Surveys say 99% of organizations use one or more software-as-a-service (SaaS) applications. The COVID-19 pandemic's social distancing and lockdown mandates pushed more and more companies into adopting cloud services for their business operations. That rapid migration changed both what network infrastructure looks like and how it has to be secured.
In this article, you’ll find out what network infrastructure is, what it includes, and how it has evolved with the widespread use of cloud services and SaaS applications.
What Is Network Infrastructure?
Network infrastructure refers to all the hardware, software, and services that connect an organization's systems to the internet and to each other, supporting business operations and communication between users and between applications.
What Does Network Infrastructure Include?
An organization's network infrastructure typically includes the following hardware and software components:
- Network switches
- Wireless routers
- Network cards
- Ethernet cables
- Operating systems
- Network management systems
- Router and switch firmware
- Intrusion detection and prevention systems (IDS/IPS)
- Cloud security systems
- Physical and virtual networks
- Routing and switching services
- Wireless networks and wireless access points
- Voice over IP (VOIP)
Network Infrastructure vs. IT Infrastructure
Information technology (IT) infrastructure is a superset of network infrastructure. In addition to all the networking infrastructure listed above, IT infrastructure includes:
- All computers, servers, and other related hardware
- All software and applications deployed in the organization
- All the data stored anywhere in the organization
- All IT services to manage the infrastructure
How Network Infrastructure Security Has Changed in the Cloud and SaaS Age
Before cloud and SaaS became widespread, just about everything in a corporate network was on-premises — data centers, web servers, workstations, routers, other network devices, databases, laptops, and the like.
The whole estate behaved like one large local area network. Connectivity between geographically separated sites went through a well-defined set of wide-area network (WAN) gateways. Desktop applications ran on workstations and talked to each other over the local area network.
Security teams had full control over every level of the network stack, from the cables to the applications. All software and hardware purchases were centrally managed, enabling security teams to control the security posture at all times.
But the advent of cloud computing and SaaS changed many aspects:
- Cloud and SaaS services are reached over the public internet rather than the corporate LAN.
- Many desktop applications were replaced by web applications running in browsers.
- Employees began connecting to corporate resources from mobile devices, often over networks the organization does not control.
- Purchasing of cloud services and SaaS applications became decentralized, so a business unit can sign up for a service without the security team knowing.
- The shared responsibility model splits security between provider and customer: the provider secures the underlying platform, while configuration, identities, access policies, and data remain the customer's job.
Security teams no longer have full control over every level of the network. The typical attack surface now is far bigger and more dynamic.
In the coming sections, we explore some of these changes in network infrastructure and their impacts on cybersecurity.
Cloud Security Technologies
The most significant infrastructure security change is the use of systems specializing in cloud security, like:
- Cloud access security broker (CASB): A CASB mediates access from your users and applications to cloud and SaaS services, either inline as a forward or reverse proxy or out of band through the SaaS providers' APIs. That position lets it enforce one set of policies (allowed services, data-loss prevention, session controls) consistently across all cloud and SaaS services, and discover which sanctioned and unsanctioned services are actually in use.
- Cloud security posture management (CSPM): CSPM continuously checks the configuration of your cloud accounts against security and compliance baselines. Typical capabilities are multi-cloud asset discovery, continuous monitoring, misconfiguration detection (a storage bucket open to the public, a security group that admits the whole internet on a database port), compliance reporting, and automated remediation. Access control itself stays with the cloud provider's IAM service and, for SaaS, with the CASB.
- Secure access service edge (SASE): While CASB and CSPM attach to your existing network, SASE replaces much of it. It combines a networking fabric (software-defined WAN and a provider backbone with points of presence close to users and to the major clouds) with network security delivered as a service: firewall-as-a-service, CASB, secure web gateway, and zero-trust network access. Every user, branch, and cloud workload is then subject to the same policy regardless of where it connects from.
Virtual Networks for Security
We normally think of networks as interconnected physical objects like cables, switches, and routers. Software can carve that physical infrastructure into virtual networks that behave the same way.
Virtual networks are software-defined networks that are logically independent of one another while sharing the organization's existing physical infrastructure.
They improve security by isolating traffic: a system in one virtual network cannot reach a system in another unless a routing rule or firewall policy explicitly permits it. This limits the "blast radius" of an intrusion, since an attacker who compromises one segment still has to cross an enforcement point to reach the next. Such network segmentation is recommended by widely used guidance like the NIST Cybersecurity Framework, the Center for Internet Security's Critical Security Controls, and the Cloud Security Alliance's Cloud Controls Matrix.
Next, we’ll explore some examples of virtual networks.
Virtual Private Networks (VPN)
VPNs are probably the most well-known virtual networks. They let employees and other end-users securely connect to a corporate network from anywhere by using VPN client apps.
VPNs are not new, but the networking environment has changed. In the past, a corporate network was entirely private and hidden from the public internet; to reach any application there from outside the office, employees needed a VPN. Now, SaaS applications are reachable by anyone, including employees, over the public internet.
The SaaS application may be reachable from anywhere, but should the organization's data inside it be? Where the provider supports it, we recommend restricting the tenant to connections that arrive from the corporate VPN's egress addresses or the office networks, using the provider's IP allowlist or conditional-access feature, in addition to multi-factor authentication for the user. The network location then becomes one attribute in an attribute-based access control (ABAC) decision rather than a substitute for authentication. Two caveats: this only works if the VPN and offices have stable, dedicated egress addresses, and it does nothing against a compromised device that is already connected to the VPN.
Cloud Virtual Networks
All the popular cloud service providers support virtual networks:
- Amazon Web Services (AWS) provides virtual private clouds.
- Microsoft Azure calls them VNets.
- Google Cloud also calls them virtual private clouds.
They let you create logically isolated networks, decide which subnets have a route to the internet, and control traffic within and between them with security groups, network ACLs, or firewall rules.
The isolation is deny-by-default at the workload level: inbound traffic reaches an instance only through a port that a security group, network security group, or firewall rule explicitly opens, and traffic between virtual networks flows only where peering or routing has been configured. Do not mistake that for a secure configuration by default. Outbound traffic is usually unrestricted, a default network created by the provider may carry permissive rules (Google Cloud's default network, for example, admits SSH, RDP, and ICMP from any address), and a single rule allowing 0.0.0.0/0 undoes the isolation for that port. Security-group rules therefore deserve the same review as any perimeter firewall.
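The misconfiguration detection that a CSPM performs, and the "one rule allowing 0.0.0.0/0" review just described, can be reduced to a small audit over security-group rules. The following is an added example written for this article, not code from the page or from any cloud provider. It reads the shape of `aws ec2 describe-security-groups` output, but the groups, port lists, and address ranges below are constructed for illustration.

```python
"""Flag overly permissive inbound rules in cloud security groups.

Added example; not code from the article or from any cloud provider. The input
mimics the shape of `aws ec2 describe-security-groups` output, but every group,
port and address range below is constructed for illustration.
"""
import ipaddress

# Services that should never be reachable from the whole internet.
SENSITIVE_PORTS = {22: "SSH", 3389: "RDP", 3306: "MySQL", 5432: "PostgreSQL",
                   6379: "Redis", 27017: "MongoDB"}
# Ports that are normally meant to face the internet (public web front ends).
WEB_PORTS = {80, 443}
RFC1918 = [ipaddress.ip_network(c) for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample: a web tier and a database tier (assumed group names).
SAMPLE_GROUPS = [
    {"GroupId": "sg-web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},                  # expected for a web tier
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "10.20.0.0/16"}]},               # SSH only from the VPN range
        {"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},                  # debug port left open
    ]},
    {"GroupId": "sg-db", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},                  # database open to the world
        {"IpProtocol": "-1",                                      # -1 means all protocols/ports
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}]},             # everything from a public /24
    ]},
]


def _port_range(rule):
    """Return the (low, high) port span a rule covers; protocol -1 covers everything."""
    if rule.get("IpProtocol") == "-1":
        return 0, 65535
    return rule.get("FromPort", 0), rule.get("ToPort", 65535)


def _is_rfc1918(net):
    return net.version == 4 and any(net.subnet_of(p) for p in RFC1918)


def _sources(rule):
    """Yield every source network of a rule, IPv4 and IPv6 alike."""
    for entry in rule.get("IpRanges", []):
        yield ipaddress.ip_network(entry["CidrIp"], strict=False)
    for entry in rule.get("Ipv6Ranges", []):
        yield ipaddress.ip_network(entry["CidrIpv6"], strict=False)


def audit_security_groups(groups):
    """Return a list of findings, each with group, source, ports, severity and reason."""
    findings = []
    for group in groups:
        for rule in group.get("IpPermissions", []):
            lo, hi = _port_range(rule)
            exposed = [name for port, name in SENSITIVE_PORTS.items() if lo <= port <= hi]
            for net in _sources(rule):
                world_open = net.prefixlen == 0          # 0.0.0.0/0 or ::/0
                base = {"group": group["GroupId"], "source": str(net),
                        "ports": str(lo) if lo == hi else f"{lo}-{hi}"}
                if world_open and exposed:
                    findings.append({**base, "severity": "HIGH",
                                     "reason": "open to the internet: " + ", ".join(exposed)})
                elif rule.get("IpProtocol") == "-1" and not _is_rfc1918(net):
                    findings.append({**base, "severity": "HIGH",
                                     "reason": "all protocols and ports from a non-RFC1918 source"})
                elif world_open and not (lo == hi and lo in WEB_PORTS):
                    findings.append({**base, "severity": "MEDIUM",
                                     "reason": "non-web port open to the internet"})
    return findings


if __name__ == "__main__":
    for f in audit_security_groups(SAMPLE_GROUPS):
        print(f"{f['severity']:6} {f['group']:8} {f['source']:18} {f['ports']:12} {f['reason']}")
```

Run against a real account by feeding the `SecurityGroups` array from the CLI output into `audit_security_groups`. The RFC 1918 check is deliberate: Python's `is_private` also matches documentation ranges such as 203.0.113.0/24, which would hide exactly the kind of public source the audit is looking for.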
Virtual Local Area Networks (VLANs)
VLANs partition one physical switched network into several logical layer-2 networks. They are configured on switches, which tag each frame with a 12-bit VLAN identifier (IEEE 802.1Q) on trunk links and assign untagged traffic arriving on an access port to that port's VLAN. Frames are forwarded only between ports in the same VLAN, so two hosts in different VLANs cannot talk directly even though they share a switch; their traffic has to pass through a router or layer-3 switch, which is where access control lists or a firewall enforce policy between segments. The isolation is therefore only as good as the configuration of the switches and of that routing point.
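To make the tagging and the forwarding rule concrete, here is an added example (written for this article, not code from the page or from any switch vendor) that parses 802.1Q-tagged Ethernet frames and models a VLAN-aware switch's flooding decision. The four-port configuration and all frames are constructed for illustration; a real switch would also learn MAC addresses and support a native VLAN, which this model omits.

```python
"""Parse 802.1Q-tagged frames and model a VLAN-aware switch's forwarding decision.

Added example for this article; not code from the page or from any vendor. The
port table is an assumed four-port configuration and every frame is constructed.
"""
import struct

TPID_8021Q = 0x8100          # EtherType value that announces an 802.1Q tag
ETHERTYPE_IPV4 = 0x0800

# Assumed switch configuration: two workstation ports in VLAN 10, one guest/IoT
# port in VLAN 20, and a trunk uplink carrying both VLANs to the router.
PORTS = {
    "Gi0/1": {"mode": "access", "vlan": 10},
    "Gi0/2": {"mode": "access", "vlan": 10},
    "Gi0/3": {"mode": "access", "vlan": 20},
    "Gi0/24": {"mode": "trunk", "allowed": {10, 20}},
}


def mac(text):
    return bytes.fromhex(text.replace(":", ""))


def parse_frame(frame):
    """Split an Ethernet frame into header fields; 'vid' is None when untagged."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src = frame[:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    vid = pcp = None
    offset = 14
    if ethertype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("802.1Q tag truncated")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        pcp = tci >> 13             # 3-bit priority code point
        vid = tci & 0x0FFF          # 12-bit VLAN identifier
        offset = 18
    return {"dst": dst, "src": src, "vid": vid, "pcp": pcp,
            "ethertype": ethertype, "payload": frame[offset:]}


def build_frame(dst, src, ethertype, payload, vid=None, pcp=0):
    """Assemble a frame, inserting an 802.1Q tag when a VID is given."""
    header = dst + src
    if vid is not None:
        tci = (pcp << 13) | (vid & 0x0FFF)
        header += struct.pack("!HH", TPID_8021Q, tci)
    return header + struct.pack("!H", ethertype) + payload


def ingress_vlan(port, parsed):
    """Decide which VLAN a received frame belongs to, or None to drop it."""
    cfg = PORTS[port]
    if cfg["mode"] == "access":
        # The access port assigns the VLAN; a host cannot pick one by tagging its own frames.
        return cfg["vlan"] if parsed["vid"] is None else None
    # Trunk: only tagged frames for allowed VLANs (no native VLAN in this model).
    return parsed["vid"] if parsed["vid"] in cfg["allowed"] else None


def forward(ingress_port, frame):
    """Return {egress port: frame bytes} for a flooded frame, honouring VLAN membership."""
    parsed = parse_frame(frame)
    vlan = ingress_vlan(ingress_port, parsed)
    if vlan is None:
        return {}
    out = {}
    for name, cfg in PORTS.items():
        if name == ingress_port:
            continue
        if cfg["mode"] == "access" and cfg["vlan"] == vlan:        # leaves untagged
            out[name] = build_frame(parsed["dst"], parsed["src"], parsed["ethertype"], parsed["payload"])
        elif cfg["mode"] == "trunk" and vlan in cfg["allowed"]:    # leaves tagged with its VLAN
            out[name] = build_frame(parsed["dst"], parsed["src"], parsed["ethertype"], parsed["payload"], vid=vlan)
    return out


# Constructed frames: a broadcast from a VLAN 10 host, and the same host trying
# to tag itself into VLAN 20.
BROADCAST = mac("ff:ff:ff:ff:ff:ff")
HOST_A = mac("02:00:00:00:00:0a")
UNTAGGED_FROM_A = build_frame(BROADCAST, HOST_A, ETHERTYPE_IPV4, b"payload")
SELF_TAGGED_VLAN20 = build_frame(BROADCAST, HOST_A, ETHERTYPE_IPV4, b"payload", vid=20)

if __name__ == "__main__":
    for port, egress in forward("Gi0/1", UNTAGGED_FROM_A).items():
        print(port, "vid =", parse_frame(egress)["vid"])
    print("self-tagged frame on access port forwarded to:", list(forward("Gi0/1", SELF_TAGGED_VLAN20)))
```

The broadcast from Gi0/1 reaches the other VLAN 10 access port untagged and the trunk tagged with VID 10, but never Gi0/3 in VLAN 20; the only way traffic crosses from VLAN 10 to VLAN 20 is up the trunk to the router, which is where the inter-VLAN policy lives.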
Network Security for Mobile Devices
Most SaaS applications are available on mobile devices. While great for productivity and convenience, smartphones also introduce new security threats.
In the course of a day, an employee’s mobile device that can access their organization’s data may connect to multiple networks like:
- A residential wireless network
- The corporate wireless network
- Multiple public Wi-Fi networks while traveling
- One or more 4G or 5G mobile data networks
Each of these has different vulnerabilities and threats. Plus, the variety in device brands, operating systems, and software versions creates a dynamic attack surface that can’t be easily monitored or controlled.
Example Mobile Threats
Let’s see some examples of the threats involving mobile devices:
- A threat actor can take over an employee's phone number by convincing the carrier to port it or to issue a new SIM (a SIM-swap or port-out attack), or by abusing weaknesses in the telephone signalling network. Either way the attacker receives the victim's calls and SMS, which threatens any corporate resource tied to that number, such as company bank accounts or SMS-based two-factor authentication.
- Careless family members who install every app or game may inadvertently introduce data-stealing malware on the employee’s device or a network the device connects to.
Mobile Threat Mitigation
To reduce mobile threats, security teams should follow these best practices:
- Use mobile device management (MDM) and endpoint security tools that specialize in monitoring apps and configuration on smartphones and tablets, and make enrollment a condition of access.
- Implement ABAC for dynamic fine-grained control over cloud resources based on the connected network, device location, time, and other factors. For example, ABAC can allow an app to access SaaS data from the corporate network during work hours but not from any other network outside work hours.
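The ABAC policy just described, and the earlier recommendation to make SaaS data available only from the corporate VPN, are both decisions over the same handful of attributes: where the request comes from, whether the device is managed, whether MFA passed, what time it is, and how sensitive the data is. The following evaluator is an added example written for this article, not the page's code and not any vendor's policy engine. The address ranges, work hours, classification names, and sample timestamps are assumed values.

```python
"""Attribute-based access decisions for SaaS data: network zone, device state, time.

Added example for this article; not the page's code nor any vendor's policy
engine. Address ranges, work hours, classifications and timestamps are assumed.
"""
from dataclasses import dataclass
from datetime import datetime, time
import ipaddress

# Assumed corporate address space: the office LAN and the public egress range of
# the corporate VPN concentrator (a documentation prefix stands in for it here).
CORPORATE_LAN = [ipaddress.ip_network("10.0.0.0/8")]
VPN_EGRESS = [ipaddress.ip_network("198.51.100.0/24")]
WORK_HOURS = (time(8, 0), time(18, 0))   # local time, Monday to Friday


@dataclass
class Request:
    user: str
    action: str                 # "read" or "export"
    classification: str         # "public", "internal" or "confidential"
    source_ip: str
    device_managed: bool        # enrolled in MDM and compliant
    mfa_passed: bool
    when: datetime              # assumed to be the organization's local time


def network_zone(source_ip):
    """Classify the caller's address as corporate, vpn or external."""
    addr = ipaddress.ip_address(source_ip)
    if any(addr in n for n in CORPORATE_LAN):
        return "corporate"
    if any(addr in n for n in VPN_EGRESS):
        return "vpn"
    return "external"


def in_work_hours(when):
    return when.weekday() < 5 and WORK_HOURS[0] <= when.time() < WORK_HOURS[1]


def evaluate(req):
    """Return (allowed, reason). Deny by default; every allow names the rule that fired."""
    zone = network_zone(req.source_ip)
    trusted_network = zone in ("corporate", "vpn")

    if req.classification == "public":
        return True, "public data: no restriction"
    if not req.mfa_passed:
        return False, "MFA required for non-public data"
    if req.classification == "confidential":
        if not trusted_network:
            return False, f"confidential data only over VPN or corporate network (zone={zone})"
        if not req.device_managed:
            return False, "confidential data requires a managed device"
        if req.action == "export" and zone != "corporate":
            return False, "bulk export only from the corporate network"
        return True, f"confidential data from {zone} on a managed device"
    if req.classification == "internal":
        if trusted_network:
            return True, f"internal data from {zone}"
        if not req.device_managed:
            return False, "internal data from external networks requires a managed device"
        if not in_work_hours(req.when):
            return False, "internal data from external networks only during work hours"
        return True, "internal data from a managed device during work hours"
    return False, f"unknown classification {req.classification!r}"


# Constructed sample timestamps (2024-06-03 is a Monday, 2024-06-08 a Saturday).
MONDAY_10AM = datetime(2024, 6, 3, 10, 0)
MONDAY_10PM = datetime(2024, 6, 3, 22, 0)
SATURDAY_3AM = datetime(2024, 6, 8, 3, 0)


def decide(classification, source_ip, action="read", device_managed=True,
           mfa_passed=True, when=MONDAY_10AM, user="alice"):
    """Convenience wrapper around evaluate() for the demo and tests."""
    return evaluate(Request(user, action, classification, source_ip,
                            device_managed, mfa_passed, when))


if __name__ == "__main__":
    for args in [("confidential", "10.1.2.3"), ("confidential", "203.0.113.9"),
                 ("internal", "203.0.113.9"), ("internal", "203.0.113.9", "read", True, True, MONDAY_10PM),
                 ("internal", "198.51.100.7", "read", True, True, SATURDAY_3AM)]:
        allowed, reason = decide(*args)
        print("ALLOW" if allowed else "DENY ", args[0], args[1], "->", reason)
```

Two design points carry over to a real deployment: the decision is deny-by-default and every outcome names the rule that produced it, which is what makes the access log useful during an investigation; and the network zone is one input among several, so a VPN connection from an unmanaged device still cannot reach confidential data.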
Domain Name System (DNS) Security
DNS translates human-friendly domain names like "threatkey.com" into the IP addresses machines need to communicate over the internet. It also decides where email for a domain is delivered, through that domain's MX records.
Since most SaaS and cloud requests cross the public internet, DNS is far more critical now than in the on-premises era. Many SaaS integrations, such as Google Workspace services, the Okta access gateway, Salesforce apps, and OAuth redirect URLs, are tied to your domain through DNS records (verification TXT records, MX records, CNAMEs for custom hostnames), so whoever controls the DNS zone controls those integrations.