Securing Hybrid Clouds and Multi-Cloud with Virtualized Network Firewalls

Organizations are looking to realize the promise of cloud computing, including faster time to market, increased responsiveness, and cost reductions. As part of this, many organizations use two or more clouds to meet business needs such as disaster recovery, data backup, application resiliency, and global coverage. In fact, 76% of organizations are using two or more cloud providers.² And according to the Flexera 2020 State of the Cloud Report, “93 percent of enterprises have a multi-cloud strategy” while “87 percent have a hybrid cloud strategy.” As a result, this can introduce complexities without the right cloud security solutions that can secure any cloud environment.

Hybrid cloud brings myriad challenges

Organizations consume the cloud differently as they migrate, and they can pick and choose various hybrid-cloud infrastructures and services. But implementing disparate services and solutions—such as multi-cloud, hybrid environments, Software-as-a-Service (Saas), Platform-as-a-Service (Paas), with their various applications and endpoints—introduces implementation, management, and security challenges. The biggest challenges these disparate solutions introduce is the lack of visibility and control needed to keep the applications and devices secure and connected from the user to the data center to the cloud. Network engineering and operations leaders know that the lack of full visibility into encrypted data and control of a network infrastructure that spans applications, data, users, and many network edges can open the entire organization up to vulnerabilities. Patching on disconnected point security products operating in silos across the network only makes matters worse. The average enterprise uses 75 different security solutions, many of which only address a single attack vector or specific compliance requirement. All of this results in an unruly and  ineffective security posture.

The continual rise of cloud computing providers and the exponential growth of SaaS, combined with the increase of remote work mean that the locations of data creation and its storage have moved away from the corporate data center. And with the rapid proliferation of the mobile workforce, multiple public and privateclouds, and Internet-of-Things (IoT) devices, network attack surfaces have dramatically expanded, and have created more blind spots obscuring visibility into threats.

Managing and securing all of these different private and public cloud workloads and environments is not a simple undertaking. Few IT teams have the expertise or bandwidth to manage a mixed deployment of multiple public cloud, private cloud, and on-premises environments. Many organizations connect their clouds using their on-premises data center WAN edge, using SD-WAN for example. For these cloud connections, organizations need solutions, like Fortinet Secure SD-WAN, to ensure network performance without compromising security.

Securing hybrid cloud with a platform approach

Despite the many benefits, hybrid cloud environments add extra layers of management complexity, especially with applications in motion and millions of endpoints. Security at the application level, across the network, and in hybrid cloud environments needs to be based on a modular platform approach to address each layer.

The building blocks of a successful modular security infrastructure include:

1. Visibility: You can’t detect, protect, or resolve issues if you can’t see what is going on inside your network. Isolated tools obscure this visibility. Instead, every component—whether network or security—has to work together as a single, unified solution.
2. Knowledge: Organizations are inundated with data. The best way to make use of that data, and keep it secure, is to use artificial intelligence (AI) and automation tools to gather, analyze, correlate, and make sense of it all for quick action to issues or attacks.
3. Controls: Control requires being able to take an action whenever and wherever required to minimize the impact of a threat anywhere.

But don’t ditch the firewall

Network Firewalls are a critical element of a sound cloud strategy.  They enable security-driven networking and provide broad, integrated, and automated protection against emerging and sophisticated threats and ultimately deliver protection into the cloud, with the cloud(s), and across clouds.

Virtualization/Public Cloud Support: Enterprise firewall platforms must support network function virtualization (NFV) with full feature and management parity between virtual and appliance versions. Amazon Web Services (AWS), Microsoft Azure, and Google Cloud must be explicitly supported at the IaaS level and should have support for PaaS on their roadmaps.

Application Awareness/Control: The firewall needs to be able to inspect and block individual application subcomponents/services.

Advanced Networking Support: Integrations with WAN acceleration, SD-WAN interoperability (API level), IPv6 features, app-based quality of service (QoS), and app-based performance routing.

External Threat Intelligence Feeds: The ability to ingest third- and first-party threat intelligence feeds can greatly increase the efficacy of blocking decisions.

Secure SD-WAN:  The firewall needs to be able to enable secure, seamless, and superior quality of experience of applications across hybrid and multi-clouds.  Ideally, this is supported by a cybersecurity platform that provides consistent policies and orchestration across the full range of hybrid and multi-cloud deployed on.

Deploying virtualized firewalls inside the public cloud IaaS instances can cause a unique set of challenges (scaling and high availability) due to major differences in how routing and switching are implemented inside the public cloud versus traditional IP networks. Enterprise firewalls should support the following to address this challenge.

Learn how Fortinet’s adaptive cloud security solutions provide the necessary visibility and control across cloud infrastructures, enabling secure applications and connectivity from data center to cloud.