The new generation of cloud-native barrier controls
The cloud market since COVID-19 has seen sweeping change and demand for many new use cases, none more so than cloud barrier (perimeter) controls.
Two opposing forces drive this. On one side is the one-stop shop: the all-in-one cloud barrier controls that the hyperscaler providers sell directly, often supplemented by their marketplace services and third parties. On the other is the move to multi-cloud, coupled with the requirement to support remote workers and branch offices.
The major cloud service providers have for some time been building out consolidated security barriers offered under a variety of subscriptions and service combinations. These are sets of pre-built services that the customer combines as needed: purchase and configure them and they protect the cloud subscription. The advantages are ease of deployment, monitoring and visibility, and a single bill across the subscription.
These hyperscaler cloud barrier (or front door) services run on the provider's own backbone network to give customers global, scalable entry points. The front doors are spread across hundreds of Points of Presence (PoPs) worldwide, where incoming traffic is collected, analysed and correlated against attack signatures, with updated protections pushed out dynamically. They are multi-tenant services: the customer creates a profile containing the specific services they want and the configuration each requires, helped along by templates, out-of-the-box standards and best practices, and pre-built connectors and APIs to internal services.
The front door services are sold in different subscription plans, typically basic, standard and premium tiers. Basic plans are often the free default and consist of always-on traffic monitoring and built-in attack mitigations. Standard tiers are generally billed Pay As You Go (PAYG) and add the ability to change and adapt rules. Premium tiers include further curated and managed rulesets but are usually only available on monthly or yearly subscriptions.
The security controls bundled into these subscriptions differ by provider but typically include DDoS (Distributed Denial of Service) protection in front of the global load balancers. Higher tiers add integration with threat intelligence for learnt patterns and tuned protection settings, features such as access to a rapid response team, and cost protection: if a DDoS attack does impact your service, you can claim service credits for the resource costs it caused (for example the compute and bandwidth consumed scaling out under attack). Such guarantees cover the provider's resource charges, not your own business losses.
These services pair with Content Delivery Networks (CDNs), caching commonly used content at the edge for application acceleration, and with load balancers deployed behind the front door for internal services and backend pools of web applications and storage. Further complementary services include Web Application Firewalls (WAFs) with built-in rulesets, threat intelligence feeds, access controls and machine-learning services that capture attack signatures and suggest mitigation rules to apply. They couple with third-party marketplace services that add capabilities such as detailed real-time analysis and automated policy. All of these work alongside application gateways providing localised load balancing and session affinity, with API gateways, identity-aware proxies and centralised logging as further optional add-ons.
Examples of these consolidated boundary control services include Azure Front Door services and Google Cloud Armor.
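To make the "profile" described above concrete, here is an added example (not code from the original article, nor from any provider) of what a customer-defined policy for one of these front doors looks like: a Google Cloud Armor security policy written in Terraform, attached to a backend service behind the global external load balancer. The resource names, the IP range, the login path and the rate-limit numbers are illustrative assumptions; the resource types, fields and preconfigured expression names are those of the Google Terraform provider and Cloud Armor.

```hcl
# Added example (not from the original article): a Google Cloud Armor security
# policy expressed in Terraform and attached to a load-balancer backend.
# Names, paths and thresholds are illustrative assumptions.
resource "google_compute_security_policy" "edge" {
  name        = "edge-policy"   # assumed name
  description = "Front-door policy for the public web tier"

  # Rule 1000: managed WAF signature for SQL injection, enforced at the edge.
  rule {
    action      = "deny(403)"
    priority    = 1000
    description = "Block SQL injection (preconfigured ruleset)"
    match {
      expr {
        expression = "evaluatePreconfiguredExpr('sqli-stable')"
      }
    }
  }

  # Rule 1100: XSS signature in preview mode. Matches are logged but not
  # enforced, so the ruleset can be tuned against real traffic (false
  # positives checked in the load balancer logs) before it starts blocking.
  rule {
    action      = "deny(403)"
    priority    = 1100
    preview     = true
    description = "Evaluate XSS ruleset without enforcing it"
    match {
      expr {
        expression = "evaluatePreconfiguredExpr('xss-stable')"
      }
    }
  }

  # Rule 2000: per-source-IP rate limit on the login path (assumed path and
  # numbers) to blunt credential stuffing without blocking legitimate users.
  rule {
    action      = "throttle"
    priority    = 2000
    description = "Throttle repeated requests to /login"
    match {
      expr {
        expression = "request.path.matches('^/login')"
      }
    }
    rate_limit_options {
      conform_action = "allow"
      exceed_action  = "deny(429)"
      enforce_on_key = "IP"
      rate_limit_threshold {
        count        = 60
        interval_sec = 60
      }
    }
  }

  # Default rule (lowest possible priority): allow whatever was not matched above.
  rule {
    action      = "allow"
    priority    = 2147483647
    description = "Default allow"
    match {
      versioned_expr = "SRC_IPS_V1"
      config {
        src_ip_ranges = ["*"]
      }
    }
  }

  # Tier-dependent feature: ML-based layer-7 DDoS defence, the "adaptive"
  # protection the higher subscription tiers advertise.
  adaptive_protection_config {
    layer_7_ddos_defense_config {
      enable          = true
      rule_visibility = "STANDARD"
    }
  }
}

# The policy only takes effect once attached to a backend service behind the
# global external load balancer (assumed name; backends and health checks
# are omitted here because this fragment only shows the attachment).
resource "google_compute_backend_service" "web" {
  name            = "web-backend"
  security_policy = google_compute_security_policy.edge.id
}
```

Two points a practitioner should take from this: rules are evaluated in priority order and the catch-all default rule decides what happens to unmatched traffic, so a missing or wrongly ordered default silently changes the policy's meaning; and new managed rules should go in with `preview = true` first, because a curated ruleset that blocks legitimate requests at the front door takes the whole application down from the customer's point of view.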
Whilst such services integrate with more traditional N-tier approaches (layered architectures protecting publicly accessible services) inside a cloud environment, these consolidated barrier bundles cannot be used outside their own cloud: Cloud Armor protects Google Cloud projects, Front Door protects Azure subscriptions. The rise of hybrid, the emerging need for multi-cloud controls, the fact that many users still work from home and the need to support roaming users and remote offices all call for more distributed and adaptive controls: controls that combine different vendors and cloud providers; that integrate firewall features, aggregated logging, visibility and monitoring, and micro-workload and identity segmentation; that centralise policy management; and that draw on third parties and cloud marketplace vendors for holistic, integrated feature consolidation across services.
This includes Secure Web Gateways (SWGs), which deliver barrier controls either purely cloud-based or as a hybrid with on-premise appliances. SWGs add a layer of protection against web-borne attacks (URL filtering, advanced threat detection, malware blocking and so on) and cut branch office costs by sending traffic straight to the requested SaaS services over the Internet instead of backhauling it over MPLS links to a central data centre. In effect they are a cloud-based security stack positioned between the user and the Internet.
A sister technology is Firewall as a Service (FWaaS): multi-function security delivered as a cloud service that protects small branch offices and mobile users under centralised policy. FWaaS is a simpler, more flexible architecture whose growth has been triggered by SD-WAN and hybrid WAN adoption. It is a core component of the emerging Secure Access Service Edge (SASE) frameworks, operates across a remotely distributed network for greater flexibility, and relieves the bottleneck at on-premises infrastructure created by the surge in remote working. These convergent technologies span SD-WAN, CASBs, SASE, ZTNA, FWaaS and SWGs. They put greater emphasis on identity protection and on verifying context-based access across security boundaries: access is typically mediated by a trust broker that verifies the identity, context and policy adherence of each request and dynamically shields services from attackers, so that the services themselves are never exposed directly.
Whilst both the hyperscaler cloud barrier services and those built for multi-cloud environments will co-exist and necessarily overlap, either the centralised barrier model or the distributed one will eventually prevail. The hyperscaler model is too entrenched, and combines ease of use with large-scale security automation, so it can be expected that the hyperscalers will adjust to multi-cloud controls and fold the new convergent technologies heavily into their own security offerings.
Author:
David Frith, NCC Group
Laura Foster
Laura is techUK’s Head of Programme for Technology and Innovation.