By Patrick MeLampy
This blog was originally posted on Revation’s blog.
As the COO and co-founder of a networking company, I’m often asked, “What are the best network security practices for cloud-based services?” There isn’t an easy answer. Many cloud service offerings take months to implement because at each deployment they have to negotiate with the customer’s security and networking teams.
What I can tell you, however, is that they break down into two types of services: simple outbound browser-based services, and complex multi-protocol services.
For simple outbound services like Salesforce.com or Office365, the best option is to route them directly over the internet. Microsoft has been very outspoken about how their services are 100 percent secure, and there is no security benefit to running this traffic through firewalls. In fact, firewalls and outbound proxies often interfere with Office365 features, especially the Skype for Business or multimedia extensions. So in order to operate efficiently, they require that the edge networking equipment has the intelligence to know what traffic should go through a stateful firewall and what traffic can go directly to the internet. This kind of intelligence just doesn’t exist in hardware routers. Thus, the best practice for simple SaaS applications is to use a router capable of identifying specific cloud services and routing them directly over the internet.
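The steering decision described above, reduced to its core, is a per-flow classification: a flow whose destination and port match a known SaaS service profile goes straight out to the internet, and everything else stays on the inspected path through the stateful firewall and outbound proxy. The following is an added example, not code from the original post or from any 128 Technology or Revation product; the service names, prefixes and port ranges in `SAAS_ENDPOINTS` are constructed for illustration, where a real deployment would load the provider's published endpoint lists.

```python
"""SaaS-aware egress steering: decide per flow whether it bypasses the
outbound proxy / stateful firewall ("direct") or is inspected ("proxy").

Added example; the endpoint table and sample flows are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed service profiles: the prefixes, transport and ports each
# service is expected to use. Anything outside a profile is NOT trusted
# just because it happens to land in a SaaS prefix.
SAAS_ENDPOINTS: Dict[str, Dict] = {
    "office365-web": {"prefixes": ["203.0.113.0/24"], "proto": "tcp", "ports": {80, 443}},
    "skype-media": {"prefixes": ["198.51.100.0/24"], "proto": "udp", "ports": set(range(50000, 50060))},
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str  # "tcp" or "udp"
    dport: int


def build_table() -> List[Tuple[ipaddress.IPv4Network, str, str, set]]:
    """Flatten the profiles into (network, service, proto, ports) rows."""
    rows = []
    for name, spec in SAAS_ENDPOINTS.items():
        for prefix in spec["prefixes"]:
            rows.append((ipaddress.ip_network(prefix), name, spec["proto"], spec["ports"]))
    return rows


_TABLE = build_table()


def classify(flow: Flow) -> Tuple[str, str]:
    """Return (path, reason); path is "direct" or "proxy".

    Only a flow whose destination sits inside a known SaaS prefix AND whose
    transport/port match that service's profile bypasses inspection. The
    default path is always the inspected one, so an unknown port toward a
    SaaS prefix is still proxied.
    """
    dst = ipaddress.ip_address(flow.dst)
    for net, name, proto, ports in _TABLE:
        if dst in net:
            if flow.proto == proto and flow.dport in ports:
                return "direct", name
            return "proxy", f"{name}: {flow.proto}/{flow.dport} not in service profile"
    return "proxy", "default: destination is not a known SaaS endpoint"


def summarize(flows: List[Flow]) -> Dict[str, int]:
    """Count how many flows take each path; useful for sizing the proxy."""
    counts = {"direct": 0, "proxy": 0}
    for f in flows:
        counts[classify(f)[0]] += 1
    return counts


# Constructed sample flows from a branch office (RFC 5737 test addresses).
SAMPLE_FLOWS = [
    Flow("10.1.1.10", "203.0.113.25", "tcp", 443),    # Office365 web: direct
    Flow("10.1.1.11", "198.51.100.40", "udp", 50010),  # Skype media: direct
    Flow("10.1.1.12", "203.0.113.25", "tcp", 22),      # SSH to a SaaS prefix: proxy
    Flow("10.1.1.13", "192.0.2.77", "tcp", 443),       # unknown destination: proxy
    Flow("10.1.1.14", "198.51.100.40", "tcp", 443),    # TCP to a UDP-only profile: proxy
]

if __name__ == "__main__":
    for f in SAMPLE_FLOWS:
        print(f"{f.dst}:{f.dport}/{f.proto} -> {classify(f)}")
    print(summarize(SAMPLE_FLOWS))
```

The design choice worth noting is that the bypass is keyed on the full service profile (prefix, transport and port), not the prefix alone, so traffic that merely shares an address range with a SaaS service still goes through inspection.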
Sadly, this best practice contradicts most companies’ security policies. For internal employees accessing the internet, organizations are mandating outbound proxies for ALL traffic, which cloud service providers say is unnecessary and possibly harmful to their service offering. Changing a company’s hardened security policies is challenging and can take lots of time — measured in months or years.
A second option for large customers is to establish some form of “direct connect” to their cloud service — tunnels to establish a “meet-me” arrangement via major data centers like Equinix or AWS. This can involve a lot of steps, including WAN engineering, IPsec tunnels with IKE, router deployment, BGP configuration and testing. It ultimately creates a full bi-directional connection to your SaaS provider’s network, which then must be carefully secured with ACLs and reverse-path forwarding protections. In most cases, this can take a very long time.
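Because a direct connect is a routed, bi-directional link into another organization's network, the two protections named above do different jobs: the ingress ACL restricts which source prefixes may enter at all, and a strict reverse-path-forwarding check rejects a packet whose source address would not be routed back out the interface it arrived on, which is how a spoofed source is caught even when it falls inside a permitted range. The following added example (not from the original post or any product it mentions) simulates both checks on a constructed routing table; the interface names, prefixes and packets are assumptions for illustration.

```python
"""Ingress protection for a direct-connect interface: a source ACL plus a
strict unicast reverse-path-forwarding (uRPF) check.

Added example; routing table, ACL and sample packets are constructed.
"""
import ipaddress
from typing import List, Optional, Tuple

# Constructed routing table: (prefix, egress interface). Longest match wins.
ROUTES = [
    ("0.0.0.0/0", "wan0"),        # default route toward the public internet
    ("10.0.0.0/8", "lan0"),       # corporate address space
    ("198.51.100.0/24", "dc0"),   # SaaS provider prefix reachable over direct connect
]

# Constructed ingress ACL for dc0. The provider also publishes an
# internet-facing range (203.0.113.0/24); listing it here is a deliberate
# over-permit so the example shows what uRPF adds on top of the ACL.
DC0_PERMIT = ["198.51.100.0/24", "203.0.113.0/24"]


def lookup(addr: str) -> Optional[str]:
    """Longest-prefix match over ROUTES; returns the egress interface."""
    ip = ipaddress.ip_address(addr)
    best: Optional[Tuple[ipaddress.IPv4Network, str]] = None
    for prefix, iface in ROUTES:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def acl_permits(src: str, permit_list: List[str]) -> bool:
    """True if the source falls inside any permitted prefix."""
    ip = ipaddress.ip_address(src)
    return any(ip in ipaddress.ip_network(p) for p in permit_list)


def strict_urpf(src: str, ingress_iface: str) -> bool:
    """Strict mode: the best route back to the source must use the ingress interface."""
    return lookup(src) == ingress_iface


def admit(src: str, ingress_iface: str) -> Tuple[bool, str]:
    """Apply ACL then uRPF to a packet arriving on the direct-connect link."""
    if not acl_permits(src, DC0_PERMIT):
        return False, "acl: source not in provider prefixes"
    if not strict_urpf(src, ingress_iface):
        return False, f"urpf: source routed via {lookup(src)}, not {ingress_iface}"
    return True, "ok"


# Constructed packets arriving on dc0, as (source address, description).
SAMPLE_PACKETS = [
    ("198.51.100.7", "legitimate provider source"),
    ("10.1.2.3", "corporate address spoofed from the provider side"),
    ("203.0.113.5", "permitted by ACL but routed via wan0, so fails uRPF"),
]

if __name__ == "__main__":
    for src, why in SAMPLE_PACKETS:
        print(f"{src:>14}  {admit(src, 'dc0')}  ({why})")
```

The third packet is the interesting one: the ACL alone would have let it in, and only the reverse-path check notices that a packet claiming that source should never have arrived on dc0.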
For services that have multiple protocols, there really are no available best practices due to a multitude of issues including:
- Non-HTTPS traffic (no outbound proxy options)
- Multimedia traffic requirements (QoS)
- A multitude of dynamically changing IP addresses on the service side
- A multitude of users on the customer side
The state-of-the-art solution for these types of services has been private link/MPLS-type connectivity, which is expensive and can take months to implement. This type of solution requires a coherent address space, which means the service provider has to establish a completely different set of equipment and resources for each customer, which increases costs. Customers also have concerns about bridging their networks to SaaS networks; addressing those concerns requires study, application of controls (ACLs) and monitoring, and the process can take four to six months.
Some multimedia services just try to use the internet as is. This can be effective for work-at-home networks, or very small offices, but tends to fail rather consistently in medium-size or larger branch offices due to:
- Backhaul to datacenters for outbound security scrubbing
- Congested internet connectivity
- Security scrubbers adding latency
What is needed is a new kind of solution. Revation was the first company in the world to use Session Smart™ software to connect their cloud-based service, Revation LinkLive, to customer premises. Revation developers embedded the Session Smart™ software into their existing product to help create their LinkLive offering. LinkLive’s use of Session Smart technology solves the following problems:
- Isolates the customer’s address space and local changes
- Isolates the cloud server address space and local changes
- Reduces the number of IP addresses to two
- Reduces the number of protocols to two
- Reduces the number of ports to two
- Provides authentication on every application session
- Provides encryption when needed
- Provides service provider with real-time performance measures
- Doesn’t require direct connect or MPLS
- Doesn’t rely on tunnels
With this solution, the customer still uses all of the existing security equipment without change, and the security team only has to deal with a limited set of requirements that do not change over time. The intelligent operation of Session Smart software keeps this traffic off the outbound proxy, which greatly improves voice quality. The Session Smart™ software also supports session-by-session authentication, where each and every unique application session is signed and checked — something that isn’t done in today’s networks. Furthermore, Revation has discovered that by requiring every unique multimedia session to have an individual port address, the routed network provides much better quality than any form of tunnel or aggregation.
Using this type of connectivity, Revation’s LinkLive can claim PCI compliance, FIPS 140-2 certification and HIPAA compliance for every aspect of their solution. It also helps Revation’s support team understand, in an intelligent and real-time way, network issues that are occurring between their cloud location and the customer’s premises.
Call me biased, but for the above reasons I believe that adding Session Smart technology to your cloud service is the best practice. Your deployment timeframe will be reduced by orders of magnitude, and you will have insight into how the service is operating all the way into the customer premises. You will eliminate complexity and reduce costs substantially. To put it another way — do what Revation did.
Patrick MeLampy is the COO and Co-Founder at 128 Technology.
Revation Systems is a 128 Technology customer.