What to consider when moving into the cloud generation… securely

21 Nov 2017

IT professionals are starting to realise just how different securing a cloud computing environment is from traditional on-premises IT environments. We’re still in an era where the term firewall is typically thought of as a tool for securing data centre architectures because that’s what a next-generation firewall is designed to do.

As we continue to inch closer to the cloud era, many organisations are still using traditional firewalls to secure cloud workloads and applications. But it’s not the best way to approach security in the cloud.

We recently sponsored a survey with Vanson Bourne, which revealed that 44.6 percent of the 100 Australian respondents already have their infrastructure in the public cloud. While 59 percent felt totally confident that their organisation’s move to the public cloud was secure, almost all report that additional security solutions are needed. Meanwhile, 64 percent state that security concerns restrict their organisation’s migration to the public cloud.

It’s worthwhile taking a step back and looking at your cloud security requirements moving forward before continuing to implement the same security tools in an entirely different environment. Find out if the firewall, for example, integrates with the cloud fabric, provides a full-featured API, or if the pricing aligns with current cloud consumption models. Ultimately, it’s about having the right tool for the job.

Consider a different set of tools

Next-generation firewalls are purpose-built for data centre architectures (on-premise) where everything is tightly coupled and traffic flows through firewalls that scale vertically. However, public cloud best practices dictate building loosely coupled architectures that scale out horizontally (elastic).

It’s critical to understand the cloud environment that your applications will be deployed in, and the native services that the infrastructure-as-a-service (IaaS) provider offers to achieve security control coverage. Then you can implement your required controls in a way that leverages the provider’s deployment best practices.

This doesn’t necessarily mean bringing in legacy data centre architectures and tools, which tend to be ‘anti-patterns’ in the cloud. Perimeter-based firewall architectures are highly effective in a data centre, for example, but can become sources of friction when deployed in the public cloud.

Instead, you should think through the actual security controls you need to cover and use tools that leverage the agility and elasticity of cloud infrastructure — both technically and commercially.

A cloud generation firewall needs to be tightly integrated into the IaaS management fabric. It must support a license-less commercial model that enables automated deployments that don’t incur licensing costs unless they actually see production traffic.

Confusion about security responsibilities

As we move further into the cloud generation, there’s still confusion about security responsibilities. We’re heading in the right direction, but we still see a lot of organisations that are just getting started in the cloud, so it remains an important part of the discussion.

All the major cloud providers clearly state the security controls that customers inherit with their platforms; however, when customers move applications to the cloud, the responsibility for securing those applications falls on the customer.

In fact, the Vanson Bourne survey revealed some interesting data related to the shared security model. The majority of the survey respondents believe that public cloud providers are responsible for securing customer data and applications in the cloud, which proves that there’s still a lack of clarity around the subject. It would be beneficial for any organisation running workloads in the cloud to have a conversation about security.

Handy hints

Look for third parties that support a wide range of ecosystems with the same or similar solutions. Organisations often end up with multiple cloud providers, as well as having an on-premises (legacy) infrastructure. This can have implications for complexity and overall costs; it's further compounded when third-party solutions such as security are added to the mix.

Consider third parties that offer equivalent licensing options to how you’re licensing your public cloud infrastructure. As organisations weigh licensing options – by usage, per hour, unlimited, etc – we see customers beginning to understand how they can leverage different ones to gain greater cost controls. This becomes more important when third-party vendors are added to the mix.

Finally, look for vendors who can provide a common management scheme – either in their products or using public cloud security infrastructures – to simplify managing and monitoring ongoing security.

Companies deploying the most common security routine – routing branch locations' traffic through a central security solution – generally find these solutions lack scale and cost benefits as their cloud leverage increases. Those that look at distributed security solutions closer to the point of access, such as next-generation firewalls and web application firewalls, reduce those issues but find new ones in managing multiple devices.

Article by Mark Lukie, senior sales engineer at Barracuda Networks.
