Many traditional network vendors seem to share the same messaging and the same gap in vision regarding hybrid cloud security. They are too focused on abstracting existing network constructs to enable hybrid cloud, while ignoring serverless architectures and other public cloud services.

The challenge

Networking is the foundation of the enterprise data center, and the network is the first place security groups look to implement defense against intruders. Network I/O is now one of the focus areas for increased application performance, and multi-cloud architecture requires a focus on inter-cloud connectivity. Therefore, it’s critically important to have a robust approach to network design as part of a hybrid cloud infrastructure.


To demonstrate the complexity, I’ll expand on the concept of network-based security. In the traditional enterprise network, workloads are static. Take, for example, a firewall rule stating that a database residing at a permanent network address is allowed to communicate with a set of web servers behind another group of permanent network addresses. This design has served the enterprise well over the years.

But, what happens when you move the web servers out to Amazon Web Services (AWS) and Microsoft Azure? How do you enforce the rules in AWS, Azure, and your private data center all at once? While at VMware’s Future of Network conference in 2016, Verizon articulated this challenge, and network vendors have started to address this problem.

What about serverless?

During Juniper Networks' Networking Field Day 17 presentation, OpenStack pioneer and current Juniper vice president Randy Bias presented an overview of Juniper's cloud strategy, wherein much of the cloud focus was on the integration with Kubernetes and the ability to run vRouter on cloud-based instances.

Juniper’s offering is similar to VMware’s NSX offering. Both offerings abstract traditional network constructs and adapt them to the ephemeral nature of cloud workloads. Both solutions support cloud services associated with operating systems. For instance, VMware NSX-T installs micro-code on AWS EC2 instances to enable enforcement of NSX Firewall rules on cloud instances. If the NSX-T code is part of an organization’s container and EC2 images, then traditional network policies apply at the OS level.

Both solutions also integrate with the Kubernetes network framework, which enables policy-driven, network-centric security. However, neither solution directly addresses services such as AWS Lambda.

Serverless and microservices are fast growing. I spoke with the CTO of the NY Times, who explained that the publication has bet big on serverless. However, I can easily see challenges associated with distributed cloud security. A fundamental challenge I’ve yet to see a network vendor solve is how to create a policy that reads as follows: Allow AWS Lambda code that transcodes video to write to a database hosted in an Azure SQL instance.

The above security policy has little, if anything, to do with networking. The rule intends to ensure that only the authorized serverless code has access to resources outside its native domain. Today's network-focused products don't allow for this type of intent-based security policy management.
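To make the contrast concrete, here is an added example (not from the article or from any vendor's product) that evaluates the same access attempt against an address-based firewall rule and against an intent rule keyed on workload identity. The workload labels, resource names and addresses are constructed; the identity label is assumed to be attached to the request by the platform.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Request:
    """A constructed access attempt carrying both network facts and workload identity."""
    workload: str      # hypothetical identity label, e.g. "aws:lambda:transcode-video"
    action: str
    resource: str      # hypothetical resource label, e.g. "azure:sql:media-db"
    src_ip: str
    dst_ip: str
    dst_port: int


@dataclass(frozen=True)
class NetworkRule:
    """Traditional firewall rule: permanent source subnet to permanent destination subnet."""
    src: str
    dst: str
    port: int

    def allows(self, r: Request) -> bool:
        return (ip_address(r.src_ip) in ip_network(self.src)
                and ip_address(r.dst_ip) in ip_network(self.dst)
                and r.dst_port == self.port)


@dataclass(frozen=True)
class IntentRule:
    """Intent rule: which workload may perform which action on which resource."""
    workload: str
    action: str
    resource: str

    def allows(self, r: Request) -> bool:
        return (r.workload, r.action, r.resource) == (self.workload, self.action, self.resource)


# Both policies try to express "the video-transcoding Lambda may write to the Azure SQL instance".
NETWORK_POLICY = [NetworkRule("10.20.0.0/16", "10.30.0.0/24", 1433)]
INTENT_POLICY = [IntentRule("aws:lambda:transcode-video", "write", "azure:sql:media-db")]


def evaluate(policy, r: Request) -> bool:
    """Default deny: the request is allowed only if some rule in the policy matches it."""
    return any(rule.allows(r) for rule in policy)


# Constructed requests: the same function reappears on an ephemeral address outside the
# allowed range, and an unrelated workload reuses an address inside it.
LAMBDA_FIRST = Request("aws:lambda:transcode-video", "write", "azure:sql:media-db", "10.20.4.7", "10.30.0.5", 1433)
LAMBDA_LATER = Request("aws:lambda:transcode-video", "write", "azure:sql:media-db", "192.0.2.44", "10.30.0.5", 1433)
OTHER_WORKLOAD = Request("aws:lambda:report-builder", "write", "azure:sql:media-db", "10.20.9.9", "10.30.0.5", 1433)


def compare(r: Request) -> tuple[bool, bool]:
    """Return (network-rule decision, intent-rule decision) for one request."""
    return evaluate(NETWORK_POLICY, r), evaluate(INTENT_POLICY, r)
```

The address-based rule denies the legitimate function once its source address changes and admits any other workload that lands inside the permitted range, while the intent rule decides on the workload's identity and is unaffected by where the code happens to run.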

What do you think?

Maybe I’m asking too much of network vendors. Perhaps my thinking is too old school, and there’s a better place to manage hybrid cloud security centrally. If you’ve seen a hybrid cloud model that takes into account public cloud services such as Lambda, tell me in the comments or on Twitter.