It's amazing how fast things change. It was not that long ago that cloud computing skeptics said that no one would use the cloud for business applications because of the security issues. Now we hear from customers that they are moving entire data centres — not just select applications — to the cloud. Why? Ubiquity is one reason. Reduced costs are another. Finally, they are realising that security, specifically next-generation security, can be used to protect their applications and data from advanced cyber attacks, whereas traditional, port-based security technologies cannot exert the same levels of control.
Here are my predictions for data centre security for 2015.
1. Cloud security will become less cloudy
With the recent release of our VM-Series for both Amazon Web Services and KVM joining Citrix SDX and VMware ESXi and NSX support, 2015 will be the year that customers can protect their public, private or hybrid cloud-based applications using the next-generation firewall and advanced threat prevention features found in our enterprise security platform. Further clarifying cloud security will be the elimination of the time-lag between virtual machine provisioning and security deployment through the use of native automation features such as VM-monitoring, dynamic address groups and the XML API.
2. The benefits of network segmentation based on Zero Trust will be realised
During a recent customer visit, a tenured networking professional challenged our discussion around network segmentation based on Zero Trust principles, stating he had been segmenting the network for security for years. "So what's new here?" he asked. Conceptually there is nothing new here; rudimentary network segmentation can be done by routers, switches and even firewalls. The key difference is in the level of granularity by which we can segment the network.
The rash of recent high profile breaches — where attackers hide in plain sight on the network — points to the need for segmentation principles that are more advanced than mere port, protocol or subnet. As the conversation with this networking professional continued, I pointed out that with the application identity, a view into the content and knowledge of who the user is, we can segment business critical data and applications in a far more granular fashion than rudimentary segmentation would allow.
Specifically, we can verify the identity of specific business applications, force their use over standard ports and validate the user identity. We can find and block rogue or misconfigured applications, all the while inspecting the application flow for file types and blocking both known and unknown threats. In 2015, I expect to see many organisations continue to re-think how they segment their network, applying the Zero Trust principle of "Never Trust, Always Verify" using the application, the respective content and the user as the basis for policy enforcement. The benefits our customers will begin to realise include an improved security posture with less administrative effort.
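The two ideas in sections 1 and 2, address groups whose membership follows VM tags at provisioning time (so a new VM is covered by policy the moment it appears) and segmentation keyed on application identity, user and content rather than on port or subnet alone, as an added teaching example written for this page. It is a constructed Python model, not code from the article's author or from any vendor product; the tags, application names, standard-port table, user groups and IP addresses are all assumptions.

```python
"""Illustrative Zero Trust segmentation evaluator (constructed teaching model, not a vendor API)."""
from dataclasses import dataclass, field

# Assumed table: application identity -> port(s) it is expected on. Traffic classified as
# an application seen on another port is treated as rogue or misconfigured.
STANDARD_PORTS = {"ssh": {22}, "web-browsing": {80}, "ssl": {443}, "mysql": {3306}}


@dataclass
class Inventory:
    """VM inventory as a hypothetical VM-monitoring feed would report it: ip -> set of tags."""
    vms: dict = field(default_factory=dict)

    def provision(self, ip, tags):
        self.vms[ip] = set(tags)

    def decommission(self, ip):
        self.vms.pop(ip, None)

    def group(self, *required_tags):
        """Dynamic address group: every VM carrying all required tags, resolved at match time."""
        need = set(required_tags)
        return {ip for ip, tags in self.vms.items() if need <= tags}


@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    dst_port: int
    app: str                         # identity classified from the traffic, not inferred from the port
    user_group: str                  # user identity resolved from a directory mapping (assumed)
    file_types: frozenset = frozenset()  # file types observed inside the flow


@dataclass
class Rule:
    name: str
    src_tags: tuple
    dst_tags: tuple
    apps: frozenset
    user_groups: frozenset
    blocked_file_types: frozenset = frozenset()


def evaluate(flow, rules, inventory):
    """Return (verdict, reason). Default is deny: anything not explicitly verified is blocked."""
    expected = STANDARD_PORTS.get(flow.app)
    if expected is None:
        return "deny", f"unknown application {flow.app!r}"
    if flow.dst_port not in expected:
        return "deny", f"{flow.app} on non-standard port {flow.dst_port}"
    for rule in rules:
        if flow.src_ip not in inventory.group(*rule.src_tags):
            continue
        if flow.dst_ip not in inventory.group(*rule.dst_tags):
            continue
        if flow.app not in rule.apps or flow.user_group not in rule.user_groups:
            continue
        bad = flow.file_types & rule.blocked_file_types  # content check inside a permitted flow
        if bad:
            return "deny", f"rule {rule.name}: blocked file type {sorted(bad)}"
        return "allow", f"rule {rule.name}"
    return "deny", "no matching rule (default deny)"


def demo():
    """Walk through constructed flows; returns a dict of scenario -> verdict."""
    inv = Inventory()
    inv.provision("10.0.1.10", ["web", "prod"])
    inv.provision("10.0.2.20", ["db", "prod"])
    rules = [
        Rule("web-to-db", ("web", "prod"), ("db", "prod"), frozenset({"mysql"}), frozenset({"svc-web"})),
        Rule("admin-ssh", ("jumphost",), ("prod",), frozenset({"ssh"}), frozenset({"admins"}),
             frozenset({"exe"})),
    ]
    r = {}
    # Right application, user and groups -> allowed.
    r["web_to_db"] = evaluate(Flow("10.0.1.10", "10.0.2.20", 3306, "mysql", "svc-web"), rules, inv)[0]
    # Newly provisioned VM without a matching tag: no rule applies, default deny.
    inv.provision("10.0.3.30", ["dev"])
    r["dev_to_db"] = evaluate(Flow("10.0.3.30", "10.0.2.20", 3306, "mysql", "svc-web"), rules, inv)[0]
    # Jump host provisioned with the right tag is covered immediately, with no rule edit.
    inv.provision("10.0.9.9", ["jumphost"])
    r["admin_ssh"] = evaluate(Flow("10.0.9.9", "10.0.2.20", 22, "ssh", "admins"), rules, inv)[0]
    # Same path, but SSH classified on port 443: application/port mismatch is rejected.
    r["ssh_on_443"] = evaluate(Flow("10.0.9.9", "10.0.2.20", 443, "ssh", "admins"), rules, inv)[0]
    # Non-admin user on the admin path.
    r["dev_ssh"] = evaluate(Flow("10.0.9.9", "10.0.2.20", 22, "ssh", "developers"), rules, inv)[0]
    # Permitted session carrying a blocked file type: content inspection denies it.
    r["exe_over_ssh"] = evaluate(Flow("10.0.9.9", "10.0.2.20", 22, "ssh", "admins",
                                      frozenset({"exe"})), rules, inv)[0]
    # Decommissioned VM drops out of the group, again without any rule change.
    inv.decommission("10.0.9.9")
    r["after_decom"] = evaluate(Flow("10.0.9.9", "10.0.2.20", 22, "ssh", "admins"), rules, inv)[0]
    return r


if __name__ == "__main__":
    for scenario, verdict in demo().items():
        print(f"{scenario:14s} {verdict}")
```

The point of resolving group membership at match time rather than at rule-authoring time is that provisioning and decommissioning a VM changes what the policy covers without anyone editing a rule, which is the time-lag the text says automation removes; the port check and the file-type check show why application identity and content, not the port number, have to be the basis for the segmentation decision.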