Moving to the cloud means rethinking network security

Many organizations are moving critical data and applications to the cloud, but securing them with systems built for an on-premise world. That approach comes with a warning from Paul Gampe, CTO of Console, a platform that allows organizations to connect to each other's networks without using the internet. In an interview with The Enterprisers Project, he explains the risks and how to address them.

The Enterprisers Project (TEP): What is the biggest threat facing modern enterprise networks?

Gampe: The biggest risk facing current enterprise networks today is security. Data loss prevention systems that inspect outgoing packets to look for sensitive data, and intrusion detection systems that monitor incoming packets to identify potential threats, have both traditionally been placed at the edge of the enterprise network. However, as many line-of-business applications move from on-premise data centers to cloud services, there is no traditional network edge anymore, which renders the conventional methods of securing the enterprise network edge insufficient.

CIOs and CTOs today need to carefully plan for applications migrating to the cloud, or risk being caught off guard with edge-of-network infrastructure and systems unable to secure new traffic flows outside of the enterprise network.

TEP: What are the biggest mistakes you see CIOs and CTOs making around enterprise networks?

Gampe: The most common mistake I see is a failure to plan adequately for the impact of adopting cloud services on the enterprise network. CIOs and CTOs need to monitor and understand the internal traffic patterns of the on-premise data center to appropriately plan for the change in flows as traffic destined for line-of-business applications moves from those on-premise data centers to cloud-hosted services. There are serious risks to user productivity and application availability if CIOs and CTOs have not appropriately planned for or deployed the infrastructure required to support new traffic flows to the public cloud.

The second important task is planning for the changes to line-of-business application security. Firewall rules based on address have been a standard first line of defense in the past. But as applications move to the cloud, source address-based firewalls are no longer valid. CIOs and CTOs today need to re-assess their information security management strategy to account for the fact that they can no longer rely on the assumption that applications are not internet-accessible.

TEP: What are some of the obstacles and restrictions enterprises encounter when dealing with the public internet?

Gampe: The clearest obstacle is instability, and the biggest risk is security when dealing with the public internet. It's no surprise that the public internet is not secure, but the internet's significant instability at times is not apparent until mission-critical applications are moved to the public cloud and the organization is suddenly exposed to a lack of application availability due to that instability.

A simple search for a major route leak gives a sense of how often and how significant some of these public internet outages are. Tier 1 network operators will typically off-load traffic to the lowest-cost path, often with little concern for performance. Using these public internet services for mission-critical application availability is inherently high-risk. The key to safely and securely adopting cloud services is to not use the public internet.

If CIOs and CTOs want to ensure they have the network capacity, performance, and security to safely adopt cloud services, they need to bypass the public internet and directly connect enterprise networks. Large public cloud service providers and new software defined interconnection companies now provide these direct connect services to ensure that enterprises remain in control of their network connectivity without relying on the public internet.