What to consider when moving into the cloud generation… securely
FYI, this story is more than a year old
IT professionals are starting to realise just how different securing a cloud computing environment is from traditional on-premises IT environments. We’re still in an era where the term firewall is typically thought of as a tool for securing data centre architectures because that’s what a next-generation firewall is designed to do.
As we continue to inch closer to the cloud era, many organisations are still using traditional firewalls to secure cloud workloads and applications. But it’s not the best way to approach security in the cloud.
We recently sponsored a survey with Vanson Bourne, which revealed that 44.6 percent of the 100 Australian respondents already have their infrastructure in the public cloud. While 59 percent felt totally confident that their organisation’s move to the public cloud was secure, almost all report that additional security solutions are needed. Meanwhile, 64 percent state that security concerns restrict their organisation’s migration to the public cloud.
It’s worthwhile taking a step back and looking at your cloud security requirements moving forward before continuing to implement the same security tools in an entirely different environment. Find out if the firewall, for example, integrates with the cloud fabric, provides a full-featured API, or if the pricing aligns with current cloud consumption models. Ultimately, it’s about having the right tool for the job.
Consider a different set of tools
Next-generation firewalls are purpose-built for data centre architectures (on-premise) where everything is tightly coupled and traffic flows through firewalls that scale vertically. However, public cloud best practices dictate building loosely coupled architectures that scale out horizontally (elastic).
It’s critical to understand the cloud environment that your applications will be deployed in, and the native services that the infrastructure-as-a-service (IaaS) provider offers to achieve security control coverage. Then, you can instrument in your required controls that leverage the provider’s deployment best practices.
This doesn’t necessarily mean bringing in legacy data centre architectures and tools, which tend to be ‘anti-patterns’ in the cloud. Perimeter-based firewall architectures are highly effective in a data centre, for example, but can become sources of friction when deployed in the public cloud.
Instead, you should think through the actual security controls you need to cover and use tools that leverage the agility and elasticity of cloud infrastructure — both technically and commercially.
A cloud generation firewall needs to be tightly integrated into the IaaS management fabric. It must support a license-less commercial model that enables automated deployments that don’t incur licensing costs unless they actually see production traffic.
Confusion about security responsibilities
As we move further into the cloud generation, there’s still confusion about security responsibilities. We’re heading in the right direction, but we still see a lot of organisations that are just getting started in the cloud, so it remains an important part of the discussion.
All the major cloud providers clearly state the security controls that customers inherit with their platforms; however, when customers move applications to the cloud — the responsibility of securing those applications falls on the customer.
In fact, the Vanson Bourne survey revealed some interesting data related to the shared security model. The majority of the survey respondents believe that public cloud providers are responsible for securing customer data and applications in the cloud, which proves that there’s still a lack of clarity around the subject. It would be beneficial for any organisation running workloads in the cloud to have a conversation about security.
Look for third parties that support a wide range of ecosystems with the same or similar solutions. Organisations often end up with multiple cloud providers, as well as having an on-premises (legacy) infrastructure. This can have implications on complexity and overall costs; it's further compounded when third-party solutions such as security are added to the mix.
Consider third parties that offer equivalent licensing options to how you’re licensing your public cloud infrastructure. As organisations weigh licensing options – by usage, per hour, unlimited, etc – we see customers beginning to understand how they can leverage different ones to gain greater cost controls. This becomes more important when third-party vendors are added to the mix.
Finally, look for vendors who can provide a common management scheme – either in their products or using public cloud security infrastructures – to simplify managing and monitoring ongoing security.
Companies deploying the most common security routine – routing branch locations' traffic through a central security solution – generally find these solutions lack scale and cost benefits as their cloud leverage increases. Those that look at distributed security solutions closer to the point of access, such as next-generation firewalls and web application firewalls, reduce those issues but find new ones in managing multiple devices.
Article by Mark Lukie, senior sales engineer at Barracuda Networks.