In previous blog articles, we discussed the importance of using an Interconnection Oriented Architecture™ (IOA™) strategy to localize security services in digital edge nodes to govern multi-party data flows. Interconnection enables private data exchange between businesses, and an IOA Security Blueprint framework secures the interconnection of people, locations, clouds and data. Each digital edge node is a mix of physical and virtual appliances with supporting SaaS-based services that enable you to create tailored security guard rails for specific workload traffic and digital services at strategic geographic locations, placing you in control of your business flows (see diagram below):
An IOA security framework is also vendor-agnostic, which is critical to consolidating and integrating these functions, whether you are protecting data access on-premises or in the cloud.
An IOA Security framework at the edge begins with implementing the first three design patterns from the IOA Security Blueprint:
Locating identity and key management at the digital edge
The fourth design pattern in the IOA Security Blueprint describes why you should locate identity and encryption key management services at the digital edge. These are critical functions in a business environment of bidirectional workflows among dispersed users, data, applications and clouds. Applications must constantly fetch credentials and decryption keys from these services, and every fetch adds latency if the services are not colocated with the applications and data they protect. In addition, a multicloud environment can cause a proliferation of credential and key copies, increasing complexity and risk. Finally, the lack of integration between on-premises and cloud security services, and of clear ownership and responsibility for them, is a significant pain point for businesses and increases operational risk.
Other constraints and forces that affect these critical security services include:
Centrally Located Security Information
Security information has traditionally been centralized, out of a natural impulse to protect data that, if compromised, could cripple a business. However, locating identity and encryption key management services in a corporate data center forces every edge security request to be backhauled over the WAN, and the extra round trips across high-latency, long-haul networks degrade user experience and application performance. This matters: according to the Ponemon Institute 2016 survey on encryption trends, 74% of respondents say the most critical feature of an encryption technology solution is managing system performance and latency. Balancing “trust no one” security against reasonable performance is difficult when critical infrastructure services are remote, and the resulting risks, such as having to operate separate identity and key management systems on-premises and at each cloud service provider (CSP), still need to be mitigated.
Cloud Provider Security Services
CSPs offer security to alleviate a business’s need to backhaul edge traffic to a centralized corporate data center or to address a lack of enterprise expertise on cloud security. However, this approach can increase risk through the proliferation of sensitive data to a diverse and dispersed cloud services landscape, where you have limited control over identity and encryption key management or where the data physically resides. A fragmented approach across different cloud services increases risk, especially when cloud security services have a shared fate with other cloud service dependencies. In addition, there’s the risk of being implicated in a government action taken against a cloud provider (or one of their other customers) resulting in unauthorized access to your data. Given these concerns, it’s no surprise that the second- and third-most important features for an encryption technology solution cited by the Ponemon respondents were maintaining enforcement policies (71%) and supporting both cloud and on-premises deployments (69%).
Costly Corruption and Downtime
When private information is compromised, data can be leaked and/or slowly corrupted over time. The full impact can take months to understand and often costs a company hundreds of millions of dollars in remediation. In addition, as businesses grow increasingly dependent on IT services, an outage of what counts as “critical infrastructure” (e.g., DNS, directory, identity and key management, network) can be measured in dollars lost per second of downtime, on top of reputational damage.
What happens if you don’t address these security challenges? The worst-case scenario is that you could lose your business due to a lack of trust in your company. According to a report by McAfee, 33% of companies surveyed said they believe that accidental or malicious distribution of confidential data could put them out of business. And for small businesses, 60% could go under within just six months after a cyberattack, according to U.S. National Cyber Security Alliance. Even if these dramatic effects are avoided, security challenges slow application performance, heighten organizational risk, increase costs from data loss, corruption and unplanned downtime, and increase operational complexity.
Regaining identity and encryption key control
The IOA Security Blueprint Identity and Key Management Security Design Pattern (see diagram below) provides a step-by-step strategy for gaining greater control over security functions by deploying local, vendor-neutral identity and encryption key management services. Placing critical infrastructure services in digital edge nodes in proximity to traffic volumes and clouds, digital ecosystems and user population centers simplifies management, improves security and increases efficiency.
The steps toward greater identity and key management control include:
- Deploy security appliances (usually dedicated hardware appliances), and apply proxy/load balancing as needed.
- Configure boundary roles and inspection zone policies to further restrict access.
- Segment the network to isolate service replication / synchronization channels (closed circuit) across the edge node fabric.
- Encrypt the security services’ own data with a separate mechanism, and define “break-glass” procedures for emergency access.
Note: Public internet applications can also use security services over an ISP link. In addition, security services hosted in a cloud can be extended to other clouds directly and securely through the edge node. There is no need to duplicate them in separate clouds.
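The following Python script is an added illustration of the last step above (a separate encryption mechanism plus a break-glass procedure); it is not IOA blueprint material or Equinix code. It assumes a hypothetical edge-node key service (`EdgeKeyManager`) whose key-encryption key never leaves the node, envelope-encrypts a constructed sample record so that a cloud-side copy holds only wrapped key material, and splits the KEK into 2-of-3 Shamir shares for break-glass recovery. The cipher is a toy SHAKE256-keystream-plus-HMAC construction so that the script runs on the standard library alone; a real appliance would use AES-GCM or an HSM wrap call in its place.

```python
"""Added illustration, not IOA or Equinix code: an edge-resident key manager.
The key-encryption key (KEK) stays on the edge node; clouds store only data
wrapped under it. The AEAD is a toy SHAKE256-stream + HMAC construction so this
runs on the standard library alone; a real node uses AES-GCM or an HSM wrap."""
import hashlib
import hmac
import secrets

SAMPLE_SECRET = b"constructed sample: directory replication record, not real data"

def _seal(key, plaintext):
    """Toy AEAD: nonce || ciphertext || HMAC tag (stand-in for AES-GCM)."""
    nonce = secrets.token_bytes(16)
    stream = hashlib.shake_256(b"enc" + key + nonce).digest(len(plaintext))
    ct = bytes(x ^ y for x, y in zip(plaintext, stream))
    return nonce + ct + hmac.new(b"mac" + key, nonce + ct, hashlib.sha256).digest()

def _open(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(b"mac" + key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("authentication failed: wrong key or tampered data")
    stream = hashlib.shake_256(b"enc" + key + nonce).digest(len(ct))
    return bytes(x ^ y for x, y in zip(ct, stream))

# Shamir threshold sharing over GF(2^8): the break-glass path for the KEK.
def _gf_mul(a, b):
    p = 0
    while b:
        if b & 1:
            p ^= a
        a <<= 1
        if a & 0x100:
            a ^= 0x11B  # AES field polynomial x^8 + x^4 + x^3 + x + 1
        b >>= 1
    return p

def split_secret(secret, k, n):
    """Return n (x, share) pairs; any k of them reconstruct the secret."""
    shares = [(x, bytearray()) for x in range(1, n + 1)]
    for byte in secret:
        coeffs = [byte] + [secrets.randbelow(256) for _ in range(k - 1)]
        for x, buf in shares:
            y, x_pow = 0, 1
            for c in coeffs:
                y ^= _gf_mul(c, x_pow)
                x_pow = _gf_mul(x_pow, x)
            buf.append(y)
    return [(x, bytes(buf)) for x, buf in shares]

def recover_secret(shares):
    """Lagrange interpolation at x=0, byte by byte; too few shares yield garbage."""
    xs = [x for x, _ in shares]
    out = bytearray()
    for i in range(len(shares[0][1])):
        acc = 0
        for j, (xj, yj) in enumerate(shares):
            num = den = 1
            for m, xm in enumerate(xs):
                if m != j:
                    num, den = _gf_mul(num, xm), _gf_mul(den, xm ^ xj)
            inv = 1
            for _ in range(254):  # den^254 == den^-1 in GF(2^8)
                inv = _gf_mul(inv, den)
            acc ^= _gf_mul(yj[i], _gf_mul(num, inv))
        out.append(acc)
    return bytes(out)

class EdgeKeyManager:
    """Hypothetical edge-node key service: the KEK never leaves it, unwraps are audited."""
    def __init__(self, kek=None):
        self.kek = kek or secrets.token_bytes(32)
        self.audit = []
    def wrap(self, dek):
        return _seal(self.kek, dek)
    def unwrap(self, wrapped, caller):
        self.audit.append(("unwrap", caller))
        return _open(self.kek, wrapped)

def store_in_cloud(edge, plaintext):
    """Envelope encryption: fresh DEK per record, DEK wrapped under the edge KEK."""
    dek = secrets.token_bytes(32)
    return {"wrapped_dek": edge.wrap(dek), "ciphertext": _seal(dek, plaintext)}

def read_from_cloud(edge, record, caller):
    return _open(edge.unwrap(record["wrapped_dek"], caller), record["ciphertext"])

def demo():
    """What a CSP-side dump, the edge node, a 2-of-3 quorum and a lone custodian get."""
    edge = EdgeKeyManager()
    record = store_in_cloud(edge, SAMPLE_SECRET)  # this dict is all a cloud dump exposes
    shares = split_secret(edge.kek, 2, 3)  # break-glass: three custodians, any two suffice
    quorum = EdgeKeyManager(kek=recover_secret(shares[1:]))
    return {
        "cloud_dump_has_secrets": SAMPLE_SECRET in record["ciphertext"] or edge.kek in record["wrapped_dek"],
        "edge_read_ok": read_from_cloud(edge, record, "app-1") == SAMPLE_SECRET,
        "quorum_read_ok": read_from_cloud(quorum, record, "break-glass") == SAMPLE_SECRET,
        "lone_custodian_fails": recover_secret(shares[:1]) != edge.kek,
        "unwrap_audited": ("unwrap", "app-1") in edge.audit,
    }
```

The design point is the separation of concerns: the cloud record carries a ciphertext and a wrapped data key, so a dump of the tenant's storage (or of the hypervisor hosting it) contains nothing usable without a call to the edge node, and every such call leaves an audit entry. The break-glass shares are what you would hand to custodians in different locations; any single share is useless on its own, and the recovery should itself be logged and followed by a KEK rotation.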
The benefits of securing your business at the edge include:
- Security services remain in the control of the company at all times, regardless of changes in the use of cloud services. In addition, digital edge nodes enable direct and secure interconnection to CSPs for tighter integration of on-premises and cloud security services.
- Attacks on multi-tenant cloud services (e.g., hypervisor core dumps or Linux root exploits) do not yield the services or their security data, because that information does not reside there.
- Latency advantages mean it’s possible to add more security, governance and controls that would have otherwise damaged user experience or scale if not deployed locally.
- Overall performance and resiliency is improved, with services federated across digital edge nodes and intersection points.
- If a CSP or partner is compromised, your security services do not share its fate: the compromised party holds no identity or encryption key management data, and your services have no dependency on it.
- Within your firm, access to these systems must traverse the inspection zone and policy enforcement points, so attempts to steal or leak security data can be detected and blocked.
Learn more about these and additional procedures by visiting the IOA Knowledge Base of vendor-neutral blueprints that take you step-by-step through the right patterns for your architecture.
And watch for upcoming blogs in this series on security analytics and logging at the edge. In the meantime, read the IOA Playbook, and start planning your move to a more secure digital edge.
If you are ready to begin architecting for the digital edge now, contact an Equinix Global Solutions Architect.