As businesses require more speed and flexibility in delivering applications and services, cloud computing has emerged as the model best aligned to meet the needs of many organizations. Data centers especially are evolving rapidly into both private and public clouds, along with customer demands for fast and secure cloud infrastructure and services. Fortinet’s Warren Wu shares more perspective on the intersection of cloud computing and security technology.
Over the past decade, enterprises have been adopting cloud computing at an unprecedented pace, with Gartner Research projecting IT spending on public cloud-based infrastructure services to surpass $24 billion in 2016, and associated management and security to surpass $8 billion. Meanwhile, private cloud infrastructures, including server and network virtualization and software-defined networking (SDN), are rapidly transforming on-premises data centers - which still host the majority of enterprise server workloads worldwide - into agile software-defined data centers (SDDC). And this is all happening as awareness of and concern over advanced malware and threats keep growing, making it more urgent than ever to protect end users and data, regardless of where workloads and applications reside.
Organizations need to continue to maintain a strong security posture in private and public clouds, and even increase security to deal with highly dynamic and fast-paced cloud environments, especially as compared to their previously static data centers.
With the IT efficiencies gained by pooling compute, storage, and network resources through virtualization, SDN, and other technologies, private and public clouds have become increasingly aggregated environments, where not just servers but entire data centers have been consolidated into fewer but more efficient cloud environments.
The mix of data center traffic has further shifted from north-south, which now only accounts for about 20% of data center traffic, to east-west, which represents over 70% of traffic, especially as new software-defined environments continue to optimize underlying hardware utilization and efficiency on scale-out architectures.
All of this means it is more critical than ever to isolate business units and applications, as well as segment east-west traffic to minimize the impact of a hacker or advanced threat that manages to breach the cloud perimeter via a single weak or vulnerable application.
Of course, regardless of whether an application resides in a private or public cloud, data subject to regulatory compliance needs to be properly secured according to industry regulations, such as PCI, HIPAA, FISMA, etc., with the added complication that enterprise tenants do not fully own and control the shared infrastructure in public clouds.
Organizations should employ an end-to-end segmentation strategy, starting with micro-segmentation within the software-defined data center, and complementing that with internal segmentation firewalling within and across the physical network layers of data centers, campuses, and branch offices. Within the private cloud, advances in network virtualization and orchestration mean organizations can and should consider a fine-grained micro-segmentation strategy that can uniquely firewall and secure workloads irrespective of physical network topology, even down to a single virtual machine or workload.
And now, as many organizations begin to employ hybrid cloud strategies - where public clouds are used to host more exposed public-facing workloads with less sensitive data - public clouds reached over persistent VPN connections should be segmented from the private clouds that need to be better secured. Conversely, some organizations may use the public cloud to host some sensitive data, such as credit card data subject to PCI compliance, in order to keep strict industry regulations from applying to the private cloud. Segmentation between the public and private portions of the hybrid cloud is equally important in this approach.
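The two paragraphs above describe a segmentation policy that is keyed to what a workload is rather than where it sits, with an explicit control point at the private/public boundary. The following Python is an added example written for this page, not Fortinet's or any product's code: the workloads, labels, addresses, zones and rule names are all constructed, and the rule format is a hypothetical one chosen to make the two points visible, that a label-based rule keeps applying after a workload changes IP or subnet, and that a flow crossing the hybrid boundary is dropped unless a rule explicitly permits the crossing.

```python
"""Label-based micro-segmentation check (constructed example, not vendor code).

Each workload carries labels such as app=shop or tier=db and a cloud zone
(private SDDC or provider-hosted public cloud). Rules match on labels, never on
IP addresses, and the policy is default-deny: an east-west flow that no rule
allows is dropped. A flow whose endpoints are in different zones must match a
rule that explicitly sets cross_zone=True, which models the segmentation point
between the private and public halves of a hybrid cloud.
"""
from dataclasses import dataclass, replace
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Workload:
    name: str
    ip: str
    zone: str              # "private" or "public"
    labels: frozenset      # e.g. frozenset({"app=shop", "tier=web"})


@dataclass(frozen=True)
class Rule:
    name: str
    src: frozenset         # every label here must be present on the source
    dst: frozenset         # every label here must be present on the destination
    port: int
    cross_zone: bool = False   # must be True for a private<->public flow to match


def rule_matches(rule: Rule, src: Workload, dst: Workload, port: int) -> bool:
    """A rule applies only if port and labels match and, for a flow that
    crosses the private/public boundary, the rule explicitly allows that."""
    if port != rule.port:
        return False
    if not (rule.src <= src.labels and rule.dst <= dst.labels):
        return False
    if src.zone != dst.zone and not rule.cross_zone:
        return False
    return True


def evaluate(src: Workload, dst: Workload, port: int,
             rules: List[Rule]) -> Tuple[str, Optional[str]]:
    """Return ("allow", rule_name) for the first matching rule, else ("deny", None).
    Rules are directional: src->dst only."""
    for rule in rules:
        if rule_matches(rule, src, dst, port):
            return "allow", rule.name
    return "deny", None


def relocate(w: Workload, ip: str, zone: Optional[str] = None) -> Workload:
    """Model a workload moving to a new address or zone; labels are unchanged."""
    return replace(w, ip=ip, zone=zone or w.zone)


def audit(flows, rules: List[Rule]):
    """Evaluate a batch of (src, dst, port) flow records, e.g. from a flow log."""
    return [(s.name, d.name, p, evaluate(s, d, p, rules)[0]) for s, d, p in flows]


# Constructed inventory. shop-db and hr-db share a subnet on purpose: a
# subnet-based ACL could not separate them, a label-based rule can.
SHOP_WEB = Workload("shop-web-1", "203.0.113.10", "public",  frozenset({"app=shop", "tier=web"}))
SHOP_API = Workload("shop-api-1", "10.20.1.5",    "private", frozenset({"app=shop", "tier=app"}))
SHOP_DB  = Workload("shop-db-1",  "10.20.1.9",    "private", frozenset({"app=shop", "tier=db"}))
HR_WEB   = Workload("hr-web-1",   "203.0.113.20", "public",  frozenset({"app=hr",   "tier=web"}))
HR_DB    = Workload("hr-db-1",    "10.20.1.10",   "private", frozenset({"app=hr",   "tier=db"}))

RULES = [
    # Public web tier may reach the private app tier of the same app: crossing is explicit.
    Rule("shop-web-to-api", frozenset({"app=shop", "tier=web"}),
         frozenset({"app=shop", "tier=app"}), 8443, cross_zone=True),
    # App tier to its own database, private zone only.
    Rule("shop-api-to-db", frozenset({"app=shop", "tier=app"}),
         frozenset({"app=shop", "tier=db"}), 5432),
    # HR web to HR db, but without cross_zone: a public HR web server is still cut off.
    Rule("hr-web-to-db", frozenset({"app=hr", "tier=web"}),
         frozenset({"app=hr", "tier=db"}), 5432),
]

if __name__ == "__main__":
    flows = [(SHOP_WEB, SHOP_API, 8443), (SHOP_API, SHOP_DB, 5432),
             (SHOP_API, HR_DB, 5432), (SHOP_WEB, SHOP_DB, 5432),
             (HR_WEB, HR_DB, 5432), (relocate(SHOP_WEB, "198.51.100.7"), SHOP_API, 8443)]
    for rec in audit(flows, RULES):
        print(rec)
```

Running the block prints one verdict per constructed flow: the shop tiers talk only along the path the rules describe, the shop API is denied the HR database even though it shares a subnet with the shop database, the public HR web server is denied by the boundary even though a label rule exists for it, and the shop web server keeps its access after moving to a new address because nothing in the rule refers to its IP.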
Finally, besides firewalling and intrusion prevention, data leakage protection (DLP) and monitoring may be important, in either or both directions, to ensure that sensitive data does not cross cloud boundaries – again, to limit the damage or data loss from a breach confined to a single cloud environment.
In any case, having a comprehensive security strategy for the hybrid cloud, including a single pane-of-glass view of security management and policy across both private and public clouds, is essential for ensuring a consistent security posture for an organization, regardless of whether a given workload is running in an internal software-defined data center or on provider-hosted multi-tenant infrastructure.
Fortinet is the only company with security solutions for network, endpoint, application, data center, cloud, and access - designed to work together as an integrated security fabric to provide true end-to-end protection. Our purpose-built cloud security solution collaborates with key Fortinet products across a variety of cloud deployment models, while allowing for centralized management, open API integrations, metering consumption, cloud platform orchestration, and automation. And as malware is detected by a FortiGate firewall in the cloud, our Security Fabric shares that threat intelligence dynamically with the rest of the interconnected security infrastructure. This reduces the need for multiple touch points and redundant policies across cloud premises, and ensures governance over multi-layered security boundaries.