Prtecting the Clud Frtinet Technlgies and Services that Address Yur Clud Security Challenges
FORTINET Prtecting the Clud Page 2 Intrductin 3 Which Clud t Chse? 3 Public Cluds 3 Private Cluds 4 Hybrid and Cmmunity Cluds 5 Clud Security Cncerns 6 Securing Data Entering and Leaving the Clud 6 Securing Data in the Clud 6 Vulnerabilities and the Clud 6 Enabling Custmers t Build and Maintain Secure Cluds 7 Frtinet s Multi-Tenant Architecture 7 Easier Administratin 7 Cntinuus Security 7 Savings in Physical Space and Pwer 7 Virtualized Prducts 8 Unmatched Prtectin 8 FrtiGuard Services 9 Frtinet Secures the Breadth f Deplyment Optins in the Clud 10 Hsted Services 10 Sftware Defined Netwrking 10 Cnclusin 11
FORTINET Prtecting the Clud Page 3 Intrductin Given the cnstant pressure that CIOs are under t imprve the return n investment (ROI) and reduce the ttal cst f wnership (TCO) f IT slutins, it shuld cme as n surprise that the clud has becme ne f the mst talkedabut tpics in the industry. Fr example, the majrity f 2012 predicatins made by Gartner 1 invlved the clud in sme way. Sme ntable Gartner predictins include: By 2015, lw-cst clud services will cannibalize up t 15 percent f tp utsurcing players' revenue. By 2016, 40 percent f enterprises will make prf f independent security testing a precnditin fr using any type f clud service At year-end 2016, mre than 50 percent f Glbal 1000 cmpanies will have stred custmer-sensitive data in the public clud. These far-reaching predicatins illustrate bth the imprtance that cmpanies are placing n clud-based services as well as the challenges they face in securing thse services. Organizatins f all sizes are bth excited by the pprtunities the clud prvides and cncerned abut the challenges psed by mving data and applicatins t the clud. In spite f the ptential fr increased ROI and lwer TCO, securing data in the clud is ften cited as the number-ne cncern by IT prfessinals lking t take advantage f clud based services 2. This paper will explre the security cnsideratins assciated with mving t the clud and discuss the key challenges assciated with public and private cluds. It will als describe the technlgies necessary t amelirate current cncerns regarding security in the clud. Lastly, this paper will discuss Frtinet s ability t secure data mving t, frm, and inside an rganizatin s clud infrastructure. Which Clud t Chse? The first issue t cnsider as yu lk twards the clud is which architectural apprach yu want t take in adpting clud services. The classes f clud architecture are private, public, cmmunity, and hybrid. Public Cluds Public cluds are available t any rganizatin, and a variety f well-knwn vendrs including Micrsft, Rackspace, Symantec, and Amazn prvide these public clud envirnments. They are designed t prvide the fllwing benefits: Scalability - Users have the ability t access additinal cmpute resurces n-demand in respnse t increased applicatin lads. Flexibility Public clud prvides flexible, autmated management t distribute the cmputing resurces amng the clud's users. Reliability and fault-tlerance - Clud envirnments can take advantage f their large number f servers by enabling applicatins t utilize this built- in redundancy fr high availability and redundancy. Utility-based cmputing - Users nly pay fr the services they use, either by subscriptin r transactinbased mdels. 1 http://www.gartner.cm/technlgy/research/predicts/ 2 http://searchcludsecurity.techtarget.cm/news/2240031767/clud-cmpliance-clud-encryptin-tpenterprise-security-cncerns
FORTINET Prtecting the Clud Page 4 Shared resurces - By enabling the cnslidatin f IT resurces, multiple users share a cmmn infrastructure, allwing csts t be mre effectively managed. CAPEX savings - Because the vendr is prviding all the hardware, sftware, supprt, security, and high availability fr the infrastructure, the rganizatin pays nly t use the service, saving significant capital expenditures. In spite f the many advantages f a public clud, yu still need t exercise cautin befre mving t a public clud. The primary cncerns arund public cluds are: Data access and cntrl Whenever data mves utside the walls f the rganizatin, cncerns ver the privacy and security f the data will cme up. While many clud prviders have extensive security measures deplyed in their datacenters, it is imprtant t research ptential clud prviders and fully vet their data security practices t ensure they are best f breed. The Clud Security Alliance (CSA) prvides guidance arund bth gvernance and peratinal areas that shuld be evaluated befre mving t the clud 3. Vendr lck-in Once yu mve yur data and applicatins t the clud, it can becme very difficult t mve away frm that prvider. T reduce this risk, administratrs shuld investigate the prcess fr extracting data frm the clud service prvider and structure their data in a way t expedite a future transitin t anther prvider if necessary. Regulatry cmpliance Sme cmpliance bdies have nt updated their standards with prvisins fr clud-based data. This des nt necessarily prevent yu frm mving yur rganizatin s data and applicatins t the clud, but yu must investigate whether a clud prvider s infrastructure, prcesses, data access and strage plicies meet yur cmpliance requirements. Anther ptin is t ask ptential clud prviders if they have cmpanies with similar cmpliance issues using their service, and investigate hw thse cmpanies have satisfied cmpliance and audit requirements. Reliability In thery, public cluds ffer higher availability than traditinal premise-based netwrks because the vendr is prviding SLAs arund this availability and has a financial interest in delivering it. Unfrtunately, even public cluds if nt designed prperly can fail, leaving custmers withut access t their wn data and applicatins. Custmers must be very familiar with the service level agreements f their prvider and shuld have plans in place t address any utage. Ultimately, clud-based services can help yu better manage yur rganizatins cmputing resurces by prviding flexibility and scalability. There are numerus examples f rganizatins using public cluds t quickly stand up applicatins requiring significant amunt f cmputing resurces, all withut having t plan and invest in their wn internal infrastructure. Private Cluds As the name suggests, private cluds are designed t be visible nly t the rganizatin that creates them. Private cluds prvide many f the same benefits that a public clud des, and still allws yu t maintain wnership f the data and equipment. A private clud is essentially a private datacenter that an rganizatin creates with stacks f servers all running virtual envirnments, prviding a cnslidated, efficient platfrm n which t run applicatins and stre data. Private cluds allw yu t reap many f the benefits f clud cmputing scalability, metering, flexible resurce allcatin, and s frth withut expsing any f yur rganizatin s assets t the public Internet. Private cluds 3 https://cludsecurityalliance.rg/guidance/csaguide.v3.0.pdf
FORTINET Prtecting the Clud Page 5 als address sme f the tp cncerns that prevent sme rganizatins frm mving t the clud. Since the data stays internal t the rganizatin, cncerns arund vendr lck-in and regulatry cmpliance are minimized. Hwever, where private cluds differ frm public cluds is that private cluds usually require a significant investment t plan and deply. The fllwing are all csts that yu shuld cnsider as yu lk t create a private clud: Hardware and sftware T create a private clud, an rganizatin much purchase all the servers, virtualizatin sftware, applicatin licenses, and netwrking hardware t create the private clud. The rganizatin must als bear the csts f upgrading resurces as the clud grws. Additinal help desk resurces As users mve data and applicatins t the clud, the number f help desk requests will rise. It will require extra supprt and training during the migratin prcess. Specialized IT skills Unfrtunately, a private clud des nt administer itself, and the skill set required fr the IT department t deply, manage, and maintain a clud envirnment will be different frm the skill set it utilizes fr its n-premise systems. Ptential slutins t the need fr specialized skills culd include hiring a cnsulting firm, training existing staff, and hiring new emplyees (r a cmbinatin f all three ptins) t manage the new infrastructure. High availability and disaster recvery Yu will have t invest in additinal resurces t ensure that the private clud maintains full-time availability and is fault tlerant. This will require extra investment n redundant systems, and may include cnstructin f duplicate facilities when the primary facility is lcated in a high-risk area. Reduced ecnmies f scale Althugh a large rganizatin will reap the benefits f scalability and flexible resurces using a private clud, the efficiencies and cst savings will be limited by the cmpany s size. Despite these challenges, private cluds can prvide significant advantages t rganizatins that need the flexibility and n-demand resurces ffered by the clud, but cannt mve the data utside f the rganizatin. Hybrid and Cmmunity Cluds Hybrid and cmmunity cluds are clud architectures that incrprate cmpnents f private and public cluds, depending n their use case. NIST defines these tw architectures as 4 : Hybrid Cluds - The clud infrastructure is a cmpsitin f tw r mre distinct clud infrastructures (private, cmmunity, r public) that remain unique entities, but are bund tgether by standardized r prprietary technlgy that enables data and applicatin prtability (e.g., clud bursting fr lad balancing between cluds). Cmmunity Cluds - The clud infrastructure is prvisined fr exclusive use by a specific cmmunity f cnsumers frm rganizatins that have shared cncerns (e.g., missin, security requirements, plicy, and cmpliance cnsideratins). It may be wned, managed, and perated by ne r mre f the rganizatins in the cmmunity, a third party, r sme cmbinatin f them, and it may exist n r ff premises. 4 http://csrc.nist.gv/publicatins/nistpubs/800-145/sp800-145.pdf
FORTINET Prtecting the Clud Page 6 Clud Security Cncerns There are a variety f security challenges related t bth private and public clud cmputing. Figure 1 belw shws the tp-ranked challenges related t clud security as indicated by Infrmatin Security prfessinals in a 2011 (ISC) 2 survey. Figure 1 - Cncerns arund mving t the clud With the expsure f sensitive data and data lss listed as the tw mst cmmn cncerns related t clud security, it is imperative that yu lk carefully at hw yur rganizatin s data will be prtected as it enters, travels thrugh and leaves the clud. Securing Data Entering and Leaving the Clud Data entering and leaving the clud shuld subject t the same level f scrutiny as any ther data entering r leaving the netwrk. Critical netwrk security technlgies such as firewall, intrusin preventin, applicatin cntrl, and cntent filtering need t prvide that level f scrutiny. The additinal challenge assciated with securing data in the clud is that the security architecture must als secure the multi-tenant nature f the traffic. This means the security architecture must have the ability t enfrce separate plicies n traffic, depending n rigin r destinatin. The security technlgies in place must als have the ability t keep traffic entirely separate in rder t avid any risk f unauthrized access. Securing Data in the Clud Once data is in the clud, new challenges arund security emerge. Primary amng this is the need t maintain cntrl ver data as it flws frm virtual machine t virtual machine. Traditinal hardware-based appliances have n cntrl ver the data nce in the clud, which requires the presence f virtual security appliances t inspect and prtect the data in the virtualized envirnment. Vulnerabilities and the Clud Clud envirnments are by design fluid, and therefr require regular updates t the security architecture t ensure prtectin. Despite effrts by clud prviders t stay abreast f the latest threats, a single zer-day vulnerability culd prvide the means with which t ptentially cmprmise every custmer and machine being hsted within the clud prvider's netwrk.
FORTINET Prtecting the Clud Page 7 In rder t address this risk, clud prviders need t invest in security vendrs that prvide frequent updates and a glbal intelligence netwrk that can accurately identity and prtect against new vulnerabilities and attacks befre they are explited in the wild. Enabling Custmers t Build and Maintain Secure Cluds Frtinet, the leader f the wrldwide unified threat management market 5, has a variety f prducts designed t extend traditinal netwrk security prtectin int the clud. As described previusly, the nly way t mitigate fears arund mving t the clud is t ensure that prtectin is in place at all pints alng the path f data: Entering r exiting the crprate netwrk, entering r exiting the clud, and within the clud itself. Frtinet s Multi-Tenant Architecture Virtual dmains (VDOMs) are a methd f dividing a FrtiGate physical r virtual appliance int tw r mre virtual units that functin independently. VDOMs can prvide separate netwrk security plicies and cmpletely separate cnfiguratins fr ruting and VPN services fr each cnnected netwrk r rganizatin. This native ability t split a single FrtiGate device int multiple secure entities prvides the enhanced levels f security and data segregatin needed t build any clud architecture. Sme key advantages f FrtiGate VDOMs are: Easier Administratin VDOMs prvide separate security dmains that allw separate znes, user authenticatin, firewall plicies, ruting, and VPN cnfiguratins. VDOMs separate security dmains and simplify administratin f cmplex cnfiguratins as security administratrs d nt have t manage as many settings at ne time. This is critical fr cmplex netwrks that might have different administratrs fr different functinal dmains r fr different grups f devices. VDOMs als prvide an additinal level f security because regular administratr accunts are specific t ne VDOM an administratr restricted t ne VDOM cannt change infrmatin n ther VDOMs. Any cnfiguratin changes and ptential errrs will apply nly t that VDOM and limit any ptential dwn time. Using this cncept, yu can further split settings s that the management dmain is nly accessible by a single admin and des nt share any settings with the ther VDOMs. Cntinuus Security VDOMs als prvide a cntinuus path f security. When a packet enters a VDOM, it is cnfined t that specific VDOM and is subject t any firewall plicies fr cnnectins between that VDOM and any ther interface. When hsting separate clients r entities n a single clud architecture (very cmmn with public and cmmunity cluds), the ability t guarantee that n data can pass frm ne cnnectin t anther is a critical requirement. Savings in Physical Space and Pwer FrtiGate VDOM technlgy allws yu t increase the number f dmains prtected withut having t increase the amunt f rack space and pwer cnsumed. There is n need t make physical changes t the netwrk t accmmdate additinal custmers r dmains. Als, there is n risk f expensive hardware sitting arund idle if grwth prjectins prve t be inaccurate. Increasing VDOMs invlves n additinal hardware, n additinal cabling, and very few changes t existing netwrking cnfiguratins. Yur ability t create virtual dmains is limited nly by the size f the VDOM license yu purchase and the physical resurces f yur FrtiGate device. 5 IDC (www.idc.cm)
FORTINET Prtecting the Clud Page 8 Virtualized Prducts Frtinet has a wide range f virtualized prducts fr many f its hardware platfrms as well as traditinal physical appliances. Frtinet virtual appliances allw yu t scale quickly t meet demand and prtect intra-virtual machine cmmunicatins by implementing critical security cntrls within yur virtual infrastructure, running n bth VMware and Citrix XenServer. Frtinet prvides virtualized appliances fr the fllwing prduct families: FrtiGate Frtinet s flagship netwrk security slutin that delivers the bradest range f cnslidated netwrk security and netwrk services n the market, including: Firewall, VPN, and Traffic Shaping Intrusin Preventin System (IPS) Antivirus/Antispyware/Antimalware Integrated Wireless Cntrller Applicatin Cntrl Data Lss Preventin (DLP) Vulnerability Management Dual-Stack IPv6 Supprt Web Filtering Antispam VIP Supprt Layer 2/3 Ruting WAN Optimizatin & Web Caching FrtiManager - Single pane f glass management cnsle fr cnfiguring and managing any number f Frtinet devices, frm several t thusands, including FrtiGate, FrtiWiFi, FrtiCarrier, FrtiMail and FrtiAnalyzer appliances and virtual appliances, as well as FrtiClient endpint security agents. Yu can further simplify cntrl and management f large deplyments by gruping devices and agents int administrative dmains (ADOMs). FrtiAnalyzer - Centralized lgging, analyzing, and reprting appliances securely aggregates lg data frm Frtinet devices and ther syslg-cmpatible devices. A cmprehensive suite f easily custmized reprts enables yu t analyze, reprt, and archive security event, netwrk traffic, Web cntent, and messaging data t measure plicy cmpliance. FrtiMail - Prven, pwerful messaging security platfrm fr any size rganizatin, frm small businesses t carriers, service prviders, and large enterprises. Purpse-built fr the mst demanding messaging systems, the FrtiMail slutin utilizes Frtinet s years f experience in prtecting netwrks against spam, malware, and ther message-brne threats. FrtiWeb - FrtiWeb web applicatin firewalls prtect, balance, and accelerate yur web applicatins, databases, and any infrmatin exchanged between them. Whether yu are prtecting applicatins delivered ver a large enterprise, service prvider, r clud-based prvider netwrk, FrtiWeb appliances will reduce deplyment time and simplify security management. FrtiScan - Enables yur rganizatin t clse IT cmpliance gaps and implement cntinuus mnitring fr real-time results. FrtiScan prvides yu with an enterprise-scale slutin that integrates endpint vulnerability management, industry and federal cmpliance, patch management, remediatin, auditing and reprting int a single, unified platfrm. Unmatched Prtectin Each FrtiGate virtual appliance ships with the bradest range f security and netwrk technlgies f any virtual appliance n the market tday. And, because all f these technlgies are included with the FrtiGate-VM license, yu have cmplete flexibility t deply the right mix f technlgies t fit yur unique virtualized envirnment and address cncerns abut migrating data t the clud.
FORTINET Prtecting the Clud Page 9 Each FrtiGate-VM delivers the same cmprehensive suite f cnslidated, integrated security technlgies as the industry-leading FrtiGate physical appliances. This suite includes: The latest next-generatin firewall (NGFW) technlgies like IPv4/IPv6 Firewall, Applicatin Cntrl and Intrusin Preventin, which deliver unmatched granular management and cntrl f data, applicatins, users, and devices Technlgies t blck tday s spearphishing attacks, APTs, and ther targeted attacks such as Antispam, Antivirus, Web Cntent Filtering, and Data Leak Preventin Essential prtectin fr remte users and ffices such as VPN, Endpint Prtectin, Tw-Factr Authenticatin, and Vulnerability Management Cre netwrking supprt, such as IPv4/IPv6 Dynamic Ruting, WAN ptimizatin, Traffic Shaping, and VIP Figure 2 - The Frtinet Virtualized Prduct Prtfli FrtiGuard Services The FrtiGuard Labs glbal team f threat researchers cntinuusly mnitrs the evlving threat landscape. The 150+ dedicated researchers prvide arund-the-clck cverage and updates t ensure the mst up t date prtectin pssible. The FrtiGuard Labs team delivers rapid prduct updates and detailed security knwledge, prviding prtectin frm new and emerging threats. Our research team has lcatins in the Americas, Eurpe, and Asia. The FrtiGuard Labs team prvides updates t a variety f Frtinet services, including: Intrusin Preventin Applicatin Cntrl Management Services Antivirus Antispam Vulnerability Cntrl and Database Security Web Security Management Web Filtering Frtinet Analysis and
These services, in cnjunctin with Frtinet research analysts, prvide a cnstant stream f up-t-date signatures and preventin measures against ptential attacks. When prtecting a clud-based envirnment, it is imperative t have timely prtectin in place against any attack that might ccur within a physical r virtual envirnment. Frtinet Secures the Breadth f Deplyment Optins in the Clud Chsing the apprpriate clud architecture is nly the first step in the transitin t virtualized deplyments. The next step is fr yu t determine which services will be deplyed in the clud and hw physical and virtual cmpnents will interact. One f the key strengths f virtualized technlgy is the ability t prvide flexible, scalable cmputing fr a variety f services, and yur netwrk security slutin has t be equally flexible and scalable. As requirements fr prcessing change, yu need t be able t make changes n demand t bth yur clud envirnment and the security slutin prtecting that envirnment. Frtinet prducts prvide agile end-t-security regardless f the deplyment ptin. As yu lk t a cmbinatin f physical and virtualized slutins t slve yur cntemprary IT challenges, it is essential t select a single security slutin that can prtect bth yur evlving netwrk. With the bradest prtfli f physical and virtual appliances in the industry, all cntrlled by a single unified management platfrm, Frtinet allws yu t secure a wide variety f clud and netwrk cnfiguratins. Sme ppular netwrk deplyments that Frtinet can prtect are: Hsted Services Hsted services include sftware as a service (SaaS), infrastructure as a service (IaaS), platfrm as a service (PaaS) and many thers (referred t as XaaS r anything as a service 6 ). Each f these services requires the same specialized security that exists in the physical realm as well as unique attributes t perate in a virtualized envirnment. With seven distinct Frtinet prducts available in a virtual appliance frm factr, yu can prvide dedicated security regardless f the service ffering. Fr example, virtual FrtiMail and FrtiWeb appliances can prtect yur Web and email servers, FrtiScan can prtect yur virtual platfrms against vulnerabilities by FrtiScan, and FrtiGate can prvide prven prtectin fr yur entire virtual infrastructure. Sftware Defined Netwrking Prtecting individual services is nly ne part f the equatin. Anther ppular trend, driven by clud cmputing and virtualizatin is Sftware Defined Netwrking. Sftware Defined Netwrking (SDN) is an apprach t netwrking in which cntrl is decupled frm hardware and given t a sftware applicatin called a cntrller 7. SDN enables rapid changes in switching and ruting plicies independent f physical architecture, meaning that security plicies can easily becme ut f date, leading t gaps in prtectin. Virtualized Frtinet appliances are well-suited t enabling and prtecting SDN envirnments. Frtinet prducts supprt the ruting prtcls and VPN technlgy necessary fr administratrs t implement new infrastructures while maintaining prper security plicies. Virtualized FrtiGate devices supprt dynamic ruting prtcls in bth IPv4 and IPv6 (such as BGP and OSPF) allwing administratrs t define new netwrk rutes as necessary. Built-in IPsec and SSL VPN technlgies allw yu t prtect new cnnectins t data centers and encrypt and secure cmmunicatin between systems and end-users. 6 http://searchcludcmputing.techtarget.cm/definitin/xaas-anything-as-a-service 7 http://whatis.techtarget.cm/definitin/sftware-defined-netwrking-sdn
Cnclusin The ppularity f clud based services and the high risk assciated with mving data t the clud has cmpanies f all sizes lking fr slutins t address their clud cmputing challenges. Securing the clud requires a variety f technlgies, and n single technlgy can address all the challenges. Clud prviders and custmers must take special care t understand all the safeguards in place arund any clud slutin. Frtinet s netwrk security prduct strategy is purpse-built arund a multi-tenant architecture. Frtinet has the breadth and depth f slutins t address securing data as it mves t, thrugh, and utside f the clud. By prviding centrally managed physical and virutal appliances that delvier the bradest range f netwrk security slutins in the industry, Frtinet can help prtect yur critical data frm the custmer t the clud and back.