Securing network automation
Barracuda Networks’ Dr Klaus Gheri talks to Digital Bulletin about securing network automation, the pros and cons of 5G, compliance in the cloud and Firewall-as-a-Service
Dr Gheri, thanks for joining us. Could you tell us a bit about yourself and your role at Barracuda Networks?
I’m the VP & General Manager, Network Security at Barracuda Networks, which means I head up the new network security part of our business, and I’m responsible for the cloud generation and firewall product line. I’ve been with the company for nearly 10 years.
Could you tell us a bit about Barracuda Networks?
Barracuda is a pretty unique animal. We started 17 years ago with email and have progressed to networks and applications, which are three areas that all customers have a need for. The network backbone, which is my domain, is something that is getting increasingly important as things get more dispersed, which is also true of data protection. We specialise in providing protection in these various areas, with a strong emphasis on cloud connected environments.
What security considerations must enterprises take when they’re thinking about their strategy for network automation?
I think it’s fair to say that cloud is the new data centre, and one of the nice attributes of cloud is automation. Network assets on public cloud can easily be automatically created and destroyed. Some of this is doable in the physical data centre by way of virtualisation, but increasingly this is actually happening in the cloud.
The problem for customers is that security is not necessarily an integral part of it: you can do many things with automation, but security stays within the responsibility of the subscriber or the organisation using automation. Operators or admins have to be aware of this and actively make security plans.
Where does network security automation fit into this conversation?
I think that security needs to become scriptable. We try to be really flexible with our architecture, making it scriptable, enabling policy through APIs from the outside, making it DevOps friendly. It might be a new paradigm for some vendors and something that will take a while to get their heads round, but it’s something we’ve been doing for more than six years.
Another really important element is security posture monitoring of these new cloud assets. Everything that is stored in the cloud needs to fall in line with compliance, and that is where the security industry can help, both in terms of just getting a grip on the current inventory, visualising it, and then benchmarking it against compliance requirements and baselines.
We can take it even further, so that rather than just alerting a customer when there is a deviation, the system can take control and tell me when it has sorted the issue. These highly automated environments make a tonne of sense in environments where so much is going on. It’s so transparent and offers an extra layer of monitoring and control to see what’s going on.
How are technologies such as AI, ML and 5G impacting network automation and network security?
AI and machine learning can help detect anomalies and deviations from baseline. We use some of that technology in email security products, for instance, trying to see subtle deviations in communication patterns. The systems, after having learned for a little while, can detect those and then basically raise an alarm or quarantine the email before it can do any harm.
I think this is an ongoing process where AI and machine learning technologies just grow into the product. 5G is a different topic. That’s a high-performance new access technology that will massively affect the way things will communicate.
Could tech such as 5G result in new network vulnerabilities that enterprise needs to guard against?
Yes, every new communication technology has new vulnerabilities. You’ll find there’s a flaw in the protocol; IoT will be layered in on top because, through 5G, IoT will be able to communicate to an unprecedented extent. And that in itself creates problems because it’s an attack surface that is accessible from the outside.
The other thing that I consider an issue around 5G is a little bit like MPLS. MPLS is deemed by many people to be like a private network, which it is not, because of shared infrastructure; it’s as secure as your telco makes it. You’re actually handing over your privacy to the telco. 5G has similar elements to it. It has baked-in insecurity.
We’re getting requests around 5G already to layer in security, as companies do not necessarily trust the providers. From a personal point of view, I would always just like to control my own fate and just add encryption. Again, that is something that’s sometimes challenging because, especially at the low end, with things like devices communicating with some cloud service, the device may itself not be capable of providing good enough cryptography.
Could you speak about how you are enabling automated security compliance in the cloud?
We launched Cloud Security Guardian about a year ago, which works with AWS and Microsoft Azure. It’s a cloud service we provide that points the cloud service to your cloud assets. What happens then is that we deploy a little agent in a container to your cloud subscription. That’s the anchor point through which our service can actually retrieve information. Basically it pulls in telemetry data about the assets, the setup, which cloud components talk to which other cloud components, what the security settings are, etc.
It actually depicts the whole thing. You get a mentor diagram, which is something that normally blows people away because they’re super hard to come by otherwise. That’s an immediate benefit and you can also test drive that for free and just see for yourself whether you can make sense of what you’re getting. In addition to that, you can actually then enforce compliance controls.
One of the main networking trends for 2020 is predicted to be ‘Firewall-as-a-Service’, what is your opinion on this?
I actually think the new acronym that’s getting a lot of traction is SASE, which stands for Secure Access Service Edge. It will terminate in the cloud. The configuration will all be cloud-centric and inspection will then take place. The heavy lifting will take place in the cloud.
The IoT connectivity that I talked about before is actually pretty much in line with that model, because the heavyweight components run in the cloud. They do the inspection. The low end is a trimmed-down little hardware contraption that goes next to the machines on-prem. Basically all it does is try to be as resilient as possible in terms of making a connection back home into the cloud. But the same thing, of course, works for office networks, and that’s now increasingly getting referred to as the SASE model.
This is the way it’s going. Conflict in the cloud, termination into the cloud because the bulk of your assets is going to be in a cloud and then dark breaker locally and of course layered in on top of the smart routing, state-of-the-art SD-WAN technology. This is where we are heading and this is sometimes summed up as firewall-as-a-service or some of these elements would also be found in the firewall. But this is where the industry is heading slowly and steadily.
What other trends will we see over the next 12 months?
I think SD-WAN of course is a macro trend that will continue. For us, we’ve been having data in the product since 2005, when it was not called SD-WAN, just multi-transport VPN. More recently this became super popular, especially in conjunction with cloud. I think this will continue, and what was known as a firewall will become a kind of multifunctional product with those elements added.