In the early 2000s, the network security appliance became ubiquitous. Beginning with Web application firewalls (WAFs), and eventually extending through all seven layers of the network model, security appliances were being popped into server racks like candy. "Need to filter spam? There's an appliance for that!" "Do you want to analyze the flow data generated on your firewalls? There's an appliance for that!" "Need to mitigate DDOS threats? There's an appliance for that!" ....You get the idea. By the late 2000s, hundreds of vendors were selling network security appliances for every imaginable purpose.
Then, we began to see the cloud intrude on the appliance's turf. It started with things like spam filtering: "Instead of buying an appliance with a high capital expenditure (capex) cost, why not just forward all your email to us in the cloud? We can scrub it for you and send it back to you...while saving you the need to install more gear in your data center and hire people to support it." "Need to mitigate DDOS attacks? Just have all your traffic flow through us first; we'll identify all the potential attacks and forward to you only the content that's legitimate." "Need Web content filtering and authentication that was previously provided by a WAF? No problem! Just let us host the presentation tier of your Web apps; we'll handle authentication and access control, and you can worry about the transactional stuff on the back end."
There's no doubt that this model is going to continue. There's a lot of value—in terms of both real dollars as well as convenience—in letting a trusted third-party handle some of your security controls. And the breadth of security functions that can now be addressed through a cloud provider is impressive: cloud-based identity management (including authorization, provisioning, and even periodic recertification of access), vulnerability scanning, APT detection, and risk and compliance management, to name a few. Consider the cloud-based services which claim to secure your data from other cloud providers. These are all examples of a growing portfolio of completely outsourced, zero-onsite-footprint technologies that are available through the cloud.
Of course, all this talk about ripping stuff out of the data center in deference to the cloud is enough to give any network security appliance a complex (or at least, those anthropomorphic ones). In reality, to paraphrase Mark Twain, the demise of the network security appliance is greatly exaggerated. There are many good reasons why network security appliances will continue to have a critical place in the data center:
- Some Stuff Just Doesn't "Cloud" Well. While certain functions, such as spam filtering and DDOS mitigation, are clearly well suited for the cloud (because the traffic that's being analyzed is ingress traffic originating from outside the organization's firewall in the first place), this isn't always the case with other security operations. Implementing a complete firewall in the cloud, for example, is technically possible, but bandwidth limitations would likely result in poor performance, reducing the viability of this type of security service in the cloud. Monitoring high-volume data, such as flow data, could also be prohibitive due to bandwidth requirements.
- Trust. Let's face it: Many people—especially, and understandably, within security—do not trust the cloud for data storage, let alone for security functions. For this reason, despite the cloud's capability to provide a lot of security-related services, there will be many organizations who simply defer to internal security solutions (often in the form of a network appliance) to solve the problem.
So where does that leave our good friend, the network security appliance? In most cases, these vendors will continue to see growth because enterprises will continue to buy network security appliances that provide security from within the data center, close to the core network. or because the cloud alternative is simply not trusted.
There is, perhaps, another future, too: the hybrid cloud. As organizations continue to outsource security operations to cloud providers, they're going to need to get information back from those cloud providers, and there's a definite need where administrators can collect security-related metrics from cloud-based security services (for example, from RESTful APIs), pull those metrics together into an on-site appliance with local storage, and use it as an analysis platform for security operations. Who will take over this space? Who will the leaders be?