Lessons Learned From Cloud computing Could Help You as You Design Your Next-generation Network Security Architecture...
Many years ago a Seattle-based book seller set about figuring out how to operate their services more efficiently and at scale, inadvertently piloting one of the largest paradigm shifts in the IT world. Yes, I’m talking about cloud computing. Cloud computing, birthed by Amazon, and quickly embraced by Google and Microsoft, is now surging out into the mainstream and will eventually become the new IT model for many enterprises.
Much has been written on the Amazon Web Services (AWS) business model and its architecture, and enterprises like Netflix who have migrated to AWS love it.
By all indications, the business appears to be thriving, although there continues to be a shroud of secrecy surrounding the business. The exact details of AWS revenue is not disclosed, but is included in the “other” portion of Amazon’s revenue. In the third quarter of 2012, this “other” part of Amazon’s business accounted for revenues of $648 million out of overall revenue of $13.8 billion, and 60 percent more than the quarter a year ago. If we assume only half of this revenue is associated to AWS, this means that AWS revenue could possibly account for more than a $1.3B annual run rate operation. Pretty sweet for an accidental service offering.
But what can we learn from Amazon’s successes here and its scalable, developer-friendly, flexible AWS model, and can any of these learnings extend to security—whether it is security operations, security architectures or security technologies?
Cloud Computing Might
The power of the cloud and how various businesses are leveraging it within AWS cannot be underestimated for security. The ability to utilize pools of computing resources can now be used to optimize and accelerate security analysis. For example, a honey pot infrastructure running in various cloud infrastructures can provide network data about attacks and suspicious hosts across geographical regions. By leveraging virtualization and cloud technologies, multiple honey pots can be deployed on the same physical host.
Security vendors are already utilizing the power of the cloud for key security analysis. For example, security vendors are harnessing the computational power of the cloud to analyze unknown files for malicious behaviors as part of a comprehensive strategy to tackle modern malware and targeted threats. The power of the cloud enables hundreds of thousands of files to be analyzed in minutes, with a platform for malware that lets it do exactly what an attacker intended it to do. This means the malware can be observed in a protected “sandbox” without impacting an enterprise’s network. With the results of the analysis, a malware signature can be created, enabling protection at an unrivalled speed.
In the Amazon world, developers win. Because the AWS infrastructure was developed first by Amazon developers before being offered to other businesses as a service, the development platform is flexible, with technical features that provide developers various options to innovate and design their application of choice. Developers will continue to be the driving force in both the public cloud and within private cloud environments for security.
We can learn from this AWS model of embracing developers. Network security IT admins have a choice to work with developers and their goals of application delivery at scale or work against them, and be a burden to developers by trying to track and control their actions. Application developers want to be in control of their applications, they want to move virtual machine “servers” running these applications as they please, and they want to create new virtual machine workloads as needed.
Security, by its very nature, tends to be slow and ponderous with policy changes, approval processes for support of new applications and/or adopting new architectures. Security’s role is now to be more nimble, and embrace the dynamic nature of application developers and ensure compliance continues to be enforced in this environment. This means binding appropriate security policies to applications as they are created and moved. More importantly, it means automating this process to ensure that developers are able to execute change with greater speed, quality, consistency, and yet with a programmatic focus on security. If your security solution doesn’t exhibit these characteristics, it’s time to evaluate alternatives before your developers get frustrated and find some loopholes to bypass security.
Simplicity, not Complexity
With AWS came the concept of self-service of applications, but built on an application infrastructure platform with rich APIs. Developers can leverage this platform for their application delivery needs, without having to worry about the back-end infrastructure design or the protocol being used. For example, do you believe AWS customers care that their infrastructure is built on Xen, not VMware or Hyper-V? It’s all about simplicity, not complexity.
Similarly, in the security world, simplicity is key. If you’re looking through multiple network security management tabs to understand or define your security policies, then you are likely to make more errors. If you have to set security policies by ports and protocol, and continually update them as new applications are developed, then this operational burden will continue to be your Achilles heel, leaving you little time to focus on defining a network security strategy or performing proactive security analysis.
Don’t equate simplicity with ineffectiveness. Your security solution still needs to address requirements from the new threat and application landscape. But, if your security solution takes you days to configure, or you get a wave of despair every time you have to make changes to the security policies, then it’s not an effective solution.
There are various characteristics of the AWS model that we can extend to security -- the ability to leverage economies of scale for security analysis, or to work more closely with application developers to embrace their speed of innovation. The bottom line is that cloud computing is a disruptive and transformational technology that will be adopted by enterprises in one form or another. Lessons learned from a cloud computing leader may help as you design, or consider, your next-generation network security architecture.