Security Performance in the Cloud: Not All Solutions Are Created Equal
An assumption made by many security professionals is that any performance differences between physical security devices are eliminated when those security software images are run on identical cloud hardware. But the truth is, there are still significant performance differences between solutions, and those differences can be critical both from a processing perspective as well as cost.
Because cloud performance is a baseline requirement for competing in the digital marketplace, organizations cannot afford for security to be a bottleneck. Transactions need to be inspected at digital speeds. Of course, elastic scalability helps eliminate such bottlenecks, which is why the cloud is such an ideal platform. But scalability comes at a cost. Spinning up additional firewalls unnecessarily, for example, can have a real impact on your cost of doing business.
Part of the challenge is that performance scaling is more complex than it might seem. For simplicity’s sake, let’s divide scalability into two functions: scaling out and scaling up.
Scaling Cloud Resources
When we talk about cloud scalability we are usually referring to the idea of scaling out. This function allows you to meet performance demands by increasing the number of separate virtual instances of a solution. For example, it allows you to automatically spin up and deploy more firewall instances as traffic loads spike, and then discard them when traffic returns to normal.
Scaling out is not just about performance, however, but the price of performance as well. For example, a higher performance solution means you don’t have to purchase additional firewall instances out of the cloud marketplace as often as you would with a slower solution. This can be critical for managing expenses while still meeting capacity requirements. And performance, even on software running on identical hardware, can be affected by two things: design and software optimization.
Architectural Design Impacts Performance
The other kind of scalability that we often overlook is scaling up. This refers to the size of the virtual hardware that a software solution runs on, measured in the number of cores a VM uses. Simple VMs utilize a single core, and they scale up from there by doubling the number of cores a VM uses (1, 2, 4, 8, etc.) Determining how large a VM you need in order to effectively run your security solution is one of the more important considerations an organization makes when designing their cloud environment. However, scaling up can be significantly affected by how efficiently a solution is able to use available processing power, often referred to as performance per core. If you require a large, multi-core CPU VM, for example, it is vital to understand how much throughput a software solution is actually able to provide for each core you are paying for.
Scaling up is a perfect example of how things that may look the same on the surface—i.e. all vendors may run their solutions on the same VM—can really be quite different in their practical application. The truth is, not all software is architected the same.
Running software on a VM requires an architecture built around a management plane and a data plane. The way different vendors architecture how they distribute those requirements can vary widely. For example, the architecture of many vendors requires that they dedicate an entire core for management—usually, one in four. So, if you buy a two-core system to run their service on, only half of those resources are available for processing traffic and data. And as you scale up, never less than 25 percent of core resources are available for processing data. Vendor software that uses this one-in-four architectural model can have a significant impact on performance. Likewise, many vendors have engineered their software to pin a single session (IKE SA) to a single core rather than being able to distribute IPSec traffic across multiple cores. This architectural design approach also results in diminishing returns for every additional core beyond one.
Basically, all computing prefers a parallel architecture built around factors of two (2, 4, 8, 16, 32…) This enables maximum efficiency and impacts potential performance. Effectively using parallelization is an important reason why one vendor is able to achieve greater performance than another in the same cloud environment. However, because of software architectural choices, often made by vendors without experience in the development of custom hardware, many vendors assign a dedicated core to control plane management.
This design strategy breaks the parallelization model and reduces efficiency and performance. Not only do you have fewer cores available for inspection and processing, but only having three or six cores available for data inspection, rather than factors of two, seriously impacts the software’s ability to efficiently distribute and process that data, which erodes performance even further.
Not all cloud software is created equal
Some argue that specialized hardware vendors lose their performance advantage in a cloud environment. But full stack optimization can provide a significant boost in performance, even when all other factors are identical. Engineers have to dramatically optimize their software in order for it to achieve necessary performance in a chip. Unfortunately, that sort of optimization across the stack is something that many software vendors never do. Instead, they tend to address the problem by throwing more off-the-shelf CPUs at the problem. Full stack-optimized software can significantly differentiate one vendor from another in the cloud because it directly affects efficiency and performance.
Choosing scalable and high-performance security solutions enables organizations to meet the growing performance demands of today’s digital marketplace. And performance is a critical consideration even when selecting a cloud-based security solution. Higher performing solutions not only enable you to effectively meet growing consumer demands at digital speeds, but they are also more cost-effective. However, not all cloud security solutions are the same. Careful analysis of a vendor’s underlying design and optimization approaches will enable you to select the solution that best meets your organization’s performance and budgetary requirements.