Feature - Every cloud has a silver perimeter
By Michael Hamelin, Chief Security Architect with Tufin Technologies
Ever since John McCarthy suggested, back in the 1960s, that `computation may someday be organised as a public utility’, and so arguably founded the science (if that is the right word) of cloud computing, security has been a watchword when it comes to the cloud.
And by association, firewalls are inextricably linked to the process of securing the cloud-computing environment.
But the arrival of advanced cloud services such as Facebook and Salesforce brings with it increased pressure on the structure and capabilities of the firewall itself. Moving data securely into and out of the cloud takes a lot more processing power, in real time, than checking data as it crosses a traditional Internet perimeter, largely owing to the high data throughput that such transfers involve.
Just to make life interesting, we are moving into an era of software- and firmware-driven firewalls, meaning that the useful life of a given firewall platform is now greatly extended.
Add the need to meet an increasingly tight set of compliance rules, created against a backdrop of more complex regulatory mandates, and you have a recipe for greater stress on the IT security systems involved.
The good news is that automation of firewall policies (that is, rule sets) has become a lot more commonplace, meaning that organisations not only realise the efficiency savings that result from well-applied automation, but also gain greater visibility and control over a more flexible perimeter.
But it is not all wine and roses. The days of straightforward firewalls that performed network address translation, terminated VPN sessions and made allow/block decisions on access requests have given way to dynamic, high-throughput IP traffic streams that include a flotilla of port 80 (and beyond) traffic capable of hiding many different types of threat.
Despite this sea change in firewall requirements, it is still quite common to see IT security teams managing their configuration rules using simple text files.
But this approach is error-prone in today’s climate of cloud-based applications, data centre virtualisation and compliance requirements, for the simple reason that cloud-based services require application awareness in firewall rules, something a flat list of address and port entries cannot express.
For example, many organisations make use of cloud-based services such as Facebook, Google, LinkedIn or Salesforce.com for important elements of their business.
These services are not just simple Web sites - they deliver a mix of hundreds of personal-use and business applications in an extensible code environment.
The problem is that most organisations cannot block, or even restrict, IP traffic for the entire site; instead they need to apply a more granular security policy to individual applications and users.
As a result, security teams are now bringing in next-generation firewalls to meet the demand for application-level network security. The manual management of much more granular policies that include application and user intelligence is, I have found, simply not scalable.
The situation is compounded by the fact that the application agility supported by virtualisation technologies accelerates the rate of change in firewall rules: applications that used to take weeks to provision in a physical environment can now be up and running on a virtual server in a matter of minutes.
In addition, firewalls themselves are being virtualised, leaving security teams to manage multiple rule sets across firewall virtual machines.
The resulting complexity in network security, driven by applications launching at the `speed of business’, only underscores the need for automated checking and auditing of changes to firewall rules.
Compliance also enters the frame, with one long-term effect being that firewall management is maturing into a standard discipline of network security operations.
A large part of compliance, I have observed, is about managing the existing infrastructure, with change controls, documented audit trails, and segregation of unauthorised users from regulated applications.
Meeting compliance expectations - without increasing administrative burdens - is a major requirement for utilising cloud-based services and virtualised applications.
And it is against this backdrop that security professionals have learned to adjust to the fact that new, and improved, technologies introduced into their IT environment bring with them a number of new, and improved, challenges.
In IT security, those challenges are almost always a function of risk and complexity, and that is why automation matters so much.
The good news, thankfully, is that our industry is keeping pace: from a management perspective, the automation exists to handle the increased complexity introduced by game-changing technologies such as virtualisation.
With this in mind, here are a few ways that you and your team can use automation to maintain visibility and control over your organisation’s network security operations in virtual environments:
* Automate the checking of proposed firewall rule changes before they are applied, to ensure the network does not slip out of compliance. This is especially valid in virtual environments, where applications and desktops can appear on servers in minutes and the rules they need must be checked and in place before they are launched.
* Automate job ticket workflows to ensure that security, server and network teams remain in sync as firewall rules change. All teams within the IT organisation can audit and work from the same workflow, eliminating redundant systems and duplicated auditing effort.
* Automate the co-ordination of firewall rules with switch and router configuration to ensure performance and security coverage. Firewalls are an essential element of the network fabric and must be integrated with network operations. This approach removes many of the errors and inefficiencies associated with managing related tasks across the network.
* Automating network compliance auditing not only saves time and money, it is smart business. As organisations move data and processing to the cloud, they remain accountable to compliance mandates for controlled access, application segregation and critical data protection. Automation gives firms more flexibility when it comes to adopting virtualisation and cloud solutions.
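To make the first of those points concrete, here is an added example of a pre-change compliance check. It is illustration code written for this article, not Tufin’s or any vendor’s product code, and it uses a deliberately simplified rule model. A set of proposed rules is evaluated as it would sit in the existing, ordered policy, and each rule is flagged if it breaks an assumed policy (no any/any/any allow, no access into a constructed `regulated’ zone from outside the corporate range, no cleartext or unrestricted service into that zone) or if an earlier rule already covers it so that it never matches. The zone ranges, service names, rule names and ticket numbers are all constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_network


# Simplified rule model (constructed for this example; not a vendor format).
@dataclass(frozen=True)
class Rule:
    name: str
    src: str      # CIDR or "any"
    dst: str      # CIDR or "any"
    service: str  # e.g. "tcp/443", "udp/53" or "any"
    action: str   # "allow" or "deny"


ANY = ip_network("0.0.0.0/0")

# Assumed zone map: "regulated" holds data under a compliance mandate.
ZONES = {
    "corp": ip_network("10.0.0.0/8"),
    "regulated": ip_network("10.50.0.0/16"),
}

# Assumed policy: cleartext services never allowed into the regulated zone.
CLEARTEXT_SERVICES = {"tcp/21", "tcp/23", "tcp/80"}


def net(field):
    """Turn a rule field ("any" or CIDR) into an IPv4 network."""
    return ANY if field == "any" else ip_network(field, strict=False)


def covers(outer, inner):
    """True if address field `outer` matches everything `inner` matches."""
    return net(inner).subnet_of(net(outer))


def svc_covers(outer, inner):
    return outer == "any" or outer == inner


def check_rule(rule):
    """Compliance findings for a single proposed rule (empty list = clean)."""
    findings = []
    if rule.action != "allow":
        return findings  # deny rules cannot open new access
    if rule.src == "any" and rule.dst == "any" and rule.service == "any":
        findings.append(f"{rule.name}: any/any/any allow is prohibited")
    if net(rule.dst).overlaps(ZONES["regulated"]):
        if not net(rule.src).subnet_of(ZONES["corp"]):
            findings.append(f"{rule.name}: source outside corp may reach regulated zone")
        if rule.service == "any" or rule.service in CLEARTEXT_SERVICES:
            findings.append(f"{rule.name}: cleartext or unrestricted service into regulated zone")
    return findings


def shadowed_by(policy, index):
    """Name of an earlier rule that fully covers policy[index], else None.

    First-match semantics: a covered rule never fires, whether the earlier
    rule is a deny (the change is ineffective) or an allow (it is redundant).
    """
    rule = policy[index]
    for earlier in policy[:index]:
        if (covers(earlier.src, rule.src) and covers(earlier.dst, rule.dst)
                and svc_covers(earlier.service, rule.service)):
            return earlier.name
    return None


def check_change(existing, proposed):
    """Evaluate proposed rules as they would appear appended to the policy."""
    policy = list(existing) + list(proposed)
    findings = []
    for i in range(len(existing), len(policy)):
        findings.extend(check_rule(policy[i]))
        shadow = shadowed_by(policy, i)
        if shadow:
            findings.append(f"{policy[i].name}: never matches; shadowed by earlier rule {shadow}")
    return findings


# Constructed sample policy and change request.
EXISTING = [
    Rule("deny-telnet-regulated", "any", "10.50.0.0/16", "tcp/23", "deny"),
    Rule("allow-corp-https-regulated", "10.0.0.0/8", "10.50.0.0/16", "tcp/443", "allow"),
]
PROPOSED = [
    Rule("ticket-1041-partner-web", "203.0.113.0/24", "10.50.4.10/32", "tcp/80", "allow"),
    Rule("ticket-1042-jump-telnet", "10.20.3.5/32", "10.50.4.11/32", "tcp/23", "allow"),
    Rule("ticket-1043-app-https", "10.20.0.0/16", "10.50.4.0/24", "tcp/443", "allow"),
]

if __name__ == "__main__":
    for finding in check_change(EXISTING, PROPOSED):
        print(finding)
```

Run against the sample change, the check rejects ticket 1041 twice (external source and cleartext service into the regulated zone), flags 1042 as both cleartext and shadowed by the existing telnet deny, and notes that 1043 is redundant with the existing HTTPS allow. Wiring such a check into the ticket workflow, so that a change cannot be scheduled until it returns no findings, is the automation the list above describes.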
It is important to understand that firewall management software provides the essential capability to secure the business while allowing IT to evolve the firewall infrastructure, embrace virtualisation and cloud services, satisfy compliance mandates, and automate tasks to reduce operating costs.
The resulting visibility across the organisation’s network of firewalls allows security teams to be confident that the business infrastructure is protected, even as network complexity increases.
Some experts may argue that the more `disruptive’ and hyped a given enterprise technology is, the bigger the security headache that will result.
It is also important to understand that the pace of security automation is, by and large, keeping up with the rate of change in enterprise environments.
Firewall management software may not be a silver bullet in the context of security and managing firewalls, but when it comes to managing the extra complexity that stems from virtualised environments, it can definitely be a silver lining…