Eeny meany miney moe Part Two… Choosing the right Deep Security option

Written by Bryan Webster

In part one we discussed how to figure out what Deep Security option is best for you from a procurement (which way should I buy it?) perspective. In part two we’ll explore the question of which Deep Security option (as a Service, AWS Marketplace AMI or software) is best from a deployment perspective (which one do I want to run?).

Which one do I want to run?

Even after identifying a preferred avenue for purchase, I’m always careful to probe a little bit about a company’s security posture, infrastructure design, and future plans before we settle on a strategy. Partially because the buying stuff bores me and I feel quite out of place without a whiteboard diagram of something in a meeting, but mostly because there are a number of ‘gotchas’ to consider.

Deep Security as a Service 

Deep Security as a Service is certainly the fastest deployment option and the least burden on IT/security staff. No servers to provision yields incredibly short build time (minutes or less for your account creation) and no server infrastructure to manage means no looking for staff on which to drop another project. Slim teams, projects with very tight deadlines, and developers who don’t really care about that security stuff but were told to ‘eat their broccoli’ latch onto these characteristics and hold on for dear life.

With great ease of management, however, come some caveats. When you don’t own the server, the security data and traffic are not within your own VPC or data center. For some compliance teams, this may be a deal breaker, as additional scope is brought in at review time. Perhaps more feared than the auditor, some organizations find that their network design prevents communication with the outside world, including a service you don’t manage. The final checklist item for Deep Security as a Service design compatibility looks back from the cloud to the datacenter. A growing number of cloud teams seem to wind up as technology incubation for the wider IT or security groups. These roles need to be mindful of blockers to technology fit when moving back into the traditional organization; while Deep Security as a Service can easily be leveraged to protect on-premise environments with agent installs, it is not the best fit for companies who want Deep Security’s agentless protection in their on-premise VMware environments.

Deep Security on AWS Marketplace 

From a design perspective, the AWS Marketplace AMI is truly a middle ground and a great option for a wide range of organizations. Because the software is deployed in the customer environment, data custody is very possibly a non-issue. Client-server communication can now sit squarely with the architecture team to find the most suitable configuration, or just slap it in a shared VPC with Splunk, AD, and the Ansible Tower, then think nothing more of it. Owing to some spectacular tooling and services from our friends at AWS, the AMI carries with it a unique benefit in the form of a Quick Start Reference Deployment (with CloudFormation templates) to help organizations easily test or deploy Deep Security in a repeatable, standardized fashion, including HA design and a number of licensing options. Still placed far away from the VMware datacenter, the AWS Marketplace AMI is an ideal solution for many organizations which demand in-house control of their server platforms but have no need of extension back to a virtualized infrastructure. Born-in-the-cloud environments and cloud-first initiatives with communication or compliance restrictions are most likely to choose this platform as the best fit.

Deep Security software

With its most crucial difference being that traditional software does not have to run in the cloud, software is the most flexible option by a wide margin. With Windows and RHEL support available, your support organization is certain to have an option they’re comfortable supporting over the long haul. Manager nodes can be hosted on-premise with internet connectivity, VPN, or Direct Connect to agents in EC2. Since you’ve already installed it on-premise, quite possibly in a virtual machine, someone might decide to look into that VMware integration. Let’s not forget that running an Amazon Linux server may sound great to one admin, the next might really love his Windows machines, or perhaps the Director in the next row has standardized on Red Hat Enterprise Linux 7. No matter your design requirement, we can get it done with a Deep Security Manager software install. The easiest choice for hybrid IT organizations looking for the broadest coverage, traditional software architecture is often the winner for corporate structures with an even, measured approach to cloud migration and integrated cloud + premise teams, where significant operational efficiencies are found in running a single security platform across service boundaries.

Catch a tiger by the toe

Whether your servers are pets or cattle, your buying power a PO or a credit card, 10% or 100% of your servers hosted on hardware you’ll never see – I’ve probably built a Deep Security implementation for an organization that looks quite a bit like yours. If you’ve reached the end here and still haven’t decided – we’ve tried to summarize your choices here and provided quick links to sign up for a free trial.

If this post only brought you more questions or you’d like to try and stump us with your design challenge, shoot those over to our team and we’ll get something sorted for you.

Either way, I hope this will help keep some readers from playing eeny meeny miney moe when choosing a Deep Security deployment model.