Cloud computing platforms and services have come a long way in the last few years. In 2010, the Cloud Industry Forum (“CIF”) found that just 48 per cent of UK-based organisations had consciously adopted a Cloud service1. That figure now stands at 84 per cent, with more than three quarters (78 per cent) of users having adopted two or more Cloud services.
Many benefits can be achieved by moving data towards the Cloud and it’s no surprise that most organisations are beginning to realise its potential. However, for public Cloud services in particular, the key sticking point remains security. For the most part, Cloud vendors have taken care of the network hardware security, but they have been slower to implement sophisticated security solutions that provide protection at the application layer. The dearth of application-layer support has left tenants somewhat exposed if they place data-driven applications within virtual machines in the Cloud.
The Cloud security headache
Typically, whatever threats you face in your physical data centre will be present in a Cloud-based one, but with the added complexity of the remote link between the two, plus the lack of direct ownership and control. Thus, as you extend your applications to the Cloud, you are also extending your notions of identity, network and access control, information protection and endpoint security.
As an example, for tenants of Microsoft Azure there are numerous security controls that protect the infrastructure, Cloud fabric, hypervisors, services and tenant environment. However, when it comes to workload-specific security, such as protecting application traffic from exploits and implementing anti-malware solutions, Azure and its peers fall somewhat short. This is primarily because Cloud service providers have no knowledge of what constitutes a customer’s normal operations versus malicious traffic.
In the public Cloud model, the loss of direct control means you can’t rely on the physical infrastructure to protect applications and data. While on-premises security devices such as firewalls, VPN, IPS and so on provide a strong security exterior, Cloud-based environments have only the basic protections afforded by the shared services, or those included in the server operating system. As a result, the role of the network and application firewall in the Cloud context becomes even more critical.
Enter: the virtual Cloud firewall
Cloud security needs can be addressed by deploying new layers of protection through a virtual security device, which can sit within your tenant environment and utilise application visibility and user awareness to manage traffic and bandwidth intelligently.
A Cloud-based virtual firewall can meet a number of security requirements in the Cloud, including:
- Secure Data Centre:a virtual firewall can filter and manage traffic flowing to or from the Internet, between virtual networks or between tenants, to secure the virtual data centre. It can also securely extend a physical data centre to the Cloud, which is particularly relevant if you are migrating solutions to the Cloud and therefore require secure connectivity between the Cloud environment and local infrastructure.
- Secure Remote Access:while the standard tunnels used to configure VPN gateways are certainly secure from an encryption and privacy standpoint, they do not provide the level of control that many IT groups have come to rely on through their hardware-based firewall. A virtual firewall can provide the advanced access policy, filtering and connection management necessary to provide client access to the Cloud. As for encrypted content, the virtual firewall can ensure that all data (regardless of source or destination) is subject to the same protective measures that would be in place with an on-premise hardware-based firewall.
- Identity:since most Cloud platforms are not designed to intercept malicious intent, the virtual firewall is crucial in maintaining integrity and confidentiality of apps and data. It should integrate with most well-known access control providers and offer a broad range of granular, policy-based filtering tools.
- Management:while Cloud vendors typically provide tenant isolation and security, the virtual firewall is needed to provide a comprehensive set of tools for managing performance, usage, visibility, reporting, configuration and the other capabilities that are normally associated with virtual networks running within your on-premises LAN.
A tool dedicated to the task
Cloud-based network and application security can be viewed in the same way as physical data centres: the capabilities provided by the platform and those that the application architecture must provide. Securing applications and data in the Cloud is far easier with tools that are dedicated to the task. A Cloud-based virtual firewall will provide protection where the application and data reside, merging the capabilities of on-premises data centre network protection, with security needs in the public Cloud.