Over 60% of Meraki customers today are using remote access VPN solutions like Cisco AnyConnect to provide secure connectivity to a distributed workforce. Moreover, 50% of Meraki customers are already adopting Amazon Web Services (AWS), Azure, or Google Cloud Platform (GCP) solutions. We are also seeing rapid growth in customers managing more than 100 branch locations across their organization. This escalating complexity, driven by the distributed nature of the perimeter, presents new challenges for security administrators. 

User experience and compliance requirements weigh heavily on security teams, too. Employees expect low-latency, high-performing, secure connectivity to an increasingly distributed set of applications that live in data centers, across public cloud services, and as applications on the internet. Additionally, compliance standards such as the Payment Card Industry Data Security Standard (PCI DSS), HIPAA, or GDPR require robust visibility, reporting, and accountability across all of these environments. 

It is increasingly clear that a cloud-enabled approach to security is the best way to address these challenges, both for ease of management and to ensure a resilient security posture that can dynamically adapt to the ever-increasing number of threats on the internet.

On-premises vs. cloud security

Cloud-enabled doesn’t mean cloud-only. The increasing convergence of networking, security, and cloud, along with the rise of new architectures like Security Service Edge (SSE) and Secure Access Service Edge (SASE), leaves today’s security practitioners wondering whether they should run security on premises or in the cloud. In practice, it will be a combination of both. 

Let’s start with some definitions:

  • When we talk about cloud security, we are referring to security enforced in the cloud through platforms like Cisco Umbrella 
  • On-premises security refers to security enforcement that happens on the local network through devices like the Cisco Meraki MX security and SD-WAN appliances  
  • Finally, when we talk about cloud-enabled solutions, we refer to security enforced across cloud and on premises but managed from the cloud; this approach increases simplicity, scalability, and automation through dynamically updated security signatures and enforcement engines 

Outside of security, both local on-premises and cloud processing have become quite popular for their own use cases, and neither is the answer to every problem all the time. Security is much the same. There are advantages to being able to run some of your security on premises while offloading other security needs to the cloud. But what security should be run where?

User location, location, location

The short answer: it depends on where your users are located. The goal in security is to block undesired traffic as close to the source as possible. After all, why send all of your traffic to the cloud just to get dropped if you can do it just as effectively at the edge? 

Most organizations have some core security requirements like firewall, web filtering, intrusion prevention, and malware protection. If your users are located in the branch then it’s optimal to run these protections in the branch as well, since they not only protect traffic going to the internet but also east-west traffic between networks, sites, and private applications.

More processing-intensive inspections, such as TLS/SSL decryption or data loss prevention, are best offloaded to the cloud, where there is more compute capacity to do the heavy lifting without reducing the throughput of the branch appliance or degrading the user experience. Decrypting in the cloud still requires that traffic be steered to the cloud service and that endpoints trust the certificate authority it uses to re-sign inspected sessions.

Branch use case                          Ideal security
East-west firewall (e.g. guest to IoT)   On-premises
Identity-based access control            On-premises
Secure internet access                   On-premises
Intrusion prevention                     On-premises
Malware protection                       On-premises
SSL decryption                           Cloud
Data loss prevention                     Cloud

When your users are remote, where you run security depends on the needs of the remote worker and the size of your remote worker population. If remote users are generally located near their branch sites and primarily need access to on-premises applications or resources, they can be connected to the secure SD-WAN fabric via a dedicated gateway, software VPN, or a zero-trust solution.

On the other hand, if you have highly distributed remote users that only require secure internet connectivity for internet-based apps and workloads, connecting those users to cloud-hosted security services is the ideal solution. Again, this could be achieved using a dedicated gateway, software VPN, or a zero-trust solution.

A platform strategy for better protection

In today’s highly distributed environment, with workers dynamically moving between home, office, and mobile, IT teams need a more agile model for security. Very rarely will one solution or another meet all requirements. A single unified platform strategy provides better protection for organizations than a complex web of loosely connected point security solutions.

We believe the 2022 Gartner® Magic Quadrant™ for SD-WAN focused even more on security, breaking out on-premises and cloud security and taking into account whether it is natively integrated or reliant on third-party integration. Check out the report to see why Cisco was recognized as a Leader for the third year in a row.

Gartner does not endorse any vendor, product, or service depicted in its research publications and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

GARTNER and Magic Quadrant are registered trademarks and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and are used herein with permission. All rights reserved.