10 Criteria to Evaluate Your Cloud Network Security Solution
As organizations expand their cloud adoption and business-critical use cases, security of their cloud infrastructure often becomes more complex. For this reason, analysts and advisors recommend that organizations take a unified, multilayer approach to protect their cloud deployments and ensure a robust cloud security posture. Approaches like the one just mentioned have eased security concerns, as cited in a recent Forrester study that stated cloud security confidence is a leading driver for adopting more cloud services.
Figure 1: The Multiple Layers of a Unified Cloud Native Security Platform
Based on the shared responsibility model, at the infrastructure layer (IaaS), cloud providers are responsible for securing their compute-network-storage infrastructure resources. This leaves cloud users responsible for protecting the data, apps and other assets deployed on the infrastructure. Cloud providers offer a number of tools and services to help users uphold their end of the shared responsibility model, and they are important elements of any cloud network security solution. However, cloud providers are not security specialists, nor do they address multicloud infrastructures, therefore additional security solutions beyond those tools and services are required to achieve enterprise-grade network security.
A key foundational layer is cloud network security. Here, organizations often deploy virtual security gateways to provide advanced threat prevention, traffic inspection and micro-segmentation. These solutions include multiple layered security technologies such as firewall, intrusion prevention system (IPS), application control, data loss prevention and others.
This article describes 10 criteria that are essential when examining and choosing a cloud network security platform for your cloud deployment. It explains how you can ensure that vendor solutions have the capabilities that are important to your organization’s success and security.
1. Does It Offer Advanced Threat Prevention and Deep Security?
Threat detection is not enough to effectively protect cloud assets in today’s complex cybersecurity landscape. This is because detecting a threat after it has breached the corporate network exposes the organization’s assets to unacceptable levels of cybersecurity risk.
You need multilayered, real-time threat prevention for both known and unknown (zero-day) vulnerabilities. The solution must deliver deep security through features such as granular and deep traffic inspection, enhanced threat intelligence and sandboxing that isolates suspicious traffic until it is either validated or blocked. This will allow you to capture and neutralize the threat before penetrating the network. In addition, these advanced capabilities must be deployed on both north-south (incoming/outgoing) and east-west (lateral) traffic.
2. Is the Solution Borderless?
Security teams cannot deliver enterprise-grade protection with a fragmented stack comprised of vendor-specific or environment-specific security tools. The solution must run transparently and consistently across even the most complex multicloud and hybrid (public/private/on-prem) environments. A unified management interface, sometimes called a “single pane-of-glass,” should provide a single source of cloud network security truth, as well as a centralized command and control console.
3. Is There Granular Traffic Inspection and Control?
Without deep traffic inspection, organizations are easy prey to evasion techniques that attempt to carry out unauthorized actions through seemingly legitimate access points. Look for next-generation firewall (NGFW) capabilities, such as fine-matching granularity that goes beyond basic whitelisting, deep inspection to ensure that traffic matches the purposes of the allowed ports, advanced filtering based on URL addresses and controls at not just the port level, but the application level as well.
4. Is There Automation?
Any cloud solution that does not enable high levels of automation will be impossible to support, and customers will abandon it. To match the speed and scalability of DevOps, the solution must support high levels of automation, including programmatic command and control of security gateways, seamless integration with CI/CD processes, automated threat response and remediation workflows, and dynamic policy updates that don’t require human intervention.
5. What Is the Integration Experience and Is There Ease of Use?
Integration is critical to a number of other considerations described here, such as enabling borderless operations and increasing visibility. It plays an important role in creating a cross-functional cloud security platform that addresses not only infrastructure security, but also application security, cloud security posture management and more.
Therefore, the solution must work well with your company’s configuration management stack, including support for infrastructure-as-code deployments. In addition, the solution has to be deeply integrated with the cloud providers’ offerings. In general, your goal should be to streamline operations and promote ease of use by minimizing the number of point security solutions that have to be deployed and managed separately.
6. Is There Adequate Visibility and Observability?
You can’t secure what you can’t see. The solution’s dashboards, logs and reports should provide end-to-end and actionable visibility into events as they are happening. For example, logs and reports should use easy-to-parse cloud object names rather than obscure IP addresses. This visibility is also important for enhanced forensic analytics should a breach take place.
7. Is the Solution Scalable and Has Secure Remote Access?
In a world of highly distributed and mobile workforces, remote access to the corporate network that is both secure and performant is a must-have. The solution must secure remote access to the company’s cloud environment, with features such as multifactor authentication, endpoint compliance scanning and encryption of data-in-transit. Remote access must also be able to scale quickly, so that during times of disruption, such as the COVID-19 pandemic, any number of remote employees can work productively yet securely.
8. Is There Context-Aware Security Management?
With asset, change and configuration management frameworks playing a central role in vulnerability remediation efforts, your security platform must be able to seamlessly publish changes and adapt in real time to all relevant security policies. The cloud network security solution must be able to aggregate and correlate information across the entire environment — public and private clouds as well as on-premises networks — so that security policies can be both context-aware and consistent. Changes to network, asset or security group configurations should be automatically reflected in their relevant security policies.
9. What Vendor Support Is Offered and Industry Recognitions?
In addition to the features and capabilities of the solution itself, it is also important to take a close look at the vendor. Look for impartial recommendations to seek out a vendor that can drive your cloud security strategy forward with the capacity to adapt and scale to your ever-changing business requirements. Consider questions such as:
- Is it highly rated by independent industry analysts and third-party security testing companies?
- Can it meet your SLAs?
- Does it have a proven track record?
- Can it provide added value, such as network security advisory services? Can it support your global operations?
- Is it committed to innovation so that its solution will be future-proof?
- Is its software mature, with few vulnerabilities and does it deliver timely fixes?
10. What Is the Total Cost of Ownership?
You want your cloud security platform to streamline operations, optimize workflows and reduce costs, while enhancing your security posture. Determine the total cost of ownership by looking at the flexibility of the licensing model, the extent to which the cloud security platform integrates with and leverages existing IT systems, the level and scope of personnel required to administer the system, the vendor’s MTTR and availability SLAs, and more. The last thing you want is to be surprised by hidden infrastructure, personnel and other costs that emerge only after the system is up and running.
Conclusion
Organizations moving to the cloud need the ability to control their own data and keep it private, protect themselves from cyber threats and securely connect their cloud with their traditional on-premises network — all while maintaining compliance with regulatory mandates. Adopting a cloud network security solution that meets these requirements and integrates seamlessly with their cloud provider will help organizations remain protected in an increasingly complex threat environment.