A decade ago, countless single-purpose appliances cluttered enterprise networks. Network engineers created complex high-availability architectures to accommodate the firewalls, intrusion detection systems, secure web gateways, anti-virus gateways, anti-spam appliances and more that safeguarded network traffic.
When new attack vectors emerged, security vendors responded with "there's an appliance for that," introducing new point products for every threat. Over time, to prevent the proliferation of appliances in customer networks, security vendors began to consolidate these capabilities into integrated security appliances.
While these integrated security appliances drew on external sources for threat intelligence, signature updates and other data feeds, the appliances still made all the security decisions. The "brains" of the security architecture was on-premises.
Bumps in the roadmap
The on-premises security model worked for many years, but it too is reaching its limit. While organizations will always need physical or virtual appliances on-site to enforce security policies, the following challenges are forcing organizations to re-think how they prevent threats:
Over the years, threat intelligence feeds have grown exponentially. In 1995, the World Wide Web contained fewer than 20,000 websites; by 2017 it held over 1.7 billion, according to Netcraft. The number of known malware variants has likewise exploded, from tens of thousands in 2005 to hundreds of millions now.
It is difficult for appliances to store and look up this ever-increasing data set of threats. In addition, more advanced techniques are required to detect attacks and malware that mutate dynamically. Now every URL, every file, and virtually every type of communication must be analyzed for malicious content, and that analysis requires far more computing resources than simple hash or IP address comparisons.
Just as threats and malicious actors have evolved rapidly, security defenses must keep pace. The best way to fight cyber adversaries is to continually develop and release new protections in the form of software updates, then measure their efficacy and refine them. That agile cycle is not possible when it takes months or years to roll out software upgrades to on-premises appliances.
Preventing advanced threats requires more in-depth analysis than a typical physical or virtual security appliance can provide. To detect and stop a malicious insider, risky user behavior, or a sophisticated attacker operating in the network, security products must examine multiple attributes of behavior across protocols and over time.
Security products also need to compare user activity to expected behavior to detect anomalies and analyze traffic from multiple sources. All this analysis requires reams of data -- or at least metadata -- which calls for additional servers or appliances and introduces hefty capital and operating costs.
Navigating privacy concerns in the cloud
Cloud-based security, working in conjunction with on-premises security and enforcement, provides the scale, agility and analytics needed to fight modern cyber attacks. But if not handled properly, it can also pose challenges associated with privacy and compliance. Though ensuring that their data is secure is an obvious priority, organizations also need to comply with government and industry regulations, such as EU data protection laws that govern where and how user data can be stored.
To allay these security and compliance concerns, organizations can look for cloud security services that document what data is stored in the cloud, where it is stored, how it is secured, and who can access it. In addition, cloud security service providers should offer granular controls to configure which data is sent to the cloud and how long the data is retained. They should also engage a third party to review and certify the security, availability and privacy of their service.
When public cloud computing first burst onto the scene over a decade ago, many business and IT leaders were reluctant to adopt these services because of security and privacy concerns. Over time, they realized that cloud computing was not only more scalable and efficient, but it was often more secure than their on-premises systems.
Cloud-delivered security offers the same advantages. The benefits in terms of security innovation, operating cost efficiency, capex savings, and cross-technology integration are too great to return to older, on-premises-only architectures.
Organizations that are reluctant to use cloud security services can consider technologies where the benefits are the most compelling. These include:
- Security analytics: Cloud-based analytics eliminates many of the headaches associated with the management and maintenance of on-site data repositories by leveraging the power of distributed and on-demand computing to tackle scaling limitations. More importantly, cloud-based logging is a foundation on which organizations can run analytics, orchestration, data visualization, reporting and countless other apps. Security analytics in the cloud unleash a new way to develop, deliver and consume innovative security applications from any provider, without additional complexity or infrastructure.
- Advanced threat analysis: Cloud-based advanced threat analysis empowers organizations to perform in-depth analysis of suspicious files and communications without compromise. No longer encumbered by the performance and system restraints of an appliance, a cloud-based service can perform dynamic analysis, static analysis, machine learning and even bare metal analysis of suspicious files to detect attacks and defeat evasion techniques.
- URL reputation services: The sheer number of domains and unique URLs demonstrates the need for cloud-based reputation scoring of URLs. Cloud-based URL look-ups, backed by a local cache, maximize speed and accuracy and ensure that URL classification data is current. Cloud-based URL reputation services outshine static URL classification databases when users attempt to access URLs that have never been seen before: the service can perform on-demand automated analysis to determine whether the URL is malicious.
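As an added illustration of the look-up pattern just described (example code written for this page, not Palo Alto Networks' or any product's implementation), the Python below fronts a cloud reputation query with a local TTL cache, queues never-seen URLs for on-demand analysis while applying a configurable policy to them in the meantime, and makes the fail-open versus fail-closed choice explicit for the case where the cloud is unreachable. The cloud service is simulated by a constructed in-memory table; FAKE_CLOUD_VERDICTS, UrlReputationClient and the verdict names are assumptions of this example.

```python
"""Cloud URL reputation lookup fronted by a local TTL cache (illustrative example)."""
import time
from urllib.parse import urlsplit

# Constructed sample data standing in for a cloud reputation service; not real verdicts.
FAKE_CLOUD_VERDICTS = {
    "http://example.com/": "benign",
    "http://malware-sample.test/dropper.exe": "malicious",
}


class CloudUnavailable(Exception):
    """Raised when the cloud lookup times out or is unreachable."""


def normalize_url(url: str) -> str:
    """Canonicalize a URL so trivially different spellings share one cache key.

    Lowercases the scheme, drops the fragment and a default port, and defaults an
    empty path to '/'. The query string is kept: it can carry the malicious part.
    """
    parts = urlsplit(url.strip())
    scheme = parts.scheme.lower()
    host = parts.hostname or ""  # urlsplit lowercases the host and strips userinfo
    default_port = {"http": 80, "https": 443}.get(scheme)
    netloc = host if parts.port in (None, default_port) else f"{host}:{parts.port}"
    path = parts.path or "/"
    query = f"?{parts.query}" if parts.query else ""
    return f"{scheme}://{netloc}{path}{query}"


class ReputationCache:
    """Local verdict cache with per-entry expiry; 'now' is injected for testability."""

    def __init__(self):
        self._entries = {}  # key -> (verdict, expires_at)

    def get(self, key, now):
        hit = self._entries.get(key)
        if hit is None:
            return None
        verdict, expires_at = hit
        if now >= expires_at:  # stale entries are dropped, forcing a fresh cloud query
            del self._entries[key]
            return None
        return verdict

    def put(self, key, verdict, ttl, now):
        self._entries[key] = (verdict, now + ttl)


class UrlReputationClient:
    """Enforcement-point side: cache first, cloud second, explicit fallback policy."""

    def __init__(self, cloud_lookup, *, fail_closed=True, unknown_action="block",
                 ttl_known=3600, ttl_unknown=300):
        self._cloud = cloud_lookup
        self._cache = ReputationCache()
        self.fail_closed = fail_closed        # what to do when the cloud is unreachable
        self.unknown_action = unknown_action  # what to do while a never-seen URL is analyzed
        self.ttl_known = ttl_known
        self.ttl_unknown = ttl_unknown        # short, so the analysis result is picked up soon
        self.pending_analysis = []            # URLs handed to on-demand analysis
        self.cloud_calls = 0

    def decide(self, url, now=None):
        """Return (action, source): action is 'allow' or 'block'; source says where it came from."""
        now = time.time() if now is None else now
        key = normalize_url(url)
        verdict = self._cache.get(key, now)
        if verdict is not None:
            return self._action_for(verdict), "cache"
        try:
            self.cloud_calls += 1
            verdict = self._cloud(key)
        except CloudUnavailable:
            return ("block" if self.fail_closed else "allow"), "cloud-unavailable"
        if verdict is None:
            # Never-seen URL: queue it for on-demand analysis and apply the unknown policy.
            self.pending_analysis.append(key)
            self._cache.put(key, "unknown", self.ttl_unknown, now)
            return self._action_for("unknown"), "cloud-unknown"
        self._cache.put(key, verdict, self.ttl_known, now)
        return self._action_for(verdict), "cloud"

    def _action_for(self, verdict):
        if verdict == "malicious":
            return "block"
        if verdict == "unknown":
            return self.unknown_action
        return "allow"


def fake_cloud_lookup(key):
    """Stand-in for the cloud API: a verdict, or None for a never-seen URL."""
    return FAKE_CLOUD_VERDICTS.get(key)


def failing_cloud_lookup(key):
    """Stand-in for a cloud API that is timing out."""
    raise CloudUnavailable("simulated timeout")


if __name__ == "__main__":
    client = UrlReputationClient(fake_cloud_lookup)
    for u in ("http://Example.COM:80/#frag", "http://example.com", "http://never-seen.test/x?y=1"):
        print(u, "->", client.decide(u, now=0))
```

Two points the code makes explicit that the prose leaves implicit: the local cache only helps for URLs the enforcement point has already seen, so the policy for never-seen URLs and for an unreachable cloud service must be decided in advance (here both default to block, which is the safer choice for a web gateway but may be wrong for an environment where availability dominates), and unknown verdicts are cached only briefly so the on-demand analysis result is picked up on the next access rather than hours later.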
As the traditional network perimeter fades away and organizations face the task of protecting distributed networks and a growing workforce of mobile users, cloud security services -- combined with on-premises policy enforcement -- provide an integrated way to monitor, protect, analyze, and report on the security of the entire organization, including all its users, applications and data. A hybrid cloud and on-premises security architecture is the only way to achieve the best security outcomes at scale.
— Giora Engel is vice president of product management at Palo Alto Networks