Does the cloud have edges? We refer to the cloud as a perimeter-less environment, with workloads moving dynamically through various physical networks and regions. The cloud is interlinked in such a manner that there is no clearly defined edge to it. So what does it really mean to create cloud security at the edge?
To answer this question, let’s use an analogy. When the world was considered a flat landmass, humans thought it had a physical edge. Once we understood that Earth is a globe, the concept of that physical edge was no longer valid. However, from a logical point of view, the world’s landmass is divided into continents, countries, cities, neighborhoods, apartments, houses, etc. People can move around freely among these various locations. However, each area has its own rules of entry to ensure people traversing these locations are checked for positive intent and don’t have a negative impact at the location. Thus, a strong level of investigation at the port of entry becomes critical.
Similarly, the cloud environment is created by a number of networks coming together. The entry points to each of these enterprise networks become critical from a security point of view. Yes, this was always the case; however, the traditional approach to edge security doesn’t work in the cloud environment simply because the cloud requires much more flexibility in terms of allowing workloads to move around. Standard hierarchy-blocking of IP addresses or restricted entry only creates more false positives. In this new context, network security solutions that can carry out deeper inspections are vital to differentiate between a legal workload and a malicious one.
Tightening Cloud Security
A cloud security solution working at the edge needs the following capabilities:
- Visibility: It is important to provide a detailed visibility to the security administrator on the kind of ingress and egress traffic that traverses the network, specifics of the URL categories visited and their IP reputations.
- Control: Converting the visibility into relevant action is critical, so the enterprise should be able to define granular Web application policies. Also, blocking interactions with malicious URLs and allowing only the required business access to applications is important. This reduces the circumference for attacks against human vulnerabilities.
- Protection: Large-bandwidth, deep packet inspection capabilities are required to efficiently handle traffic through the entry points. In a cloud environment, the intelligence behind identifying exploits is paramount. This is done to avoid false positives, thus providing the flexibility the cloud should provide and, more essentially, to gain intelligence to stop mutated and zero-day exploits since the network is directly exposed to the global threat landscape.
- Multiple Traffic Type Inspection: The solution should be able to carry out the same level of inspection on encrypted traffic and traffic using varied protocols.
To protect your enterprise within the cloud, you need to create a strong security posture at the point of entry. This ensures that you disrupt threats at an early stage of their life cycle and that your enterprise’s cloud security strategy secures it from the edge.