IT and Security Executives are settling into a new reality. The Cloud is here to stay. Everywhere you turn, the advantages of cloud are being touted - to such an extent that you could be forgiven for thinking that on-premise solutions are obsolete. With the increasing complexity of software licensing, the difficulties of provisioning applications across large distributed environments, and the need to contribute to the bottom line by increasing productivity while streamlining IT administration, cloud is undeniably appealing. Yet looking behind the hype, the reality is that not every application is suitable for cloud delivery, and virtually every organization is, and will continue to operate within, a hybrid environment of on-premise and cloud solutions.
Cloud can be defined in many ways, but some of the key characteristics are that the entire application is hosted off-site – in other words, the organization doesn’t own an appliance, server or other endpoint dedicated to a particular function. And this is why network security should be considered as a category deserving different treatment from other applications. Premise based Internet and network security solutions, where the appliance lives within the confines of the organization, have a number of key strategic advantages over hosted, cloud-based security. This doesn’t mean that updates, monitoring and management can’t be taken care of by providers of managed security services who host that service remotely, from a central location. But it does mean is that the security solution is physically based within the company walls.
No Compromise
The advantages of on-premise security solution include the ability to select the optimum hardware platform for your organization’s needs. This ensures you can meet your organization’s metrics for reliability, security, and flexibility without any compromise to features, functionality, or performance.
The vast majority of companies currently moving much of their data to the cloud will still maintain local, premise-based network resources in the forms of critical data, extranets, and network segmentation for the foreseeable future. Because some of their critical data and business technology is in the cloud, they now require extremely reliable connectivity. This is of critical importance to business continuity and sustainability. The on-premise network now becomes the collection point for a variety of data from disparate sources, subject to external influences, network speeds and vulnerabilities. In this environment, only a premise-based security solution can secure all critical data coming from all connected networks and sources while also providing the most reliable connection options in the form of carrier redundancy, device fail-over, 3G or 4G connectivity and VPN/Private line fail-over.
Cloud-based security solutions offer some of the features of a premise based security platform. However, the most effective, efficient mechanisms with the highest levels of reliability are on-premise solutions. Take, for example, encryption, UTM, and DLP. On a cloud-based security platform these features suffer from lower functionality and performance. Other increasingly important and desirable features are simply not available in a cloud security platform such as Secure Managed WiFi.
For the SMB: the Mix and Match Solution
Even though many organizations are moving their business technology to the cloud, it is one step too far to ask them to give up reliability, security, flexibility - as well as accept compromises on features and performance – for a cloud-based security platform. Deploying a quality managed security service to maintain and support the security hardware provides a similar level of convenience and efficiency without relinquishing the security platform to a third party.
While many business technology needs are adequately filled by network and cloud-based products, adopting them is a very complex process. It is therefore highly unlikely that the majority of organizations – particularly small and micro organizations - will ever have a totally cloud-based business technology platform. Most business will end up with a model where the most critical pieces remain premise-based for reasons of reliability, security, and the support of vital business processes. While an external security platform can provide some of these features, large blocks of potential users will not adopt such solutions because they fail to deliver on some of these most fundamental requirements.
Perhaps the most important advantage of a premise-based solution is the ability to segment and manage customer networks. Premise-based solutions can leverage existing customer infrastructure in ways that a hosted solution cannot support. Customers have the ability to connect myriad of different network interfaces and connections into a premise-based security appliance and secure and route traffic between them. Many vertical markets such as banking, finance, and healthcare have large established extranets and intranets as well as connectivity to multiple 3rd party vendors and providers. Traffic to and from these different segments must be managed and secured in ways not possible with a hosted security solution. Any customer requiring network segmentation, extranet support or carrier redundancy must deploy a premise-based solution. This applies to large portions of the market.
Encryption
Premise-based security platforms offer a superior encryption model as it relates to site-to-site and mobile user VPN connectivity. In a premise-based model encryption is performed immediately at the customer edge ensuring that all critical data is secure before leaving the corporate network. Many businesses and regulatory frameworks require this for compliance. Network-based solutions, where data is sent offsite over the carrier network in “plain text” and encryption occurs in a remote data center, leave customers’ data as well as their compliance status vulnerable.
If critical data has left the network in a clear-text, unencrypted state, then the data is for all intents and purposes already lost. The more powerful managed security solutions provide organizations with a customizable data loss prevention (DLP) solution allowing them to define custom objects and patterns for their business critical data and build policies that prevent this highly sensitive and highly critical data from leaving the customer premise via the network. It allows for highly detailed user, group, and IP-based policies that make it easy for customers to securely manage and leverage this data in whatever ways their business requirements dictate.
Performance
It is well understood in the industry and supported by volumes of testing data that remote inspection and policy application of data introduces traffic latency and other performance issues, resulting in an inferior customer experience. While for some businesses the effect may be minimal or possibly even go unnoticed, for many others it will result in business impacting issues. A good example of this is remote (3rd party) VOIP services. Traffic such as this must arrive within very tight tolerances to maintain call quality. Premise-based solutions do not suffer from these issues. In addition, while most network security solutions can technically provide UTM and other Next-Gen firewall services they suffer from business impacting performance issues when those services are deployed en masse across a carrier’s customer base. For these reasons we believe that premise-based inspection of traffic provides a superior solution and customer experience.
Superior UTM and Content Management
Next-Gen security platforms offer a wide range of security services that can be dynamically applied to traffic entering and leaving the customer’s network. These include Content Filtering, Gateway Anti-Virus, Gateway Anti-Spyware, Application firewalls, and DLP. Premise-based security appliances can be tightly integrated with a customer’s existing network and computers. SSO and LDAP integration allows for highly customizable UTM policies based on IP, Network, MAC, User, Group, time-of-day and other parameters. As discussed above, some of these things are possible when deploying a network-based solution but they do not scale well and end up reducing performance across the security platform. This can cause performance issues for all customers including those not utilizing the services. Best in class managed security appliances can be dropped into a network in a transparent manner and provide UTM services to an established network without any impact on existing infrastructure. A premise-based solution offers the comprehensive list of services and delivers them in the most feature-rich and customizable model without any impact to performance. It is a no-compromise UTM experience.
Reliability
As with other areas, premise-based solutions offer superior models for reliability. This includes high availability (HA) appliances, carrier redundancy, VPN fail-over, and 3g/4g support. HA devices are easily deployed only where needed and can be offered as service tier upgrades for customers who demand the highest uptime. In addition, many customers served by BHN have business requirements that dictate carrier and connectivity redundancy. A premise-based solution provides them with the most flexibility and allows for multiple levels of redundancy for both general Internet connectivity as well as their site-to-site needs. Network-based security platforms are by their nature shared environments. This means that anything impacting traffic or functionality on the platform has the potential to impact all customers on that platform. Premise-based appliances are isolated, redundant and allow customers to deploy their networks and connectivity in whichever way their business dictates, without worrying about whether some issue in a remote data center caused by people, policies or issues unrelated to them is going to disrupt the flow of their business.
Regulatory Compliance
No managed solution can provide a total solution for regulatory compliance, but many frameworks require data isolation, security and encryption models that can only be accomplished by a premise-based solution. PCI, as an example, requires that databases containing credit card data be secured separately from other portions of a customer’s network so that traffic into and out of the database networks is inspected and filtered even if the traffic is the customer themselves. When selecting a managed security solution, organizations should seek offerings that include highly detailed UTM, Content Management, Bandwidth, encryption and firewall policies can be established to ensure that business critical data is secured based on the compliance requirements of the governing body.
Additionally, Secure WiFi services can be made available directly from the premise-based appliances allowing for simple deployment of any imaginable guest or business supporting WiFI topology. In addition, all the other services available on the platform such as UTM, Encryption and Next-Gen services can be leveraged to ensure that the WiFi solution deployed at a customer site is as flexible and secure as possible. All of this can be accomplished without the need to deploy any other device or solution in the majority of cases.
Off-Net Support and Centralized Control
Managed premise-based solutions can also provide for Off-Net support, allowing large distributed organizations to provide Managed Security services wherever they are located, and provide a comprehensive security solution that is connection agnostic. All sites and settings can be wrapped into a single, cloud-based portal that customers can log into to see all their security configurations and reporting. In addition, multiple account credentials can be provided, allowing customers flexibility to manage their security policies as needed. For example, divisional managers can be provided with access to view the sites they are responsible for while executives can be provided access to view a customer’s entire organization. And the service can be expanded infinitely without any constraints imposed by platform, data center, or support personnel capacity or availability.
Integration with the Cloud
The Cloud is here to stay. Moving forward, organizations will need to consider how to properly deploy and manage security across an increasingly distributed IT environment. Identity management systems are going to become critical in the quest to provide role-based security across hybrid cloud platforms. Users must be identified and secure regardless of where the application or network resource they require exists. Centralized, role-based access control solutions using a variety of technologies such as SAML, XACML, and LDAP are emerging on the market. While identity management solutions will be integrating into the hybrid cloud, many organizations will choose to keep this critical component hosted on-premise and made available to their cloud-based infrastructure. A properly managed and deployed premise based security platform is both a participant and critical component of these identity management and distribution models.
A network-based security platform makes available to customers some of the features offered by a premise-based solution, but the compromises to security, performance, reliability, features and flexibility render the solutions available on the market today sub-standard. For most businesses, a hybrid security model is the future. Certain systems, networks and data will always require a premise-based security solution. This is why there are very few purely cloud-based security providers and why most carriers offer both cloud-based and premise-based security platforms.
Edited by
Ryan Sartor
