Content Security in the Cloud Era:
Are UTMs Up to the Challenge?

Executive Summary

The growth of cloud computing and the explosion of mobile devices are forcing dramatic changes in the way that networks are designed, conceived, and secured. Content security in particular faces novel challenges, as mobility and Web 2.0 applications make web traffic volumes highly unpredictable, with massive spikes and troughs from one moment to the next.

Traditional approaches to Unified Threat Management have typically attempted to meet this challenge by overprovisioning compute resources for content filtering, resulting in higher costs and lost efficiency, while still introducing unacceptably high latency and eroding network performance.

Emerging solutions take a different approach, by transferring content-filtering tasks to cloud-hosted services where massive resources can be dynamically re-provisioned as needed to handle any volume of web traffic without bogging down the network.

In the cloud era – with cloud-based applications and resources thoroughly embedded in how organizations do business – this cloud-based approach to content filtering also brings other benefits for network users and administrators.

Content Security in the Cloud Era

The cloud era means different things to different people and organizations. For many, it is primarily about the opportunity to cloud-source technical business functions that in the past were performed in-house. The SaaS model delivers benefits including lower, more predictable costs and improved value from existing network infrastructure.

Others, with distributed networks and multiple datacenters, see even greater returns in the form of reduced overall infrastructure needs and improved productivity. For these, the cloud era is about the virtualization of datacenters and the migration of key resources and applications to the cloud.

For large enterprise organizations, the emergence of the cloud represents an opportunity to develop and deploy a new generation of applications that use the cloud’s massive computing resources to monetize big data and engage millions of users simultaneously.

Whatever the cloud era means to any particular organization, one thing is certain: It means a dramatic increase in the sheer volume of data passing into and out of networks at any given moment – a growing amount of it critical to business operations. This is partly the result of increasing dependence on cloud-based resources and applications for day-to-day business operations. But it is also a consequence of the enormous growth in the use of mobile devices in the workplace, and of the Web 2.0 applications that their users access continuously.

High Signal, High Noise

SAP, SalesForce, ERP solutions, and many other applications that businesses use every day to organize and direct their operations all use cloud-based resources and depend on a constant back-and-forth flow of information into and out of the network. In addition, many organizations use a variety of Web 2.0 and social-media applications as both productivity tools and marketing platforms, adding to the total traffic.

To maintain network security, content-filtering solutions must examine all the business-critical traffic that these activities create. This can lead to a kind of arms race, where in order to maintain acceptable network performance, organizations must purchase ever larger appliances and provision ever greater resources to content filtering.

In addition to this legitimate, business-critical traffic, the volume of non-productive traffic is also growing exponentially. Today’s smartphones and tablets – ubiquitous in the workplace – are very heavily dependent on traffic to and from the cloud for their every function. And users seldom recognize how much bandwidth they may be consuming, or how much traffic they are forcing through the content filter.

On Sept. 19, 2012, the day that Apple released iOS 6 in the U.S., corporate networks across the country experienced severe slowdowns as thousands of iPhones and iPads downloaded the 660 MB operating system update. Not only did the update consume a huge portion of available bandwidth, it also forced content-filtering solutions to scan each and every download for malware, bogging down network traffic and interfering with business productivity.

UTMs: Not Up to the Challenge

Traditional Unified Threat Management solutions (UTMs) are designed to bring a variety of security functions – including web content filtering – into a single appliance. To do their job without compromising network performance, they must support massive throughput. More important, they must dedicate massive computing power to scanning content and enforcing policies.

Unfortunately, this makes such solutions increasingly costly – and much of that cost is effectively wasted, since a large portion of the device’s processing power is used only at times of peak traffic. Furthermore, it means that as new threat profiles emerge, organizations are often required to upgrade their UTM hardware – at significant cost – to maintain effective security. Even more problematic, when the UTM is bogging down network traffic due to a heavy content-filtering queue, it can interfere with connectivity to business-critical resources and applications hosted in the cloud – which can result in a significant loss of productivity or interruption of business.

Cloud-Integrated Protection

An emerging category of comprehensive security solution takes a different approach to provisioning resources for content filtering – one that addresses all of the challenges detailed above. Rather than regarding the ubiquity of the cloud merely as a challenge to security efforts, this approach regards it as an opportunity.

In this approach, a robust, next-generation firewall appliance is tightly integrated with a cloud-hosted web content filtering service. The next-generation firewall at the core of the solution is designed at the kernel layer to support multiple, integrated security functions. This makes it far more efficient than bolted-together UTMs in which a basic firewall core is augmented with add-on components that increase latency at each step of the process.

Because the compute-intensive tasks of content filtering, malware blocking, and reporting are offloaded to the cloud, even very high traffic levels do not create additional latency within the network itself. With effectively unlimited resources in the cloud, and the ability to dynamically reprovision resources as needed in real time, this approach also eliminates the cost and inefficiency of overprovisioning compute resources locally, as traditional UTMs require.

Another significant benefit of using cloud-based resources for content filtering is that as new threat categories are identified, there is no need to upgrade or replace on-premises equipment—firmware upgrades are applied automatically and transparently, ensuring the network is fully protected with no interruptions.

Because there is no on-network congestion due to content filtering, connectivity to business-critical applications hosted in the cloud is not affected. And with a next-generation firewall core that includes capabilities to aggregate multiple uplinks and prioritize traffic based on business policies, it can dramatically increase the reliability of those connections, improving business continuity and reducing downtime.

Conclusion

In the cloud era, network boundaries are dissolving, along with the distinction between on- and off-network traffic. Network security solutions need to evolve, to find new ways of managing vast traffic volumes without creating bottlenecks.

Solutions that offload content filtering tasks to the cloud represent the most effective new approach to have emerged in response to the changing security landscape. By combining the integrated capabilities of a true next-generation firewall with the elastic, and practically unlimited, computing resources of the cloud, these solutions allow comprehensive, always-up-to-date content filtering of very large traffic volumes without introducing latency to the system. In addition, they promise to keep user costs low and predictable, and to improve overall business continuity and productivity.

About Barracuda Networks, Inc.

Barracuda provides cloud-connected security and storage solutions that simplify IT. These powerful, easy-to-use, and affordable solutions are trusted by more than 150,000 organizations worldwide and are delivered in appliance, virtual appliance, cloud, and hybrid deployments. Barracuda’s customer-centric business model focuses on delivering high-value, subscription-based IT solutions that provide end-to-end network and data security. For additional information, please visit barracuda.com.

Barracuda Networks and the Barracuda Networks logo are registered trademarks of Barracuda Networks, Inc. in the United States. All other names are the property of their respective owners.