With the rapid development of cloud migration, wireless access, and the Internet of Things (IoT), the number of services and assets that enterprises must protect is quickly increasing, and traditional security products are challenged to meet a changing set of requirements.
While Software-Defined Wide Area Networks (SD-WANs) reduce the time needed to interconnect services at enterprise branches from a month to minutes, implementing the security measures for these interconnections continues to be labor intensive. Further, as enterprises provide access at all times to mobile employees working around the world, how will these enterprises ensure that the employees are covered under a uniform security policy from wherever they access the company intranet?
The stakes are high, as demonstrated by the WannaCry ransomware that wreaked havoc across the globe in May 2017. Three hundred thousand users were affected in more than 150 countries, incurring as much as USD 8 billion in damages. New Advanced Persistent Threat (APT) and ransomware attacks emerge every few months, prompting security professionals to ask what measures are necessary to keep up with these changing threats.
Cloud Security Services Are the Answer
Cloud-based security is not a new concept. Indeed, cloud security services for Web and email are already a mature industry, and the size of the cloud-based Distributed Denial of Service (DDoS) mitigation market is quickly approaching that of traditional anti-DDoS devices.
Cloud security services have distinct advantages over traditional security devices. First, users can provision cloud services on an as-needed basis and apply for appropriate resources as specific threats develop. This advantage eliminates the need for large, upfront investments. Second, users can configure services at any time on a unified portal that allows for deployment in minutes or even seconds. Third, cloud services ensure the consistent fulfillment of security policies, as it is no longer necessary to perform configurations repeatedly on different devices. Fourth, cloud service providers can update security capabilities in a timely manner to implement services such as threat detection and vulnerability discovery to protect against the latest threats without requiring users to upgrade local security devices. Finally, the cloud approach provides significantly higher reliability than independent security devices, offering SLA guarantees as high as 99.999 percent.
The advantages of cloud security services are still evolving, and the cloud services of the future are expected to become increasingly integrated.
Cloud Security Services Become More Agile
In the early stages of development, cloud security services mainly moved security functions to the cloud to be provisioned as services.
Initially, security devices were only loosely coupled to customer services. In the example of Web security gateways, traditional hardware devices were deployed at enterprise egresses. When internal employees accessed websites on the Internet, these devices provided authentication, Web filtering, and visualization of SSL-encrypted flows.
In contrast, security services for Web access deployed in the cloud use a proxy or similar method to redirect Web traffic from users into the cloud for processing. Early cloud security services offered little innovation in terms of capability — they simply made use of the cloud for convenient provisioning, elastic scaling, and service distribution. Although these first cloud security services merely deployed security devices in the cloud and provided them as services, they attracted a substantial number of customers. But in an environment where the rate and sophistication of attacks continue to increase, it is clear that enterprise requirements have not been completely met.
Only ubiquitous services can ensure an overall effective security solution. If any part of a system is unprotected, attacks will surely enter through those vulnerabilities to threaten the entire system.
Web security for enterprise branches is essential. Branches require a long list of security services that includes email, isolation, antivirus, protection against data leakage, mobile security, and audit trails. It is expected that these services will be modified over time to meet the changing scale of enterprise branches and the nature of their threat traffic. The requirement for continuous updates greatly increases management complexity. In fact, compared with the ease of deploying a multi-function Next-Generation Firewall (NGFW) at the egress gateway, first-generation cloud services were neither simple nor efficient.
Consolidated and Deeply Integrated
For cloud security services to mitigate the difficulties faced by Chief Information Security Officers (CISOs) and IT administrators, the technology needs to develop through two stages. First, services need to be consolidated, with portals, billing systems, and management methods unified for enterprise use. Second, the pain points mentioned in the previous section need to be addressed: cloud security services must become deeply integrated with enterprise core services so that they can be provisioned simultaneously with the enterprise services they protect.
To see how this approach can be implemented, consider an enterprise with multiple branch offices. When new branch offices are opened, dedicated circuits to interconnect with headquarters are needed to access the enterprise intranet. SD-WANs are gradually replacing dedicated lines and Internet service for branches. The goal is to deeply integrate cloud security service packages with SD-WAN cloud services to form an all-in-one solution. In this scenario, SD-WANs provide dynamic route selection for branch service traffic, and also bring additional, application-specific bandwidth.
Optimally, cloud security services are deployed at the same time as SD-WAN services. Connections between branch offices and enterprise headquarters are usually made over leased lines so that branch users can access applications such as ERP and CRM on the headquarters intranet. Depending on service requirements, the SD-WAN will reuse part of the bandwidth on the Internet access link that is bound to the leased line to run basic security services such as VPN encryption and access control.
Using the Internet connection, branch employees typically access external websites, such as search engines, news websites, and external email. Cloud security must therefore include Web and email security gateway services.
Additionally, branch employees may connect to a public cloud to access Software-as-a-Service (SaaS) products, such as Office 365, storage, or the commercial Web. To ensure security, a Cloud Access Security Broker (CASB) must be deployed on these connections. Traffic generated by interactions with public cloud services is normally encrypted over HTTPS or a similar method, and standard firewalls are unable to process that traffic. However, CASBs can use APIs or proxies to mediate all interactions between users and the public cloud. CASBs apply the appropriate protocols to implement functions such as web security, access control, and data leak prevention.
The security cloud services described here — VPN, Web and email security, and CASB — can be provisioned, billed, scheduled, and managed along with the SDN. All-cloud architectures make elastic scaling possible for security services operating concurrently with the SD-WAN.
Many solutions similar to integrated SD-WAN and cloud security services will emerge in the near future. These types of products and services are designed to meet essential enterprise needs and represent the forward direction of cloud security service development. At present, Huawei provides a wide variety of cloud security services and is working with its partners toward the rapid and healthy development of the security industry.