Before the "cloud-ification" of IT, firewalls managed most security issues. Putting in a firewall to allow insiders access to data inside the company, while keeping outsiders out, covered most bases. But when companies use a combination of virtual servers in a third-party data center, mobile devices with access to company data, and an infrastructure-as-a-service arrangement to handle peak traffic loads, do firewalls still make sense?
Yes, but they need help. "Firewalls only protect things inside the perimeter," says Carson Sweet, co-founder and CEO of San Francisco-based CloudPassage Inc., a cloud security and compliance automation provider. "They can't do anything for systems running outside that firewall." CloudPassage protects about 10,000 new devices per month, says Sweet, by "deploying security within individual devices like cloud servers, Web servers, and even hardware in the data center." Identity-based security options, such as two-factor authentication and intrusion prevention systems, must be put to work alongside firewalls.
"Traditional firewalls are a challenge to be integrated appropriately today," say Pete Lindstrom, principal and vice president of research for Spire Security, an analyst firm. "Identity-based security, virtual private networks, and encryption have become more important in the cloud-based architecture."
Sweet agrees. "Security used to be relatively static and all behind the firewall," he says. "But there's been a huge change in the last five years, and change is the enemy of security and compliance. Companies now have multiple applications that spin up at Amazon and Rackspace, often by business units [creating] their own virtual servers rather than IT."
A Complicating Factor
The rise of bring-your-own-device programs further complicates security. Internally, those using Wi-Fi will be inside the firewall. Mobile devices used outside the company connect by default to cloud-based resources, completely bypassing firewalls. "Firewalls do more these days, with universal threat management, Web application firewalls, and network layer firewalls," says Lindstrom. "These are incredibly useful in cloud-based and hybrid environments."
To keep information safe, plan your data locations, suggests Lindstrom. "Don't use the cloud as a data repository for sensitive data," he says. "Moving intellectual property files into the cloud makes me nervous. Understand the flow of data, where the users are, and where the data is stored."
"Consider the way companies use configuration management automation tools," says Sweet, "and look for a security automation tool." CloudPassage's Halo product builds security into master virtual machine images so security "rolls out automatically, all within 60 seconds of booting up. Then you can manage by exception. Administrators and database admins can't touch anything until the two-factor authentication process finishes. The goal is to take the emotion out of this, make it economically feasible, and build in automation and compliance."
Advice for Resellers
"Understanding what products to put in front of customers is important for resellers," Sweet says. Clients wanting to leverage third-party cloud providers such as Amazon and Rackspace need identity-based security for those hybrid clouds, he says. Financial services firms and pharmaceutical companies, for example, rely on hybrid clouds to add or decrease capacity during projects while they avoid buying hardware. Likewise, software companies often use hybrid clouds to scale as their customer base grows. Such "cloud disruption" means resellers must be ready to secure hybrid cloud projects for their customers.
A variety of vendors provide identity-based security tools, including Covisint Corp., NetIQ Corp., The Dot Net Factory LLC, OneLogin Inc., and Ping Identity Corp. In addition, IBM, RSA, CA Technologies, and Oracle include identity-based management tools in their catalogs.
"No one thinks firewalls aren't fading," says Lindstrom, "but few folks would take firewalls out of their network. Firewalls are protecting systems talking to systems and all the other back-end activity. Bottom line, we talk about portfolios of security controls. You need to take into account distributed access and trust-based controls. Identity-based security tools give you more flexibility for protection."
Lindstrom adds, "Resellers should be boning up on security architectures so they can give good advice to their clients. They need to be thinking more about integration than just selling products."