Cloud Security and Governance – Mind the Security Gap
Workloads are migrating to the Cloud with…
A business’s network edge or perimeter was once easily defined. Everything aligned neatly with the Head Office and Branch Office egress points, and those points were the network edge. Traditionally a Firewall was deployed at each egress point and you were done: Network Edge or Perimeter protection was in place.
With the advent of Cloud Computing, an increasingly mobile workforce, choice of device and the consumerisation of applications, the perimeter of a network now looks very different.
Nowadays the edge is very difficult to define for most businesses, and edge protection has changed forever with the proliferation (and consumption) of cloud technologies. It is no longer a traditional boundary. This does not, however, mean that the traditional Firewall is dead.
The traditional perimeter
Securing the traditional perimeter or edge of the traditional network is still a core security requirement. The deployment of Next Generation Firewalls (NGFW) at these egress points is still considered an essential component of a defence in depth strategy. The Firewall has developed with the times: these devices are now aggregation points for Cloud and SD-WAN services in addition to the threat prevention and detection components they include.
There are a number of differentiating factors to consider when evaluating an NGFW, including:
- Intrusion Prevention System (IPS) Effectiveness
- Policy Management (Features and Granularity)
- Application Visibility
- User Visibility
- Integration and Aggregation capability and features for Mobile workforces
- Integration and Aggregation capability and features for SaaS, IaaS and other Cloud Services
- SSL Decryption options
- SD-WAN features and capabilities
- Security Orchestration and automation capabilities
- Threat Intelligence ingestion
Multiple Vendors and the “platform” sales pitch
Having multiple firewall vendors in a business can add to the complexity of the overall infrastructure and erode any savings initially delivered by the hardware mix. In most respects Secure-ISS recommend that businesses focus on one or two vendors for ease of management, monitoring and orchestration.
Having said that, we would also caution businesses in relation to the current platform pitch. Many vendors now look to sell an entire security operations platform. From a marketing and operational sense this is a great goal; however, the reality at present is that not all components within the platform are best of breed, and some have simply been bolted onto the platform.
How many Next Generation Features do you use?
Sales pitches aside, how many of these features are applicable to your business’s workloads and use cases? When considering a Firewall vendor, be sure to document your use cases and overlay the requirements with the remainder of your security architecture and solution set. In our experience businesses are not using all of the Next Generation features, and they should ensure that they are not purchasing subscriptions or features that have little or no value to the business, or that are not understood by the team deploying, managing and monitoring the solution.
Firewall as a Service
A trending approach to firewalls for branch offices, small offices and remote/mobile workers is a “Firewall as a Service” approach. This service provides a similar consumption-based model (with little or no physical hardware) with the goal of providing a simpler and more flexible architecture, leveraging centralised policy management, multiple enterprise firewall features and traffic tunnelling to partially or fully move security inspection to a cloud infrastructure.
When evaluating these services, organisations should note where the services are delivered from, as some vendors still do not deliver services out of Australia or the greater Asia Pacific region.
Firewall Management Services
Including Firewall management within a Managed Security Services framework provides a number of advantages to businesses of all sizes. These include access to skilled resources (addressing the current Cyber skills shortage) and assurance that your infrastructure is protected, that the solutions are working effectively across the business, that they are monitored and maintained, and that incidents are responded to on a timely basis. Secure-ISS provide a range of managed services for your edge and perimeter protection requirements.
To discuss your Edge protection requirements or overall security strategy, reach out to one of our team today.