Full Report
Part 3: Security teams, it’s time to hedge “pure cloud” bets
Analysis Summary
# Best Practices: Hybrid Network Security Strategy and Cloud Risk Mitigation
## Overview
These practices focus on recognizing the strategic, geopolitical, regulatory, and complexity risks associated with a pure public cloud security model (like SSE). The core recommendation is to adopt and formally plan for a hybrid network security architecture to ensure control, risk mitigation, and business continuity, especially for large and regulated enterprises.
## Key Recommendations
### Immediate Actions
1. **Perform a Risk Assessment on the Current SSE Solution:** Immediately conduct a formal risk assessment of the existing Security Service Edge (SSE) solution, focusing specifically on the impact of a potential week-long outage.
2. **Identify Critical Workload Protection Gaps:** Inventory all security coverage, particularly identifying server workloads currently *not* covered by existing SSE contracts (due to historical cost models) and determine the necessary remediation path (e.g., licensing correction or hybrid placement).
3. **Budget for Continuity Planning:** Begin allocation of budget and resources for formalizing a Business Continuity Plan (BCP) specifically addressing loss of cloud security services, targeted for completion by 2026.
### Short-term Improvements (1-3 months)
1. **Formalize Hybrid Architecture Requirement:** Document the strategic decision to maintain an on-premises capability as a hedge against geopolitical and regulatory risk.
2. **Analyze Granular Policy Needs:** Review existing security policies to identify those requiring the most granular control, comparing appliance capabilities versus current cloud enforcement capabilities.
3. **Validate Hidden or Overlooked Costs:** Review current SSE billing structures to ensure all traffic types (especially non-authenticated server workloads) are accounted for and budgeted in future renewals.
### Long-term Strategy (3+ months)
1. **Implement and Test a Hybrid Failover Mechanism:** Develop, document, and regularly test a clear continuity mechanism that allows critical workloads to fail over seamlessly to, or operate entirely via, on-premises infrastructure should the primary SSE solution become inaccessible or subject to external restrictions.
2. **Diversify Vendor Strategy:** Ensure procurement strategies do not create single points of failure tied solely to cloud providers subject to foreign legislation or geopolitical leverage. Favor solutions that offer flexible deployment models (physical/virtual appliances alongside cloud services).
3. **Establish Long-term Price Stability Contracts:** Negotiate procurement contracts that explicitly lock in price stability for both cloud services and on-premises/virtualized components to mitigate unexpected cost escalations associated with data center expansion or localized regulatory overhead placed on vendors.
## Implementation Guidance
### For Small Organizations
- **Focus on Configuration Control:** Prioritize retaining critical, granular policy enforcement on-premises for core infrastructure where regulatory complexity is high, rather than migrating everything immediately.
- **Pragmatic SSE Adoption:** Implement SSE for end-user remote access, utilizing cloud benefits like on-demand features (e.g., Remote Browser Isolation), but maintain local inspection for high-risk internal traffic streams if licensing costs for server-side protection are prohibitive.
### For Medium Organizations
- **Formalize Hybrid Documentation:** Develop a clear "Hybrid Network Security Policy" outlining which security functions reside in the cloud (e.g., scale, new features) and which must remain on-premises (e.g., high-control functions, specific regulated data paths).
- **Run Pilot BCP Scenarios:** Initiate testing of continuity plans by running small-scale drills simulating a temporary loss of cloud access for non-essential traffic.
### For Large Enterprises
- **Mandate Hybrid Architecture:** Formally adopt a hybrid model as the organizational standard, acknowledging that "Pure Cloud or nothing" introduces unacceptable geopolitical and regulatory exposure.
- **Integrate Geopolitical Risk into Procurement:** Require security vendors to provide detailed assurances or architectural flexibility regarding data sovereignty compliance across all operational geographies to prevent political leverage risk.
- **Leverage Advanced Cloud Features Strategically:** Use cloud capabilities like policy-based traffic routing for optimization where they add clear value, while relying on appliance technology for core, complex, and highly controlled environments.
## Configuration Examples
While the article emphasizes strategic choice rather than specific command-line examples, the configuration guidance points towards:
1. **Policy-Based Traffic Routing (Cloud):** Utilize cloud-native features to steer specific egress traffic based on policy requirements (e.g., routing specific traffic to a jurisdiction-specific data center for compliance).
2. **On-Premises Appliance Policy Replication:** Ensure that the configuration management system used for on-premises proxies can quickly deploy or mirror critical security policies on backup hardware (physical or virtual) to support failover operations.
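One concrete place where the routing and failover decisions above are encoded is the proxy auto-configuration (PAC) file that browsers and proxy-aware agents evaluate. The PAC below is an added example, not configuration from the article or from any vendor; the SSE edge hostname, the on-premises appliance hostnames, the server subnet and the regulated partner domain are all assumptions.

```javascript
// Added example, not from the article: a PAC file that encodes the hybrid
// model for browsers and proxy-aware agents. All hostnames, subnets and the
// regulated partner domain are assumptions.
var SSE_PROXY    = "PROXY sse-edge.example-sse.net:443";   // assumed cloud SSE edge
var ONPREM_PROXY = "PROXY proxy-dc1.corp.example:3128";    // assumed on-prem appliance
var ONPREM_EU    = "PROXY proxy-fra.corp.example:3128";    // assumed in-jurisdiction appliance

// Stand-ins so the file also runs under Node; a PAC engine supplies the real
// dnsDomainIs/isInNet/myIpAddress. The stand-ins only handle literal IPv4 hosts.
function ipToInt(ip) {
  var p = ip.split(".");
  if (p.length !== 4) return null;
  return ((+p[0]) * 16777216) + ((+p[1]) * 65536) + ((+p[2]) * 256) + (+p[3]);
}
var dnsDomainIs = typeof dnsDomainIs === "function" ? dnsDomainIs :
  function (host, domain) { return host.slice(-domain.length) === domain; };
var isInNet = typeof isInNet === "function" ? isInNet :
  function (host, pattern, mask) {
    var h = ipToInt(host), p = ipToInt(pattern), m = ipToInt(mask);
    return h !== null && ((h & m) === (p & m));
  };
var myIpAddress = typeof myIpAddress === "function" ? myIpAddress :
  function () { return "127.0.0.1"; };

// Pure routing decision, separated from the PAC globals so it can be unit-tested.
function routeFor(host, clientIp) {
  // Internal services never leave the data center.
  if (dnsDomainIs(host, ".corp.example")) return "DIRECT";
  // Regulated data path: pinned to the in-jurisdiction appliance. No cloud
  // fallback, because failing over would move the data to another geography.
  if (dnsDomainIs(host, ".regulated-partner.example")) return ONPREM_EU;
  // Server subnet (non-authenticated workloads outside the SSE licence):
  // inspected on-premises only, so a missing SSE entitlement is not a coverage gap.
  if (isInNet(clientIp, "10.50.0.0", "255.255.0.0")) return ONPREM_PROXY;
  // End-user traffic: SSE first; the on-prem appliance is the continuity path
  // the client falls back to when the cloud edge is unreachable.
  return SSE_PROXY + "; " + ONPREM_PROXY;
}

function FindProxyForURL(url, host) {
  return routeFor(host, myIpAddress());
}
```

The ordered proxy list in the last return is what gives end-user traffic its continuity path: the client tries the SSE edge first and moves to the appliance only when it cannot connect, which is also the behaviour a BCP drill should exercise.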
## Compliance Alignment
- **Geopolitical Risk Management:** Aligns with internal enterprise risk frameworks that mandate controls against vendor dependency escalation (e.g., political leverage).
- **Business Continuity Planning (BCP):** Directly addresses the need for resilience planning often mandated by regulations such as:
- **DORA (Digital Operational Resilience Act):** Requires robust continuity planning and explicitly prompts organizations to question whether one cloud service can be relied on to back up another.
- **NIST SP 800-53 (Contingency Planning):** Provides the framework for formalizing the recommended continuity plans regarding infrastructure failure.
## Common Pitfalls to Avoid
- **Adopting "Pure Cloud or Nothing" Blindly:** Ignoring the non-technical risks (geopolitics, regulation) inherent in placing all critical security bets in a single, external data center ecosystem.
- **Assuming Cloud Costs Cover All Workloads:** Failing to account for the significantly higher cost or contractual limitations associated with securing server workloads compared to only securing end-user, authenticated traffic.
- **Neglecting Continuity Planning:** Postponing the formalization of a continuity plan for primary security infrastructure, assuming cloud providers negate inherent outage risks ("Do I feel comfortable using the cloud to back up the cloud?").
- **Ignoring Granular Policy Gaps:** Assuming cloud offerings universally match the most specific, granular policy enforcement capabilities available in mature on-premises proxy technologies.
## Resources
- **Business Continuity Planning Documentation (Internal/Regulatory):** Frameworks mirroring requirements for handling significant infrastructure outages (Reference DORA compliance activities).
- **Vendor Architecture Documentation:** Reviewing vendor documentation regarding physical/virtual appliance options and licensing structures for server workload coverage.
- **SSE Deep Dives (Part 1 & Part 2):** For detailed insights on SSE capabilities and limitations beyond pure security functions.