How To Converse in Cloud

How to Converse in Cloud: Cloud Security Controls

As clouds become more ubiquitous in the enterprise, traditional on-premises security solutions need to be re-architected to protect businesses as they make their journey to the cloud. When compute processing, content and data move to the cloud and data sources become more geographically dispersed, protecting those assets can be a challenge. Security controls need to extend out to the edge to deliver robust and reliable data and application privacy, protection and compliance.

However, distributing security to the edge brings a new set of challenges that enterprises must consider:

  • Lack of visibility of server-to-server data (i.e., East-West traffic) within a data center
  • The need to implement consistent security policies across on-premises, hybrid cloud and multicloud environments
  • The steady increase of attack volume, depth and breadth from moving traffic to the public cloud
  • Data loss control and detection in SaaS applications
  • Data collection and analytics for threat detection, as well as data-driven business decisions

It is increasingly important for IT organizations to address these challenges head-on as the cost of data breaches continues to rise. According to the Ponemon Institute’s 2018 Cost of a Data Breach Study sponsored by IBM, the average total cost of a data breach rose 6.4% from $3.62 million (M) in 2017 to $3.86 M in 2018.[i]

Creating agile, cloud-neutral security control points

These challenges can be met by leveraging Interconnection Oriented Architecture™ (IOA™) best practices for distributing networks, data, security and applications at the edge. By taking the following steps, you can create agile, cloud-neutral security control points across a globally distributed colocation and interconnection platform. Security control points are where you deploy security applications and access security services from cloud and SaaS providers at the edge, proximate to users, end points, data and applications. Here is a quick summary of the three key steps.

1. Expand your security perimeter to the edge

The outer perimeter is where networks and resources, which are under an enterprise’s domain of control, interface to networks and resources that are under the control of others (where “ours” connects to “everyone else’s”). It’s the outer wall and the first line of defense where you should place your cloud security controls. Due to the increase of distributed and mobile applications and data sources at the edge, this outer wall is moving out beyond on-premises security controls. This is why placing security controls in an edge-based vendor-neutral colocation facility, where you can leverage private, fast and low-latency connections via an interconnection hub, is critical to maintaining end-to-end data and application security and compliance.

These edge-based security controls typically include capabilities such as DDoS mitigation, next-generation firewalls (NGFWs), web application firewalls (WAFs) and key management systems. Moving security controls to the edge can take place at the initial stage of your cloud transformation journey, when web content and other public-facing services are being migrated to the cloud. At this stage you can also terminate corporate WANs and remote access in multiple regional colocation facilities for greater network optimization.


Edge Network Optimization and Security Control via Colocation and Interconnection


2. Create core security control characteristics

As enterprises continue their cloud transformation journey, they often move more enterprise applications and data to the cloud and SaaS providers, which are located OUTSIDE of the traditional data center and its control mechanisms. In addition, applications and their associated data may be distributed regionally, as they need to be located closer to the end-user/consumer, to improve performance.

As this transition to cloud and SaaS providers takes place, the enterprise should consider deploying additional security control functions like encryption of data at rest, cloud workload visibility and web security to the same vendor-neutral colocation facility where interconnection hubs can be leveraged.


The Security Edge Accumulates “Core” Characteristics


3. Creation of cloud-neutral, cloud-agile security control points

Each CSP has a different set of security features native to its platform. If you use all of their controls without having a master controller of your own, you will have to construct your security controls multiple times, once per CSP. That is a lot of work. Ideally, you will want to architect your security controls once, for your cloud instances as a whole rather than per provider. This allows you to move a set of workloads from one cloud to another without changing how you implement the security controls, without configuring and applying policies all over again, and without needing a whole different set of software.

To avoid these time-consuming and complex measures when migrating workloads between clouds, you can make the colocation site a forward operating base (FOB) that supports your cloud security goals. In an IOA strategy, FOBs are called “security control points.” Security control points act as a cloud-neutral “space” from which you can apply and manage security controls across multiple clouds for greater agility. It is where tools, logs, storage, etc. can be housed to pull back data, investigate and remediate issues in the event of a cloud breach. You can run and manage tools from these security control points to provide greater visibility, whether it be enterprise-to-cloud or cloud-to-cloud. It is also where the systems upon which you define, author and apply your security policies reside, so those policies can be easily applied to any cloud (see diagram below).


Cloud-neutral, cloud-agile security control points


Gain greater security for distributed, hybrid IT environments

Placing cloud security controls at the edge enables greater performance, visibility and agility when securing multiple workloads across on-premises, hybrid cloud and multicloud infrastructures. A global, vendor-neutral colocation and interconnection platform, such as Platform Equinix®, allows you to deploy robust security control points along the perimeter of your digital business for the highest level of data security, protection and compliance.

To learn how to place your cloud security controls at the edge using IOA best practices, read the Distributed Security Playbook.

You may also want to read: RSA 2019: Distributing Security to the Edge.

[i] IBM and Ponemon Institute, “2018 Cost of a Data Breach Study,” 2018.
