Redefining firewalls for the cloud generation

Cloud computing has become the new normal in IT, especially with public cloud functionality growing tremendously in 2017, and is still advancing.

“2017 took us well into the cloud generation, and as we look at 2018, it will become more critical than ever for organizations to understand public cloud environments in order to keep workloads and applications secure,” said Tim Jefferson, VP of Public Cloud at Barracuda Networks.

Spurred by this trend, more attackers will be drawn to explore cloud deployments for weaknesses to exploit. Capturing this reality in today’s environments, Barracuda Networks’ Firewalls and the Cloud report, released in March 2018, highlighted the experiences and attitudes of IT professionals in regards to cloud security based on survey data collected from over 600 respondents worldwide.

An overwhelming 83% of the survey participants are concerned about deploying traditional firewalls in the cloud, citing “pricing and licensing not appropriate for the cloud,” and “lack of integration prevents cloud automation” as their top pain points.

For 74% of respondents, “integration with cloud management, monitoring, and automation capabilities” is the most beneficial cloud-specific firewall capability while 59% cite “easy to deploy and configure by cloud developers”.

Meanwhile, among organizations that have adopted DevOps, DevSecOps, or continuous integration and continuous deployment, 93% faced challenges integrating security into those practices.

“For organizations that are used to operating under traditional data center architecture, moving to the cloud will require a new way of thinking when they approach security,” said Jefferson. “Using security tools specifically designed for the public cloud can actually make a business more secure than they were when they operated purely on-premises.”

Perilous paths

This assurance is timely given that today’s  sophisticated cyber threats use advanced techniques to avoid detection and they’re able to employ multiple vectors to penetrate the network.

For example, ransomware may be hidden in a file downloaded from the internet, exploiting the network vector, or it could be delivered via email as an attachment, exploiting the email vector, or triggered when a user clicks on a typo-squatted URL, exploiting the web vector. Multi-vector attacks mean that it’s no longer enough to secure each vector in isolation or to rely just on signature-based detection.

More dynamic security is needed. In the cloud era, the firewall designed to secure data center architectures might not be suited to secure cloud workloads and applications.

Jefferson highlighted specific examples such as how perimeter-based firewall architectures, while highly effective in a data center, can become sources of friction when deployed in the public cloud. And while offering customers agility, the public cloud is consumed differently from traditional IT. Put simply, firewalls have to keep up with the cloud generation.

“A cloud generation firewall needs to be tightly integrated into the IaaS management fabric, and support a license-less commercial model that enables automated deployments that don’t incur licensing costs unless they actually see production traffic,” he explained.

Meanwhile, DevOps teams, who are building in the cloud, seek agility when deploying security controls — specifically for ways to consume and deploy third-party security tools via API. For example, the Barracuda Web Application Firewall’s (WAF’s) integration with Puppet Labs’ REST API framework within AWS, which allows DevSecOps teams to integrate security controls into their cloud-native applications on the platform and then automate application tests and integrate security directly into the code building process.

Know your responsibility

As new malware variants emerge – at a rate of more than 200 per quarter, according to some predictions – and modern and traditional attacks like the OWASP Top 10 rapidly growing in volume and sophistication, security measures must continue to evolve.

This is where the Barracuda CloudGen Firewalls leverages an advanced and integrated set of cloud-based security technologies – known as Barracuda Advanced Threat Protection – that lets organizations deploy advanced protection across multiple threat vectors that share information through the Barracuda Threat Intelligence Network.

These advanced technologies provide multiple layers of real-time detection and protection, including signature, static, behavioral analysis, all the way to comprehensive, cloud-based sandboxing to accurately detect polymorphic attacks without impacting network performance.

Barracuda CloudGen Firewalls can be deployed across physical locations as well as in Microsoft Azure, AWS, and Google Cloud Platform with centralized single-pane-of-glass management to maintain a consistent security posture across the entire network perimeter.

This supports a fundamental need for organizations running workloads in the cloud to understand their cloud provider’s shared responsibility model to facilitate a meaningful conversation about security.

“All the major cloud providers clearly state the security controls that customers inherit with their platforms,” Jefferson pointed out. “It’s important to understand that if your data and applications are in the cloud, it’s your responsibility to secure them.”