In 2017, we collaborated on a study of over 300 industry IT professionals, asking them about cloud adoption and the benefits of maintaining the deployment of data and applications in the cloud. Our study found that, on average, respondents ran 44% of their infrastructure in the public cloud and intended to increase that to 75% over the next five years. In a 2017 McAfee study, organizations reported that they are using almost 80% of their IT budgets for cloud services and security. With adoption and growth this rapid, it is clear that firewalls specifically engineered for cloud deployment are essential to modern network security.
The Purpose of This Guide
We built this buyer’s guide to direct you towards an effective cloud-deployed firewall. We know how difficult it can be to understand the ins and outs of cloud security – our guide will educate you on the features you should look for when deciding on a network firewall deployed in the cloud.
Understanding Cloud Firewall Technology
Cloud firewalls are software-based, cloud-deployed network devices, built to stop or mitigate unwanted access to private networks. Being a new technology, cloud-deployed firewalls are designed for modern business needs like easy scalability, high availability, far-reaching extensibility, and versatile data migration. They integrate directly with modern security use-cases like SaaS protection and can secure data migration to cloud platforms like AWS, Azure, or GCP.
Cloud Firewall Deployment Options
The three major platforms for cloud services, AWS, Azure, and GCP, all have benefits and drawbacks. Each offers largely similar capabilities around computing, storage, and networking while sharing the most popular elements of a public cloud such as self-service, autoscaling, and integrated security features.
All of them operate under a shared security responsibility model, wherein the cloud provider is responsible for protecting the infrastructure they provide, and users are responsible for protecting their data and applications as they move to and from the cloud. As such, the need for a cloud firewall becomes apparent: with little exception, you are responsible for the protection of all your digital assets within any cloud provider's network.
Here is a brief overview of each of the most popular cloud providers:
AWS (Amazon Web Services)
Amazon’s strength lies in its popularity – with 60% of the market share, AWS holds a strong lead over its two competitors. Amazon provides a large variety of services and the strongest network of data centers worldwide.
Azure (Microsoft Azure)
Even though Microsoft arrived on the cloud market a little later on, its success (Azure boasts a 20% share of the market) stems from its translation of integral enterprise services to the cloud. Azure’s deep integration with Microsoft applications makes it an obvious choice for businesses with strong ties to Microsoft services.
GCP (Google Cloud Platform)
Even though Google has the smallest share of the market at 12%, they still have a strong offering, built around their knowledge of data and analytics.
When looking for a cloud firewall, you should consider one with the ability to integrate with each service, letting you centralize your security when deployed across multiple cloud providers. This is because, over time, many companies will choose to utilize two or more cloud services, and securing each of them individually can become challenging.
Shortcomings of Traditional Network Firewalls
If you’re transitioning from an on-premises infrastructure to one situated in the cloud or even a hybrid environment, you should understand exactly why a cloud-deployed firewall is the most effective solution for your needs. To start, there are several reasons why traditional network firewalls are not properly designed to protect your cloud or hybrid migration:
Poor Remote Connectivity
Even though firewall architectures based on custom hardware can provide high performance on large, centralized appliances, it’s very difficult for the features and performance of this hardware to effectively scale out to branch office firewalls while maintaining effective functionality and uptime during periods of high network traffic. That means even the most capable (and expensive) on-premises network firewall infrastructure will have trouble guaranteeing the security of your network across large geographic regions.
Lack of Scalability
Traditional network and data-center firewalls have considerable trouble when placed in a cloud environment. You'll find that there are vendors adapting existing firewall technology to build virtual deployments, but these systems come with significant performance and feature limitations. It's difficult to directly integrate them into cloud platforms, and they fail to take advantage of the many benefits of deploying in the cloud. In addition, they lack features like auto-scaling, high availability, and central monitoring, which all allow for easy scalability as a business grows.
Cloud firewalls were designed in part to mitigate the complexity of managing and maintaining distributed firewalls deployed across multiple regions. The benefits of cloud platforms are nullified by the IT overhead required to maintain parity between traditional network firewalls, whereas modern cloud firewalls are capable of being controlled through a central management system. This way, the complexity of your environment, whether hybrid or entirely cloud-based, doesn’t bog down your IT administrators and draw valuable resources away from other important parts of your organization.
Choosing the Right Cloud Firewall
Cloud firewalls are designed to protect your users and data regardless of what your infrastructure looks like. You need a cloud solution that can provide secure connections across multiple sites (on-premises or in the cloud) and a flexible pricing model, letting you save on infrastructure costs. While all cloud-deployed firewalls provide the same major benefits, there are numerous features that you should look for, so you can trust that your security infrastructure is doing everything it can to safeguard your network:
Intrusion Detection and Prevention
These detection systems are designed to enhance network security by providing complete and comprehensive real-time protection against a broad range of network threats, vulnerabilities, exploits, and exposures in operating systems, applications, and databases.
A modern intrusion detection system will protect your servers at the network layer and scan for threats such as stealth port scans or SQL injections. It should also be capable of comparing suspicious activity against an updated database of known threats. A highly effective intrusion prevention system takes everything a step further by automating the isolation of, and protection against, known threats, so you don’t have to wait for your IT administrator to take action.
DoS and DDoS Protection
The growth in the volume and efficacy of malicious network activity has made DoS and DDoS protection not only necessary but paramount for organizations that require high availability for their services. As an example of just how disruptive a DDoS attack can be, the longest DDoS attack in the last year lasted 297 hours.
If you’re at risk, you need to know your cloud firewall is capable of protecting against denial of service threats while also maintaining mission-critical network services and allowing approved data communication. A robust solution should provide an active monitoring system that automatically updates when new DDoS attacks arise.
By blocking access to malicious sites and servers, and detecting potentially infected clients, security threats can be blocked and infected clients can be isolated for remediation. A cloud firewall with effective protection can determine what domains are accessed by clients in the network, and monitor that traffic for suspicious activity. If you have a large organization, you can’t rely on filters to catch all malicious traffic – automated botnet and spyware protection can safeguard your network activity without major IT oversight.
Your cloud firewall should provide highly granular, real-time visibility into network activity, so you can create and adjust content and access policies. This level of security control protects user productivity and blocks malware downloads and other web-based threats.
With networks under constant threat from malware and other cyber attacks, it’s important that you’re shielding your internal network from malicious content, whether it’s email, web, or file related. Your system should be capable of detecting known threat signatures since you can’t always rely on your employees to recognize malicious files until it’s too late.
Remote Access Support
Modern organizations have employees working all over the world and on various devices. With BYOD policies enabling employees to use their personal devices away from the office, it’s important that your cloud firewall is capable of supporting a robust remote access system. The benefit of using cloud platforms is built on the idea that your data and infrastructure are accessible from anywhere, but this is only true when your security solution provides adequate protection for remote access.
An increasingly popular and cost-effective alternative to hardwired network connections and MPLS infrastructures, SD-WANs still require firewalls to secure network connections. You should look for a cloud firewall with built-in SD-WAN functionality; that way, you don’t need to support a separate system in order to guarantee fast, reliable connectivity across distributed networks.
The complexity of business networks requires a firewall solution capable of managing bandwidth resources while constantly checking for possible threats. A sophisticated cloud firewall should be capable of balancing existing session activity, so that network bandwidth usage isn't throttled.
The Importance of Cloud Firewalls
A modern and appreciable approach to data and application security in the cloud is complex. To start, you should look for a cloud firewall designed to optimize the performance and management of your network and to effortlessly scale across any number of locations and applications. It should provide full protection for your entire network perimeter, and maintain the same level of protection while your operation grows.
Barracuda Products for Cloud Firewalls
Barracuda CloudGen Firewalls are a family of hardware, virtual, and cloud-based network firewalls that protect and enhance your dispersed network infrastructure. Designed for cloud integration, they provide VPN clients for both desktop and mobile users. In addition, highly granular access control--which can be defined both by users and applications--hardens your organization's security when running mission-critical apps in the cloud.