Strategic Security – Cloud-based MSS

Posted by Gunter Ollmann on July 14, 2008 at 8:33 AM EDT.

Last month I covered how I’m expecting protection technologies to increasingly become embedded deeper into the applications and platforms we rely upon, rather than the way in which security currently encases (or should that be ‘entombs’?) those very same applications. Today I’m going to cover how the third-party management of perimeter security devices will likely change over the next few years.

Or more precisely, why many organizations won’t have to continue to invest in purchasing their own perimeter security appliances in the future…

Today’s MSS

In the traditional layered-defense model, organizations deploy their primary network protection systems at their exposed Internet perimeter. There you’ll find the big firewalls, IPS and IDS appliances, Web proxies, mail security gateways, etc. protecting their denizens from the barrage of cyber-threats.

At some stage, many of those organizations will decide that it’s more efficient and cost effective to have an external Managed Security Services (MSS) company take over the daily management of those protection systems – hopefully picking up 24x7 monitoring along the way, complete with an event ticket management framework and multi-tier support structure delivered by trained security professionals (and, if they’re an IBM MSS customer, access to the X-Force’s threat expertise).

In order to provide continuous monitoring and management of those perimeter protection systems (located at the organization’s hosting facilities), the MSS company must be able to manage them remotely – typically relying upon secure VPN tunnels and occasionally out-of-band technologies (for high availability and for delivering more comprehensive SLAs) to do so.

As the client organization expands or replaces its perimeter protection infrastructure, the MSS company is simply passed the additional cryptographic access keys to the new devices, and takes remote control of them.

Protection Evolution

While the current remote management model has been working pretty well for quite some time, I’m expecting to see changes as confidence grows and the trust relationship strengthens between client and MSS provider. In particular, one of the critical changes we’re going to see is that the requirement to actually have the protection devices physically located at the client organization will largely disappear. That is to say, I expect those hardware assets to disappear from the client’s perimeter and their virtualized protection capabilities to reappear within their preferred MSS provider’s network.

After all, why purchase the physical equipment outright (i.e. as a capital expense) and then set about having to host it at your own facility, when the technologies can operate just as efficiently from the other end of the organization’s link to the Internet? Given the advances in network segregation technologies, secure VPN tunneling and scalable security performance, and the ability to manage multiple disparate network security configurations within a single – centralized – “cluster” of protection devices, there’s very little reason to stick with this legacy perimeter protection strategy.

Granted, for many organizations this concept may be as sacrilegious as the thought of using plastic corks in a bottle of good French wine, but time and technology move on; having to own the assets and needing to physically wrap your hands around your protection appliances will hark back to an older period of security thought.

Clean pipes or in-the-cloud?

For most of this decade we’ve heard about the concept of “clean pipes” – i.e. the removal of malicious or unwanted network traffic by your ISP. Unfortunately, while we’ve all been yakking about it, very little has actually been done – in fact, many ISPs are more nervous than ever about promoting services that automatically remove suspicious content (largely spam, port scanning and probing traffic).

Unlike the traffic scraping proposals of “clean pipes”, what I’m talking about for the future of perimeter protection is the delivery of traditional protection technologies by your MSS provider from within their protection cloud.

By way of example, consider the following diagram…

Rather than the client organization hosting the protection appliances and technologies at the perimeter of their enterprise (as well as every remote office location), the same protection technologies are effectively transplanted to the MSS services operation “in-the-cloud”.

All outbound office traffic passes through a secure VPN (or equivalent secure pipe) directly to the MSS provider’s in-the-cloud protection framework (the network traffic can’t go anywhere else). The management portals with their configuration and reporting options all look the same, and effectively the client organization notices no difference in service delivery capabilities.

The provision of “in-the-cloud” protection will have a number of critical advantages:

  1. The client organization only needs to make sure their ISP-supplied border router (or DSL modem) is capable of making a secure tunnel to the MSS in-the-cloud environment. This greatly simplifies configuration of new offices (or access by home-office users).
  2. The outright purchase of costly physical Internet security infrastructure is eliminated. Instead, those protection capabilities are provisioned as an in-the-cloud service, delivered on a subscription basis. For example, consider a high-street retail chain with 300 stores nationally. Instead of procuring and installing a separate firewall, IPS and anti-virus gateway at each site (costing several thousand dollars each time), their ISP-provided router is simply configured to create a VPN tunnel to the MSS provider’s network, and they are charged an agreed monthly fee for their in-the-cloud protection services.
  3. The provision of additional or more advanced security options can just be “turned on”, rather than “purchased and installed”. For example, an organization may be using the firewall and IPS protection service suites, but would now like to add data-leakage and Web application firewalling protection to the mix. The MSS provider would just turn on those additional protection features, and the client would have immediate portal access to the new functionality.
  4. Scaling protection becomes much easier. As the client organization grows – increasing the number of remote offices or data volume – instead of having to purchase additional equipment (probably having to replace less-capable appliances and adding additional power or cooling to their hosting site), any additional capacity requirements can be met by the MSS provider centrally.
  5. By coalescing all the protection into one place (I say ‘place’ rather than ‘location’) it becomes much easier for the client organization to view security events and manage security policies through a single portal – regardless of the protection technologies being used. This holistic view is actually pretty important in order to meet many compliance and governance requirements.
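The architecture above rests on one property: the branch router’s only path to the Internet is the tunnel to the MSS cloud, so the traffic “can’t go anywhere else”. The usual way that property is lost in practice is a fallback default route via the ISP link, which silently bypasses all of the in-the-cloud protection the moment the tunnel drops. The following is an added example (not code from the original post or from IBM/ISS) of a fail-closed egress check over a branch router’s routing table. The interface names, addresses and the `ip route show` output are constructed assumptions for illustration.

```python
"""Audit a branch router's routing table for egress that bypasses the MSS
tunnel.  Added example, not part of the original post; all names and
addresses below are constructed assumptions."""
import ipaddress

# Constructed sample of `ip route show` on a branch router.  The second
# "default" line is the classic mistake: a fallback directly via the ISP.
SAMPLE_ROUTES = """\
default dev ipsec0 scope link metric 100
default via 203.0.113.1 dev eth0 metric 200
203.0.113.0/24 dev eth0 proto kernel scope link src 203.0.113.10
192.168.10.0/24 dev br-lan proto kernel scope link src 192.168.10.1
198.51.100.5 via 203.0.113.1 dev eth0
"""

# Same table with the fallback removed: only the tunnel carries Internet traffic.
HARDENED_ROUTES = "\n".join(
    line for line in SAMPLE_ROUTES.splitlines() if "metric 200" not in line
)

TUNNEL_IF = "ipsec0"   # assumed tunnel interface towards the MSS cloud
WAN_IF = "eth0"        # assumed ISP-facing interface
# Assumed MSS tunnel endpoint; the only host that may be reached outside the tunnel.
MSS_GATEWAY = ipaddress.ip_address("198.51.100.5")


def parse_route(line):
    """Turn one `ip route` line into a dict of destination, via, dev and metric."""
    tokens = line.split()
    dst = "0.0.0.0/0" if tokens[0] == "default" else tokens[0]
    route = {"dst": dst, "via": None, "dev": None, "metric": 0}
    # Every attribute in the sample output is a key/value pair (via X, dev X,
    # metric N, proto X, scope X, src X); unknown keys are skipped in pairs.
    for i in range(1, len(tokens) - 1, 2):
        key, val = tokens[i], tokens[i + 1]
        if key == "via":
            route["via"] = val
        elif key == "dev":
            route["dev"] = val
        elif key == "metric":
            route["metric"] = int(val)
    return route


def audit_egress(routes_text, tunnel_if, wan_if, mss_gateway):
    """Return a list of findings; an empty list means egress is fail-closed."""
    findings = []
    routes = [parse_route(l) for l in routes_text.splitlines() if l.strip()]

    # 1. The preferred default route must point into the tunnel ...
    defaults = sorted((r for r in routes if r["dst"] == "0.0.0.0/0"),
                      key=lambda r: r["metric"])
    if not defaults or defaults[0]["dev"] != tunnel_if:
        findings.append("preferred default route does not use the tunnel")
    # 2. ... and there must be no lower-priority default that takes over when
    #    the tunnel interface goes down (that is the fail-open case).
    for r in defaults[1:]:
        if r["dev"] != tunnel_if:
            findings.append(
                f"fallback default route via {r['dev']} (metric {r['metric']}) "
                f"bypasses the tunnel if it fails")

    # 3. Specific routes over the WAN link are only acceptable for the WAN's
    #    own connected subnet and a host route to the tunnel endpoint itself.
    for r in routes:
        if r["dst"] == "0.0.0.0/0" or r["dev"] != wan_if:
            continue
        net = ipaddress.ip_network(r["dst"], strict=False)
        if net.num_addresses == 1 and mss_gateway in net:
            continue  # needed so the tunnel packets themselves can leave
        if r["via"] is None:
            continue  # connected subnet of the ISP link
        findings.append(f"route to {r['dst']} via {wan_if} bypasses the tunnel")
    return findings


if __name__ == "__main__":
    for name, table in (("sample", SAMPLE_ROUTES), ("hardened", HARDENED_ROUTES)):
        print(name, audit_egress(table, TUNNEL_IF, WAN_IF, MSS_GATEWAY) or "fail-closed")
```

The check deliberately treats a backup default route as a finding rather than a feature: if the tunnel is the protection, losing the tunnel should mean losing Internet access, not bypassing the MSS provider. A router-side firewall rule that drops forwarded traffic leaving the WAN interface outside the tunnel gives the same guarantee independently of the routing table.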

And there are lots of other services such as vulnerability scanning, event log management, remote backup storage, etc. that would be just as easily supplied in such a framework.

The death of stand-alone security appliances?

I guess some readers may question whether this vision of the future means that stand-alone security appliances will perish if in-the-cloud MSS services prevail, and that won’t bode well for IBM’s existing security appliance range.

There will always be a market for specialized stand-alone protection appliances. Some organizations will never relinquish day-to-day control of their perimeter security to a third party (you can lead a horse to water, etc.). And don’t discount the fact that most large organizations have protection appliances deployed deep within their internal networks, and it would be a complex procedure to replace them with an in-the-cloud service (at least until there is major adoption of cloud-based computing).

That said, ISS’ X-Force has always excelled at “big” security – i.e. the kinds of protection technologies the biggest and most sophisticated organizations deploy (such as ISPs, telcos and global financial institutions).

As the MSS market migrates to “in-the-cloud”, the types of security technologies providers need in order to provision their services will have to be “big”, and bigger than ever before, but that’s what we’re working on. New advances in wire-speed protection, deeper and more efficient inspection of traffic, increasingly reliable and preemptive detection of new families of malicious content, and massively scalable platforms are all areas in which X-Force has researched and innovated, and continues to do so.

    Copyright 2001-2008 © Gunter Ollmann