Bill Wohnoutka

By Bill Wohnoutka

With the migration of applications from the corporate data center into the cloud well underway, traditional IP/VPN and dual data center perimeter-based security measures are becoming less effective. Increasing use of unsecured broadband and mobile devices by remote workers is accelerating the need for a new, more flexible security perimeter that can protect users regardless of how they access enterprise applications and assets.

SD-WAN solutions promise all the benefits of network orchestration by delivering ease of design, deployment and management for connecting remote locations to an IP/VPN — but the presence of premises-based x86 equipment perpetuates the need to manage a complex device potentially running four or five different virtualized functions and multiple “best of breed” vendors. Furthermore, these solutions do little or nothing to protect enterprise users of devices on mobile or broadband networks.

Network and security IT staffs run lean. We typically see one to two dedicated security employees in our midsize-to-large enterprise customer base. The budget to hire, train, retain and retrain a larger staff simply does not exist. Budget for hardware-based prevention and detection tools consume the largest share of the IT security budget. As IT budgets continue the transition from CapEx to OpEx – with capital preserved for more strategic investments – the pressure is on senior IT executives to find similar “pay as you go” and “expand as you go” solutions for security. Delivering against the governance, risk and compliance objectives remains the number one task for senior IT executives today, and that accountability brings these issues in front of the board of directors regularly.

A Push Into the Cloud for Security

While much has been said about the fear of compromised security in the cloud ecosystem, incorporating cloud-based security services into a multi-layered approach undoubtedly provides opportunities to protect users, devices and applications that simply could not be protected with a perimeter-based hardware security strategy.

1. A virtual security perimeter.

“By 2020, 85 percent of large enterprises will use a cloud access security broker (CASB) solution for their cloud services, which is up from less than 5 percent in 2015.”

– Gartner, How to Evaluate and Operate a Cloud Access Security Broker, Neil MacDonald and Craig Lawson, Dec. 8, 2015

In many cases, the only physical thing standing in front of network-security hardware in a remote location is a locked door. Migrating enterprise security controls from hardware located on premises into a cloud security service puts multi-layered physical security in place. More importantly, using a cloud-security service will enable you to define a virtual security perimeter that enables enterprise security controls to protect users and devices regardless of how or where they access hybrid cloud applications and assets. As BYOD becomes an increasingly important concern within compliance frameworks, this feature of a cloud-security solution should not be overlooked. Cloud-security controls give enterprises the ability to extend role-based and zone-based policies governing network access, content filtering and application control. They also extend monitoring visibility for behavioral anomalies that may be an indicator of compromise, such as communication with a C2, data leakage or malware delivery.

2. Simplified security infrastructure management.

“There will be an estimated 1 million cybersecurity job openings in 2016, with the number expected to increase to 1.5 million by 2019.”

— Forrester (May 10 2016)

Cloud-security solutions shift the burden of break/fix on hardware, patching and upgrading of operating system and security software, as well as maintenance of the enterprise security policies through the various orchestration tools and rule bases to the cloud-security provider. Thus, offloading running the security hardware and systems along with the obligation to react and respond to availability and performance issues presents a very compelling value proposition to an already overtasked but small staff. In addition, the forklift upgrades and infrastructure refreshes every three to five years transfer into the domain of the cloud-security provider, offering greater flexibility and buying leverage as the deployment, configuration and education are left to the providers. Moving enterprise security controls into the cloud frees up internal resources to focus on the development of a Security Event and Incident Management (SIEM) console and reaching the end goal of helping to ensure governance, reporting and compliance (GRC) across the enterprise.

3. Security expertise on staff.

“Hiring and retaining security practitioners, particularly analysts in the SOC, is difficult and expensive. According to our surveys, 58 percent of North American and European security decision-makers say hiring cybersecurity practitioners is a major challenge for them.

— Forrester (May 10 2016)

Adding security experts to an IT team is an expensive, time-consuming process, and qualified security analysts are very difficult to retain. Cloud security service providers have an opportunity to enlist the help of world-class security experts and supply them with industry-leading tools and training. Because they are monitoring an entire threat landscape, rather than a single network, cloud security providers are in a better position to bring the knowledge of their community of users to bear on identification of zero-day exploits as they are discovered in the wild. The economy of scale is at play in cloud security services; having a service provider that maintains the staff, multiple third-party threat/reputation feeds and a platform that can identify and correlate indicators of compromise is key.

How Should Channel Partners Prepare Themselves?

Channel partners should assess their own capabilities and readiness to participate in the coming market shift. Premises-based hardware security has long been the domain of very specialized channel partners, but these new cloud-security services will favor providers who can bring a well-integrated combination of IP/VPN, SD-WAN and cloud security services side by side.

Bill Wohnoutka is vice president of sales, security solutions, for Level 3 Communications.