How To Secure Cloud Architectures Without Sacrificing Your Bottom Line


Most organizations have shifted, or are shifting, a substantial portion of their workloads to the cloud. Tzury Bar-Yochay, CTO and co-founder of Reblaze, addresses how, in this environment, the need for web security is more important than ever, but traditional efforts are no longer useful. Thus, alternative approaches are necessary and costly.

Cloud adoption continues to rise, and securing cloud infrastructure is essential for organizations that have migrated to the cloud. According to Gartner, annual information security spend recently rose to over $123 billion. 

Many organizations consider the line-item price of their security technologies to be their whole cost; however, there are more aspects to consider. There are also opportunities for savings that are usually neglected, and ways to reduce costs while achieving a more robust security posture.

Optimize Security Architecture for Cost and Performance

Many organizations have moved a substantial portion of their workloads to the cloud. In this environment, the need for web security is more important than ever, but traditional on-prem appliances are no longer useful. Thus, alternative approaches are necessary.

Many web security vendors offer traffic filtering in a SaaS (software as a service) delivery model, in the form of a ‘scrubbing center’, to which all incoming traffic is routed. There it is scrubbed and verified before being forwarded to its original destination. 

Almost all vendors maintain their own infrastructure for this purpose (whether in physical data centers or on-cloud); it is separate from, and external to, their customers’ cloud environments. Generally, this infrastructure is multi-tenant, shared by several customers.

Alternatively, organizations can consider running security on a virtual machine within the customer’s Virtual Private Cloud (VPC) environment. Here the traffic flow is different; incoming traffic flows directly to the VPC without being diverted elsewhere. 

These two architectures (external versus internal) have substantially different cost structures. All else being equal, the external security solution is more expensive than the internal solution.

Identify Costs Common to Both External and Internal Security Architectures

Cloud usage usually incurs data egress fees; the cloud providers charge these fees when traffic leaves the customer’s cloud environment. These will occur under both security architectures. However, the external ‘scrubbing center’ architecture includes an additional, separate environment that the traffic must enter and leave before being forwarded to the customer’s environment. 

Therefore, using an external security solution will double the amount of traffic egress that occurs (or, in the case of physical data centers, add bandwidth/transit costs). There are also additional overhead costs for the vendor to manage the multi-tenant infrastructure. Usually, many (or even all) of these costs are not directly visible to the customers. Nevertheless, customers pay them anyway, in the form of higher rates charged by the vendor. Note that these additional costs are all avoided by the internal security architecture, because incoming traffic flows directly to the customer’s environment and is processed within it.

Don’t Become Collateral Damage in a DDoS Attack

Modern distributed denial-of-service (DDoS) attacks can occur at dramatic scales. If your organization becomes the target of such an attack, and your security solution is unable to defeat it, the loss of revenue can be substantial. Even during normal business hours, many organizations can experience a loss rate of six figures per hour of downtime; during the most critical periods (such as Black Friday weekend for ecommerce stores), a large-scale DDoS event can be ruinous. Clearly, it is imperative to maintain robust defenses against these attacks.

However, while DDoS solutions might seem to be a ‘dime a dozen’, there is a crucial distinction that can affect the bottom line. Many of these services are provided as external, multi-tenant solutions; they serve a large number of customers in the same infrastructure. 

This creates an inherent vulnerability to DDoS attacks, because an attack on one customer will affect all customers sharing that same infrastructure. In other words, customers of these multi-tenant solutions have inherent exposure to receiving “collateral damage” during a DDoS event. Selecting a dedicated, single-tenant solution will help to avoid these vulnerabilities. 

Summary

In the modern threat environment, cloud workloads require effective protection. The major cloud platforms operate under a “shared responsibility” model; they provide secure infrastructure, but your workloads’ security is your responsibility alone.

Web security can be expensive, but it doesn’t need to be. Organizations that perform their due diligence can enjoy substantial savings while simultaneously maintaining a robust and more performant security posture.
