.
What does your solution need?
- Scalability/resizability: The need for scalability cannot be emphasized enough. Your data is growing at a phenomenal rate, your communication will grow proportionally too and so will your need to connect to it from anywhere. New technologies have a large appetite for bandwidth and storage and it’s not going to abate any time soon.
- Reliability: Unfortunately this is not easy to assess before buying; hence, there is no substitute for a pilot/trial program, especially if your investment is going to be small.
- Flexibility: Your solution must be adaptable. I have written about it before, getting locked into a vendor for any reason opens you up for your infrastructure being held for ransom. I have heard of many companies that refuse to operate with any solution if there is only a single vendor for it and it will not allow a switchover.
- Device support: This is probably the easiest to understand. We are experiencing unprecedented platform/device fragmentation, and the BYOD (Bring Your Own Device) paradigm ensures you will have zero homogeneity. Your solution must work on all major platforms, preferably not needing intrusive changes like jailbreaking your devices.
From a CIO perspective, it is hence a wiser investment to leverage this opportunity and secure the data center in this new security landscape where we all need to be securely connected to our business networks from anywhere at any time.
Jitender Sharan is the founder and CEO at CipherGraph Networks. He has several years of VPN/network security experience and specializes in enterprise-class security. He founded CipherGraph Networks in 2011 with the vision of taking VPN to the cloud and offering a scalable and secure VPN service targeted at business networks/data centers in the cloud as well as on-premise. CipherGraph Cloud VPN is a hardware-free VPN service (SaaS model) that offers remote access with enterprise-class security, high performance and role-based access control. Contact: firstname.lastname@example.org.