New hybrid delivery security architecture

Secure Computing's Ken Rutsky tells how to integrate Software-as-a-Service (SaaS), virtualization and appliance security offerings to let users get exactly what they want.
Written by Ken Rutsky, Contributor on
“In the past, CIOs deployed their own self-contained application architectures on their own servers and storage systems. This old model is giving way to a hybrid application architecture that combines hosted functionality with in-house applications running on consolidated and virtualized commodity servers. We believe that this transformation will drive efficiencies across the full stack, from business processes to physical infrastructure, while increasing IT's ability to meet new demands in a rapidly changing business environment.” - Kishore Kanakamedala, Vasantha Krishnakanthan, and Roger Roberts, McKinsey Quarterly, 1

Ken Rutsky Commentary--Software as a Service (SaaS), virtualization and integrated IT appliances are creating new and powerful service delivery models for IT managers to leverage. One only needs to look at the success of SaaS companies such as Salesforce.com and WebEx, the robust growth of integrated appliances in spaces ranging from security to data warehousing, and the meteoric rise of VMware’s adoption in the enterprise to see that all these models deliver significant “utility-like” benefits and cost savings.

In the IT security space specifically – over the past decade – appliances replaced software as the dominant solution delivery mode. But what’s coming next is much more intriguing….

“We’ve seen rapid change in the enterprise security market in the last five years,” said Chris Christiansen, program vice president of Security Products and Services at the Boston, MA-based research firm IDC. “The pure security software market was eclipsed by appliances. Now, virtual environments and hosted solutions are showing strong growth as hybrid solutions that enhance existing security infrastructure.”

Publicity on the success of SaaS security by the likes of Postini (Google) and Frontbridge (Microsoft), and of virtualization by VMWare through its initiative to ensure the safety and security of such environments has been considerable. And while market penetration is still rather low, these models are growing at a rapid pace. They’re attractive to Information Technology (IT) because each model provides a beneficial combination of improved application and service delivery, flexibility, and significantly lower total cost of ownership (TCO).

However, these models still fall short of the “hybrid application architecture” vision laid out by McKinsey & Co. Today’s SaaS, virtualization and appliance security offerings are provided separately and thus require integration through both traditional and service-oriented architecture and techniques. IT security professionals are forced to make “all or nothing” choices when selecting a delivery model for their organization, else be faced with multiple incompatible policy sets, non-integrated compliance reporting and service delivery inconsistencies. These all-or-nothing choices do not deliver on the promise of the flexible, hybrid and cost-efficient model that was foretold.

Emerging architecture for security
A new technical and business architecture is emerging that provides for best-of-breed security service delivery, portability and “hybridization” across hosted, virtual and appliance platforms. This next-generation delivery system allows IT security staff to efficiently protect organizations against today’s emerging and morphing threats while simultaneously taking full advantage of all three models.

A successful hybrid delivery security architecture should be built upon six critical design pillars:

1. Availability of integrated hardware/software appliances, virtualized appliances, and hosted service delivery platforms
2. Best-of-breed, fully portable, proactive security services
3. Hybrid service deployment enabled, allowing the splitting of services across delivery platforms
4. Unified service offerings and pricing
5. Common policy definition and administration
6. Unified reporting

A flexible architecture that contemplates all of these features is needed, delivering the best of all worlds. To fully understand this, we will examine the benefits and drawbacks of each delivery model and then describe the new hybrid architecture in further detail, illustrating the benefits of this approach.

Deliving deeper: Appliances, virtualization and SaaS delivery
Today, IT security professionals must choose between four distinct service delivery platforms for messaging and Web protection: (1) appliances (integrated hardware and software), (2) virtualization (virtualized appliances), and (3) SaaS. Software is also an option, but in rapid decline it has become marginalized in relevance with appliances leading the way in most cases, and SaaS and virtualized appliances are emerging growth platforms. Each model is attractive to IT security professionals for valid yet sometimes conflicting reasons.

Let’s examine the relative strengths and weakness of each model.

Appliances (integrated hardware/software)

• Pre-tested by vendors for hardware, OS and application software interdependencies
• Components sized by vendors to meet specific performance needs
• Can perform task-specific hardware accelerations such as SSL encryption/decryption
• Easy to install and deploy; strive for plug-and-play
• Single point of support
• Typically includes best-of-breed services
• Assets, data, redundancy and availability protected and controlled within the organization
• Highly configurable to business needs

• Capacity limited by initial purchase and/or rack space
• Upgrades can be expensive and disruptive

Virtual appliances

• Pre-tested by vendors for all OS and application software interdependencies
• Easy to install and deploy; strive for plug-and-play • Typically include best-of-breed services
• Assets, data, redundancy and availability protected and controlled within the organization
• Highly configurable to business needs
• Highly flexible capacity: hardware resources can be added, swapped or upgraded
• Can take advantage of pooled resources that are typically underutilized, delivering “Green IT”

• IT must manage hardware capacity, allocation and performance dependencies
• Requires hypervisor overhead including licensing, system resources and administration
• Creates another dependency in reliable service delivery

Hosted SaaS

• Easiest to deploy, strive for configure-and-go
• Single point for support
• Scales to need, available services and capacity can be added at will
• Automated upgrades and updates
• Lowest capital expenditure and staffing

• Services are typically not best of breed
• Assets, data, redundancy and availability not protected and controlled within the organization
• Network latency effects
• Limited configurability to business needs
• Susceptible to large-scale network service outages

So you can see that while each model has its advantages and disadvantages, it’s clear that no one model is a panacea as single-model vendors may claim. It is also helpful to conduct direct comparisons of the three models to obtain a better understanding of the complexity of this question.

Appliances vs virtual appliances
Integrated hardware and software appliances and virtual appliances are both highly configurable solutions that deliver best of breed security. The key advantage of the integrated appliance over the virtual appliance is the turnkey plug-and-play nature and removal of all hardware and software dependencies within the solution. Of course, the virtual appliance—while being riskier from a dependency perspective—allows for more flexible-capacity growth and efficient use of datacenter resources. For organizations with the expertise to manage and tune virtual environments, virtual appliances may make sense. However, for organizations looking for faster plug-and-play security and a single point of support, fully integrated appliances still hold the advantage.

Appliances vs SaaS
Both integrated appliance and SaaS strive to offer plug-and-play service delivery and to grow without additional capital expenses. For organizations with no or little IT staff, SaaS holds the advantage. However, this advantage comes at the significant costs of services that are typically not best of breed and the loss of control of data, resources and availability. Many organizations simply do not want give up this level of service quality and control for the benefit of quick turn on and lower capital and staffing costs.

Virtual Appliances vs SaaS
While virtual appliance delivery offers the same advantages as above, they also offer the ability to quickly add capacity, eliminating one of the SaaS advantages over integrated hardware/software appliances. However, as noted above, virtual appliances also add another layer of management and dependency, so the nod has to go to SaaS in this regard.

Relative key advantages and disadvantages of each model summarized: Click to see the chart.

Bottom line: There is no “one size fits all” solution as many vendors claim. In addition, customers will both benefit from and prefer the flexibility in being able to choose, mix and match based upon their organization’s needs.

Next-Generation, Flexible Hybrid Delivery Security Architectures
A hybrid delivery security architecture eliminates the necessity of IT’s having to make sub-optimal decisions—a situation that’s created when they must choose just one service delivery model and stick with it.

There are times when a combination of models is best—most cost effective without sacrificing service quality, control, responsiveness or agility—and, over time, an organization may want to move from one service delivery model to another. Being able to enjoy this kind of flexibility and advantages means certain requirements must be met. Let’s look at what they are, and how such an architecture maps to them.

First, here’s what the architecture looks like:

Requirement 1: Availability of integrated hardware/software, virtualized and hosted-service delivery platforms. As mentioned, each of these service delivery models has unique benefits. There may be times when each is right for all or a part of an organization. Optimally, you want all three of these platforms to be available. In addition, there are things you should look for with each; for example, a wide range of integrated appliances should be delivered to meet varying capacity and performance needs; virtual appliances should come with documentation and guidance on resources needed to deliver adequate performance when running on a hypervisor under load; hosted services must be more than simply a pool of hosted appliances, but rather they should be built as a true multi-tenant secure architecture.

Requirement 2: Best-of-breed, proactive, fully portable security services. Any service delivery platform is only as good as the services that run on it. Therefore, the optimal solution will run best-of-breed services on all three platforms. These services should employ the latest and most proactive security threat mitigation techniques, such as the reputation- and intent-based defenses. Services should also be portable across platforms. This will ensure there is no loss of service functionality or continuity when users’ service provisioning is moved from one platform to another. It is accomplished by abstracting the service delivery platforms from the services with well-defined interfaces.

Requirement 3: Hybrid service deployment enabled to allow the splitting of services across delivery platforms. A natural extension to the availability of multiple delivery platforms is the ability to “hybridize” services across platforms. This refers to the division of a given service across two or more service delivery platforms. For example, you might have signature-based malware scanning done via a SaaS platform, and intent-based analysis done locally where more control, granularity and auditing are required. Another example is conducting first-tier spam filtering using reputation analysis on the SaaS platform, with final spam filtering and routing done locally—especially useful in environments where organizations do not want to expose user accounts to “the cloud” for security or privacy reasons. Note that some services, such as Web Quality of Service delivery, simply cannot be delivered as a hosted service.

Requirement 4: Unified service offerings and pricing. There is no doubt that IT is moving to a service delivery model. One of the business design points of a hybrid delivery security architecture is to provide unified service offerings and pricing across delivery platforms. This removes the constraint of service quality and features when making deployment choices. In addition, pricing of services should be consistent across platforms, i.e. Web filtering should cost the same regardless of which platform the service runs. This feature is the business companion of service portability and without both the system will fail to deliver the promised benefits to customers.

Requirement 5: Common policy definition and administration. Whenever services are deployed across multiple systems, common policy definition and administration are a must. An administrator should be able to define policy and deploy it for enforcement independent of the service delivery platforms used. The administrative interface should abstract the delivery platform from the user for whom the policy is applied. Look for a hybrid delivery security architecture that delivers unified policy definition and administration across integrated and virtual appliances and SaaS delivery platforms.

Requirement 6: Unified reporting. Executives, compliances officers, forensic investigators and IT security managers should not have different levels of reporting available on different service delivery platforms, nor be required to do any work to aggregate reports. However, they may want separate views based upon business requirements, and this should be a feature of the unified reporting infrastructure.

Case study: Best of all worlds
A company that looked to replace their antiquated Web filtering software with a modern and up-to-date Web security solution, wanted – ideally – control, lower costs, configurability, flexibility. They have a large VMware datacenter at headquarters, and prefer to deploy as much of their computing infrastructure as possible on VMware. In addition, they have three regional headquarters with significant staff at each location but limited IT management capacity. Also, approximately 20 percent of their staff works from home. The Web security team evaluated integrated and virtual appliance models and hosted services. They discovered for themselves the difficult trade-offs noted previously. A hybrid delivery security architecture provided them with the control they wanted, green savings at headquarters, and the ability to effectively service and add remote users to the solution. It allowed them to enjoy the best of all models without sacrificing service quality or flexibility.

Another organization uses Web security appliances to deliver robust security, however they recently acquired another company and their entire IT staff was immediately dismissed. By leveraging the power of a hybrid delivery security architecture, the Web security director simply signed up the acquired company to the Web security SaaS offering; then, he duplicated the existing policy for the new users. He can also easily deploy a virtual appliance that does nothing but direct traffic to the SaaS service. As this acquisition matures, the company has choices; they can reallocate hybridized service features, perhaps ending up with desktops configured to go directly to the SaaS, or move to a full appliance-based deployment. Most importantly, the director was able to deploy and enforce policy immediately, and provide integrated reporting to his compliance and management teams from day one.

These scenarios and many more are enabled by the power and flexibility of a hybrid delivery security architecture. Savvy CISO’s will use this robust business and technical architecture to couple next-generation security technology with next-generation delivery platforms.

Ken Rutsky is Vice President of Technology Evangelism for Secure Computing Corp.

Editorial standards