Securing Clouds, Apps and Data Without a Performance Hit

Bryson Hopkins
Securing Clouds, Apps and Data Without a Performance Hit


You’ve heard it before: The corporate network perimeter has disappeared. We see this in countless ways. Organizations are collaborating and conducting digital business globally via hybrid and multicloud, and they’re interacting over social networks. More people and devices are connecting into corporate networks from just about anywhere. Remote workers accessing information and applications worldwide via mobile devices is just one increasingly common example. Significant digital activity has become a requirement for doing business in the current era. At the same time, it has widened organizations’ security surface areas and made legacy security boundaries more vulnerable to newer types of cyber-security threats, such as the recent WannaCry ransomware attack.

Leverage an IOA strategy to place secure controls at the digital edge

The blurring of the network perimeter requires a new approach to security. The most effective solution to is to localize security services at the digital edge, where commerce, population centers and digital ecosystems meet, versus the old method of centralizing security services at a single, corporate data center. The digital edge must be prepared for multicloud application and data flows that service users and things across multiple global networks and cloud services. In this environment, security can no longer be thought of as a gate, or a wall. It’s now more akin to airport security, with bidirectional domestic and international traffic and various classes of service.

Deploying an Interconnection Oriented Architecture™ (IOA™) strategy is the best way to enforce corporate security in the digital era. It provides a framework for strategically placing networks, security, data and applications at the digital edge. Locating security services alongside the traffic intersection points of networks, partners and clouds is a major shift from the philosophy of centralizing security services in which most chief security officers (CSO) subscribe. However, enforcing security controls and extending your security posture to the edge, where most digital business is transacted-allows you to expand, scale and fine-tune your security controls in tune with your digital business. Not only can you better maintain privacy and data sovereignty requirements, but you can also place latency-sensitive data and services in proximity to multiple clouds and population centers, thereby improving overall performance to all dependent services.

In addition, the strategy helps you gain insights into how cloud and SaaS services are being consumed and enable shadow IT with less risk by applying dynamic and real-time policy controls that govern the use of those services, as well as detect packet-level anomalies. Finally, the low-latency advantages of implementing security, governance and controls locally can significantly improve the user experience.


Deploying security services via digital edge nodes

Intrigued? You should be. By following an IOA strategy, you can accomplish these security capabilities with digital edge nodes that act as communications hubs inside the infrastructure they are meant to protect. A digital edge node is vendor-neutral, which means you can tailor it to support various network, cloud and data capabilities via interconnection solutions such as the Equinix Performance Hub, Cloud Exchange and Data Hub. Organizations can add security services to the edge nodes to establish edge-based security checkpoints with localized firewall, SSL termination and malware and DDoS protection using a “trust-nothing” security model.

All traffic can be routed to the edge node, where a deep packet inspection zone enables other security services, such as vulnerability scanning, data leakage control and monitoring and logging for analytics. You can also apply policy management to detect unauthorized activity and catch rogue traffic and user mistakes.

The steps for greater security and control

Equinix has published an IOA Security Blueprint with detailed step-by-step instructions for deploying a secure edge node infrastructure (see diagram below).


The steps involve:

  1. Establishing digital boundary control: Boundary control is all about setting up security checkpoints at the digital edge’s primary network with localized firewall, SSL termination via virtual private networks (VPNs) and other protections for malware and DDoS. This contains threats at the edge, where they can be neutralized locally.
  2. Deploying an inspection zone: The primary purpose of an inspection zone is to provide transparency (deep packet inspection) to enable other security services (like those that detect vulnerability exploits or lawfully intercept data leakage, etc.) It also monitors and logs activity for security analytics.
  3. Applying policy administration and enforcement: Policy management (via Policy Decision Points [PDP]/Policy Enforcement Points [PEP]) is applied to establish security “guard rails” with fine-grained prescriptions for what is and is not allowed in traffic flows. Policy management, operating in line with the traffic segmentation strategy, detects rogue traffic or unauthorized activity. It also catches mistakes made by users or developers.
  1. Locating identity and key management locally: By colocating high dependency identity and key management services in each digital edge node, it’s easy to improve performance and scale. Simply place services closer to where you have large numbers of users and at multicloud intersection points.
  2. Linking all security controls with logging and analytics: By linking security controls, algorithms can detect any security issues before they cause a problem and ensure all traffic is legitimate before a breach occurs, blocking unwanted traffic locally at the edge.

Security at the digital edge benefits

The benefits of deploying security at the digital edge via an IOA strategy include:

  • Airtight security that doesn’t impinge on performance, scale or the user experience
  • Increased insight into cloud and SaaS service consumption, with the ability to apply real-time policy controls that govern their use dynamically
  • The extension of your security strategy and posture to where you do most of your digital business, scaling and changing as your business scales and changes
  • The removal of the security risks of shadow IT, in fact security becomes an enabler to innovation rather than a road block.

Upcoming blogs in this series will provide design patterns for each of these steps in more detail. In the meantime, read the IOA Playbook and start planning your move to the digital edge, free of security concerns.

You may also be interested in these IOA Playbook blogs:

Networking at the Edge

Localize and Optimize Traffic

How to Segment Traffic Flows

Optimizing Multicloud Interconnection

Offload Your Internet Traffic

Subscribe to the Equinix Blog