New class of cloud security suite promises next-gen protection

Nemertes analyst John Burke points CIOs to a new type of cloud security offering that combines the functions of VPN, cloud firewall, secure web gateway and cloud access security broker.

According to Nemertes Research's cloud research, 2019 is the year the average enterprise has more than half its work happening outside the data center. This ongoing shift of enterprise IT work into cloud environments -- whether SaaS, PaaS or IaaS -- puts pressure on enterprise IT teams to better manage, orchestrate and secure those workloads. Securing them is especially challenging, since IT needs to find ways to secure traffic originating anywhere -- not just within branches, but also in partner sites, in home offices, hotels and coffee shops. It is equally necessary to secure traffic bound to anywhere: trusted SaaS partners, systems running in IaaS environments and citizen-developed apps running in a PaaS.

Enter ESCAPE: Enterprise Secure Cloud Access and Policy Enforcement -- Nemertes' term for a new generation of cloud security suite. ESCAPE offerings, which include Cisco Umbrella and Palo Alto Prisma, bring a secure access layer together with protective technologies such as malware filtering, and with centralized management and enforcement of security policies. Essentially, this next-gen cloud security suite combines the functions of VPN, cloud firewall, secure web gateway and cloud access security broker (CASB).

ESCAPE cloud security offerings are not like a traditional VPN in that they secure access from any location to any destination, whether internal -- data center or branch -- or external -- the cloud -- without routing all the traffic back to and through an internal security stack in the data center. Instead, endpoints, whether laptops, mobile devices or branches, connect to the provider's nearest point of presence (POP), and from there traffic is routed across either encrypted tunnels or private backbones to an egress POP near the destination. Policy is applied and enforced en route.

The use of distributed POPs reduces or eliminates the legacy VPN application performance hit by eliminating the need to route everything through the data center even when more direct paths are possible. As the web of ESCAPE POPs spreads, putting them adjacent to more web destinations, using secure access may even come to improve performance for cloud applications.

With respect to policy enforcement, a complete ESCAPE cloud security suite will provide both API-based CASB functions for use with known and sanctioned cloud destinations and in-line CASB features for protection of other cloud-bound traffic. 

Over the next few years, the cloud security suite will also come to encompass the functions of other security options. CIOs should expect an ESCAPE offering to be able to do discovery, data loss prevention and other security and risk management functions currently provided with specialized appliances in most organizations. ESCAPE could even take on SD-WAN-type functions, and some offerings already integrate with appliance-based SD-WAN.

CIOs wrestling with providing an ever-more-broadly spread population of users with secure access to internal and external resources, getting visibility into cloud-bound traffic, applying a security policy consistently across resources in multiple cloud environments or supplementing the security of an SD-WAN should begin looking at an ESCAPE cloud security suite now.
