In the last few posts I’ve been laying out the future of hybrid IaaS clouds. I’ve discussed how the choice between public and private will not be an enduring decision, but rather that choosing whether to locate a workload in public or private space will be a transitory choice that shifts with requirements. The same way you may work from your office in the morning and from home at night, so too will workloads move as required to the most effective private or public resource.
This brings up an interesting dilemma. Today we still rely heavily on network-based security solutions. A majority of environments still deploy firewalls, network-based intrusion detection/prevention, proxies, etc., and lean on them heavily for risk mitigation. In a world where endpoints and servers are completely mobile, does it make sense to focus on network-based security solutions?
Before I go any further, let me explain a bit of my background for those who do not know me. I have been a long-time network security guy. I cut my teeth on writing Cisco ACLs and I was one of the first beta testers for Check Point FW-1. Over the years, I’ve had a number of books published on the topic of network security. I wrote the SANS Perimeter Security track and still maintain and teach it to this day. I also teach the SANS Network Intrusion Detection course. When I got into writing iPhone apps, my first two programs were PacketDecode and PortFind, tools designed to help the network security weenie figure out what is happening on the wire. So when I ask “Is network security still relevant?”, I do so as someone who has a lot of sweat equity invested in the discipline.
Stop and think about your laptops for a moment. Where do you apply a majority of your risk mitigation? In other words, think of the top 3 “must have” risk mitigation techniques you employ on laptops that would keep you awake at night if they were suddenly gone. Did the corporate firewall make the list? What about network based intrusion detection? My guess is they did not.
For most folks, the top 3 list would include:
- Mechanism for ensuring systems stay patched and up to date
- Mechanism for ensuring malware stays off the systems
- A personal firewall that can be centrally managed
So as hybrid cloud brings mobility to server-based workloads, the smart money says we’ll be looking at similar solutions to secure our servers as well. Will it be only public workloads that are secured this way? My guess is not. For example, we typically do not apply a different set of security policies to laptops versus desktops; it simplifies deployment to use one consistent policy across the board. I’m thinking the same will be true in the server space as well.
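To make the "one consistent, centrally managed host policy" idea concrete, here is an added illustration (not code from the original post): a single host-firewall baseline (default-deny inbound) that every host carries whether it sits in private or public space, with small per-role additions and a central guardrail check before the ruleset is rendered. The role names, port numbers and the nftables rendering are assumptions chosen for the example.

```python
"""Host-centric firewall policy that travels with a mobile workload.

Added illustration, not code from the original post. Role names, ports and
the nftables output format are assumptions chosen for the example.
"""
from dataclasses import dataclass, field

ANY_SOURCE = "0.0.0.0/0"


@dataclass(frozen=True)
class Rule:
    proto: str                  # "tcp" or "udp"
    port: int
    source: str = ANY_SOURCE    # CIDR allowed to reach the port


@dataclass
class HostPolicy:
    role: str
    inbound_default: str = "drop"      # baseline: deny unsolicited inbound
    inbound_allow: list = field(default_factory=list)


# Constructed baseline: identical for laptops, desktops and servers alike.
BASELINE_INBOUND_DEFAULT = "drop"

# Constructed role additions (assumed ports for the example).
ROLE_ALLOW = {
    "laptop": [],
    "web-server": [Rule("tcp", 443)],
    "db-server": [Rule("tcp", 5432, source="10.0.0.0/8")],
}

# Central guardrail: management ports are never opened to the whole Internet.
MGMT_PORTS = {22, 3389, 5985, 5986}


def build_policy(role: str) -> HostPolicy:
    """Combine the shared baseline with the role's allowed inbound services."""
    if role not in ROLE_ALLOW:
        raise ValueError(f"unknown role: {role}")
    return HostPolicy(role=role,
                      inbound_default=BASELINE_INBOUND_DEFAULT,
                      inbound_allow=list(ROLE_ALLOW[role]))


def violations(policy: HostPolicy) -> list:
    """Return the baseline invariants a candidate policy breaks (empty if none)."""
    problems = []
    if policy.inbound_default != "drop":
        problems.append("inbound default must be drop")
    for r in policy.inbound_allow:
        if r.port in MGMT_PORTS and r.source == ANY_SOURCE:
            problems.append(f"management port {r.port} exposed to {ANY_SOURCE}")
    return problems


def render_nft(policy: HostPolicy) -> str:
    """Render the policy as an nftables ruleset; refuse policies that break a guardrail."""
    bad = violations(policy)
    if bad:
        raise ValueError("; ".join(bad))
    lines = [
        "table inet host {",
        "  chain input {",
        f"    type filter hook input priority 0; policy {policy.inbound_default};",
        "    ct state established,related accept",   # replies to our own traffic
        "    iif lo accept",                          # loopback
    ]
    for r in policy.inbound_allow:
        src = "" if r.source == ANY_SOURCE else f"ip saddr {r.source} "
        lines.append(f"    {src}{r.proto} dport {r.port} accept")
    lines += ["  }", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    for role in ROLE_ALLOW:
        print(f"# role: {role}")
        print(render_nft(build_policy(role)))
```

The point of the guardrail is that the policy owner, not the host's current network location, decides what is exposed: a host keeps the same default-deny stance and the same management-port restriction when it moves between private and public space, and only the role-specific allow list differs.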
So is network security dead and buried? Hardly. Even as workloads become mobile, organizations will want to maintain some semblance of control over their network infrastructure. We’ll want to ensure that spammers don’t hijack our resources, that random individuals do not borrow Internet access via Wi-Fi, etc. So network-based security will continue to have its place in a corporate environment; it will simply play less of a role in our overall security posture.
Hybrid IaaS brings with it a rethink of how we apply security. While in the past we have relied heavily on network-based risk mitigation, that model will clearly need to change. Expect much resistance from the hard-core network security folks. No one wants to hear that their skills need to be updated.