Industry Trends

Strategies and Use Cases for Private Cloud Security

By Vince Hwang | June 23, 2021

When cloud migration originally started, some organizations often adopted public cloud services because the costs for operating, designing, and maintaining private cloud deployments seemed unsustainable. However, as cyber criminals increasingly target public cloud services, organizations have started implementing private clouds as a place to manage sensitive information. According to the Flexera 2021 State of the Cloud Report, 87% of enterprises already have a hybrid public-private cloud strategy in place; it also found that the hybrid cloud industry is estimated to grow to almost $100 billion by 2023. As organizations begin to build out their hybrid cloud infrastructures, they must understand the different strategies and use cases for private cloud security solutions to protect their most sensitive data. 

What Are the Benefits of a Private Cloud?

For years, organizations have considered private clouds cost-prohibitive. However, as the nature of both private and public cloud security evolve, many companies are beginning to understand the inherent benefits that make the cost worthwhile. Additionally, if deployed correctly, a company can reduce the total cost of ownership while gaining greater control over sensitive data. 

Some reasons organizations choose to deploy a private cloud as part of an overarching hybrid cloud strategy include:

  • Performance: Monitor application performance and prevent downtime.
  • Customization: Align more closely with business objectives, company size, industry, and technical requirements.
  • Security and Privacy: Limit external access points and manage internally.
  • Compliance: Enhance governance over security controls to meet regulatory and industry standards.
  • Business Continuity: Maintain control over resources for continued availability.
  • Geographic Availability: Ensure availability and compliance across various locations.
  • Scalability: Leverage private cloud for predictable workloads to reduce total cost of ownership.

Creating a hybrid cloud strategy gives organizations a way to have the best of both worlds. They can leverage the agility and flexibility that public clouds offer for dynamic workloads. Meanwhile, they can reduce costs associated with ownership, security, privacy, and compliance for predictable workloads managing sensitive data.

Addressing Security in the Private Cloud 

When building a networking strategy, many organizations may wonder if the private cloud is more secure than the public cloud. While the answer is yes, private cloud technology is not perfect by any means. To maximize value from a private cloud or hybrid cloud strategy, organizations must understand the associated security risks. This includes: 

  • Full responsibility for security: Unlike the public cloud, which features a shared responsibility model, the entire security burden falls to the organization in the case of private cloud use.
  • Shifting workloads: Moving workloads between private and public clouds increases security risks, including misconfigurations. 
  • Security breaches: Misconfigurations can lead to security incidents within private cloud environments, such as data breaches. 
  • Lack of east-west visibility: Inability to monitor network traffic effectively. 

Even though private clouds offer more control over security and compliance issues, that control becomes a double-edged sword when mistakes happen. To fully secure their private cloud, organizations need visibility, control, and continuous monitoring capabilities to ensure security. 

Strategies for Effective Private Cloud Security 

To create a robust private cloud security strategy, organizations need to put the appropriate technical controls in place. 

North-South Advanced L7 Security Protection

Protecting north-south traffic - the network traffic moving into and out of the enterprise or data center - is the first step to enhancing private cloud security. However, network complexity and virtualization make this challenging. As a result, security teams find themselves struggling to find cost-effective and rapidly deployable solutions to keep projects on time and within budget. 

When looking to protect north-south traffic, organizations should consider a solution that can:

  • Offer protection from a broad array of network security threats.
  • Secure applications without impacting performance with high-speed private and encrypted networks.
  • Apply identity-based segmentation, micro-segmentation, and artificial intelligence (AI) to prevent advanced threats.
  • Incorporate integrations with cloud-native scaling services to reduce operational burdens.
  • Offer licensing and on-demand usage models.

Solutions that can manage these types of controls, like the Fortigate-VM, offer the visibility and control necessary to secure private clouds. 

Intent-Based Segmentation: East-West Advanced L7 Security Protection

Malicious actors increasingly focus on credential theft attacks before moving laterally within an organization’s networks (east-west traffic). Although organizations have used network segmentation to prevent this type of movement in the past, today’s network traffic now runs on the public internet using Software-Defined Networks (SDNs). Further, private clouds are highly virtualized and lack a static IP address, meaning that organizations can no longer segment by physical servers. 

Today, microsegmentation requires creating secure zones within data centers and cloud deployments that isolate and secure workloads individually. Some considerations when deploying east-west security include:

  • Policy-based firewall segmentation and controls across the cloud.
  • Automatic scalability on hypervisors that join the security cluster.
  • Ability to apply microsegmentation and control at the application layer.
  • Packet inspection for both encrypted and non-encrypted traffic, including user traffic between virtual machines (VMs).

Gaining visibility into application-layer traffic with solutions like the FortiWeb Web Application Firewall (WAF) provides visibility into and protection for virtualized platforms. 

Form Factor Consolidation

Private clouds come with significant front-end investments when compared to public clouds. To realize the long-term cost savings that make private clouds financially viable, organizations often choose virtual machines over hardware. 

To cost-effectively secure VMs, organizations need to move away from traditional hardware firewalls and security appliances that reduce efficiency and business agility. Additionally, to optimize private cloud deployments from both a cost and operational perspective, organizations should consider virtualized versions of these traditional network security tools. 

When doing this, organizations should consider solutions that:

  • Leverage continuous threat intelligence and AI to prevent and defend against attacks.
  • Partition a single physical network controller into multiple virtual interfaces.
  • Have a small footprint.
  • Boot up quickly.
  • Provide storage efficiencies.

Security Virtual Network Function (VNF)

VNFs manage network functions that run on VMs. Often, organizations use multiple VNFs to build out a full-scale networking communication service. 

VNFs offer different value to organizations depending on the industry. For example, technology services companies often use them to rapidly deploy new network services, increasing revenue. Meanwhile, other organizations use them as a way to reduce time to market for new initiatives. 

When organizations seek solutions to address their private cloud challenges, they should consider whether a VNF technology can enable more robust security. As part of this process, they should look for those that: 

  • Connect to orchestrators, like Amdocs, Nuage, and OpenStack.
  • Use SDN capabilities to create a service chain of connected network services.
  • Connect network services chaining into a virtual chain.
  • Incorporate an intrusion prevention system (IPS), antivirus, web filtering, Secure SD-WAN features, email security, WAFs, and sandbox analysis.

Security for the Mobile Core/Telco Cloud

Service providers offering virtualized infrastructures must provide their customers with the appropriate level of security to protect mission-critical data. For example, mobile network operators (MNOs) need to secure 4G and 5G mobile networks to meet service-level agreements (SLAs). As a result, security visibility and control will become value-added services that enable MNOs to differentiate themselves. 

To maintain compliance with SLAs, MNOs need solutions that enable them to provide end-to-end security visibility and control over the mobile infrastructure. As they look for security solutions, MNOs need to consider ones that provide: 

  • Capabilities for infrastructure protection and service availability and continuity.
  • Security gateway infrastructures that enable Radio Access Network (RAN) security
  • Security visibility into Multi-access Edge Computing (MEC) sites while enabling ultralow latency applications
  • Ability to connect non-3GPP access technologies like wireless local-area networks (WLANs) to the 3GPP core network.
  • Security for the mobile core, including 4G/5G layer 4-7 security, data plane security, core-to-RAN security with VPN scalability, and control plane to data plane security.
  • Security for private cellular networks that integrates into different points of the implemented architecture to ensure service availability and user plane data integrity.

Building security services into their offerings with solutions that have these capabilities, like FortiGate and FortiWeb, means that MNOs can provide more robust offerings. 

Compliance and Regulatory Requirements

Organizations must comply with laws, industry standards, internal controls, or some combination of all three. In highly regulated industries that manage large amounts of personal data, compliance may be the primary driver for deploying a private cloud. 

For example, organizations in the European Union might deploy a private cloud to meet the General Data Protection Regulation (GDPR) geographic data storage requirements. In other cases, organizations might deploy a private cloud as a way to protect data as required by standards or laws. The financial services organizations might want to secure cardholder data to meet Payment Card Industry Data Security Standard (PCI DSS), just as the healthcare industry needs to maintain electronic protected health information (ePHI) privacy to comply with the Health Insurance Portability and Accountability Act (HIPAA). 

To secure data and document compliance activities, organizations with a private cloud often use security incident and event management (SIEM) or security orchestration, automation, and response (SOAR) solutions. When seeking a solution that enables compliance monitoring and documentation, organizations should ensure that it includes the following capabilities:

  • Unidentified data collection and analytics from diverse sources, including logs, performance metrics, SNMP Traps, security alerts, and configuration changes.
  • Machine learning (ML) for user and entity behavior analytics (UEBA) to detect anomalous activity
  • User and device risk scoring
  • Real-time event correlations
  • Real-time, automated infrastructure and application discovery for physical and virtual infrastructures.
  • Dynamic identity and access mapping that incorporates users, roles, and contextual attributes.
  • Automated incident mitigation or elimination.
  • Network activity logging and reporting.

Solutions that provide these capabilities, like FortiSIEM and FortiAnalyzer, not only enhance security but provide the documentation necessary to prove governance, ultimately reducing audit costs. 

Streamlining Security, Network, and Cloud Operations

As organizations deploy and build out their private and hybrid cloud strategies, the number of security solutions will likely grow to a point where blind spots and complexity will be introduced into the environment. Often times, organizations will take the loss of visibility, security, and operational efficiency as an acceptable trade-off for the business value gained from moving to cloud. This is an extremely risky approach to adopt as even a momentary loss of control and visibility can result in a successful compromise that can undo any business benefits an organization might have gained through their cloud migration. And worst yet, this may even result in business loss or put an organization within the cross-hairs of legal and regulatory liabilities. 

To successfully deploy private, hybrid, and multi-clouds securely with speed and agility without compromise, organizations need to adopt a broad, integrated, and automated cybersecurity platform such as the Fortinet Security Fabric. The Fortinet Security Fabric is built from the ground up to provide organizations the ability to centralize management and visibility along with automated controls and responses across all edges within an organization. 

Fortinet for Private Cloud Security

Fortinet’s varied and robust set of solutions enable organizations, regardless of size or industry, to secure their private clouds more efficiently and cost-effectively. Private cloud deployments offer a myriad of benefits. They enhance security, enable performance monitoring, and help comply with increasingly stringent privacy and security mandates. However, to leverage these environments effectively, organizations also need to effectively secure their private clouds. With Fortinet’s wide array of offerings, organizations can choose the services that align with their security needs and business goals, building security into the fabric of their cloud strategy. 

Learn how Fortinet’s adaptive cloud security solutions provide the necessary visibility and control across cloud infrastructures, enabling secure applications and connectivity from data center to cloud.