It seems hardly a week can pass without some cloud-based security service provider announcing the latest expansion of their cloud infrastructure. The cadence has turned into something of an arms race on the part of these providers, perhaps in response to a sense that this is what the market wants to see in a service provider. After all, X+1 Points of Presence (POPs) is better than X, right?
Well, the real answer is that most confounding of answers: it depends. In this case, the dependency is a question of what specific problem you’re trying to solve.
A number of the recent announcements regarding new POPs have come from Content Distribution Network (CDN) providers. We’ve written in this blog before about some of the deficiencies of CDN-based security protections. In this case, we’re not calling out deficiencies of security functions, but rather pointing out that the network architecture that’s ideal for content optimization may not be the right architecture to most efficiently or effectively handle certain security challenges.
Operating a global CDN, by its nature, means replicating a single design into as many POPs as the business can support. With POPs closer to the intended end-users of the web application, the CDN is in an ideal position to optimize the performance of that application for a global user base. In particular, this can improve the users' experience for rich, static content elements of the application. However, this strength from an optimization standpoint becomes a liability when it comes to responding to a global volumetric threat.
One does not have to dig far into the news feeds covering security service provider failures to find cases where a provider combines cloud scrubbing with cloud-based web attack protection or CDN services, all on the same infrastructure. This creates significant risk and has resulted in some high profile outages. Spreading attack traffic across a large number of POPs (or nodes) produces an attack that cascades across the infrastructure, disrupting not only the attack's target but also every other application served by those POPs. As CDN nodes reach capacity, they fail and pass traffic over to the next node. The network as a whole sustains itself by distributing the attack across many nodes, but as a result the provider may not see the problem until it materializes at the origin servers supporting the web application. For the customer this means un-forecastable latency and potentially availability issues for the application itself.
The ideal architecture features a separate, scalable infrastructure dedicated to volumetric DDoS attack mitigation, to which traffic is rerouted when an attack reaches predetermined thresholds. This includes separate GRE tunnels for returning scrubbed traffic to the origin, so that mitigation traffic never shares the path used by the always-on services.
In addition to physical separation, the location of the scrubbing centers is important. Unlike a CDN POP, which benefits from proximity to the end user, a DDoS scrubbing center is ideally located close to a major peering point, which gives it the distinct advantage of not having to backhaul large amounts of attack traffic across a network backbone.
Another important consideration is the possible impact on security compliance requirements (e.g., PCI DSS) when a service provider with a very large number of POPs is terminating sessions. Customers of such services should ask whether every POP has been certified; given that these POPs effectively act as a network segment of the application, this would seem necessary to maintain compliance of the overall application.
This is a very different level of traffic interaction from transit-oriented services, or from services that inspect traffic in a more limited context, such as DDoS attack detection. By limiting inspection to packet headers and other data elements useful for attack detection, and by not requiring customers to share private keys for encrypted traffic, a separate DDoS cloud scrubbing service can support attack detection and mitigation without compromising compliance.
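To make the two preceding points concrete, here is an added example (not code from the original post, and not any provider's product) that illustrates threshold-based diversion to a scrubbing center driven purely by header-level telemetry. It consumes constructed flow-record samples (5-tuple, packet and byte counts, and whether the TCP flags were SYN-only), never payload, so it needs no TLS private key; the policy numbers, the documentation addresses and the state names are all assumptions chosen for illustration. The controller uses hysteresis in both directions, so a single spike does not trigger a divert and a single quiet interval does not withdraw one.

```python
"""Header-only volumetric attack detection with a divert/release threshold.

Added example, not from the original post. All thresholds and addresses
are hypothetical; the flow samples are constructed inline.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class FlowRecord:
    """One exported flow sample: header fields only, never payload."""
    src: str
    dst: str
    proto: str          # "tcp" or "udp"
    dport: int
    packets: int
    octets: int
    syn_only: bool = False   # TCP flags were SYN without ACK


@dataclass
class DivertPolicy:
    """Assumed policy values (hypothetical; tune per origin and link size)."""
    pps_threshold: float = 100_000.0    # sustained packets/s that triggers a divert
    syn_ratio_threshold: float = 0.8    # share of SYN-only packets indicating a SYN flood
    min_pps_for_ratio: float = 10_000.0 # ignore the SYN ratio on trivial traffic
    sustain: int = 2                    # consecutive hot intervals before diverting
    clear_pps: float = 20_000.0         # rate below which a diverted origin may drain
    release: int = 3                    # consecutive quiet intervals before releasing


class DivertController:
    """Per-destination state machine: clean -> watch -> diverted -> draining -> clean.

    Samples are assumed to come from the upstream (pre-scrub) side, so the
    attack rate is still visible while the origin is diverted.
    """

    def __init__(self, policy: DivertPolicy) -> None:
        self.policy = policy
        self.hot = defaultdict(int)     # consecutive intervals over threshold
        self.quiet = defaultdict(int)   # consecutive intervals under clear level
        self.diverted = set()

    @staticmethod
    def rates(records, interval_s):
        """Aggregate per-destination pps and SYN-only ratio from header fields."""
        pkts, syn = defaultdict(int), defaultdict(int)
        for r in records:
            pkts[r.dst] += r.packets
            if r.proto == "tcp" and r.syn_only:
                syn[r.dst] += r.packets
        return {d: (n / interval_s, syn[d] / n) for d, n in pkts.items() if n}

    def evaluate(self, records, interval_s):
        """Consume one interval of samples; return the new state per destination."""
        p = self.policy
        observed = self.rates(records, interval_s)
        states = {}
        for dst in set(observed) | set(self.diverted):
            pps, syn_ratio = observed.get(dst, (0.0, 0.0))
            attack = pps > p.pps_threshold or (
                pps > p.min_pps_for_ratio and syn_ratio > p.syn_ratio_threshold)
            if dst in self.diverted:
                self.quiet[dst] = self.quiet[dst] + 1 if pps < p.clear_pps else 0
                if self.quiet[dst] >= p.release:       # withdraw the divert
                    self.diverted.discard(dst)
                    self.quiet[dst] = 0
                    states[dst] = "clean"
                else:
                    states[dst] = "draining" if self.quiet[dst] else "diverted"
            else:
                self.hot[dst] = self.hot[dst] + 1 if attack else 0
                if self.hot[dst] >= p.sustain:         # announce the divert
                    self.diverted.add(dst)
                    self.hot[dst] = 0
                    states[dst] = "diverted"
                else:
                    states[dst] = "watch" if self.hot[dst] else "clean"
        return states


ORIGIN = "203.0.113.10"   # constructed origin address (documentation range)


def constructed_interval(attack: bool, sources: int = 50, pps_per_source: int = 3_000):
    """Constructed one-second sample: light web traffic plus an optional SYN flood."""
    records = [
        FlowRecord("198.51.100.7", ORIGIN, "tcp", 443, 120, 96_000),
        FlowRecord("198.51.100.8", ORIGIN, "tcp", 443, 80, 64_000),
    ]
    if attack:   # spoofed sources, SYN-only, no payload to inspect
        records += [FlowRecord(f"192.0.2.{i}", ORIGIN, "tcp", 443,
                               pps_per_source, pps_per_source * 60, syn_only=True)
                    for i in range(sources)]
    return records


if __name__ == "__main__":
    ctl = DivertController(DivertPolicy())
    plan = [True, True, False, False, False]
    for n, is_attack in enumerate(plan, 1):
        print(n, ctl.evaluate(constructed_interval(is_attack), 1.0)[ORIGIN])
```

The decision never looks past layer-4 headers: packets per second and the share of SYN-only packets per destination are enough to spot the volumetric case, which is exactly why a scrubbing service can run this without holding the customer's TLS keys. The `sustain` and `release` counters are the predetermined thresholds the text refers to; in production the divert itself would be a BGP announcement of the origin prefix from the scrubbing center, with clean traffic returned over the separate GRE tunnels.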
So, for organizations looking for a service provider to deliver a combination of cloud security services, the ideal architecture is a diversified topology that includes not only a large number of POPs around the world, but also the ability to redirect large attacks to separate scrubbing centers.
To help you focus your search, here are some questions to ask a cloud security service provider:
1. Where do you mitigate large volumetric attacks?
2. Are these separate networks from the ones where you deliver always-on services (CDN or security)?
3. What technology are you using to scrub traffic? More than routers?
4. How do you manage encrypted attacks? Do I need to give you my private keys?
5. How do you maintain my PCI compliance if you're acting as a full proxy and terminating sessions?