Security: On-premise or in the cloud?

There are many things that are easier to do in the cloud, but is security one of them? Proponents argue that basing security tools in the cloud provides all the benefits of any cloud-based resource, including low cost of entry, simplicity of maintenance and upgrades, and so on. But critics say not so fast: getting security right is hard enough when you control all the resources, and moving them to the cloud only complicates the job further.

The Experts
Daniel Ayoub

CISSP, CISM, CISA, Product Marketing Manager at Dell SonicWALL, says some security functions may be fine to shift to the cloud, but the core stuff is best done on premise.

Rand Wacker

VP of Products at CloudPassage, argues that if the future includes cloud-based computing resources, then the tools used to secure them will need to be just as dynamic, and that means shifting them to the cloud.

Daniel Ayoub

On-premise security can’t be beat

While some security solutions, such as email security, may ultimately be better suited for the cloud, network security will always be best handled on-premise.

Network security tools such as next generation firewalls and next generation IPS will remain on-premise because organizations will need to control the flow of data into and out of their networks. The latency, delays and risks associated with running confidential data to/from a cloud provider are greater than organizations will be willing to tolerate.

Further, most modern on-premise solutions automatically update themselves with the latest protection and often leverage the cloud to provide a second layer of defense against various attacks. For example, some tools block malware at the edge of the network by utilizing a cloud database with millions of signatures. However, that type of service would typically be optional so organizations can disable it if they are not willing to let confidential data leave their network. In this case, on-premise solutions provide the best possible level of protection available today.

While it is true that some things are easier to administer through the cloud, security is not one of them. By its very nature security is something most organizations will want to keep in-house rather than turning over confidential data (even if encrypted) to a cloud provider. Some services, such as distributed denial-of-service protection, can benefit from cloud deployments, but then again, this is something that would be better handled at the ISP level.

Different organizations will have varying risk tolerances, which will contribute to what type of solution they choose, on-premise vs. cloud. For example, a risk-averse organization such as the Department of Defense may insist upon keeping all data internal and thus require an on-premise solution, whereas organizations with less sensitivity may favor a cloud-based solution.

In many cases these risk-tolerant companies (such as small businesses) may be the niche in which cloud providers are able to scrape by and fine-tune their technology. However, it is important to note that the total cost of ownership of utilizing an on-premise solution such as an integrated unified threat management appliance will often outweigh those of a cloud environment. When one calculates the total cost of a four- to five-year contract with a monthly recurring charge, it can turn out that on-premise solutions are actually cheaper in the long run.

Dell SonicWALL currently leverages cloud technology for various aspects of protection, however our core business will remain on-premise solutions. Examples of technologies that will live in the cloud include email security, hosted management and various aspects of our gateway anti-virus. It is important to also recognize that our comprehensive data collection and update management systems can be considered 'cloud' technology.

Examples of organizations that will likely retain on-premise security deployments include:

The military will likely always opt for closed on-premise networks because they cannot risk sensitive data related to national security being intercepted and/or modified through a cloud-based solution.

And financial institutions such as banks and credit card agencies will also likely always opt for closed on-premise networks because they cannot risk sensitive data related to financial records, accounting and money transfers being intercepted and/or modified in the cloud.

Cloud-based security does offer some advantages. Placing your network security in the cloud allows businesses to free up capital and personnel because the up-front cost to deploy is less than traditional premise-based tools and the vendor provides the bandwidth, IT staff and infrastructure to secure the data. This also allows businesses to scale quickly and with minimal effort, should the need arise. And failover is generally provided by the vendor where, with a traditional on-premise firewall, redundancy between data centers can be costly.

On-premise security tools, on the other hand, offer a level of security and control that's simply not possible in the cloud. An on-premise solution provides businesses with control over all the data, managed and handled by their own dedicated IT staff. On-premise solutions also provide significantly better threat protection than that available in cloud deployments.

The right solution will be scalable to manage even rapid corporate growth while upgrades can be scheduled to minimize business disruption. The rich feature set of on-premise network security systems makes it easier to integrate and tailor features tightly to the needs of a particular industry. This includes the ability to perform network forensics quickly and easily. All things considered, the long-term costs can be greatly decreased, especially for larger organizations, with on-site network security.

Dell SonicWALL makes security a business enabler to drive employee productivity and network performance. It provides intelligent network security and data protection solutions that empower customers and partners of all sizes and verticals to dynamically secure, control and scale their networks. For more information, visit http://www.sonicwall.com or http://www.dell.com.

Rand Wacker

Cloud-based security is critical

Adoption of cloud services is happening at breakneck speed, with companies adopting everything from software to infrastructure-as-a-service because of the promise of increased agility, lower capital costs and streamlined operations. Protecting dynamic cloud resources requires security that is equally dynamic, with the same scalability and portability as the resources being protected.  This new environment demands cloud-based security.

Unlike traditional on-premise security systems, cloud-delivered security services can scale and react faster than traditional static deployments, matching costs to usage more closely than the on-premise need to build out extra capacity to meet possible future growth. Most importantly though, only a cloud-delivered security service can match the dynamic and highly automated operations model that attracts so many organizations to the cloud in the first place.

Let's look at a specific example: enabling self-service provisioning of infrastructure resources. Making it easy for a developer to spin up a virtual cloud server in minutes can result in massively reduced time required to deliver software. If the developer had to wait for IT staff to provision the system or for the security operations team to make all the necessary changes for access control, integrity monitoring and intrusion detection, the benefits of self-service would wash away. On the other hand, the developers might also find ways to circumvent the established process, leaving IT and the security team out of the equation altogether.

As in an on-premise data center, there is a litany of security steps that must be taken when a new server is brought online. To truly provide the benefit of the self-service server deployment described above, these security tasks must be automated as part of the provisioning process. Firewall and access control policies must be updated, the newly created server image must be verified to be in compliance with security policy, and all software packages have to be up to date.

Furthermore, because these cloud servers are directly exposed to the Internet (as opposed to being locked up in a private data center), they must be monitored constantly for compromise and unauthorized malicious or accidental system changes.

Unless these tasks are automated and delivered in a way that can keep up with the highly dynamic cloud systems they are protecting, developers will either work around the security controls, or be delayed in getting their job done.

The adoption of new security services has always lagged the adoption of new IT systems, as it takes time for security challenges to be understood, addressed and validated. While early adoption can happen in a new market without complementary security capabilities, growth of cloud adoption will hit a wall where the security problems need to be solved before the majority of adopters will embrace these disruptive technologies.

In adopting cloud computing models, operational thinking and risk management will shift from a belief that "we must control everything" to a model of shared responsibility between the buyer and their service providers. Security designs will evolve so that different parts of the stack will be managed by different entities, and a framework for attestations between the different layers will be used to achieve end-to-end compliance at the level people have in private data centers today.

For the same reasons that delivering applications and infrastructure from the cloud has many benefits over traditional on-premise delivery, cloud delivery of security offers a lower cost of entry, easier operations and improved agility. For securing the IT of organizations that employ a combination of mixed infrastructures, the use of cloud-based security services will in fact increase their protection by providing more automation and enabling new operational models that significantly improve business pace.

CloudPassage is the leading provider of security for cloud-based servers (rand@cloudpassage.com).
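The provisioning-time tasks Rand Wacker describes (verify the new server image against security policy, then watch it for unauthorized changes) can be illustrated with a small script. The following is an added example for this page; it is not code from the original debate or from CloudPassage's product. The policy rules, the watched file list and the sample `sshd_config`, `passwd` and `sudoers` contents are all constructed, and the whole thing runs against a temporary directory standing in for a freshly provisioned server.

```python
"""Post-provisioning checks: policy compliance, then an integrity baseline.

Constructed example. Runs against a temp directory that stands in for the
root filesystem of a newly provisioned server; nothing here touches a real host.
"""
import hashlib
import os
import re
import tempfile

# Hypothetical policy: file -> regexes, each of which must match some line.
POLICY = {
    "etc/ssh/sshd_config": [
        r"^PermitRootLogin\s+no$",
        r"^PasswordAuthentication\s+no$",
    ],
}


def check_compliance(root, policy=POLICY):
    """Return a list of (file, rule) pairs that the image fails."""
    failures = []
    for rel, rules in policy.items():
        path = os.path.join(root, rel)
        try:
            with open(path) as f:
                lines = [ln.strip() for ln in f]
        except FileNotFoundError:
            # A required config file that is absent fails every rule for it.
            failures.extend((rel, r) for r in rules)
            continue
        for rule in rules:
            pat = re.compile(rule)
            if not any(pat.match(ln) for ln in lines):
                failures.append((rel, rule))
    return failures


def sha256_of(path):
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def take_baseline(root, watched):
    """Hash every watched file; a file that does not exist yet is recorded as None."""
    baseline = {}
    for rel in watched:
        path = os.path.join(root, rel)
        baseline[rel] = sha256_of(path) if os.path.isfile(path) else None
    return baseline


def detect_changes(root, baseline):
    """Compare the current state to the baseline.

    Returns {file: 'modified' | 'deleted' | 'created'} for every watched file
    whose hash differs from the baseline; unchanged files are omitted.
    """
    changes = {}
    for rel, old in baseline.items():
        path = os.path.join(root, rel)
        new = sha256_of(path) if os.path.isfile(path) else None
        if old == new:
            continue
        if old is None:
            changes[rel] = "created"
        elif new is None:
            changes[rel] = "deleted"
        else:
            changes[rel] = "modified"
    return changes


def demo():
    """Build a constructed server image, check it, baseline it, then tamper with it."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "etc/ssh"))
    # Constructed sshd_config that still allows root login: a policy failure.
    with open(os.path.join(root, "etc/ssh/sshd_config"), "w") as f:
        f.write("PermitRootLogin yes\nPasswordAuthentication no\n")
    with open(os.path.join(root, "etc/passwd"), "w") as f:
        f.write("root:x:0:0:root:/root:/bin/bash\n")
    failures_before = check_compliance(root)

    # Remediate the image, re-check, and only then take the integrity baseline.
    with open(os.path.join(root, "etc/ssh/sshd_config"), "w") as f:
        f.write("PermitRootLogin no\nPasswordAuthentication no\n")
    failures_after = check_compliance(root)
    watched = ["etc/ssh/sshd_config", "etc/passwd", "etc/sudoers"]
    baseline = take_baseline(root, watched)

    # Simulated unauthorized changes after the server went live.
    with open(os.path.join(root, "etc/passwd"), "a") as f:
        f.write("backdoor:x:0:0::/root:/bin/bash\n")
    with open(os.path.join(root, "etc/sudoers"), "w") as f:
        f.write("backdoor ALL=(ALL) NOPASSWD: ALL\n")
    changes = detect_changes(root, baseline)
    return failures_before, failures_after, changes


if __name__ == "__main__":
    print(demo())
```

The ordering matters: the baseline is taken only after the image passes policy, so that a non-compliant setting is not silently enshrined as "known good". In a real pipeline the baseline would be stored off the host (an attacker who can edit `/etc/sudoers` can also edit a local hash file), and the change report would feed the monitoring step rather than being printed.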
