Critical Security Analysis: Platform vs. Fabric

istock 694553584

One of the challenges of building a security infrastructure often involves sifting through the marketing language security vendors and manufacturers use to describe their technologies and strategies. Far too often, security tools are wrapped in marketing vernacular that sometimes intentionally obscures what a device or tool can actually do.

Visit any security trade show and you are going to be overwhelmed by devices claiming to be “cloud enabled” or that offer “advanced threat intelligence,” with little information about what those terms mean. Sometimes, these new marketing terms take on a life of their own. For example, in spite of all of the hype, there is really very little difference between an NGFW (Next Generation Firewall) and the thousands of UTM (Unified Threat Management) devices that had been around for years when that term was first coined. But once the idea of a “Next-Gen Firewall” began to grab media attention and market share, vendors began to jump on the bandwagon.

The challenge with such a marketing trend is that there are no standards. Since no one had actually prescribed what constituted an NGFW, pretty soon there were dozens of devices, from a variety of vendors, all claiming to be one, ranging from sophisticated systems of integrated technologies to what were essentially traditional firewalls with a shiny new Next-Gen Firewall label slapped on the box. How to tell them apart was anyone’s guess.

A similar challenge now exists for two new ideas competing for mind share: the Security Platform and the Security Fabric. Each claims to be the next evolution of network security, and on the surface, both seem to try and solve the problem of expanding network environments and increasingly sophisticated threats. But in reality, they are very different approaches. 

A Security Platform

It always helps to start with some basic definitions. A platform is usually a single environment, usually hardware, on which different point products have been deployed or different applications can be executed. Ideally, it also claims to include a single interface through which everything can generally be managed. A smartphone or a laptop, for example, can be a platform.

A security platform is no different. In reality, a standard Next-Gen Firewall with some added interoperability is almost always what organizations really mean when they claim to have a security platform. It usually includes loosely integrated functions such as firewall, IPS, anti-virus/anti-malware, application controls, and VPN solutions – often from a single manufacturer – into a single device. These platform devices are deployed in a discrete physical location, where they usually can only see and secure the traffic that passes in front of or through them. Just like traditional NGFWs, security platforms are usually deployed at the edge of the network, and control traffic moving north and south past a predefined perimeter, demarcation point, or security zone.

Sometimes, individual security platforms can communicate with each other to share basic management and threat information, which allows vendors to claim that they are an adequate solution for extended networks.

A Security Fabric

A security fabric is fundamentally different from a platform. Rather than being a device with a collection of products wrapped together in a box, a fabric isn’t actually a product at all. Instead, it is an adaptive, architectural approach to security, enabled by open standards and protocols, that allow you to connect different security devices – including security platforms – into a single, integrated system that is actually able to span across your entire ecosystem of networks.

In addition to integrating all the technologies traditionally included in a platform, a security fabric can also include endpoint security, access points, network segmentation, third-party security devices and technologies, SIEM and other management tools, advanced threat protection solutions, and even the security built directly into network devices.

A fabric-based security framework comprised of such a breadth of solutions enables you to actually connect security tools deployed anywhere across your dynamic and distributed environment into single, integrated security ecosystem. It ties together security at the perimeter, in the data center, on the campus, in the cloud, and at branch offices, across parallel networks (IT, OT, and IoT), and even IoT and end user devices. The ability to distribute security tools wherever they are needed, anywhere across the entire network, and connect them together into a single security framework allows IT teams to see and control their networks in a way that has never been possible before.

A Fabric vs A Platform

Many platform security vendors inaccurately claim to have an end-to-end solution. One of the challenges of security platforms, however, is that they start with a specific security element, such as a next-generation firewall, bolt on other security tools on an as-needed basis, and position it in a static location on the network. This leads to some challenges and gaps in security, such as: 

  • Cost: A platform-based approach means that, regardless of which technologies you want to deploy, you have to purchase hardware designed to accommodate all of them. Which isn’t cheap. It either means that you are paying for processing power that is lying dormant when a particular function isn’t needed, or that drops to its knees during traffic spikes and surges.

A security fabric, on the other hand, allows you to leverage existing security technologies from a variety of vendors through a system of open APIs. It also allows you to correlate and coordinate threat intelligence between devices deployed across your distributed ecosystem to expand visibility without the cost of acquiring additional tools. And because a security fabric is built on a common framework that works across physical, virtual, and cloud networks, you can easily coordinate different devices across your various network ecosystems to reduce operational overhead and reduce capital expenses through consolidation. 

  • Protection Across all Threat Vectors: Networks are increasingly dynamic, distributed, and interconnected, and security technologies need to be just as elastic and adaptable. In addition, security solutions also need to see and address all threat vectors in a holistic and integrated fashion.

All-in-one platforms are built around a static hardware and feature configuration, which means you only have visibility into and protection for those threat vectors that are preloaded into the box. However, because network functions are highly integrated, threats entering the network through an unprotected vector can have a devastating affect. As a result, blind spots created by the limitations of nearly all security platforms, and their inability to seamlessly coordinate and share threat intelligence with other solutions, actually introduces risk into your network security strategy.

A security fabric approach, however, enables organizations to tie together security technologies that span the entire spectrum of threat vectors. A security fabric includes collaborative protection for endpoints, including IoT devices, wired and wireless access points, networks and data centers, including both perimeter and segmentation strategies that drive security deep into the network infrastructure regardless of whether it is local or distributed, custom and pre-built applications, and the full range of cloud environments. 

  • Single Management Console:  Because platforms are made up of pre-defined bundles of technologies deployed in a single location, they often have blind spots. For example, specialized security technologies from other vendors that are not included in the platform’s bundle often see and collect data that can’t easily be shared with the platform.

Furthermore, the “bolt together” strategy of most platforms rarely provides a holistic and integrated internal management interface, let alone one that can span across the distributed network ecosystem. The secret reality is that nearly all platforms still require the deployment and use of a variety of dashboards and methodologies to collect data, analyze threats, and deploy and enforce policy. As a result, such an approach is really not much different than the traditional deployment of siloed, piecemeal security devices because it limits the availability of real-time visibility and requires threat correlation and policy orchestration to be managed by hand.

By comparison, a security fabric integrates all deployed devices, even many of those from third-party vendors, into a single management, orchestration, and response strategy. This enables rapid peer-to-peer threat and mitigation intelligence sharing and coordination, from IoT to the cloud, through a single console. Open standards and APIs enable data to be easily collected, shared, and correlated. They also enable policy changes and threat responses to be automatically synchronized between devices, even across multiple vendors, that have been deployed across the distributed network ecosystem. 

  • Open/Closed: Third-party integration with a platform is especially difficult because it is often built around proprietary protocols and interfaces. In spite of marketing language to the contrary, such an approach actually limits visibility, control, orchestration, and response, especially when considering the larger networked environment.

Because the security fabric is designed around a series of open Application Programming Interfaces (APIs), Open Authentication Technology, and standardized telemetry data, organizations are able to actually integrate many of their existing security investments into a unified, holistic strategy.

Unlike platforms, a framework-based approach to security, like the one provided by the Fortinet Security Fabric can leverage and integrate the best of security technologies. In plain language, it is the first approach that is actually able to defend, protect, and automatically adapt to today’s increasingly complex and distributed networks.