How hybrid Cloud is hastening the demise of traditional firewall security

"Identity is the new perimeter"

It's not a new notion, but one that is gaining adherents: Perimeter-based security options like firewalls and access controls just will not cut it for new technologies that expand beyond corporate networks.

"Identity is the new perimeter," said Andi Mann, a vice president at CA Technologies, during a recent Google Hangout with other cloud experts sponsored by Datamation. "You can't lock down by firewalls any more; you can't even really lock down by application access anymore because you're getting portions of an application from different services and different providers."


Users are accessing these beyond-the-firewall services without IT knowing about it (shadow IT), and employees are using their mobile phones to handle corporate information (BYOD). Those use cases and more are causing a rethinking of security approaches. "It's much more complex," said David Linthicum, a vice president at consultancy Cloud Technology Partners, who also sat in on the Hangout.

Migrating to an identity-based security approach will be better for most organizations in the long run because it can be cheaper than investing in hardware and allows more flexibility, Mann and Linthicum agreed. Using an identity-based approach allows organizations to focus on who the person is and what they are allowed to access, rather than on whether they are allowed through a barrier point. "It's a whole different mode and one that opens you up to be able to use multiple services from multiple providers, to take a best of breed public plus private approach," says Mann.

Take hybrid cloud computing: Many define it as any combination of on-premises and off-premises cloud resources. So, a database that's serving information to a cloud-based customer relationship management tool, or a virtualized environment in a company's data center drawing on spare storage capacity in Amazon's cloud could be considered hybrid clouds. But when developers are spinning up virtual machines in the public cloud, the traditional firewall may not protect against corporate data flowing back and forth unprotected.

And hybrid cloud is where organizations are looking. Linthicum, who consults with customers on cloud adoption strategies, says most customers see hybrid cloud as an end goal. They want to retain their legacy installations, while moving hesitantly toward using outsourced options because of perceived lack of security and privacy.

"Pretty much everyone has it on their radar screens now," he says.

Mann says it's even more widespread. A recent CA study, he said, found that 94% of respondents from around the globe reported they're already using a combination of both on-premise and off-premise resources to create a hybrid environment. "This is even sooner than the near future, it's right now," he says.

Federated identity access management is not new, but the move to using cloud-based services makes the need for these systems greater, says IDC security analyst Sally Hudson.

"The traditional IT perimeter no longer exists, hence neither does the traditional perimeter defense posture," she wrote in an e-mail. But that doesn't mean implementing these systems is plug-and-play. "Next generation security monitoring, maintenance and management is expensive and requires highly skilled professionals," she says. "It will rely more on real time information profiling and back end analytics and less on passwords and simplistic access methods."

Vendors in this market include IBM, CA Technologies, RSA (the security division of EMC), Oracle, Covisint, NetIQ and Ping Identity, as well as newer companies like Okta, OneLogin, ForgeRock and Symplified, she says.

Network World senior writer Brandon Butler covers cloud computing and social collaboration. He can be reached at and found on Twitter at @BButlerNWW.
