True cloud security really should be delivered from the cloud
Article by Bitglass Founder and CTO Anurag Kahol.
The impact of the availability and performance of cloud security solutions is under scrutiny.
Several SASE vendors, and by extension their customers, have been hit by significant downtime. One service recently experienced more than 12 hours of downtime, while another suffered half a dozen outages in just over two weeks.
Such events have potentially serious implications. They directly expose organizations to increased cybersecurity risk, can disrupt the normal flow of operations and can even break business continuity.
For many organizations this level of exposure is unacceptable, and it underscores what cloud security is meant to guarantee: continuous protection of infrastructure, services, and data.
Typically, these service disruptions originate in the underlying infrastructure upon which a vendor’s products are built. Most SASE vendors have created, and then maintain, their own private data center networks to provide their solutions.
The challenge is that this approach amounts to trying to match the level of service delivered by the public cloud providers, whose entire business is dedicated to exactly that.
There is a wide range of cloud security services on the market with different levels of functionality. Some operate inline for real-time security, while others provide out-of-band visibility and control. In either case, the most important purchase criteria are the availability and performance the service can deliver.
In addition, some cloud security services are sold as fixed-capacity network services for an annual fee per Gbit/s. Such pricing suits network security services such as firewalls or secure web gateway proxies, whereas other cloud security services such as email security, DLP or CASB are billed as an annual fee per user.
However, when there is a mismatch between the technology stack and the business model, availability and performance are compromised.
Legacy security products designed for single-tenant use operate at fixed throughput loads, such as a 1 Gb/s firewall or secure web gateway proxy. When these products are offered as cloud services, vendors simply deploy the existing appliances in a data center and bill customers on a throughput basis.
Pricing and architecture are aligned: if a customer exceeds the capacity it purchased, its own traffic is congested, and the customer can buy additional capacity to meet its needs without affecting other customers.
However, when the legacy architecture is used for services such as email security, DLP, or CASB, availability and performance can suffer.
These services are licensed on a per-user basis, and the customer pays for performance and availability levels regardless of time of day, user mobility, or usage trends.
For example, a customer with 10,000 users expects the same performance and availability even when half of those users gather at an offsite meeting. In practice, this kind of scenario can overload a remote data center of fixed capacity and, in the process, bring it down for all of that customer’s users and possibly for every other customer served by the same data center.
Ideally, per-user licensed security services such as email security, DLP, and CASB draw on a wide range of technology components: proxies, analytics nodes, Hadoop clusters, messaging servers, databases and search indexes, among others.
Above all, these services must analyze multiple applications and protocols simultaneously to provide efficient and agile protection.
In a polyscale architecture, each component is stateless, multi-tenant, and can handle any type of application. When the load on a component increases and, for example, exceeds 50 percent over a five-minute interval, the component clones itself.
In the earlier example, where the customer’s organization holds a large offsite meeting, the remote data center responds to the increased demand and automatically scales to the load profile required at that moment.
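The contrast between the fixed-capacity data center (the overloaded offsite-meeting scenario above) and the polyscale scaling rule (clone a component when its utilization exceeds 50 percent over a five-minute interval) can be made concrete with a small simulation. The code below is an added example, not Bitglass code or anything described by the article; the 10,000-user population comes from the text, while the capacity of 3,000 requests per interval, the two requests per user per interval, the shape of the offsite-meeting demand curve and the assumption that the pool never scales back in are constructed assumptions for illustration.

```python
"""Constructed simulation of a fixed-capacity single-tenant node versus a
stateless component pool that clones itself under the article's scaling rule.

Each simulation tick is one five-minute evaluation interval. Scaling decisions
taken at the end of an interval take effect in the next one, so a very sudden
spike could still be dropped for one interval; this profile ramps up, as a
meeting usually does. All numbers except the 10,000 users are assumptions.
"""
from dataclasses import dataclass, field

USERS = 10_000                # figure taken from the article's example
REQUESTS_PER_USER = 2         # assumed requests per user per interval
UNIT_CAPACITY = 3_000         # assumed requests one component handles per interval
SCALE_OUT_THRESHOLD = 0.50    # article's rule: clone above 50 percent utilization


def offsite_demand_profile():
    """Constructed demand curve: the fraction of the 10,000 users whose traffic
    is routed through the remote data center, interval by interval, as the
    offsite meeting builds up to half the workforce and then winds down."""
    fractions = [0.10, 0.10, 0.20, 0.35, 0.50, 0.50, 0.50, 0.30, 0.10]
    return [int(USERS * f * REQUESTS_PER_USER) for f in fractions]


@dataclass
class FixedNode:
    """Legacy appliance: one tenant, one fixed throughput, no way to grow."""
    capacity: int

    def serve(self, demand):
        """Return the number of requests dropped in this interval."""
        return max(0, demand - self.capacity)


@dataclass
class ElasticPool:
    """Stateless, evenly load-balanced components that clone when overloaded."""
    unit_capacity: int
    instances: int = 1
    history: list = field(default_factory=list)  # (instances, utilization) per interval

    def serve(self, demand):
        """Serve one interval, record utilization, then apply the scaling rule."""
        total = self.unit_capacity * self.instances
        utilization = demand / total
        self.history.append((self.instances, round(utilization, 2)))
        # With even load balancing every instance sees the same utilization, so
        # when the threshold is crossed each component clones and the pool doubles.
        if utilization > SCALE_OUT_THRESHOLD:
            self.instances *= 2
        return max(0, demand - total)


def run_fixed(demand, capacity=UNIT_CAPACITY):
    node = FixedNode(capacity)
    dropped = [node.serve(d) for d in demand]
    return {
        "dropped_total": sum(dropped),
        "saturated_intervals": sum(1 for x in dropped if x > 0),
    }


def run_elastic(demand, unit_capacity=UNIT_CAPACITY):
    pool = ElasticPool(unit_capacity)
    dropped = [pool.serve(d) for d in demand]
    return {
        "dropped_total": sum(dropped),
        "final_instances": pool.instances,
        "instances_per_interval": [h[0] for h in pool.history],
    }


if __name__ == "__main__":
    profile = offsite_demand_profile()
    print("demand per interval:", profile)
    print("fixed-capacity node:", run_fixed(profile))
    print("elastic pool       :", run_elastic(profile))
```

With these assumptions the fixed node is saturated for six consecutive intervals (half an hour) and drops 29,000 requests, while the pool grows from one to eight instances ahead of the peak and drops nothing. The rule is deliberately the article's one-line policy; a production autoscaler would also scale back in, cap the instance count, and measure utilization per component rather than assuming perfectly even balancing.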
Cloud security services such as email security, DLP, and CASB are licensed by the number of users. These services also require a wide range of components that will work globally, at scale, and across hundreds of applications.
Security services built on legacy security architectures are designed for fixed-capacity, single-tenant loads and cannot scale with application usage. Such services suffer long delays in out-of-band mode and put business continuity at risk in real-time inline operation.
But by delivering cloud security services through the public cloud, security service providers can focus on innovating their security technologies rather than managing a fleet of data centers.
It also provides an infrastructure where unmatched availability supports a large-scale architecture to adapt in real time to changing customer load profiles, ensuring maximum scalability and performance around the clock and anywhere in the world.
Ultimately, the cloud already has virtually endless redundancy, storage and computing power, and therefore true cloud security must be provided from within the cloud itself.