Fortinet questions cloud security

Organizations migrating to the cloud should not assume that the hyperscalers they use are secure enough out of the box. Fortinet Consulting Cloud Architect John McDonough highlighted this in a recent webinar, citing Microsoft as a prime example of a provider whose built-in features might not really be good enough.

An article published in SDXCentral quotes McDonough as saying it is a misconception among those migrating to the cloud that it is a secure place simply because a large company provides it as a service. This is not always the case: these large companies only provide basic components, which the customer must assemble and secure itself.

He pointed out that Microsoft offers a firewall for its Azure cloud that comes with some major features, such as intrusion detection, transport layer security inspection and URL filtering by website category. However, Azure Firewall often needs add-ons before those features can be enabled, and its tools are merely adequate compared to solutions from pure-play security vendors.

A few things are missing

McDonough believes that intrusion prevention, botnet protection, SD-WAN support, data loss prevention, and virtual patching are among the other essential features organizations should look for in a firewall product, and these are currently not provided as a package.

To maintain a good security posture, organizations must protect not only what sits behind the firewall, but also the traffic that passes through it and the users who connect to it. That is why companies need all of the above to be part of their cloud security framework in order to keep all users safe.

There’s more to a firewall than…

In fact, one of the key considerations when choosing a firewall is application recognition, and this usually goes far beyond identifying an application's traffic pattern. Aiden Walden, senior director of consulting systems engineering at Fortinet, explains that companies need to understand the fundamental components of an application as well as the traffic patterns that evolve over time as it is used.

For example, layer four firewall protection filters on transport-layer ports, such as transmission control protocol (TCP) ports, which identify the virtual connection between the client host (where the browser runs) and the host where the server application runs. However, for critical applications such as ERP, port-based security may not be enough.

Both Walden and McDonough believe that because SAP uses ever-changing dynamic ports, the application does not really work well through the Azure firewall. Microsoft has a document on what to expect when running SAP and on how to further integrate network security groups, which should be studied carefully, they say.

McDonough thinks that while network security groups are a good foundation for a firewall, relying on them completely could be like trying to carry water in a basket. These groups contain security rules that allow or deny inbound network traffic to or from several types of Azure resources, and each rule can specify a source and destination, a port and a protocol.
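To make the rule semantics described above concrete, here is an added example (not code from the article, Fortinet or Microsoft) that models a simplified network-security-group inbound evaluation in Python: rules are checked in priority order, the first match decides, and anything unmatched falls through to the default deny. The rule names, subnet and port numbers are constructed; the example shows why a single fixed-port allow rule breaks a session that moves to a dynamically negotiated port, and what widening the port range to compensate also lets through.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    """One inbound NSG-style rule; '*' matches any source, port or protocol."""
    name: str
    priority: int      # lower number is evaluated first; first match wins
    source: str        # CIDR such as "10.1.0.0/16", or "*"
    dest_ports: str    # "3200", "3200-3399", or "*"
    protocol: str      # "TCP", "UDP", or "*"
    access: str        # "Allow" or "Deny"

def port_in_range(spec: str, port: int) -> bool:
    if spec == "*":
        return True
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)

def evaluate(rules, src_ip: str, dst_port: int, proto: str):
    """Return (rule name, access) of the first matching rule in priority order."""
    for r in sorted(rules, key=lambda r: r.priority):
        if r.protocol not in ("*", proto):
            continue
        if r.source != "*" and ipaddress.ip_address(src_ip) not in ipaddress.ip_network(r.source):
            continue
        if not port_in_range(r.dest_ports, dst_port):
            continue
        return r.name, r.access
    return "DenyAllInBound", "Deny"   # Azure's catch-all default inbound rule

# Constructed rule sets (hypothetical names and addresses)
OFFICE = "10.1.0.0/16"
STRICT = [Rule("AllowSapDispatcher", 100, OFFICE, "3200", "TCP", "Allow")]
WIDENED = [Rule("AllowSapRange", 100, OFFICE, "3200-3399", "TCP", "Allow")]

def simulate():
    """Evaluate constructed flows against the strict and the widened rule set."""
    flows = {
        "sap-fixed-port": ("10.1.5.7", 3200, "TCP"),     # dispatcher on its fixed port
        "sap-dynamic-port": ("10.1.5.7", 3301, "TCP"),   # port negotiated at run time
        "unrelated-service": ("10.1.9.9", 3306, "TCP"),  # something else inside the range
    }
    return {label: {"strict": evaluate(STRICT, *f)[1], "widened": evaluate(WIDENED, *f)[1]}
            for label, f in flows.items()}

if __name__ == "__main__":
    for label, result in simulate().items():
        print(f"{label:18} strict={result['strict']:5} widened={result['widened']}")
```

The strict set keeps the dynamic-port session from completing, while the widened set restores it at the cost of exposing every other listener in the range to the whole subnet, which is the gap application-aware inspection is meant to close.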

This is where SASE could make an impact

Both officials point to Gartner's term Secure Access Service Edge (SASE), which describes the convergence of networking and security delivered as a cloud service, as a possible solution for the future. This includes a security service edge, a cloud-delivered security suite that contains zero-trust network access, a cloud access security broker, a secure web gateway, and firewall as a service.

Walden believes companies need to think beyond their firewall choice and consider their entire enterprise security fabric. SASE can be an all-in-one solution, but the architecture should be defined by the needs of the organization. Where SaaS usage is high, SASE could be a great fit because it optimizes access to those SaaS services, he adds.
