Make sure you pick the right security tools for the cloud

Organizations must evolve beyond on-premises security mentalities and address the emerging demands of the cloud. Not doing so will hinder migration, deteriorate security posture and cost money and time.

Thousands of organizations today are reaping the benefits of downsizing their on-premises infrastructure by using Software-as-a-Service applications like Office 365 or moving their network and application workloads to public cloud infrastructures like Amazon AWS, Microsoft Azure or Google Cloud Platform.

I’ve talked with numerous information security teams about their security architecture for cloud environments, and come to understand that the cloud demands a very different set of requirements compared to traditional on-premises security. Let’s talk about some of these requirements and recommended approaches for customers to fully leverage the benefits of the cloud while maintaining effective security.

Obviously, the decision to migrate workloads, applications, and data to the cloud brings intrinsic security concerns. According to a recent report by my company Barracuda, “Unlocking the Public Cloud,” 74 percent of respondents stated that security concerns restrict their organizations’ migration to public cloud. Public cloud adoption is growing rapidly, but security is now the largest area of resistance when moving to the cloud.

Most information security teams have experience and expertise securing data-center environments, and therefore naturally try to carry over the same, familiar approaches to the cloud. Attempting to use tightly coupled perimeter firewalls in loosely coupled cloud environments, where no perimeter exists, results in a marked loss of scalability, flexibility, control and visibility. Ultimately, this will lead to configuration headaches and overpaying for features that are not relevant in the cloud, because traditional perimeter-based firewalls are simply not engineered for the cloud’s elasticity, scalability, and consumption models.

Cloud-connected network topologies involve many globally dispersed locations and remote users directly connected to public cloud and SaaS-based applications. This imposes new requirements on firewalls. They need to scale horizontally to secure hundreds of discrete workloads, be deployable through automation and orchestration tools, and support distributed, workload-specific policies.

To make matters more complicated, as most organizations migrate to the cloud, they often make the mistake of blindly carrying over their old on-premises firewalls. They end up paying for features that don’t apply in the cloud and worse, waste time and money just trying to make the firewall work in cloud environments.

Rigid, monolithic and hardware-centric firewall architectures designed for centralized networks just don’t work when deployed in public cloud infrastructures. As the public cloud guys call it, they are an anti-pattern.

Leveraging the benefits of cloud computing raises a whole new set of requirements around connectivity, scalability, security, integration, deployment and pricing.

Some of the things that cloud generation firewall architectures must address include:

  • They must provide capabilities that satisfy the most demanding cloud-specific use cases without carrying the overhead of legacy on-premises architectures.
  • They should provide rich API interfaces that can be easily deployed in public cloud environments through commonly used automation and orchestration tools like Puppet. They must be deployable in high-availability clusters, auto-scaled using cloud templates, and also managed and monitored from a single pane of glass.
  • They must directly integrate with native public cloud services like Elastic Load Balancing, AWS CloudWatch, Azure ExpressRoute, Azure OMS and more.
  • They should provide complete licensing flexibility, including pure consumption-based billing, allowing you to deploy as many firewalls as needed and pay only for the traffic that is secured.

Ultimately, migrating to the cloud means shifting the way you think about security, and it’s important to take a strong look at the security technology stack before migrating. Instead of struggling to control all traffic through the network, organizations should look to focus on protecting each application and workload with the right level of security. This means deploying security in alignment with your current cloud consumption model and leveraging tools that allow you to build security controls into the development and deployment process. When these requirements are met, organizations can migrate successfully without compromising their security posture.

This article is published as part of the IDG Contributor Network.