Fortinet Questions Cloud Security

Organizations migrating to the cloud should not assume that the hyperscalers being used by them are appropriate security. This was brought out by Fortinet Consulting Cloud Architect John McDonough during a recent webinar, where he pointed to Microsoft as a major example of offering capabilities that may not really be good enough. 

An article published in SDXCentral quotes McDonough to suggest that it is a misconception among those moving to the cloud that it’s a secure place as a large company is providing it as a service. However, that isn’t always the case as these big companies only provide building blocks that need to be put together by the enterprise itself. 

He pointed out that Microsoft offers firewalls for its Azure cloud and these come with some major capabilities such as intrusion detection systems, transport layer security and URL filtering for web categories. However, the Azure firewall often needs add-ons for capabilities to be activated and its tools are just okay compared with solutions from pure-play security vendors. 

There are a few missing elements

McDonough believes that intrusion prevention, botnet protection, SD-WAN support, data loss prevention, and virtual patching are among the other critical capabilities organizations should be looking for in a firewall product, which currently doesn’t come as a package. 

To maintain a good security posture, enterprises need to not just protect what’s behind the firewall, but also stuff that goes to and fro as well as the folks who’re connected to the firewall. Which is why businesses need all the above elements to feature in their cloud security framework and to keep all users safe.

There’s more to a firewall than…

In fact, one of the critical considerations to be kept in mind while choosing a firewall relates to application awareness. And usually, this goes way beyond identifying an application’s traffic pattern. Aiden Walden, senior director for consulting systems engineering at Fortinet says enterprises need to learn about the foundational components of an application as well as the patterns that evolve over time over their use. 

For example, layer-four firewall protection uses ports like transmission control protocol ports to manage virtual connections between the host (where the browser is) and the host where a server application is running. However, for mission critical applications such as ERP, security based on ports may not be enough. 

Both Walden and McDonough believe that because SAP has constantly changing dynamic ports, the application does not really work great via the Azure firewall. Microsoft has a document on what to expect while using SAP and how to incorporate more utilization of network security groups, which needs to be studied well, they say. 

McDonough believes that though network security groups are a good foundation for a firewall, totally relying on them could be like attempting to carry water in a basket. These groups contain security rules that allow or deny inbound network traffic to or outbound traffic from several types of Azure resources. Each rule can have a specific source and destination, port and protocol. 

This is where SASE could be impactful

The two officials refer to Gartner’s terminology of secure access service edge (SASE), used to define the convergence of networking and security as a cloud-delivered service, as a possible impact solution of the future. This comprises a security service edge, a cloud-delivered security suite that packs zero-trust network access, cloud-access security broker, secure web gateway, and firewall-as-a-service.

Walden believes that companies must think beyond their choice of a firewall and include the whole security fabric of their business. SASE could be an all-in-one-solution but the architecture may be defined by the organization’s needs. In case, SaaS services usage is high, then SASE could be a great solution as it optimizes access to other SaaS services, he adds.