Security has to be at the start of every cloud conversation

NetFoundry’s boss shares his thoughts on how an expanding attack surface requires starting with security

The cloud has left us all massively exposed. And, according to NetFoundry CEO Galeal Zino, who spoke at a NetEvents roundtable in January, secure networking needs to be a software function.

In a distributed computing world, it makes sense to take the cloud as close as you can to the customers. The downside is that every time a network expands and changes shape, there are huge growing pains and stretch marks as a result.

The expansive hyperscaling of the cloud has been great for developers, but a nightmare for the people who have to manage the supporting network and secure all the joints. Every interface, gateway and firewall has to be accounted for by some network manager or security expert, and sadly securing them is a lot harder and more fiddly than it is for a developer to spin up a server. All those new virtual servers multiply the attack surface for criminals. It’s as if they are building whole new estates without locks on the doors or windows.

The good news is that NetFoundry has solved this problem – and now it needs channel partners to present the solutions to their clients.

It has an eclectic list of prospective partners – value-added resellers (VARs), systems integrators, and every kind of service provider (such as managed, comms and infrastructure), so options for partnership are quite varied. The unifying quality is the belief that the cloud has to be secured at inception.

Zino is excited that secure networking has turned into a software function. Monolithic applications have been broken down and put into containers, microservices and lambda functions, so it only makes sense to do the same thing to the network, he says.

“That means you have an opportunity to orchestrate secure networking, the way you orchestrate software, and that’s really exciting,” adds Zino.

The so-called “shift left” in the industry heralded a new massively distributed and very fast world that has left secure networking in the dust and every cloud user massively exposed. Still, never mind the threat, what an opportunity!

Zino is very excited at the prospect because he’s invented the answer: “We’ve reinvented secure networking to fit this hyperconnected world.”

So, what is the shift left? “We must move networking and security into the heart of the development delivery lifecycle, or it’s too late. Otherwise, I don’t believe in this kind of hyperconnected, massively distributed world we’re talking about,” says Zino.

NetFoundry is working with ARM and CapGemini to secure connected cars with what it calls “confidential compute with SSA confidential networking”.

“We designed the solution from the ground up. We put security and networking right into the application,” says Zino. “It’s a lot simpler in the greenfield.”

Edge computing will be hard to secure, though. “You need an environment where you can iterate and experiment,” says Zino. “Therefore, you need a certain cost and simplicity. I’m not sure we’re there yet for the edge, or that mainstream developers can tinker at the edge. I think the cost and the complexity aren’t quite there, but we have made tremendous progress.”

Zino adds that security should be sold as an enabler. “Security’s traditionally been an obstacle to velocity and agility. The magic of cloud was that as a developer, or an engineer or a business person, I could go to AWS [Amazon Web Services], enter my credit card, and have access to world-class compute, rather than submit a ticket to IT. So, AWS and [Microsoft] Azure democratised computing,” he says.

That doesn’t sound like democracy, where everyone gets a say, but there are still rules for proceeding with decisions, such as elections every four years. Democracy moves slowly. What AWS did was allow everyone to ignore the rules, which is arguably closer to anarchy.

Still, as Zino points out, innovation flourished. But now IT has to put secure networking into the hands of the coders and into the heart of the development delivery lifecycle.

“Then they can innovate, whether it’s edge, cloud or both. So that’s what I’m looking for,” says Zino. “We call it application-specific networking, right? You put the capability into the application code to generate a secure-by-design overlay, specific to its session.”

The SolarWinds incident last year proves that attackers are spoilt for choice in the world of the cloud.

“The only way you’re ever going to prevent those attacks is to shift left and put secure networking into the heart of your development lifecycle. It’s the only way, and I believe that log for SolarWinds opened our eyes to that,” says Zino.

The size of the blast radius needs to be minimised, Zino continues, suggesting it’s time to put wide-area networks (WANs) in a museum.

“The WAN needs to be retired, needs to be killed, needs to go away. We need to go in the opposite direction,” he says. “The WAN gives them [the hackers] the connectivity and the path to get the data and infiltrate it.

“So there’s an argument that we need to minimise the blast radius, because we’re always going to have vulnerabilities and they’re always going to get exposed to some extent. The only way to do that is to kill the WAN and have a secure-by-design architecture – quite the opposite of the ‘One Ring to rule them all’-type approach,” he adds.

I think I know what he means, but I’m sure you will understand a lot better than I do.
