We’re still in an era where the term firewall is typically thought of as a tool for securing data center architectures, because that’s what a next-generation firewall is designed to do. However, as organizations continue to inch closer to the cloud era, many are still using traditional firewalls to secure cloud workloads and applications. Is this the best way to approach security in the cloud? It might be worthwhile to step back and take a look at the cloud security requirements moving forward before continuing to implement the same security tools in an entirely different environment. For example, you need to find out whether the firewall integrates with the cloud fabric, whether it provides a full-featured API, and whether the pricing aligns with current cloud consumption models. This all depends on whether the firewall is engineered for the cloud; ultimately it’s about having the right tool for the job. But don’t take my word for it. Let’s ask someone who spends a lot of time in the cloud.
Q & A with Tim Jefferson, VP Public Cloud, Barracuda
Q: Does the cloud require a different set of security tools?
A: It’s critical to understand the cloud environment that your applications will be deployed in, and the native services that the IaaS provider offers to achieve security control coverage. Then, customers can instrument in their required controls that leverage the provider’s deployment best-practices. This means not necessarily bringing in legacy data-center architectures and tools, which tend to be ‘anti-patterns’ in the cloud. For example, perimeter-based firewall architectures are highly effective in a data center, but can become sources of friction when deployed in the public cloud. The public cloud also offers customers agility, while being consumed differently than traditional IT. Those who are building in the cloud, like DevOps teams, for example, are looking for the same agility when deploying security controls — specifically for ways to consume and deploy third-party security tools via API.
Q: You mentioned DevOps teams. Are they looking for specific security controls in the cloud?
A: Security is one of the most challenging pieces of application development, and it often catches blame for slowing down the process due to the friction it introduces. However, we’re seeing demand from the DevOps community to automate security controls into the CI/CD process, which allows for security controls to be pushed deeper into the development process. The best example of this at Barracuda is our WAF integration with Puppet Labs’ REST API framework, which allows DevSecOps teams to include application security architectures into their CI/CD workflows.
Q: What are some of the major differences in deploying a firewall in the public cloud versus on-premises?
A: It all comes down to having the right tool for the job. Next-generation firewalls are purpose-built for data-center architectures where everything is tightly coupled and traffic flows through firewalls that scale vertically. However, public cloud best practices dictate building loosely-coupled architectures that scale out horizontally (elastic). So, instrumenting in legacy data center perimeter security is actually an ‘anti-pattern’ in public cloud. Customers should instead think through the actual security controls they need to cover, and use tools that leverage the agility and elasticity of cloud infrastructure — both technically and commercially. A cloud generation firewall needs to be tightly integrated into the IaaS management fabric, and support a license-less commercial model that enables automated deployments that don’t incur licensing costs unless they actually see production traffic.
Q: What is needed for security to adapt to the current public cloud consumption model?
A: I think if we take a look at how the public cloud is being consumed, security needs to reflect that model. For example, AWS Marketplace Metering Service is a pricing and metering feature that AWS Marketplace sellers can use to directly charge for their software using one of four usage categories: users, data, bandwidth, or hosts. In Barracuda’s case, our firewalls are available as a metered billing service, which allows customers to scale elastically along with their cloud demands while being billed for the traffic that is secured as opposed to individual licenses. In the cloud, it doesn’t make sense to require customers to purchase more firewall licenses when their network experiences a traffic increase, because when the network scales back down to normal levels, they are burdened with paying for unused licenses.
Q: As we move further into the cloud generation, is there still confusion about security responsibilities?
A: We’re heading in the right direction, but we still see a lot of organizations that are just getting started in the cloud, so it’s still an important part of the discussion. All the major cloud providers clearly state the security controls that customers inherit with their platforms; however, when customers move applications to the cloud, the responsibility of securing those applications falls on the customer. In fact, we recently ran a public cloud survey and came away with some interesting data related to the shared security model. We discovered that a majority of the respondents believe that public cloud providers are responsible for securing customer data and applications in the cloud, which proves that there’s still a lack of clarity around the subject. It would be beneficial for any organization running workloads in the cloud to have a conversation about security.
Q: What makes Barracuda’s approach to security the right fit for the cloud generation?
A: I think if you take a look at our latest announcement, “Barracuda Announces New Cloud Generation Firewall Capabilities,” we’re able to continue to address some important cloud use cases that can really help customers handle security needs in the cloud. Our firewalls are engineered to be tightly integrated into the public cloud providers’ management fabric. This all comes from having a great understanding of the unique technical and commercial requirements that security and development teams need in order to migrate security controls into their applications in a way that’s consistent with the cloud providers’ development best practices. Specifically, by making our firewalls available as a metered billing service in the AWS Marketplace, we’re ensuring that all provisioning is done entirely within the AWS Marketplace, which removes any licensing friction because pricing is based on the actual traffic secured. Secondly, we’re supporting an important use case for DevSecOps teams with the REST API framework that can be used to automate the orchestration and configuration of the Barracuda Web Application Firewall, which now includes Puppet Labs’ integration within AWS, making it easier for customers to integrate security controls into their cloud-native applications on AWS. With this integration, application developers are able to automate application tests and integrate security directly into the code building process.