Applications no longer fit neatly within easily defined boundaries that can be protected from external threats. They now live anywhere: on-premises, or in a private, public, or hybrid cloud environment. Ultimately, this creates a distributed IT environment and turns outside providers (e.g., your Infrastructure-as-a-Service (IaaS), Platform-as-a-Service (PaaS), and Software-as-a-Service (SaaS) providers) into internal, trusted entities. In the age of cloud, all traffic looks like web traffic, which means that enterprises can no longer secure traffic based on IP addresses. Further, all of that traffic is encrypted, which means it is not visible to the network inspection layer.
Applications in the cloud are often connected directly to the heart of the data center through encrypted VPN tunnels that completely bypass the advanced (and expensive) anti-malware, DLP, threat prevention systems and next-generation firewalls in the traditional network edge.
And next-gen firewalls are rapidly losing visibility into SSL traffic between your network and the cloud as application and service developers adopt certificate pinning. Next-gen firewalls normally gain visibility into encrypted SSL traffic by essentially staging a man-in-the-middle attack: the firewall acts as a certification authority and reverse proxy, so that web clients on the internal network are "tricked" into establishing an SSL connection with the next-generation firewall, which in turn establishes a second SSL connection with the actual website or cloud service. This enables the next-gen firewall to decrypt, inspect, and apply policy to traffic between the internal network and the Internet even when it is encrypted.
With certificate pinning, however, application developers essentially hard-code the expected certification authority into their client, or into the application gateway running on your network. The client then rejects any certificate chain that does not lead to the pinned authority, even one signed by a CA the operating system trusts, which defeats the benevolent man-in-the-middle feature of the next-generation firewall.
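To make the interaction between the two mechanisms concrete, here is an added example (not code from the original page or from Skyport Systems) that models a pinning client in Python. It mirrors the two checks a real TLS client performs in sequence: ordinary chain validation against the trust store, then an HPKP-style SubjectPublicKeyInfo pin check. All certificates, SPKI byte strings and names (`Cloud CA`, `NGFW CA`, `app.cloud.example`) are constructed stand-ins; signature verification, validity periods and name constraints are deliberately omitted from the model.

```python
import base64
import hashlib
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set


@dataclass(frozen=True)
class Cert:
    """Minimal certificate model: who it names, who issued it, and its
    DER SubjectPublicKeyInfo bytes (constructed stand-ins in this example)."""
    subject: str
    issuer: str
    spki: bytes


def spki_pin(spki: bytes) -> str:
    """HPKP-style pin: base64(SHA-256(SubjectPublicKeyInfo DER))."""
    return base64.b64encode(hashlib.sha256(spki).digest()).decode("ascii")


def chain_is_trusted(chain: List[Cert], trusted_roots: Set[str]) -> bool:
    """Simplified path validation: each certificate must be issued by the next
    one in the chain, and the last one must be issued by a root in the trust
    store. This is the check an intercepting firewall passes once its root
    CA has been installed on the client."""
    if not chain:
        return False
    for child, parent in zip(chain, chain[1:]):
        if child.issuer != parent.subject:
            return False
    return chain[-1].issuer in trusted_roots


def chain_matches_pins(chain: Iterable[Cert], pins: Set[str]) -> bool:
    """Pin check: at least one SPKI anywhere in the chain must match a pin.
    Pinning the CA (as the text describes) rather than the leaf lets the
    service rotate leaf keys without breaking clients."""
    return any(spki_pin(c.spki) in pins for c in chain)


def connect(chain: List[Cert], trusted_roots: Set[str],
            pins: Optional[Set[str]] = None) -> str:
    """Return the client's verdict for a presented chain:
    'untrusted-chain', 'pin-mismatch' or 'ok'. An empty pin set means the
    client does not pin and relies on the trust store alone."""
    if not chain_is_trusted(chain, trusted_roots):
        return "untrusted-chain"
    if pins and not chain_matches_pins(chain, pins):
        return "pin-mismatch"
    return "ok"


# --- constructed scenario -------------------------------------------------
CLOUD_CA_SPKI = b"constructed-spki: cloud provider intermediate CA"
NGFW_CA_SPKI = b"constructed-spki: next-gen firewall interception CA"
BACKUP_CA_SPKI = b"constructed-spki: backup CA kept offline for rotation"

# Chain the cloud service presents on a direct connection.
DIRECT_CHAIN = [
    Cert("app.cloud.example", "Cloud CA", b"constructed-spki: app leaf key"),
    Cert("Cloud CA", "Cloud Root", CLOUD_CA_SPKI),
]

# Chain the firewall forges for the same hostname when it intercepts.
INTERCEPTED_CHAIN = [
    Cert("app.cloud.example", "NGFW CA", b"constructed-spki: forged leaf key"),
    Cert("NGFW CA", "NGFW Root", NGFW_CA_SPKI),
]

# Trust store after the enterprise pushed the firewall's root to endpoints.
TRUST_STORE = {"Cloud Root", "NGFW Root"}

# Pins shipped in the client: the real CA plus a backup, never the firewall.
PINS = {spki_pin(CLOUD_CA_SPKI), spki_pin(BACKUP_CA_SPKI)}


if __name__ == "__main__":
    print("direct, pinned client:     ", connect(DIRECT_CHAIN, TRUST_STORE, PINS))
    print("intercepted, pinned client:", connect(INTERCEPTED_CHAIN, TRUST_STORE, PINS))
    print("intercepted, unpinned:     ", connect(INTERCEPTED_CHAIN, TRUST_STORE))
    print("intercepted, no NGFW root: ", connect(INTERCEPTED_CHAIN, {"Cloud Root"}, PINS))
```

Running it shows the point the text makes: with the firewall's root installed, an unpinned client accepts the forged chain and the firewall gets its visibility, while the pinned client rejects the very same chain with `pin-mismatch`. From the defender's side this is why pinned traffic should be treated as a blind spot in the inspection layer and covered by other controls (endpoint telemetry, egress allow-listing, provider-side logging) rather than by attempting to intercept it.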
The implications for hybrid cloud connections, though, should give one pause. When we connect our data center to the cloud, we are giving any party with legitimate access to that cloud (or anyone who compromises that cloud) access to the heart of our network. And with certificate pinning, we can't even look at the traffic carried by this connection.
In this webinar, we will examine the current and future ways that hybrid clouds establish connections between your on-prem network and applications and services hosted elsewhere. We’ll help you understand what makes these connections different and the special risks and security challenges they present.
Dan Backman and Michael Beesley from our sponsor, Skyport Systems, will join me and briefly show you how their hardened but easy-to-use Hybrid Cloud Edge security architecture helps you address these risks without re-designing your network.