There was a time when an application was typically a single piece of software running on a data center server or user PC, but today’s applications are more likely to be distributed combinations of interconnected, automated, often mobile components from multiple sources or vendors. These application components—and the continuous interactions among them—may be deployed in a central or regional colocation data center, a cloud service infrastructure or across a multicloud environment that likely includes mobile users and/or business partners.
Functionality that was traditionally enacted with static perimeter security using fixed hardware appliances must now be distributed at intersection points within each edge node to control traffic without impacting performance or user experience.
Placing a security inspection zone at the digital edge
In a previous article, we discussed how implementing a security boundary control design pattern from the Security Blueprint reduces security exposure. The pattern offers steps for protecting a company’s multiple digital edge perimeters while increasing the number of network entry points. This article covers step two in the security design pattern. Step two recommends establishing an edge-based inspection zone that employs a zero-trust model and deep packet inspection of traffic flows among components, cloud services and users at each edge node.
Application architectures have become quite complex over time, which is why they require dynamic and adaptable approaches to traffic monitoring along with algorithms that yield security insight, detect intrusion and automate effective responses. These new tactics can yield trusted traffic flow data using deep packet inspection that is performed “on the wire” in real time. The most effective way to protect distributed applications is to create a policy-based inspection zone in each edge node where intersection traffic from various cloud providers, trusted user networks, extranet partner networks and untrusted external networks interconnect. These “guard rails” are crucial for managing shadow IT.
This strategy boosts enterprise security, preventing unwanted, dangerous data from traveling through the interconnections. It can also thwart information theft from data leakage by preventing specifically classified traffic from visiting unauthorized destinations. The inspection zone can store useful data for analytics, not only for security trends and alerts, but also for a variety of other business-use cases. For example, these inspection zones can provide insights into heavily used enterprise services resulting in the creation of better routes to these services or new ways to distribute these applications to improve user experience.
Today, application performance with reduced latency depends on fast, proximate interconnections among component infrastructures. To achieve this, many organizations are adopting an Interconnection Oriented Architecture™ (IOA™) strategy that pushes enterprise IT capabilities out to a company’s digital edge, where commerce, population centers and digital ecosystems meet. By deploying edge nodes alongside security controls within distributed colocation data centers using fast, direct and private interconnection, you can dramatically boost application performance and significantly reduce latency. The result is a far superior and more secure user experience than the former default of backhauling all traffic to a distant enterprise data center.
The Inspection Zone Design Pattern
Once you’ve applied the recommendations of the IOA Network Blueprint at your digital edge as the foundational layer and established boundary controls (the first step toward creating security guardrails as depicted in our first security at the edge article), you’ll want to monitor digital engagement and traffic by creating an inspection zone in each of the edge nodes. These zones function a bit like airport security at the intersection points of all networks, flows and traffic. Border control allows entry into the security zone, and the zone then inspects all traffic before allowing it through, regardless of whether the data or workloads are arriving or departing.
Creating an Inspection Security Zone
This security design pattern details the following steps for establishing and maintaining an effective inspection zone:
- Determine the level of monitoring required for each segmented traffic flow, including the volume of data to be captured per event, and projected arrival rates and growth.
- Measure the amount of traffic and deploy inspection appliances in the edge node. Route authorized and authenticated traffic from boundary control to the appliance inspection zone.
- Apply real-time traffic analysis across each of the distributed edge nodes, logging and aggregating data for analysis.
- Leverage the inspection zone to apply user-centric security models.
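As an added illustration (not Equinix code and not part of the original article), the Python example below combines the policy-based inspection described earlier with the logging and aggregation step in this list: each flow gets a default-deny check and a classification ceiling per destination, and verdicts are counted per edge node. The zone names, classification labels, edge-node names and sample flows are all constructed for the example.

```python
from collections import Counter
from dataclasses import dataclass

# Classification labels, lowest to highest sensitivity (constructed).
LEVELS = {"public": 0, "internal": 1, "restricted": 2}

# Zero-trust allow list: (source zone, destination zone) -> highest label
# permitted on that path. Any pair not listed here is denied.
POLICY = {
    ("trusted_user", "cloud_provider"): "internal",
    ("cloud_provider", "trusted_user"): "restricted",
    ("trusted_user", "extranet_partner"): "public",
    ("extranet_partner", "cloud_provider"): "public",
    ("trusted_user", "untrusted_external"): "public",
}

@dataclass(frozen=True)
class Flow:
    edge_node: str   # hypothetical edge-node name
    src_zone: str
    dst_zone: str
    label: str       # classification assumed to be assigned during inspection

def inspect(flow):
    """Return (verdict, reason) for one flow; the default is deny."""
    ceiling = POLICY.get((flow.src_zone, flow.dst_zone))
    if ceiling is None:
        return "deny", "no-policy"
    if flow.label not in LEVELS:
        return "deny", "unclassified"
    if LEVELS[flow.label] > LEVELS[ceiling]:
        return "deny", "classification-exceeds-destination"
    return "allow", "policy-match"

def aggregate(flows):
    """Count flows per (edge node, verdict, reason) for central analysis."""
    return Counter((f.edge_node, *inspect(f)) for f in flows)

# Constructed sample flows, not captured traffic.
SAMPLE_FLOWS = [
    Flow("edge-a", "trusted_user", "cloud_provider", "internal"),
    Flow("edge-a", "trusted_user", "untrusted_external", "restricted"),
    Flow("edge-a", "untrusted_external", "trusted_user", "public"),
    Flow("edge-b", "extranet_partner", "cloud_provider", "unknown"),
    Flow("edge-b", "trusted_user", "cloud_provider", "public"),
]

if __name__ == "__main__":
    for key, count in sorted(aggregate(SAMPLE_FLOWS).items()):
        print(key, count)
```

The second sample flow is the data-leakage case: the path itself is permitted, but the traffic's classification is higher than that destination may receive, so it is denied and counted under its own reason.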
The benefits of a well-architected inspection zone include:
- The ability to monitor and log all traffic across network segments and cloud services
- Efficient scaling when inspection zones are distributed across high-bandwidth, low-latency intersection points
- The ability to leverage highly capable digital ecosystems and security services (like SaaS) without impinging on performance
- The flexibility to quickly and easily add and monitor traffic from new cloud services
- Putting IT back in control
Public sector customer use case
At Equinix, we’ve seen thousands of companies re-architect their infrastructures to accelerate digital transformation and place IT back in control using detailed interconnection blueprints and design patterns modeled off hundreds of successful deployments. We can see an example of a well-architected inspection zone in an Equinix customer in Singapore’s public sector. This customer, accessing cloud services via the Equinix Cloud Exchange, deployed a network firewall and intrusion protection system for inspecting traffic to detect and prevent network attacks. This created an inspection zone for traffic leaving the corporate network and heading into the public cloud. The inspection zone ensures that corporate users can securely access public cloud services while also complying with internal security standards and audit requirements.
Watch for upcoming blogs in this series on deploying security services at the edge. In the meantime, read the IOA Playbook, and start planning your move to the digital edge.
If you’re ready to begin architecting for the digital edge now, contact an Equinix Global Solutions Architect.