Digital business, mobile computing and cloud technology have pushed much of enterprise computing outside the corporate data center, transforming what was once a single, well-defined enterprise perimeter into multiple, geographically dispersed digital edges with boundaries that must be secured. This trend has greatly accelerated with new forms of digital engagement via mobile devices and social channels, applications assembled via multiple components, APIs and, if things weren’t complex enough, the exploding Internet of Things (IoT).
To cope, security teams are looking for ways to keep centralized control of policy while extending enforcement to the digital edge, where commerce, population centers and digital ecosystems meet. Some of our Equinix partners and customers have adopted an Interconnection Oriented Architecture™ (IOA™) strategy that pushes IT infrastructure beyond the centralized enterprise data center to multiple, distributed interconnection hubs (“edge nodes”) in physical proximity to employees, partners, customers and cloud providers. Once infrastructure is colocated at such a hub, fast, private interconnection for data exchange among partners and services reduces latency and improves performance for a better user experience. As prescribed in the IOA Security Blueprint, traffic rerouted this way passes through the digital edge node, where the security services at that node can inspect it, enforcing data protection and privacy as well as compliance and data sovereignty requirements.
How to secure your digital edge boundary
Protecting distributed IT exchange points without hurting performance requires moving security policy and enforcement infrastructure out to the same physical edge locations you are trying to protect. Backhauling traffic to a centralized enterprise data center for a “security scrub” is not only counterproductive but often prohibitively expensive, since it requires very high bandwidth and massively scalable security equipment and software. The extra round trip also adds delay that degrades the user experience.
The most efficient way to reduce the risk of serious breaches is to deploy boundary controls locally at each edge location. Using the IOA Network Blueprint as the foundational layer, you implement boundary control inside each geographical edge node at the ingress and egress points of the segmented traffic flows. This is the closest point to users, clouds and business partners, and the natural location for a standardized set of hybrid IT boundary services (for example, Security-as-a-Service delivered over multicloud connectivity).
The “trust nothing” model
Such an architecture resembles airport security, with checkpoints at the gate and between international and domestic flights. As at an airport, the first checkpoint determines whether the actor has a valid reason to enter or leave the security zone; it follows a “zero trust” model that challenges traffic in both directions, ingress and egress, rather than trusting anything because of where it came from. This initial checkpoint, and others placed strategically, examines traffic at the intersection points with partners, networks, cloud providers and so on. The security stack is not fundamentally different from the one in the corporate data center, but it is tailored to what each edge location actually needs.
Equinix has published an IOA Boundary Control design pattern with detailed step-by-step instructions for securing boundaries at the edge (see diagram below):
The steps include:
- Determining the security policies and filters for each segmented traffic flow.
- Estimating the boundary services needed by measuring the local volumes and arrival rates of each flow.
- Qualifying the expected latency overhead. Because the security services sit close to the flows and data they protect, the baseline latency is already much lower than with backhauling, which leaves room to add more inspection within the same latency budget.
- Sizing the security services and reviewing placement options: physical or virtual appliances in the edge node, and/or services extended with Security-as-a-Service (Security-aaS). Remember that per-location traffic demands in a distributed model are typically lower than the aggregate demand at a single central point, so each node can be sized accordingly.
- Applying your security boundary stack across all network types: mobile and broadband, internet, multicloud, digital ecosystems (B2B) and metro WAN links to other hubs and corporate data centers.
- Logging everything, denied as well as allowed traffic, for real-time analysis or later pattern analysis; the denies are where attack patterns show up first.
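The steps above, as an added example that is not part of the Equinix design pattern or any published Equinix code: a small Python model of one edge node's boundary control. It holds a per-segment, per-direction policy (step 1) with default deny, challenges ingress and egress separately in the “zero trust” sense, emits a structured log record for every decision (step 6), and sizes the node's inspection capacity from measured arrival rates and volumes (steps 2 to 4). The segment names, CIDRs, ports, the node name, the headroom factor and the traffic figures are all constructed for illustration.

```python
"""Edge-node boundary control, modelled in Python.

Constructed example: segments, CIDRs, ports, the node name and the traffic
figures are illustrative, not values from any real deployment.
"""
from dataclasses import dataclass, asdict
import ipaddress
import json
from typing import Dict, List, Optional, Tuple

# (source CIDR, destination CIDR, destination port). Anything not listed is denied.
Rule = Tuple[str, str, int]

# Step 1: per-segment, per-direction policy. Ingress and egress are challenged
# separately, so an allowed inbound path never implies an allowed outbound one.
POLICY: Dict[Tuple[str, str], List[Rule]] = {
    ("internet", "ingress"):   [("0.0.0.0/0", "203.0.113.0/24", 443)],
    ("internet", "egress"):    [("203.0.113.0/24", "0.0.0.0/0", 443)],
    ("multicloud", "ingress"): [("10.20.0.0/16", "10.10.0.0/16", 5432)],
    ("multicloud", "egress"):  [("10.10.0.0/16", "10.20.0.0/16", 443)],
    ("b2b", "ingress"):        [("192.0.2.0/24", "10.10.5.0/24", 8443)],
    ("b2b", "egress"):         [],  # partner segment may not be initiated outbound
    ("metro_wan", "egress"):   [("10.10.0.0/16", "10.30.0.0/16", 443)],
}

@dataclass(frozen=True)
class Flow:
    segment: str
    direction: str   # "ingress" or "egress" relative to this edge node
    src: str
    dst: str
    dport: int

def _matches(rule: Rule, flow: Flow) -> bool:
    src_net, dst_net, port = rule
    return (ipaddress.ip_address(flow.src) in ipaddress.ip_network(src_net)
            and ipaddress.ip_address(flow.dst) in ipaddress.ip_network(dst_net)
            and flow.dport == port)

def evaluate(flow: Flow, node: str = "edge-node-01") -> dict:
    """Default-deny lookup. A segment or direction with no rules (for example an
    unknown segment) denies. Returns a log record for every flow, allowed or not."""
    rules = POLICY.get((flow.segment, flow.direction), [])
    hit: Optional[Rule] = next((r for r in rules if _matches(r, flow)), None)
    return {**asdict(flow), "node": node,
            "decision": "allow" if hit else "deny",
            "rule": list(hit) if hit else None}

def log_line(record: dict) -> str:
    """One JSON line per decision, ready for real-time or later pattern analysis."""
    return json.dumps(record, sort_keys=True)

# Steps 2 to 4: size this node's inspection capacity from measured local
# volumes and arrival rates, with headroom for peaks (1.5x is an assumption).
def required_capacity_gbps(flows_per_s: float, avg_bytes_per_flow: float,
                           headroom: float = 1.5) -> float:
    return flows_per_s * avg_bytes_per_flow * 8 * headroom / 1e9

def size_node(measurements: Dict[str, Tuple[float, float]]) -> Dict[str, float]:
    """measurements: segment -> (flows per second, average bytes per flow).
    Returns Gbps needed per segment plus the node total."""
    per_segment = {seg: required_capacity_gbps(*m) for seg, m in measurements.items()}
    per_segment["total"] = sum(per_segment.values())
    return per_segment

if __name__ == "__main__":
    sample = [  # constructed flows
        Flow("internet", "ingress", "198.51.100.7", "203.0.113.10", 443),   # allow
        Flow("internet", "ingress", "198.51.100.7", "203.0.113.10", 22),    # deny: port
        Flow("b2b", "egress", "10.10.5.4", "192.0.2.9", 8443),              # deny: no egress rule
        Flow("mobile", "ingress", "198.51.100.8", "203.0.113.10", 443),     # deny: unknown segment
    ]
    for f in sample:
        print(log_line(evaluate(f)))
    print(size_node({"internet": (20000, 1500), "multicloud": (5000, 4000)}))
```

The lookup is the part worth copying into a real node, where it would be rendered as firewall or ACL rules per segment: because `POLICY.get` falls back to an empty rule list, a new segment that nobody has written policy for is closed until someone opens it, and the same record is written whether the decision is allow or deny, so the log can be mined for the deny patterns the list above asks you to keep.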
Tight security with faster performance
The benefits of IOA-based security boundary control include:
- Localizing security boundaries where business is actually done, improving both security and performance and hence the overall user experience.
- Reducing the attack surface of private networks, where most sensitive data traffic resides.
- Applying more security tools and strategies at more physical locations, with far less performance impact than centralized enforcement.
- Limiting the blast radius of an attack: each edge node is its own boundary, so a compromise at one location can be contained within that geographic boundary rather than propagating across the entire network.
- Returning control across cloud, services and partners to the enterprise.
Security-as-a-Service use case
We mentioned leveraging cloud-based Security-aaS in this boundary control design pattern. Such a service is available today on Platform Equinix from Equinix partner Deloitte, which offers a cloud-based risk intelligence service aimed at making enterprises more secure, vigilant and resilient. First, the professional services firm performs security testing to identify the preventive controls and security management services that close off likely attacks. Then it works with the organization to monitor the network continuously in real time, applying predictive analytics against baselines, trends and history so the Deloitte team can spot threats and respond appropriately.
Deloitte uses the Equinix Cloud Exchange within Equinix data centers to connect its hosted environment to customers’ hybrid and multicloud environments at their digital edge, which supports its continuity management, recovery, incident response and forensics planning. By building its Security-aaS offering on an IOA framework, Deloitte helps organizations become cyber-resilient: continuous monitoring, incident response and forensic capabilities detect and arrest threats, identify root causes, and recover systems and data after an incident.
Enterprise IoT security use case
With the rapid growth of IoT for home automation, and of big data cloud analytics for harvesting the resulting information feeds, security at the edge matters more than ever. An IoT vendor rolling out millions of smart devices has used an IOA framework on Platform Equinix to colocate its authentication platform securely at the intersection of its multicloud architecture, all interconnected via the Equinix Cloud Exchange. Through the Equinix partner ecosystem, the customer also gains the expertise and ongoing managed services it needs to design and maintain the boundary security controls for its Equinix Performance Hub deployment, achieving security control at the edge for multicloud interoperability.
Watch for upcoming blogs in this series on security at the digital edge. In the meantime, read the IOA Playbook, and start planning your move to the digital edge.
You may also be interested in previous IOA Playbook design pattern articles:
How to Segment Traffic Flows at the Network Edge