Posted on Nov 13th, 2020 by Sattwik Gavli

The market has moved beyond discussing the benefits of Kubernetes or its potential growth. There is solid proof to substantiate the adoption of Kubernetes, because companies across all verticals are convinced of its benefits. Now that we are in the deployment and production phases of the Kubernetes world, people have started to realize that gaps exist in the cloud security solutions on the market, and that these gaps cause major unexpected economic impacts.

“Customers looking for cost savings in the cloud are quickly discovering their cost estimates are off by about 30% when they move away from using cloud native security tools.”
- Dan Mellen, Managing Director, Accenture

Most cloud security solutions are not capitalizing on the great advancements that have taken place in cloud-native deployments. The overhead of running these solutions therefore adds huge costs to the overall compute and operational costs of the Kubernetes environment - Cluster Economics!

A true cloud-native security approach should take full advantage of the cloud platform and its available controls. However, almost all security solutions add huge overhead by simply cloud-washing their traditional on-prem security stack - adding new control planes and inserting agents in the path. There are fundamental issues with that approach. Security vendors that use proprietary standards for deployment and their own enforcement agents in the cloud essentially lock customers into an architecture that inhibits them from embracing newer technologies.

One of the major reasons enterprises have adopted Kubernetes (K8s) is to accelerate their ability to react to dynamic business opportunities and push digital transformation forward. Another key reason for K8s adoption is the ability to achieve network segmentation policies, with automation, for maintaining compliance and supporting zero-trust architectures in hybrid and distributed networks. However, if achieving that comes at the cost of adding a new management plane, getting locked in to a single security vendor, and opening the floodgates to deploying a significant, unplanned number of pods just to run your cloud security solution - then this cloud security strategy flies in the face of economic reality and common sense.

Let’s consider a typical enterprise cluster deployment:

  • Each node runs 100 pods (industry best practice)
  • The cluster has 50 nodes

Requiring a massive number of agents and sidecars to do the heavy lifting, instead of using the native controls, hogs compute. This fundamental flaw affects the wallet in multiple ways. The following analysis shows how your environment gets taxed significantly, causing major economic impacts.

Based on the numbers in the deployment above, each node will need to reserve 20 of its pods for vendor A’s agents.

If the scoping for the business application cluster required a single m4.xlarge, the overhead above will cause the requirement to jump to an m4.2xlarge configuration. This is a 20% tax for using a security solution with agents – clearly a flawed architecture.

And if you have a cloud-native strategy and plan to invest in adding more nodes in the future, you will quickly realize that the number of pods you have within the next few years could be in the hundreds or even thousands. A 20% tax on such an environment can be millions of dollars.

Considering the above example, if the overhead cost for 100 nodes today is $400,000, the following graph shows how this will quickly balloon into a huge cost for the organization (assuming 25% growth in cloud infrastructure, which is a conservative estimate for most companies).
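To put a number on the “agent tax” described above for your own cluster rather than the illustrative one, the following added example (not code from the original post or from Tufin) parses the JSON that `kubectl get pods -A -o json` produces and reports how much of each node’s pod budget is consumed by security agents. It assumes the vendor’s agents run in a dedicated namespace (the hypothetical `vendor-a-security`); the pod list below is a constructed sample.

```python
import json
from collections import defaultdict

PODS_PER_NODE = 100  # per-node pod budget the post cites as industry best practice
# Hypothetical namespace where vendor A's agents/sidecars run; adjust to your cluster.
AGENT_NAMESPACES = {"vendor-a-security"}

# Constructed sample in the shape of `kubectl get pods -A -o json` (fields trimmed).
SAMPLE_PODS_JSON = json.dumps({"items": [
    {"metadata": {"name": "web-1", "namespace": "shop"}, "spec": {"nodeName": "node-1"}},
    {"metadata": {"name": "web-2", "namespace": "shop"}, "spec": {"nodeName": "node-1"}},
    {"metadata": {"name": "agent-x1", "namespace": "vendor-a-security"}, "spec": {"nodeName": "node-1"}},
    {"metadata": {"name": "api-1", "namespace": "shop"}, "spec": {"nodeName": "node-2"}},
    {"metadata": {"name": "agent-x2", "namespace": "vendor-a-security"}, "spec": {"nodeName": "node-2"}},
    {"metadata": {"name": "batch-9", "namespace": "jobs"}, "spec": {}},  # Pending: not on a node yet
]})


def agent_pods_per_node(pods_json, agent_namespaces=AGENT_NAMESPACES):
    """Return {node: (agent_pods, total_pods)} from kubectl's JSON pod list."""
    counts = defaultdict(lambda: [0, 0])
    for pod in json.loads(pods_json)["items"]:
        node = pod.get("spec", {}).get("nodeName")
        if not node:  # unscheduled pods consume no node slot, so skip them
            continue
        counts[node][1] += 1
        if pod["metadata"]["namespace"] in agent_namespaces:
            counts[node][0] += 1
    return {node: tuple(c) for node, c in counts.items()}


def agent_overhead_fraction(counts, pods_per_node=PODS_PER_NODE):
    """Share of the cluster's per-node pod budget taken by agents (0.2 is the post's 20% tax)."""
    if not counts:
        return 0.0
    agent_total = sum(agent for agent, _ in counts.values())
    return agent_total / (len(counts) * pods_per_node)


if __name__ == "__main__":
    per_node = agent_pods_per_node(SAMPLE_PODS_JSON)
    for node, (agents, total) in sorted(per_node.items()):
        print(f"{node}: {agents} agent pods of {total} scheduled, {PODS_PER_NODE - total} slots free")
    print(f"agent tax on the pod budget: {agent_overhead_fraction(per_node):.1%}")
```

Pipe real output in with `kubectl get pods -A -o json | python3 agent_tax.py` after replacing `SAMPLE_PODS_JSON` with `sys.stdin.read()`.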

To avoid getting locked-in with a flawed cloud security strategy, we recommend choosing a solution which:

  • Doesn’t introduce a new control plane using proprietary firewalls
  • Doesn’t use agents or proxies to gain visibility into the environment
  • Uses native controls available on the cloud platform
  • Is platform and vendor agnostic
  • Supports hybrid cloud environments

The benefits of choosing the right solution are:

  • Lower total cost of ownership (very significant as it scales)
  • No vendor lock-in
  • Faster adoption by cloud and DevOps teams, who always favor a cloud-native approach

Tufin SecureCloud is built on the above-mentioned principles:

  • True Cloud-Native
    • The architecture doesn’t introduce any control planes or agents - ensuring a lower total cost of ownership
    • Leverages native controls of the cloud platform by adhering to cloud-native best practices
  • No Vendor Lock-in
    • Future-proofs investments made today by having the flexibility to use and leverage capabilities coming to market from cloud platform vendors and other firewall vendor offerings
  • Accelerates digital transformation and cloud adoption without compromise
    • Enhances DevOps processes without compromising the security team’s requirements
    • Complements cloud platform and K8s offerings, and enables customers to always stay current with the latest cloud and K8s features

To get a free cloud security assessment in minutes for your cloud network, try the SecureCloud Assessment.
