Migrating to the Cloud? Don’t Forget Your Firewalls
Running workloads in the cloud gets rid of a lot of work and some risk, but you might be surprised how many firewalls you’ll end up with in the cloud if you follow best practice. Cloud providers make this point directly. Consider a couple of quotes from the same Azure technical article:
Although Microsoft invests heavily in protecting the cloud infrastructure, customers must also protect their cloud services and resource groups. A multilayered approach to security provides the best defense. A perimeter network security zone protects internal network resources from an untrusted network. A perimeter network refers to the edges or parts of the network that sit between the Internet and the protected enterprise IT infrastructure.
The article describes classic network controls in an on-prem enterprise network.
As customers move their workloads to public clouds, it is critical to support similar capabilities for perimeter network architecture in Azure to meet compliance and security requirements.
When we start using the cloud, it’s up to us to address these risks:
- Direct attacks from the Internet on resources in the cloud
- Infiltration of the on-prem network from compromised resources in the cloud, over:
  - Dedicated connections (e.g. Azure ExpressRoute and AWS Direct Connect)
  - VPN connections
  - Cloud application gateways
- Attacks on cloud-based workloads from compromised endpoints in the on-prem network
Cloud and firewall providers have been quick to identify this as a market and there is a plethora of virtual network security gear you can deploy including:
- Built-in network security controls (e.g. Network Security Groups in Azure virtual networks)
- Cloud firewalls (e.g. Azure Firewall)
- Network virtual appliances from well-known next-gen firewall (NGFW) vendors offered in cloud marketplaces. These let you quickly spin up a traditional NGFW product on a pre-configured VM, and you can potentially use the same firewall vendor in the cloud and on-prem.
- Firewall Infrastructure-as-a-Service offerings like Check Point CloudGuard, which are delivered and run as part of the cloud infrastructure rather than as a VM
In this webinar we will explore the expanding requirements for network controls (i.e. firewalls) as more workloads are spun up in the cloud and your network infrastructure becomes more dispersed. Here are a few questions we’ll answer:
- Is cloud network security just a matter of more firewalls, or are there nuances specific to cloud workloads?
- How to spot potential and unintended:
  - Pathways to vulnerable cloud resources
  - Cross-premise pathways
  - “Worm-holes” into highly secure on-prem resources
  - Ways to bypass perimeter boundaries
- When should you implement multiple tiers to secure cloud workloads?
- When are built-in security features (like Azure Network Security Groups) enough, and when do you need more?
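One concrete way to start answering the last two questions is to audit the NSG rule set itself for unintended Internet-facing pathways. The script below is an added example, not code from the original page or from FireMon; it evaluates rules the way Azure does (lowest priority number first, first match wins, implicit deny for Internet sources when nothing matches) and reports which management ports end up reachable from any Internet address. The rule layout mirrors what `az network nsg rule list -o json` returns (camelCase keys), and both rule sets are constructed for illustration: a weak set with a catch-all allow, and a hardened set that only admits web traffic.

```python
"""Audit Azure NSG inbound rules for ports exposed to the whole Internet.

Added example (not from the original page). Rule dicts follow the shape of
`az network nsg rule list -o json`; the sample rule sets are constructed.
"""

# Source prefixes that mean "any Internet address" in NSG terms.
ANY_SOURCE = {"*", "Internet", "0.0.0.0/0", "::/0"}

# Ports that should never be reachable from arbitrary Internet sources.
MANAGEMENT_PORTS = {22, 3389, 5985, 5986, 1433, 3306, 5432, 6379, 27017}


def port_set(rule):
    """Expand destinationPortRange / destinationPortRanges into a set of ints.
    Returns None when the rule covers all ports ('*')."""
    ranges = list(rule.get("destinationPortRanges") or [])
    if rule.get("destinationPortRange"):
        ranges.append(rule["destinationPortRange"])
    ports = set()
    for r in ranges:
        if r == "*":
            return None
        if "-" in r:
            lo, hi = (int(x) for x in r.split("-", 1))
            ports.update(range(lo, hi + 1))
        else:
            ports.add(int(r))
    return ports


def sources(rule):
    """Collect both the singular and plural source prefix fields."""
    prefixes = list(rule.get("sourceAddressPrefixes") or [])
    if rule.get("sourceAddressPrefix"):
        prefixes.append(rule["sourceAddressPrefix"])
    return prefixes


def rule_matches(rule, port, protocol):
    """Does this inbound rule apply to a packet from an arbitrary Internet
    address on the given port/protocol? Rules with narrow sources (a single
    office range, the VirtualNetwork tag) do not cover 'anyone', so they are
    ignored for both Allow and Deny decisions."""
    if rule.get("direction") != "Inbound":
        return False
    proto = rule.get("protocol", "*")
    if proto != "*" and proto.lower() != protocol.lower():
        return False
    if not any(p in ANY_SOURCE for p in sources(rule)):
        return False
    ports = port_set(rule)
    return ports is None or port in ports


def internet_exposed_ports(rules, protocol="Tcp", ports=MANAGEMENT_PORTS):
    """Return {port: rule_name} for ports an arbitrary Internet host can
    reach. Azure evaluates by ascending priority and stops at the first
    match; the built-in DenyAllInBound (65500) catches everything else,
    so 'no match' is treated as denied."""
    ordered = sorted(rules, key=lambda r: r["priority"])
    exposed = {}
    for port in sorted(ports):
        for rule in ordered:
            if rule_matches(rule, port, protocol):
                if rule["access"] == "Allow":
                    exposed[port] = rule["name"]
                break  # first match wins, whether Allow or Deny
    return exposed


# Constructed sample: a Deny for RDP sits first, but a later catch-all Allow
# still exposes every other management port to the Internet.
WEAK_RULES = [
    {"name": "deny-rdp-internet", "priority": 100, "direction": "Inbound",
     "access": "Deny", "protocol": "Tcp", "sourceAddressPrefix": "Internet",
     "destinationPortRange": "3389"},
    {"name": "allow-ssh-from-office", "priority": 110, "direction": "Inbound",
     "access": "Allow", "protocol": "Tcp", "sourceAddressPrefix": "203.0.113.0/24",
     "destinationPortRange": "22"},
    {"name": "allow-web", "priority": 120, "direction": "Inbound",
     "access": "Allow", "protocol": "Tcp", "sourceAddressPrefix": "Internet",
     "destinationPortRanges": ["80", "443"]},
    {"name": "allow-any-inbound", "priority": 200, "direction": "Inbound",
     "access": "Allow", "protocol": "*", "sourceAddressPrefix": "*",
     "destinationPortRange": "*"},
]

# Hardened variant: the catch-all is gone; only web traffic is admitted from
# the Internet and SSH stays restricted to the office range.
HARDENED_RULES = [r for r in WEAK_RULES if r["name"] != "allow-any-inbound"]

if __name__ == "__main__":
    for label, rules in (("weak", WEAK_RULES), ("hardened", HARDENED_RULES)):
        print(label, internet_exposed_ports(rules))
```

Running it reports every management port except 3389 as exposed by `allow-any-inbound` in the weak set, and nothing in the hardened set. The priority handling is the part worth keeping: a Deny rule only protects what sits below it, and a catch-all Allow anywhere in the list quietly reopens everything that was not explicitly denied earlier.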
We will also discuss the need to keep all this straight, understood, consistent, and with the configuration accurately reflecting your security intent. Managing all your on-prem firewalls is challenging enough, let alone the cloud. And that’s where our sponsor, FireMon, comes in. Tim Woods will briefly discuss where FireMon is headed to support your cloud security efforts and how the key tenets of security intent figure into the equation.