Level 3's Richter: Security Is Better & Cheaper in the Cloud

When it comes to cloud-based security, Level 3 Communications has turned a triple play. Last year, network provider Level 3 introduced a DDoS Mitigation service. That service was joined this year by Adaptive Threat Intelligence and Adaptive Network Security offerings for cloud-based commercialized security services that are available to its subscribers and non-subscribers alike.

The key, according to the company, is to offer an answer to an increasingly vexing question: How can organizations keep up with the bad guys as security technology grows more sophisticated and expensive?

Level 3's idea -- which is part and parcel of the cloud concept -- is to offer flexible, sophisticated security and let customers focus on their core businesses. Telco Transformation recently chatted with Chris Richter, senior vice president of Global Security Services for Level 3 Communications Inc. (NYSE: LVLT), about the initiative.

Telco Transformation: Why did Level 3 start offering Adaptive Network Security in the cloud?

Chris Richter: The impetus of that service was complaints we were hearing from around the world about the rising costs of security, specifically the rising cost of next-generation firewalls. They are getting very sophisticated and companies are spending [a lot of] money on them because they have to defend themselves. And the hardware vendors are really capitalizing on this need. Part of the budget crunch is not just in buying the hardware but also the maintenance. It can run from 50% to 70% of the purchase price per year. Plus you have subscription fees that are in addition to the maintenance fees and then you've got the personnel and staff. Those individuals tend to be expensive and there are more positions open and there are people to fill them. That compounds the problem.

TT: What is the offering, from the high-level view?

CR: So what we've done is we've taken that next-generation firewall platform and put it up on our backbone. We also offer it in a gateway model. We have gateways all around the globe and we're building more. Those gateways replace the expensive on-site dedicated next-generation firewall and malware sandbox. We push [traffic] up in a shared virtualized model to our backbone. So each customer gets a dedicated instance of a next-generation firewall, but it's virtualized. It’s on our backbone so the costs are dramatically less. They don’t have to provide staff.

TT: Are you using a network functions virtualization (NFV) approach?

CR: We launched the service in May. There were 20 gateways at first and we will have 40 by the end of the year. Those initial gateways are, in fact, not NFV. NFV by our definition is truly and thoroughly virtualized. Even though the firewall instances are virtualized they operate on dedicated hardware from a vendor. But down the road we will layer in additional services and additional capabilities that will be fully virtualized.

TT: What is the transition like for customers from doing it themselves to doing it in the cloud?

CR: Our security professional services group developed what we call transformation workshops that help customers carefully plan the migration. And we can do it in pieces. They don't have to remove everything and move up to the cloud all at once.

TT: What happens in the workshops?

CR: The first thing we do is understand the data flow and the customer's organization -- what are their current firewalls doing today? The very first step is to determine how we replicate those rule sets and features in our cloud. Will there be any performance impacts? What sort of subnets and VLANs are set up on their premise-based firewalls that we can replicate in our cloud? In some cases it may not be possible to replicate them all in the same way. Some customers may choose to leave some of their firewall infrastructure behind on-prem because it's performing very specific subnet functions. So we do a complete inventory assessment and data flow analysis and a risk assessment. And then we figure out which sites and which gateways to use. We determine how long it's going take to translate the rules sets that's on their prem to the virtual firewalls on our backbone. And then we schedule a live test cutover. It's very methodical and very well thought out.

TT: It's not an overnight thing, is it?

CR: But it can be a very easy service to provision for customers who have small pipes because we don't install any hardware. It's just basically pointing their traffic through a secure network to our gateway. In other cases we have customers with thousands of firewalls. Those are a bigger deal.

TT: How much can savings be?

CR: We've had some customers say they spend upwards of $1,000,000 a year per site. Those are pretty heavily dense security environments. We believe in some of those sites we can reduce their cost anywhere from 30% to 50% and in some cases up to 70% a year. It all depends on how much infrastructure they have on site, how much personnel is on site. The cost savings are very dramatic. When you think about it, it just makes sense.

TT: How does this relate to software-defined networks?

CR: We've got a number of the customers that we're working for already that have an SDN solution in place. But they still have a firewall at their prem or the SDN device might have a little firewall in it, but it's not at the next-generation level. So they're asking us to come in since we're network agnostic and will work with any carrier's network and simply push the Internet traffic up to our gateway. And that becomes the perimeter firewall, the ingress and egress point for all things to and from the Internet. When we introduce true NFV in our gateway we will also introduce service chaining so you can buy a little bit of the security capabilities in our gateway and over time add additional virtualized security functions via our portal. True service chaining is enabled by NFV.

TT: What is Level 3's sweet spot for this service?

CR: We don't really know what the sweet spot is. We have small retail outlets buying very low bandwidth and services-based priced by a combination of bandwidth and the number of features turned on. So we could have little retail sites but there may be thousands of them. And then we have very large mega global enterprises that are using it and need to push three to five gig of data traffic per location through. In the smaller sites they may have a need to push 30 Megs.

It's all over the map, which is exciting for us. These small organizations can get world-class, next-generation firewalling in our cloud and pay a relatively small amount of money because they are pushing just a little bit of traffic. You also have large enterprises that are now paying a million dollars per year per site pushing to our cloud seeing their costs greatly reduced. So we still are figuring out what that the sweet spot is.

— Carl Weinschenk, Contributing Editor, Telco Transformation