I was recently contacted by an analyst who asked for my thoughts on the usage of, and business value offered by virtualized next-generation firewalls (NGFWs) in enterprises’ public cloud environments, such as Amazon Web Services (AWS) and Microsoft Azure – particularly as these environments offer their own native security controls. These were very interesting questions, which I felt were worth exploring.
Certainly, both public cloud offerings include traffic filtering capabilities: AWS uses Security Groups (stateful) and Network Access Control Lists (stateless) to achieve this (as we covered in an earlier blog), and Microsoft Azure uses Network Security Groups to allow or deny traffic in a virtual network. All of these match on source and destination address, protocol and port, i.e. they filter at layers 3 and 4. I believe that the costs for these controls are included as a part of the overall service provision, which certainly makes them an inexpensive option for provisioning security in public clouds.
As such, these native security controls are well suited to development or test environments, workloads from smaller organizations, and ‘shadow IT’ applications for larger organizations. Usually, such deployments have relatively loose security requirements: there is minimal need for regulatory compliance, and a low perceived risk to the business, because the deployments are not seen as mission-critical. For these use cases, AWS and Azure’s own security controls are often good enough.
However, NGFWs provide additional advanced features that the native controls lack: application awareness (identifying the application in the traffic rather than trusting the port it arrives on), user awareness (tying rules to identities rather than source addresses), the ability to create hierarchical network object groups, and the ability to add comments and notes to rules so that the intent behind each one is documented. Organizations that need a more sophisticated, granular approach to network and application security should therefore carefully evaluate the capabilities of both cloud controls and virtualized NGFWs to figure out which combination of technologies best suits their needs.
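To make the difference concrete, here is a small, added example (constructed for this post, not code from any cloud provider or firewall vendor) that models the two kinds of rule side by side. The security-group-style rule matches only on source CIDR, protocol and destination port; the NGFW-style rule additionally checks the identified application and user, expands nested object groups, and carries a comment. The object groups, rule set and sample flows are all invented, as is the assumption that the firewall has already identified the application and user for each flow.

```python
"""Toy policy evaluator: port-based cloud security group vs. app/user-aware rule.
Constructed example for illustration; not vendor code."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    proto: str      # "tcp" or "udp"
    dst_port: int
    app: str        # application identified by inspection, e.g. "ssl", "ssh"
    user: str       # identity resolved from the directory; "" if unknown


# --- Layer-3/4 filter in the style of a cloud security group ---------------
@dataclass(frozen=True)
class L4Rule:
    cidr: str
    proto: str
    port: int


def l4_allows(rules, flow):
    """Security-group semantics: implicit deny; any matching allow rule wins.
    Only address, protocol and port are visible to this filter."""
    src = ip_address(flow.src_ip)
    return any(src in ip_network(r.cidr) and r.proto == flow.proto
               and r.port == flow.dst_port for r in rules)


# --- NGFW-style rule: object groups, application and user awareness --------
OBJECTS = {  # constructed hierarchical address groups (group -> members)
    "corp-net": ["10.0.0.0/8", "172.16.0.0/12"],
    "branch-offices": ["192.168.0.0/16"],
    "all-internal": ["corp-net", "branch-offices"],
}


def resolve(name, objects, seen=None):
    """Recursively expand a group name to the set of CIDRs it contains.
    A plain CIDR resolves to itself; cycles are ignored rather than looping."""
    seen = set() if seen is None else seen
    if name in seen:
        return set()
    seen.add(name)
    out = set()
    for member in objects.get(name, [name]):
        if member in objects:
            out |= resolve(member, objects, seen)
        else:
            out.add(member)
    return out


@dataclass(frozen=True)
class NgfwRule:
    src_group: str   # object group name or a literal CIDR
    apps: tuple      # identified applications this rule permits
    users: tuple     # empty tuple = any user
    port: int
    action: str
    comment: str     # operator note documenting the rule's intent


def ngfw_decision(rules, flow):
    """First matching rule wins; implicit deny with a reason string."""
    src = ip_address(flow.src_ip)
    for r in rules:
        in_src = any(src in ip_network(c) for c in resolve(r.src_group, OBJECTS))
        if (in_src and flow.dst_port == r.port and flow.app in r.apps
                and (not r.users or flow.user in r.users)):
            return r.action, r.comment
    return "deny", "implicit deny"


# Constructed rule sets: both intend to permit "HTTPS to the web tier".
SG_RULES = [L4Rule("0.0.0.0/0", "tcp", 443)]
NGFW_RULES = [
    NgfwRule("all-internal", ("ssl", "web-browsing"), (), 443, "allow",
             "HTTPS from internal ranges to the web tier only"),
]

# Constructed sample flows.
FLOWS = {
    "legit_https": Flow("10.1.2.3", "10.9.0.10", "tcp", 443, "ssl", "alice"),
    "ssh_on_443": Flow("10.1.2.3", "10.9.0.10", "tcp", 443, "ssh", "alice"),
    "external_tls": Flow("203.0.113.5", "10.9.0.10", "tcp", 443, "ssl", ""),
}


def compare(flow):
    """Return (security_group_allows, ngfw_action) for one flow."""
    return l4_allows(SG_RULES, flow), ngfw_decision(NGFW_RULES, flow)[0]


if __name__ == "__main__":
    for name, flow in FLOWS.items():
        sg, fw = compare(flow)
        print(f"{name:13s} security group: {'allow' if sg else 'deny':5s}  ngfw: {fw}")
```

The port-only rule accepts all three flows, including SSH tunnelled over TCP/443 and TLS from an external address, because it cannot see the application and the "anywhere" CIDR was the path of least resistance. The NGFW-style rule permits only the legitimate flow, and the comment records why the rule exists, which is the kind of context an auditor or an on-call engineer will ask for.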
I believe that major Fortune 1000 enterprises are just starting to move workloads to public clouds. Large-scale, business critical applications, carrying sensitive, regulated data, are not yet in production in large volumes in public clouds. However, this landscape will change, and soon. When it does, I suspect that the more sophisticated security features that major enterprises demand – which are available from firewall vendors but not from public cloud vendors’ controls yet – will drive and accelerate deployments of virtualized NGFWs in these environments.
It’s also important to remember that once an organization has migrated applications to the cloud, the cloud environment becomes an extension of its traditional on-premises network, with highly sensitive corporate data flowing across both. So you need to be able to visualize and manage policies across both environments consistently and cohesively, through a single pane of glass, to ensure that security and compliance requirements are met and that a rule permitted in one environment is not silently contradicted in the other.