Digital transformation is flipping IT architectures inside out, as data and content move from the private, centralized cloud and on-premises data centers to public cloud services and SaaS providers, beyond an enterprise’s current edge. For digital businesses this means the boundary between the digital and physical worlds is blurring at the digital edge, where commerce, population centers and digital ecosystems meet. Centralized IT architectures (on-premises and cloud) cannot scale to support this massive shift to the edge and therefore are transforming into interconnection-first, cloud-centric setups. Additionally, as new technologies (e.g., Internet of Things) create more data at the edge and new data privacy regulations (e.g., General Data Protection Regulation) require stricter local data security, deploying a new, secure digital edge control framework (DECF) is critical to your digital business success.
In a previous blog post, we talked about how to segment traffic flows at the network edge to lay the groundwork for data and application access control and segmentation. In this post, we’ll dive down deeper into how to deploy these inside a DECF, which is the security framework for an Interconnection Oriented Architecture™ (IOA™), a proven and repeatable approach to directly and securely interconnect people, locations, clouds and data.
We’ll also discuss how Equinix and Palo Alto Networks are taking traditional network segmentation one step further by establishing best practices in creating various types of security zones using a digital edge control framework.
The need for control at the digital edge
As data becomes more distributed out to multiple digital edge locations, the centralized core data center model can no longer provide the security controls necessary for current or future digital business. This creates the following security challenges for today’s enterprises:
- Lack of awareness and visibility
Today’s applications are distributed combinations of interconnected and automated components from multiple sources or vendors – deployed in a central or regional colocation data center, a cloud service infrastructure and/or across a multicloud environment and within SaaS-based services. Traditional centralized IT infrastructures and siloed business processes lack the end-to-end visibility required to effectively and efficiently monitor all of the complex interactions between and among distributed applications.
- Fragmented controls and management
Converting this new level of visibility into relevant action requires the enforcement of ubiquitous security policies across all enterprise domains, including on-premises capabilities, SaaS applications, cloud workloads, network services and partner domains. And, even though you can create an unlimited number of new security policies, you need to consistently enforce them throughout the organization. As digital transformation drives more SaaS application and cloud workload usage to the edge, consistent policy design and enforcement across these new domains is critical.
- Data placement and access controls
The center of data gravity is moving. Enterprises are now placing data at the edge in order to keep it closer to the users and applications. Movement of this data to the edge requires careful design. Beyond ensuring proper management and distribution of this data, considerations need to be given to data security and privacy. Architects need to design solutions that mask data from potential exposure and ensure proper access controls to that data. Sensitive data should be moved to the edge with encryption in place, as well as access controls to ensure only authorized users and systems have access to that data.
To address all of these challenges and execute a holistic security strategy inside your IOA deployment, you need to implement a DECF that spans the whole deployment. Combined with a zero-trust model, it gives you control of business communication at the traffic exchange points, alongside local private data repositories and multicloud application and service integration.
Establishing a Digital Edge Control Framework
A DECF contains a roadmap to implement security control functions based on digital transformation best practices. This includes all the functions and capabilities necessary for an enterprise to support cloud resiliency, agility and controls across multiple public cloud, SaaS and network service providers. A DECF enables you to establish distributed visibility and control of data at the cloud edge. It also allows you to segment and introduce boundary controls for cloud traffic and solve corporate regulation, sovereignty and compliance issues.
One of the most fundamental aspects of delivering a DECF is access control and segmentation. It is an established practice that access control and segmentation is an effective strategy for improving an enterprise’s security posture and reducing risk. As enterprises move workloads to the cloud and begin using SaaS applications, they need to consider how to re-segment their network to include these new workloads and applications.
To create new segments for cloud workloads and SaaS applications, you must move beyond the broadly defined trusted and untrusted segments you built previously and apply new security policies. To accomplish this, you need to implement edge security zones. These zones take traditional network segmentation one step further, replacing the binary trusted/untrusted model with a more logical set of zones based on the specific enterprise environment, with inter-zone traffic denied unless a policy explicitly allows it.
Applying the concept of security zones to the cloud, an enterprise environment might be broken down with:
- A Public Cloud zone with access to workloads and services in cloud service providers (e.g., AWS, Microsoft Azure, Google Cloud), with multiple vNETs or VPCs coming back through Equinix Performance Hubs (where these clouds come together), via the Equinix Cloud Exchange (ECX) Fabric™.
- A SaaS zone with access to services such as email and collaboration (e.g., Microsoft Office 365), customer relationship management, corporate expense and much more. A Cloud Access Security Broker (CASB), sitting between the Palo Alto Networks Next-Generation Firewall (NGFW) and cloud services, provides visibility of traffic and user controls to set policy context on how corporate users can access those applications. Note that some SaaS applications may only be reachable via the internet, while others can be accessed exclusively via private connectivity or a combination of the two.
- One or more DMZs, which separate the internal network from the internet and other untrusted networks.
- Internet-facing services are placed within the DMZ, including web, mail, DNS, FTP and sometimes VoIP.
- Branch offices are often connected via a DMZ in situations where they need their own internet access but also access to internal corporate resources.
- An Extranet zone (sometimes part of the DMZ), which enables external partners and stakeholders to access the content and functions of an intranet.
- An Internet zone, which only permits inbound access to the DMZ zone(s), but never to the other zones.
- A separate zone for Management and Operations, which will include functions such as bastion hosts, jump systems, monitoring servers and patching update systems. This zone can reach everything inside the perimeter, so access into it should be tightly restricted: no inbound access from the Internet zone, and administrator access only through the bastion or jump systems with strong authentication.
- A Remote and Corporate User zone. These users typically have access not only to the internet, but to the SaaS zone, to cloud service providers and to internal corporate resources.
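The zone breakdown above is only useful if it is enforced as a default-deny matrix between zones. The following is an added example written for this post (it is not Equinix or Palo Alto Networks code and does not reflect PAN-OS rule syntax): it maps addresses to the zones listed above, encodes the inter-zone flows the text describes as an allow list, and denies everything else. The address plan, the port lists and the sample flows are constructed assumptions for illustration.

```python
"""Zone-based, default-deny inter-zone policy check.

Added example for this post (not Equinix or Palo Alto Networks code): the
zones are the ones listed above, the allowed flows are the ones the text
describes, and everything else is denied. The address plan, ports and
sample flows are constructed assumptions for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

# Hypothetical address plan: one prefix per zone (assumption, not from the post).
ZONE_PREFIXES: List[Tuple[str, str]] = [
    ("10.10.0.0/16", "dmz"),
    ("10.20.0.0/16", "extranet"),
    ("10.30.0.0/16", "management"),
    ("10.40.0.0/16", "corporate_users"),   # remote and corporate user segments
    ("10.50.0.0/16", "internal"),          # internal corporate resources
    ("10.100.0.0/16", "public_cloud"),     # VPC/vNET ranges reached via the hub
    ("100.64.0.0/10", "saas"),             # privately connected SaaS (assumption)
    ("0.0.0.0/0", "internet"),             # catch-all: anything unknown is untrusted
]
_NETS = sorted(((ipaddress.ip_network(c), z) for c, z in ZONE_PREFIXES),
               key=lambda n: n[0].prefixlen, reverse=True)


def zone_of(ip: str) -> str:
    """Longest-prefix match of an address to its security zone."""
    addr = ipaddress.ip_address(ip)
    for net, zone in _NETS:
        if addr in net:
            return zone
    raise ValueError(f"no zone for {ip}")   # unreachable thanks to 0.0.0.0/0


@dataclass(frozen=True)
class Rule:
    src: str
    dst: str
    ports: Optional[FrozenSet[int]] = None   # None means any destination port


def _ports(*p: int) -> FrozenSet[int]:
    return frozenset(p)


# Inter-zone allow list derived from the zone descriptions in the post.
# A flow that matches no rule is denied (default deny between zones).
RULES: List[Rule] = [
    # Internet zone: inbound to the DMZ only, never to the other zones
    Rule("internet", "dmz", _ports(25, 53, 80, 443, 5060)),   # mail, DNS, web, VoIP
    # Extranet partners reach published DMZ services over TLS only
    Rule("extranet", "dmz", _ports(443)),
    # Remote and corporate users: internet, SaaS, cloud providers, internal resources
    Rule("corporate_users", "internet"),
    Rule("corporate_users", "saas"),
    Rule("corporate_users", "public_cloud"),
    Rule("corporate_users", "internal"),
    # Management and operations zone reaches everything inside the perimeter
    *[Rule("management", z) for z in
      ("dmz", "extranet", "corporate_users", "internal", "public_cloud", "saas")],
    # Workloads report back to management only on syslog/agent ports (assumed ports)
    Rule("internal", "management", _ports(514, 8443)),
    Rule("public_cloud", "management", _ports(514, 8443)),
]


def evaluate(src_ip: str, dst_ip: str, dst_port: int) -> Tuple[str, str]:
    """Return ("allow" | "deny", reason) for one flow."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    if src == dst:
        # Intra-zone traffic is allowed here, mirroring the usual zone-firewall
        # default; tighten this if hosts inside a zone must not talk to each other.
        return "allow", f"intra-zone {src}"
    for rule in RULES:
        if rule.src == src and rule.dst == dst and (
                rule.ports is None or dst_port in rule.ports):
            return "allow", f"rule {src}->{dst}"
    return "deny", f"no rule {src}->{dst}:{dst_port} (default deny)"


def audit(flows: List[Tuple[str, str, int]]) -> List[Tuple[str, str, int, str, str]]:
    """Evaluate a batch of (src_ip, dst_ip, dst_port) flows."""
    return [(s, d, p, *evaluate(s, d, p)) for s, d, p in flows]


# Constructed sample flows (not real traffic).
SAMPLE_FLOWS = [
    ("203.0.113.5", "10.10.1.20", 443),    # internet -> DMZ web: allow
    ("203.0.113.5", "10.50.1.1", 443),     # internet -> internal: deny
    ("203.0.113.5", "10.30.0.5", 22),      # internet -> management: deny
    ("10.10.1.20", "10.50.1.1", 3306),     # DMZ web -> internal DB: deny (no rule yet)
    ("10.30.0.5", "10.100.3.4", 22),       # management -> cloud workload: allow
    ("10.40.2.2", "100.64.5.5", 443),      # corporate user -> SaaS: allow
    ("10.50.1.1", "10.30.0.5", 22),        # internal -> management SSH: deny
]

if __name__ == "__main__":
    for row in audit(SAMPLE_FLOWS):
        print(*row)
```

Two design points worth noting. First, the catch-all prefix makes any address you have not classified land in the Internet zone, so a forgotten segment is treated as untrusted rather than silently trusted. Second, the DMZ web server to internal database flow is denied because no rule exists; that is the intended outcome of default deny, and the fix is to add a narrow rule for that one application and port rather than to open DMZ-to-internal broadly. Intra-zone traffic is allowed here only because that matches how zone-based firewalls such as PAN-OS behave by default (intrazone allow, interzone deny); if workloads inside a zone must be isolated from one another, that default should be overridden too.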
The benefits of data and application access control and segmentation
Data and application access control and segmentation address the key security challenges facing enterprises today:
Greater visibility – By deploying dynamic and adaptable traffic monitoring capabilities and automated event processing at the edge, you gain visibility of all the traffic traversing network segments, cloud services and applications, as well as within your enterprise, so that security threats can be identified and acted on in real time.
Integrated controls and management – Policy enforcement needs to take place in real time and at the closest point to where most attacks are likely to be initiated. By placing your controls and security policies at the edge, you’ll realize improved performance and scalability. In addition, they can be adjusted, also in real time, for the constantly changing nature of enterprise applications.
Greater control of data and less risk – By placing data in compliant digital edge control point nodes, you can ensure the proper management and distribution of your data complies with data security and privacy regulations. You can design solutions that mask data from potential exposure and ensure proper access controls to that data. For example, moving sensitive data to the edge with encryption and policy controls in place to ensure only the right users and systems have access to that data.
Common Deployment Scenarios
There are many different ways in which customers can leverage a DECF architecture to simplify connectivity while improving security. Three common scenarios for deploying the Public Cloud zone have been validated by Palo Alto Networks and Equinix and are outlined below:
- Hybrid Cloud Connectivity Using Virtualized NGFWs
In this scenario, a pair of VM-Series virtualized NGFWs are deployed in an Equinix Performance Hub, connecting to all AWS Availability Zones required. Using AWS, this scenario was tested with an IPsec VPN tunnel over AWS Direct Connect via the ECX Fabric, terminating on the VM-Series to provide secure, end-to-end connectivity. Traffic is distributed using BGP and as new workloads are added, the VPC route table is adjusted to ensure traffic is secured. This approach uses a more cloud-centric architecture to protect your workloads but may not scale to protect many VPCs as easily as the appliance-based or Transit VPC approaches listed below. Note that this scenario can also be deployed on Microsoft Azure and Google Cloud Platform.
- Hybrid Cloud Connectivity Using Physical NGFW Appliances
In this deployment scenario, customers who are using dedicated cloud provider connections such as AWS Direct Connect, Azure Express Route and Google Cloud Interconnect (via the ECX Fabric) can terminate those connections on a pair of Palo Alto Networks NGFWs within an Equinix Performance Hub.
- Hybrid Cloud Connectivity Using a Transit VPC
A Transit VPC is a more cloud-centric approach to securing AWS deployments with many VPCs and/or accounts. A Transit VPC takes a shared services approach to security and connectivity using a hub and spoke architecture. The hub houses IPsec VPN connectivity, VM-Series for security, along with other common services, and the spoke VPCs house workloads. All traffic from the spokes to other VPCs, back to corporate, or the web will “transit” the hub.
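In both the VM-Series and Transit VPC scenarios above, the firewall only sees traffic that the spoke route tables actually send through the hub, which is why the text stresses adjusting the VPC route table as workloads are added. The following added example (written for this post, not Equinix or Palo Alto Networks tooling) models spoke route tables as AWS-style (destination CIDR, target) entries and flags two ways inspection gets bypassed: a route whose target is something other than the hub (for example a direct VPC peering to another spoke), and a spoke with no default route to the hub at all. VPC names, CIDRs and the target labels are constructed assumptions.

```python
"""Hub-and-spoke (Transit VPC) route-table check.

Added example for this post, not Equinix or Palo Alto Networks code. Spoke
route tables are modelled as (destination CIDR, target) entries; "local" is
the VPC's own range, "hub" is the attachment towards the Transit VPC where
the VM-Series sits, and "pcx:<vpc>" is a VPC peering that skips the hub.
All names and CIDRs are constructed assumptions.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

ROUTE_TABLES: Dict[str, List[Tuple[str, str]]] = {
    "spoke-a": [("10.1.0.0/16", "local"), ("0.0.0.0/0", "hub")],
    "spoke-b": [("10.2.0.0/16", "local"), ("0.0.0.0/0", "hub")],
    # spoke-c was peered directly to spoke-a: that flow never reaches the firewall
    "spoke-c": [("10.3.0.0/16", "local"),
                ("10.1.0.0/16", "pcx:spoke-a"),
                ("0.0.0.0/0", "hub")],
    # spoke-d was created with only its local route: new workloads here are
    # unreachable from corporate and, if someone adds an internet gateway,
    # unprotected
    "spoke-d": [("10.4.0.0/16", "local")],
}


def next_hop(vpc: str, dst_ip: str) -> Optional[str]:
    """Longest-prefix match in a spoke's route table; None if no route."""
    addr = ipaddress.ip_address(dst_ip)
    best: Optional[Tuple[ipaddress.IPv4Network, str]] = None
    for cidr, target in ROUTE_TABLES[vpc]:
        net = ipaddress.ip_network(cidr)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else None


def transits_hub(src_vpc: str, dst_ip: str) -> bool:
    """True only if traffic from src_vpc to dst_ip is forwarded to the hub."""
    return next_hop(src_vpc, dst_ip) == "hub"


def audit(tables: Dict[str, List[Tuple[str, str]]] = ROUTE_TABLES) -> Dict[str, List[str]]:
    """Report every spoke whose routing lets traffic avoid the hub."""
    findings: Dict[str, List[str]] = {}
    for vpc, routes in tables.items():
        issues = [f"{cidr} via {target} bypasses hub"
                  for cidr, target in routes if target not in ("local", "hub")]
        if not any(cidr == "0.0.0.0/0" and target == "hub" for cidr, target in routes):
            issues.append("no default route to hub")
        if issues:
            findings[vpc] = issues
    return findings


if __name__ == "__main__":
    for vpc, issues in audit().items():
        print(vpc, "->", "; ".join(issues))
```

Run against the constructed tables, `audit()` reports spoke-c for the peering route and spoke-d for the missing default route, while spoke-a and spoke-b are clean because every non-local destination resolves to the hub. In a real account the same check would be fed from the route tables the cloud API returns, and a spoke that is clean here can still be bypassed by a more specific route added later, so it belongs in a recurring compliance job rather than a one-off review.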
A new digital edge has emerged from enterprises' adoption of cloud and the need to collect, process and store data closer to creators and consumers. This has resulted in new IT infrastructure and security paradigms that allow for the control, visibility and segmentation of cloud resources, while enabling cloud agility. A digital edge control framework that leverages an IOA is necessary to implement security control functions applicable to hybrid and/or multicloud environments. Access control and segmentation best practices deployed in a DECF are critical at the beginning of your cloud migration. In working with Equinix and Palo Alto Networks, you will have the right set of best practices and guidelines to succeed.
Learn more by contacting your local Equinix Global Solutions Architect or Sales Executive.
You may also want to consult our IOA Knowledge Base to access the IOA Security Blueprint.