Strategic Security – Cloud-based MSS
Frequency-X Blog. Posted by Gunter Ollmann on July 14, 2008 at 8:33 AM EDT.
Last month I covered how I’m expecting protection technologies to become embedded ever deeper into the applications and platforms we rely upon – rather than the way in which security currently encases (or should that be ‘entombs’?) those very same applications. Today I’m going to cover how the third-party management of perimeter security devices will likely change over the next few years.
Or more precisely, why many organizations won’t have to continue to invest in purchasing their own perimeter security appliances in the future…
In the traditional layered-defense model, organizations deploy their primary network protection systems at their exposed Internet perimeter. There you’ll find the big firewalls, IPS and IDS appliances, Web proxies, mail security gateways, etc. protecting their denizens from the barrage of cyber-threats.
At some stage, many of those organizations will decide that it’s more efficient and cost-effective to have an external Managed Security Services (MSS) company take over the daily management of those protection systems – hopefully picking up 24x7 monitoring along the way, complete with an event ticket management framework and a multi-tier support structure delivered by trained security professionals (and, if they’re an IBM MSS customer, access to the X-Force’s threat expertise).
In order to provide continuous monitoring and management of those perimeter protection systems (located at the organization’s hosting facilities), the MSS company must be able to manage them remotely – typically relying upon secure VPN tunnels and occasionally out-of-band technologies (for high availability and for delivering more comprehensive SLAs) to do so.
As the client organization expands or replaces its perimeter protection infrastructure, the MSS company is simply passed the additional cryptographic access keys to the new devices, and takes remote control of them.
While the current remote management model has been working pretty well for quite some time, I’m expecting to see changes as confidence grows and the trust relationship between client and MSS provider strengthens. In particular, one of the critical changes we’re going to see is the requirement to physically locate the protection devices at the client organization largely disappearing. That is to say, I expect those hardware assets to disappear from the client’s perimeter and their virtualized protection capabilities to reappear within the preferred MSS provider’s network.
After all, why purchase the physical equipment outright (i.e. as a capital expense) and then set about having to host it at your own facility, when the technologies can operate just as efficiently from the other end of the organization’s link to the Internet? Given the advances in network segregation technologies, secure VPN tunneling and scalable security performance, and the ability to manage multiple disparate network security configurations within a single – centralized – “cluster” of protection devices, there’s very little reason to stick with this legacy perimeter protection strategy.
Granted, for many organizations this concept may be as sacrilegious as the thought of using plastic corks in a bottle of good French wine, but time and technology move on; having to own the assets and needing to physically wrap your hands around your protection appliances will hark back to an older period of security thought.
Clean pipes or in-the-cloud?
For most of this decade we’ve heard about the concept of “clean pipes” – i.e. the removal of malicious or unwanted network traffic by your ISP. Unfortunately, while we’ve all been yakking about it, very little has actually been done – in fact, many ISPs are more nervous than ever about promoting services that automatically remove suspicious content (largely spam, port scanning and probing traffic).
Unlike the traffic scraping proposals of “clean pipes”, what I’m talking about for the future of perimeter protection is the delivery of traditional protection technologies by your MSS provider from within their protection cloud.
By way of example, consider the following diagram…
Rather than the client organization hosting the protection appliances and technologies at the perimeter of their enterprise (as well as every remote office location), the same protection technologies are effectively transplanted to the MSS services operation “in-the-cloud”.
All outbound office traffic passes through a secure VPN (or equivalent secure pipe) directly to the MSS provider’s in-the-cloud protection framework (the network traffic can’t go anywhere else). The management portals with their configuration and reporting options all look the same, and effectively the client organization notices no difference in service delivery capabilities.
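The “can’t go anywhere else” property is what makes cloud-delivered protection meaningful: any path from the office to the Internet that does not traverse the tunnel is a path the provider never inspects. The ruleset below is an added illustration of enforcing that property on a branch-office gateway; it is not from the original post and is not IBM’s or any MSS provider’s configuration. It is written in nftables syntax and assumes a Linux gateway with a LAN interface `lan0`, an ISP uplink `wan0`, a tunnel interface `mss0` that terminates in the provider’s cloud, an IPsec transport to a provider endpoint at 203.0.113.10, and an office LAN of 10.10.0.0/16 (all of these names and addresses are constructed placeholders).

```nft
#!/usr/sbin/nft -f
# Added example (not part of the original post): force every outbound packet
# from the office into the tunnel to the MSS provider, and drop anything that
# tries to reach the Internet by another route.
#
# Assumed, constructed placeholders:
#   lan0          office LAN interface
#   wan0          uplink to the ISP
#   mss0          tunnel interface terminating in the MSS provider's cloud
#   203.0.113.10  provider's IPsec endpoint (RFC 5737 documentation address)
#   10.10.0.0/16  office LAN range

flush ruleset

table inet egress_to_mss {

    # Traffic routed through the gateway: LAN hosts may only enter the tunnel.
    chain forward {
        type filter hook forward priority 0; policy drop;

        ct state established,related accept

        # Office LAN -> tunnel: the only permitted path toward the Internet.
        iifname "lan0" oifname "mss0" ip saddr 10.10.0.0/16 accept

        # A LAN host reaching for the uplink directly would bypass the
        # provider's inspection; log it so the attempt shows up in monitoring.
        iifname "lan0" oifname "wan0" log prefix "mss-bypass-attempt: " drop
    }

    # Traffic originating from the gateway itself: only the tunnel transport
    # (IKE and ESP to the provider's endpoint) may leave via the uplink.
    chain output {
        type filter hook output priority 0; policy drop;

        ct state established,related accept
        oifname "lo" accept

        # IKE on UDP 500/4500 and ESP, both restricted to the provider endpoint.
        oifname "wan0" ip daddr 203.0.113.10 udp dport { 500, 4500 } accept
        oifname "wan0" ip daddr 203.0.113.10 ip protocol esp accept

        # Gateway management, logging and updates go through the tunnel too.
        oifname "mss0" accept
    }
}
```

The firewall policy is the backstop, not the primary mechanism: the gateway’s default route must already point into `mss0`, so that in normal operation nothing ever selects `wan0` except the IPsec transport itself. The logging rule in the forward chain is the check a defender wants, because the most common way this design is weakened is a later “optimization” such as `iifname "lan0" oifname "wan0" tcp dport { 80, 443 } accept` to give web traffic a shorter path; that single line reopens exactly the uninspected route the architecture exists to close, and the log prefix makes the first host to use it visible to the provider’s monitoring.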
The provision of “in-the-cloud” protection will have a number of critical advantages:
And there are lots of other services such as vulnerability scanning, event log management, remote backup storage, etc. that would be just as easily supplied in such a framework.
The death of stand-alone security appliances?
I guess some readers may question whether this vision of the future means that stand-alone security appliances will perish if in-the-cloud MSS services prevail, and that won’t bode well for IBM’s existing security appliance range.
There will always be a market for specialized stand-alone protection appliances. Some organizations will never relinquish day-to-day control of their perimeter security to a third party (you can lead a horse to water, etc.). And don’t discount the fact that most large organizations have protection appliances deployed deep within their internal networks, and replacing those with an in-the-cloud service would be a complex procedure (at least until there is major adoption of cloud-based computing).
That said, ISS’ X-Force has always excelled at “big” security – i.e. the kinds of protection technologies the biggest and most sophisticated organizations deploy (such as ISPs, telcos and global financial institutions).
As the MSS market migrates to “in-the-cloud”, the security technologies providers need in order to provision their services will have to be “big”, and bigger than ever before, but that’s what we’re working on. New advances in the wire-speed of protection, deeper and more efficient inspection of traffic, increasingly reliable and preemptive detection of new families of malicious content, and massively scalable platforms are all areas in which X-Force has researched and innovated, and continues to do so.