Protecting your data in the cloud, with FortiGate in the cloud
Fortinet
A Next-Generation Firewall (NGFW) is the cornerstone for securing your cloud workloads and data. A true NGFW must provide the necessary security tools to ensure that legitimate traffic is properly routed and illegal traffic is blocked. It must also be able to scan traffic for attacks, identify malware, block phishing attempts and prevent data loss. Whether an organisation's computing is on-premises, in a cloud or across multiple clouds, a next-generation firewall is essential to building a strategy to defend against cyberattacks. And for businesses operating a hybrid network, choosing an NGFW solution that provides consistent protection across the distributed network is especially important.
Of course, a firewall, however powerful, is only one component in building a secure infrastructure. However, this infrastructure must at least be able to provide comprehensive visibility and control. For this reason, companies that want to stay ahead of cybercrime should not focus on buying more point products and services, but rather develop a platform approach that supports consistent and clearly defined security policies across clouds and data centres. A suitable platform approach, such as the Fortinet Security Fabric, should support all the security tools needed to implement system-wide policies, such as Zero Trust Network Access, along with centralised management, monitoring and analysis of security policies and events.
Microsoft recently recognised the need for a next-generation firewall and introduced its latest security offering, Azure Firewall Premium. However, customers who want to protect their applications and data in the Azure cloud should think carefully before using Microsoft's latest offering.
The cloud does not exist in a vacuum - neither should your firewall.
Gartner famously predicted that by 2023, 99% of security failures would be due to human error. While this figure may seem high, the point is well taken. Whether 99%, 75% or 50% of security failures are due to human error, security is a difficult, often complex endeavour where mistakes are easily made. For this reason, most security experts argue against the proliferation of individual security tools, preferring an integrated and interactive security framework that provides unified security management and consistent visibility across clouds and data centres.
Organisations should consider the bigger picture and require security tools that work across platforms and clouds to secure computing across all platforms - whether on-premises or in the cloud. This is where Fortinet's industry-leading NGFWs - as part of the Security Fabric - stand out from other firewalls in the industry that are just another point product that does not provide end-to-end security, such as the recently released Azure Firewall Premium.
Who do you trust with your most valuable assets in a cloud?
Your business lives on data and applications. Even a simple security breach can cost millions. So when it comes to security, reputation and experience should play an important role in choosing the tools that protect your most valuable assets. Third-party testing, analyst reports, customer reviews and leadership quadrants help companies distinguish real functionality from marketing hype. And seasoned developers with years of experience can ensure that a solution is sufficiently mature. In addition, most leading NGFW vendors complement their solutions with threat intelligence feeds and partnerships with third-party developers. They participate in threat development and sharing forums and work closely with law enforcement and threat researchers. The preeminent vendors offer a portfolio of solutions enhanced with features such as artificial intelligence and machine learning, as well as advanced services such as access control and traffic shaping, and are designed to work together regardless of their deployment location or form factor.
This raises the serious question of whether an organisation should entrust its critical data to the fledgling version of a point-based security product that has yet to be tested by most independent labs and analysts. Azure Firewall Premium was not included in Gartner's Critical Capabilities for Network Firewalls, and its ranking in Gartner's most recent Magic Quadrant for network firewalls was hardly stellar. Beyond that, there is little to go on. If your data and workloads are truly mission-critical, you should rely on better-established products that have proven themselves in years of real-world testing on the front lines of today's cyber battlefields.
What sets an enterprise-class NGFW apart?
An NGFW is only as good as its ability to deliver the wide range of tools organisations need to protect their business. And in today's rapidly evolving threat landscape, that means advanced technologies that keep your business one step ahead of cybercriminals. Below are just some of the technologies Fortinet provides that have become critical to many businesses:
TLS inspection: with TLS inspection, you can decrypt TLS traffic to examine it for hostile actions, malware or sensitive data. To support evolving business innovations, inspection should support both TLS 1.2 and 1.3. Inspection should also be two-way: while inspection of outbound encrypted traffic is essential, inspection of inbound traffic is equally important. For example, scanning inbound SSL/TLS traffic can detect malicious content sent from a client to a targeted network server - a common step in many cyberattacks. Azure Firewall Premium, for example, neither supports TLS 1.3 nor can it inspect incoming traffic.
Intrusion Prevention Service (IPS): IPS is critical for detecting attacks and malware used by cybercriminals to steal data, disrupt operations, infect systems and transmit malicious payloads. The first IPS systems did this by matching attack patterns against a list of known signatures. But sophisticated attackers learned that they could modify attacks to achieve their goals without triggering an IPS signature. So IPS vendors developed the ability to monitor behaviours and added application awareness and application control services to detect new malicious activity. Other firewalls on the market, such as Azure Firewall Premium, only offer signature-based IPS capabilities, meaning that more sophisticated attacks cannot be detected and blocked.
Sandboxing: A true enterprise-class NGFW solution requires a fully integrated sandboxing solution to provide real-time analysis of unknown or untrusted programs and traffic and prevent zero-day attacks. Although sandboxing has been an essential component of any NGFW solution for years, many firewalls, such as Azure Firewall Premium, do not offer integrated sandboxing.
Secure SD-WAN: Many organisations rely on SD-WAN to allow remote users to access critical data and applications in the cloud. But that is just one use case for SD-WAN. SD-WAN is also used to create dynamic intra-cloud, cloud-to-cloud and cloud-to-data-centre connections. However, adding security to these connections as an overlay is often expensive and time-consuming. The most effective SD-WAN solutions address this challenge by including a fully integrated suite of advanced security solutions, so that protection can adapt to the dynamic nature of most SD-WAN use cases. Secure SD-WAN running on an NGFW platform is an ideal solution. However, other products, such as Azure Firewall Premium, do not offer a Secure SD-WAN option, although SD-WAN is often used to access and connect to services on those vendors' platforms.
Bot protection: Anti-botnet services prevent botnets and other threats from communicating with command-and-control servers. They also identify specific strings, sensitive data (e.g. project code names) or data match patterns (credit card, driver's licence or passport numbers) that could indicate the exfiltration of sensitive data.
Data Loss Prevention (DLP): The ability to identify sensitive data in transit and block its extraction is critical for many organisations to meet certain internal security and compliance requirements. Most native cloud firewalls, including Azure Firewall Premium, lack DLP functionality.
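As an added illustration of the pattern-based detection that the bot-protection and DLP paragraphs above describe, here is a minimal scanner that flags Luhn-valid card numbers and watched project code names in outbound payload fragments. This is example code written for this article, not Fortinet's implementation; the card-number regex, the Luhn check, the code-name list and the sample payloads are all constructed assumptions.

```python
import re

# Constructed sample of outbound payload fragments (not captured traffic).
SAMPLE_PAYLOADS = [
    "order confirmed, ref 2024-118",
    "card=4111111111111111 exp=12/27",       # well-known Luhn-valid test number
    "card=4111 1111 1111 1112",               # 16 digits but fails Luhn
    "Project Nightjar design doc attached",   # constructed internal code name
    "phone 1234567890123456 please",          # 16 digits, fails Luhn
]

# Constructed watch-list of internal project code names (lower-cased).
CODE_NAMES = {"nightjar", "bluecrane"}

# 13 to 19 digits, optionally separated by single spaces or hyphens.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits: str) -> bool:
    """True when the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_cards(text: str) -> list:
    """Return normalised digit strings that look like card numbers and pass Luhn."""
    hits = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(digits)
    return hits


def find_code_names(text: str) -> list:
    """Return watched code names present in the text, case-insensitively."""
    words = set(re.findall(r"[A-Za-z]+", text.lower()))
    return sorted(words & CODE_NAMES)


def scan_all(payloads=SAMPLE_PAYLOADS) -> list:
    """Return one finding per payload that contains a card number or code name."""
    findings = []
    for p in payloads:
        cards, names = find_cards(p), find_code_names(p)
        if cards or names:
            findings.append({"payload": p, "cards": cards, "code_names": names})
    return findings
```

A production DLP engine would apply the same idea per policy to decrypted flows (which is why the TLS inspection discussed above matters) and would use far richer validators than a single checksum.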
Today's NGFW: good enough is never good enough
This is by no means a comprehensive list of the critical NGFW features and functions that today's NGFW solutions must provide. However, it is sufficient to illustrate the challenges of using immature, unproven and isolated stand-alone solutions to protect your critical digital assets. Any solution that lacks the essential features and functionality required for comprehensive security is also likely to miss the threats that are targeting your workloads and data. And that is never good enough.
If you are interested in a Fortinet FortiGate Firewall, we would be happy to advise you. Contact us for a free initial consultation via our phone number, email address or contact form.