True cloud security really should be delivered from the cloud
Article by Bitglass founder and CTO Anurag Kahol.
The impact of uptime and performance across cloud security solutions is coming under increased scrutiny.
Some SASE vendors, and by definition their customers, have been impacted by significant levels of downtime. While one service recently saw over 12 hours of downtime, another suffered from half a dozen outages in just over two weeks.
Such events have potentially serious implications. They expose organisations directly to increased cyber security risks, can disrupt the normal flow of operations, and even bring business continuity to a halt.
For many organisations, that level of exposure is incompatible with their needs, and underlines the critical nature of cloud security that delivers on the core principle of continually protecting infrastructure, services and data.
Typically, these service outages find their origins in the underlying infrastructure on which a vendor's products are built. Most SASE providers have created, and subsequently maintain, their own networks of private data centres in order to deliver their solutions.
The challenge here is that this approach essentially amounts to an attempt to match the level of service provided by public cloud companies that have dedicated entire businesses to it.
There is a broad range of cloud security services on the market with varying levels of functionality. Some operate inline for real-time security, while others provide out-of-band for visibility and control. In each case, the most important buying criterion is the levels of service uptime and performance they can deliver.
In addition, some cloud security services are sold as network services with fixed capacity priced at an annual fee per Gbps. Such pricing is suitable for network security services such as firewalls or secure web gateway proxies, while other cloud security services such as email security, DLP or CASB, are priced on the basis of an annual fee per user.
However, when there is a mismatch between the technology stack and the business model, uptime and performance are compromised.
Legacy security products designed for single tenant usage operate at fixed throughput loads, such as 1GB/sec firewall or secure web gateway proxy. When these products are offered as cloud services, vendors simply deploy the legacy devices in a data centre and charge customers on the basis of the throughput.
Pricing and architecture are aligned, but if a customer overloads the network, congestion is likely to occur. In this situation, the customer can decide to purchase additional capacity to meet their needs, while other customers remain unaffected.
However, when legacy architecture is used for services such as email security, DLP or CASB, uptime and performance can suffer.
These services are licensed on a per user basis, and the customer is paying for performance and uptime levels independent of the time of day, user mobility or usage trends.
For example, a customer with 10,000 users expects the same performance and uptime, even if half the users gather for a remote offsite meeting. The problem is in practice, this kind of scenario can overload the remote data centre that has a fixed capacity, and in the process bring it down for all users and possibly for all other customers as well.
Ideally, security services that are licensed on a per-user basis, such as email security, DLP and CASB, will benefit from access to a wide range of technology components such as proxy, scanning nodes, Hadoop clusters, mail servers, databases and search indexes, among others.
Crucially, these services must scan multiple applications and protocols simultaneously to provide effective, agile protection.
In a polyscale architecture, each component is stateless, multi-tenant and can handle any type of application. When the load rises in a component, and for example, exceeds 50 percent during a five minute interval, the component clones itself.
In the previous example, where the user organisation has a large offsite meeting, the remote data centre responds to the increased demand and automatically grows towards the load profile required at the time.
Cloud security services such as email security, DLP and CASB are licensed by the number of users. These services also require a broad range of components that will operate globally, at scale and across hundreds of applications.
Security services built on legacy security architectures are designed for fixed capacity loads at single tenants and are unable to scale with application usage. Such services suffer long delays in out-of-band mode, and impact business continuity in real-time inline operation.
But by delivering cloud security services through the public cloud, security service providers can focus on driving innovation across its security technologies rather than managing a fleet of data centres.
This also delivers infrastructure where unparalleled uptime supports a polyscale architecture to adapt in real time to changes in customers' load profiles, ensuring maximum scalability and performance around the clock and anywhere in the world.
Ultimately, the cloud already has virtually infinite redundancy, storage, and compute power, and as a result, true cloud security should be delivered from the cloud itself.