Bridging the gap between cloud vs on-premise security

With the proliferation of SaaS applications, remote work and shadow IT, organizations feel obliged to embrace cloud-based cybersecurity. And rightly so, because the corporate resources, traffic, and threats are no longer confined within the office premises.

Cloud-based security initiatives, such as Secure Access Service Edge (SASE) and Security Service Edge (SSE), comprising Secure Web Gateway (SWG), Cloud Access Security Brokers (CASB), Data Loss Prevention (DLP), and Zero Trust Network Access (ZTNA), effectively push security to wherever the corporate users, devices, and resources are – all via the cloud. With all security functions now delivered over the cloud and managed through a single pane of glass, the incoming and outgoing traffic (aka, the north-south traffic) is all but secure.

However, the east-west traffic — i.e., traffic that traverses the internal network and data centers and does not cross the network perimeter — is never exposed to these cloud-based security checks.

One way around it is to maintain a legacy data center firewall that monitors and controls the east-west traffic specifically. For starters, this hybrid security architecture adds up the cost and complexity of managing disparate security solutions, something organizations desperately attempt to overcome with cloud-based converged security stacks.

Secondly, the absence of unified visibility across cloud and on-premise security components can result in a loss of shared context, which renders security loopholes inevitable. Even Security Information and Event Management (SIEM) or Extended Detection and Response (XDR) solutions can’t address the complexity and operational overhead of maintaining a hybrid security stack for different kinds of traffic. As such, organizations still need that single, integrated security stack that offers ubiquitous protection for incoming, outgoing, and internal traffic, managed via a unified dashboard.

Extending cloud-native security to east-west traffic

Organizations need a security solution that offers both north-south and east-west protection, but it must all be orchestrated from a unified, cloud-based console. There are two ways to achieve this:

1. Via WAN firewall policy

Cloud-native security architectures like SASE and SSE can offer the east-west protection typically delivered by a data center firewall by rerouting all internal traffic through the closest point of presence (PoP). Unlike a local firewall that comes with its own configuration and management constraints, firewall policies configured in the SSE PoP can be managed via the platform’s centralized management console. Within the unified console, admins can create access policies based on ZTNA principles. For instance, they can allow only authorized users connected to the corporate VLAN and running an authorized, Active Directory-registered device to access sensitive resources hosted within the on-premise data center.

In some cases, however, organizations may need to implement east-west traffic protection locally without redirecting the traffic to the PoP.

2. Via LAN firewall policy

Consider a situation where a CCTV camera connected to an IoT VLAN needs to access an internal CCTV server.

Given the susceptibility of the IoT camera to be compromised by a malicious threat actor and controlled over the internet via a remote C2 server, the camera’s internet or WAN access should be disabled by default. If the data center firewall policy is implemented in the PoP, the traffic from internet-disabled IoT devices will naturally be exempt from such policies. To bridge this gap, SASE and SSE platforms can allow admins to configure firewall policies at the local SD-WAN device.

Typically, organizations connect to the SASE or SSE PoPs through an SD-WAN device, also known as a socket, installed at the site. The centralized dashboard can allow admins to configure rules for allowing or blocking internal or LAN traffic directly at the SD-WAN device, without ever sending it to the PoP over WAN.

In this scenario, if the traffic matches the pre-configured LAN firewall policies, the rules can be enforced locally. For instance, admins can allow corporate VLAN users to access printers connected to the printer VLAN while denying such access to guest Wi-Fi users. If the traffic does not match pre-defined policies, the traffic can be forwarded to the PoP for further classification.

Cloud-based east-west protection is the way to go

As security functions move increasingly to the cloud, it’s crucial not to lose sight of the controls and security measures needed on-site.

Cloud-native protections aim to increase coverage while reducing complexities and boosting convergence. As critical as it is to enable east-west traffic protection within SASE and SSE architectures, it’s equally important to maintain the unified visibility, control, and management offered by such platforms. To achieve this, organizations must avoid getting carried away by emerging threats and adding back disparate security solutions.

As such, any on-premise security measures added within cloud-based security paradigms should maintain a unified dashboard for granular policy configuration and end-to-end visibility across LAN and WAN traffic. This is the only way organizations can reliably bridge the gap between cloud and on-premise security and enable a sustainable, adaptable, and future-proof security stack.