A few weeks back we released the report, Firewalls and the Cloud, which details many of the feelings that IT security pros have about deploying security tools in cloud environments. Cloud security is always top of mind at Barracuda, so we thought it would be great to catch up with our VP of Public Cloud, Tim Jefferson, for his take on some of the topics covered in the report. Here’s what he had to say:
After taking a deep look at the findings, what stands out to you?
Customers are acknowledging that they’re experiencing friction when they go to deploy their data center network security tools in the cloud. Typically, data center architectures facilitate their policy enforcement capability, but in public cloud a lot of the policy enforcement comes from the native services offered by the provider. For example, segmentation policies are created and managed by the native fabric services via route tables, subnetting and Security Groups, so the security tools being deployed in the cloud have to work in conjunction with these services to ensure compliance.
The report mentions how the cloud is redefining the role of the firewall. Is that the case?
In many ways it is. It’s not uncommon for customers to experience friction because the architecture in the cloud is different from that of a data center. Firewalls were designed for protecting data center architectures, which means tightly coupling all of the traffic back into a central policy enforcement point that scales vertically. This ends up being a real anti-pattern in the cloud, where you want to build loosely coupled architectures that scale elastically. This is why we’ve re-architected our Barracuda CloudGen Firewalls to better align with IaaS platforms like AWS, Azure and GCP.
Should we still be using the term “firewall” in the cloud?
As long as you don’t think of it in terms of a perimeter in the cloud, it’s fine. And this is mainly because you don’t want to architect in a tool that creates tightly coupled systems. The word “firewall” is definitely expanding, and we’re certainly seeing more and more customers embracing web application firewalls because the applications being developed are public-facing web apps. On the network side, next-gen firewalls still provide the policy management that the native cloud platforms don’t offer, so they’re important tools to use for compliance and policy enforcement. However, it’s important to think through the controls that you’re trying to implement, and then architect the solutions to embrace the cloud where they’ll be deployed. Both AWS and Azure have programs that highlight vendors who have well-architected their solutions for the specific platform. In our case, we have certifications in both.
Are there any common surprises that come up for security teams when deploying in the cloud?
There are so many services offered by the providers; it can be overwhelming. And for network security professionals, a lot of the tools that are a best fit for public cloud are targeted at software developers with APIs. So, if you’re not from that world or familiar with software development tools, it can be a challenge to learn how to architect in controls and leverage all the available native services that are tied together in the cloud. It comes down to bridging the software development and security teams in a way that lets them collaborate. Teams would be at a huge advantage if they start working together at the beginning of a project, so they understand each other’s needs and objectives right away.
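Two points from the interview above are worth making concrete: segmentation in public cloud is enforced by native fabric services (route tables, subnets, Security Groups), and the tooling for working with them is API-driven and developer-oriented. The following is an added example written for this post, not code from Barracuda or from the report. It audits AWS-style Security Group and route table definitions against an intended tier policy, the kind of compliance check a security tool deployed in the cloud has to perform in conjunction with the native services rather than instead of them. The input data is constructed inline in the shape of `aws ec2 describe-security-groups` / `describe-route-tables` output, and the `Tier` tag, the resource IDs and the policy itself are assumptions made for the example.

```python
"""Audit cloud-native segmentation primitives against an intended tier policy.

Added example (not from the original post). The JSON-like records below are
constructed to mirror the shape of AWS `describe-security-groups` and
`describe-route-tables` output; the `Tier` tag convention is an assumption.
Only CIDR-based ingress rules are evaluated; rules that reference other
Security Groups (UserIdGroupPairs) are out of scope here.
"""
import ipaddress

# Intended segmentation policy (assumed): per tier, which ports may accept
# ingress from which source CIDRs, and whether the tier may reach the internet.
POLICY = {
    "web": {
        "allowed_ingress": {80: ["0.0.0.0/0"], 443: ["0.0.0.0/0"], 22: ["10.0.0.0/8"]},
        "internet_egress": True,
    },
    "db": {
        "allowed_ingress": {5432: ["10.0.1.0/24"]},  # only the web subnet
        "internet_egress": False,
    },
}

# Constructed sample resources. sg-0web exposes SSH to the world and sg-0db
# accepts Postgres from the whole 10/8, both of which violate POLICY.
SECURITY_GROUPS = [
    {"GroupId": "sg-0web", "Tags": [{"Key": "Tier", "Value": "web"}],
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
          "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
         {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
          "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
     ]},
    {"GroupId": "sg-0db", "Tags": [{"Key": "Tier", "Value": "db"}],
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
          "IpRanges": [{"CidrIp": "10.0.1.0/24"}, {"CidrIp": "10.0.0.0/8"}],
          "Ipv6Ranges": []},
     ]},
]

# rtb-0db gives the database tier a default route to an internet gateway.
ROUTE_TABLES = [
    {"RouteTableId": "rtb-0web", "Tags": [{"Key": "Tier", "Value": "web"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0123"}]},
    {"RouteTableId": "rtb-0db", "Tags": [{"Key": "Tier", "Value": "db"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0123"}]},
]


def _tier(tags):
    """Return the value of the (assumed) Tier tag, or None if untagged."""
    return next((t["Value"] for t in tags if t["Key"] == "Tier"), None)


def _covered(cidr, allowed_cidrs):
    """True if `cidr` lies entirely inside one of the allowed CIDRs."""
    net = ipaddress.ip_network(cidr, strict=False)
    for allowed in allowed_cidrs:
        allowed_net = ipaddress.ip_network(allowed, strict=False)
        if allowed_net.version == net.version and net.subnet_of(allowed_net):
            return True
    return False


def audit_security_groups(groups, policy):
    """Return (group_id, detail) findings for ingress rules wider than policy."""
    findings = []
    for sg in groups:
        tier = _tier(sg.get("Tags", []))
        if tier not in policy:
            findings.append((sg["GroupId"], "no Tier tag; cannot map to policy"))
            continue
        allowed = policy[tier]["allowed_ingress"]
        for perm in sg.get("IpPermissions", []):
            sources = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            sources += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            if perm["IpProtocol"] not in ("tcp", "udp"):
                # "-1" (all traffic), ICMP, etc.: never port-scoped, so flag for review.
                findings.append((sg["GroupId"], f"non-TCP/UDP ingress ({perm['IpProtocol']}) from {sources}"))
                continue
            for port in range(perm["FromPort"], perm["ToPort"] + 1):
                for src in sources:
                    if port not in allowed or not _covered(src, allowed[port]):
                        findings.append((sg["GroupId"],
                                         f"port {port} open to {src}; policy allows {allowed.get(port, [])}"))
    return findings


def audit_route_tables(tables, policy):
    """Return (route_table_id, detail) findings for tiers that should not reach the internet."""
    findings = []
    for rt in tables:
        tier = _tier(rt.get("Tags", []))
        if tier not in policy or policy[tier]["internet_egress"]:
            continue
        for route in rt.get("Routes", []):
            gw = route.get("GatewayId", "")
            if route.get("DestinationCidrBlock") == "0.0.0.0/0" and gw.startswith("igw-"):
                findings.append((rt["RouteTableId"], f"default route to internet gateway {gw}"))
    return findings


if __name__ == "__main__":
    for resource, detail in audit_security_groups(SECURITY_GROUPS, POLICY) + audit_route_tables(ROUTE_TABLES, POLICY):
        print(f"{resource}: {detail}")
```

On the constructed input this reports three findings: SSH open to the world on the web group, the database port reachable from all of 10.0.0.0/8 instead of just the web subnet, and a default route to an internet gateway on the database tier. Against a real account the same functions would be fed the output of the provider's API (for example via boto3) rather than the inline records, which is exactly the developer-style, API-driven workflow the interview describes.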