Fortinet’s CISO, Phil Quade, recently sat down for an interview with Dan Woods from Early Adopter Research to discuss top-of-mind trends for CISOs today. Here are a few brief edited excerpts.
You have next-generation firewalls, which are the foundation of the company, but what are the product categories that are under the Fortinet umbrella?
I put them into three main categories. The first category is your core network, the things that exist in your own datacenter, all types of firewalls and other appliances that do analysis inside your core network.
Another category would be appliances that work virtually. Whether it be visibility, analysis, integration, or automation, all the functionality that we have in physical appliances is also available in cloud-oriented appliances, whether that be private cloud, public cloud or multi-cloud. So category two is virtualized solutions.
The third category, I would call endpoint-oriented solutions. Endpoint as we’ve known it historically has been the desktop, then the laptop, then the tablet, and now our smartphones. We have a whole category of solutions that work to allow secure access and secure operations of those endpoints.
People are implementing zero trust even though they’re inside a protected network. What does zero trust mean in this current environment we’re in, where most companies aren’t completely cloud and are living in a perimeter-less environment?
I think that the marketing around zero trust has outpaced the headlights. I think the computer science and the strategy around it is actually more about segmentation. The theoretical trend behind zero trust is that you control access at the most discrete level to every single person or object. In a practical sense, the implementation of such a strategy becomes too complex and too unwieldy to achieve.
Segmentation has been around for a long time, and that’s about putting the appropriate boundary around assets and things that matter. The preeminent cybersecurity strategy of 10–12 years ago was boundary defense – we’d create a virtual and physical boundary around our networks and we would do something called active cyber defense. We would detect and mitigate in cyber-relevant time and we’d inform it by specialized intelligence or information, active cyber defense.
But mobility, wireless and some other things have meant that that physical and virtual boundary has become less apparent. The importance of segmentation has risen dramatically just in the past few years as our assets need to be protected no matter where they are, even if those assets move around. I call that particular strategy “agile segmentation” – the ability to use segmentation to protect your assets no matter where they might be. Another important component of the segmentation strategy is the granularity of how you can enforce it, including macro-segmentation and micro-segmentation.
The next question I have is about portfolio pruning, meaning the idea that at some point we should get to where there are fewer cybersecurity components, fewer cybersecurity products, and fewer vendors. Instead, it seems that we are getting to a point where every generation of cybersecurity adds a new collection of components. Do you think we’ll ever get to where we can actually prune and shrink the size of the capabilities in our portfolios?
If you have multiple components independently trying to defend your network, you’re only as strong as your weakest component. But if they’re collaborating in defending your network, their sum is greater than the individual parts.
So what we need to prune is the complexity required to manage an integrated defense, because the complexity is causing too many errors by the operators of these defenses. And we need to prune the individualism of all these different capabilities. If I was building an architecture strategy from scratch today, I would no doubt go with a single vendor implementation of a well-integrated, single implementation based on speed and integration.
Of course, that’s not practical for most people. They’re not starting from scratch, so what they need is not just a rip-and-replace solution but something that can be easily and thoroughly integrated into an existing solution. Fortinet provides that in a couple of different ways. Number one, you can build out from a small core of our suite of products that work over our Security Fabric to get those products to work together. But importantly, many other vendors are a part of something we call the Fabric-Ready partner program that allows other vendors’ products to connect to the Fortinet Security Fabric and we can very richly collaborate in their defenses.
The next question I have is about cloud migration. Every component that’s on premise these days seems to have some aspect of it that does connect to a central cloud, whether to provide data that has ML learning that makes it smarter or to get access to the freshest threats or whatever. But the bulk of cybersecurity spending is on devices that are on premise. And even though we think of the cloud as a massive new trend, if you look at cybersecurity especially, the cloud-centric products are like 10% of the spending. How is this transition to cloud-based cybersecurity going to take place?
You asked an appropriate, complex question. The cloud, of course, is primarily about agility and scalability; it provides large amounts of storage or large amounts of high-performance computing available to folks who otherwise couldn’t afford it. So it’s not a lower-cost solution, it’s simply a flexible and agile way to get that data or compute power. But if you’re going to do data or computing in the cloud, you need to make sure you have secure solutions. We think the answer is most companies will be hybrid cloud. They’ll have some assets in their own data centers, they’ll have some assets in private cloud, and they’ll even have some assets in public cloud. Certainly, that’s where larger enterprises are. There are advantages of being in each of those places so I don’t expect a complete migration to the cloud.
You can read or listen to the entire podcast, entitled “Achieving Cybersecurity Integration: A Q&A with Fortinet’s Phil Quade” on the Early Adopter Research website here.