InfoSecurity India's First Magazine on Comprehensive IT Security
InfoSecurity Nov 2009
Anniversary Special
Cloud Security – The Next Big Wave

Cloud computing has opened up a new direction in next-generation enterprise computing, but security has not yet been addressed seriously in this sector. The author discusses the major security challenges and the opportunities that vendors can capitalize on.

A key strategy shift that must occur as a result of cloud-based trends and the limitations of existing security practices is the adoption of a Cloud Security Architecture. This strategy allows an enterprise to have access to on-demand, point-of-use security perimeters in order to consistently enforce organizational policies and provide advanced threat management capabilities that keep pace with an enterprise’s dynamic adoption of cloud computing and user mobility. An important consequence of this shift is a strategic migration away from security appliances, which create location-based architectural limitations, high capital costs and critical points of failure.

In this architecture, the cloud security service provider is essentially taking over responsibility for the burdens associated with security device management: patching, signature updates, user management, log file maintenance and backups – duties which are not core to most businesses. This frees up your internal resources to think more strategically about how security capabilities can enable the business and how granular policies can be crafted that support compliance mandates while helping employees be more productive.

Natural Evolution of Security Delivery

A Cloud Security service can logically be seen as the next generation in a Security Capability Maturity Lifecycle. Initially, there is a manual process to solve a security problem. Next, it becomes automated through software. Then, it becomes easier to manage through a turnkey appliance. Finally, the solution becomes on-demand and available pervasively in the Cloud.

In addition to providing an elegant solution to the arcane and cumbersome security appliance overload, the Cloud Security Architecture also augments endpoint security. While we are not advocating removing the security software on a desktop PC or laptop yet, the cloud security service can protect the endpoint from critical web-borne threats and protect the enterprise from data loss with a Zero Footprint Deployment – no expensive-to-maintain software agent on the desktop. Cloud endpoint protection is provided on the “first hop” into the cloud, before the user reaches any web destinations.

Various Architectures for Managed Security

True Cloud Security should be differentiated from Managed Security Service Providers (MSSP) and Hosted Applications by CISOs seeking to procure the right solution for their enterprise.

MSSP: Outsourced management of on-premise equipment. Essentially the organization is attempting to shift labor costs to a service provider, but retains the appliances and all the associated costs, architectural and scalability limitations and points of failure. An example of MSSP is a vendor managing your distributed deployment of firewalls or desktops.

Hosted Applications: Provider acquires and manages single-tenant appliances. This architecture is not designed from the ground up for cloud operations. Boxes are essentially co-located: no economies of scale are gained from the architecture, and it carries dangerous points of failure and troublesome performance issues. An example of Hosted Applications is a vendor deploying Squid web proxies in a data center and performing web filtering by routing your Internet-bound traffic to the data center.

As clean water and electricity saw a natural move to professionally managed services, enterprise security is moving from a cottage industry to a professionally managed service.

True Cloud Security: Provider delivers service with virtualized multi-tenant infrastructure designed to be resilient, redundant and high performing. An example of true cloud security is Zscaler, which has a multi-tenant platform with a distributed global network.

Inbound versus Outbound Security

Most of today’s security products—such as firewalls, VPN, IDS/IPS—protect corporate networks and servers from threats coming from the Internet. Newer threats infect end users accessing Internet resources by using bots, phishing, and malicious active content, all of which subsequently infect corporate networks. Other than deploying caching and URL filtering products, corporations have done very little to inspect user-initiated traffic and protect their users.

With threats from the Internet that try to compromise enterprises now well under control, the new focus needs to be outbound security – protecting users while they are accessing the Internet.

When we say cloud security, we are not talking about securing a cloud computing platform such as Amazon or Google. We are talking about cloud-delivered security, whereby Internet-bound traffic is filtered by a service in the cloud to make sure that users are protected from the threats of the Internet. We are also not talking about replacing firewalls, which do a fine job against inbound security threats. The focus should be on newer threats, which require monitoring Internet-bound traffic.

Cloud computing is undoubtedly gaining momentum in the current scenario, but at the same time it is imperative to measure security requirements to the highest degree. Tomorrow’s dynamic and converged network will be integrated with cloud computing architecture, and cloud security will unquestionably play a major role in every organization.

—By: Sridhar Namachivayan, Country Manager, Zscaler India.

