MeriTalk spoke with Felipe Fernandez, Director of Systems Engineering, Fortinet, to hear his thoughts on dynamic cloud security and the impact it’s having on our Federal government during telework.
MeriTalk: With an increase in the number of public sector organizations adopting cloud-based systems for business practices, the demand for more applications and data is greater than ever before. What are the necessary tools or guidance organizations need to provide their staff to ensure security?
Felipe: The tools they really need are ones that provide visibility across multi-cloud architectures, whether that be infrastructure, platform, or applications. They need to ensure the portions they’re responsible for securing are indeed secure and that only authorized users have access to these resources. Then, they need to ensure what those authorized users are doing is compliant with the intent behind those subscriptions or services. Tools like Fortinet’s FortiCWP offer great visibility on many different activities happening in the cloud, whether it be data storage and how it’s used, or how files are being accessed, used, or moved.
Specifically, cloud storage has seen the greatest number of issues – from improper permission settings to malware in the files uploaded to these cloud storage buckets. What usually happens when people buy cloud storage is that it creates a gap, similar to out of sight, out of mind. We’ve yet to create that connection where we’re thinking about our subscriptions and services – that in-depth visibility, and consciously monitoring everything that is transpiring on those surfaces.
MeriTalk: How are agencies approaching cloud compliance and security regulations, and what should they be taking into consideration when it comes to platform security?
Felipe: From a cloud compliance security regulations perspective, they’re certainly willing to combine as much guidance as they can from the various Federal agencies or departments such as the National Institute of Standards and Technology, the Department of Defense, and the FedRAMP office, or from private organizations like the Center for Internet Security (CIS). The program offices have done a good job of creating frameworks with which to consume or evaluate the security posture of a particular service, whether it be a public cloud platform or SaaS application.
With that said, tools like a cloud access security broker (CASB) really do help provide visibility for a particular environment. When you’re subscribing to a platform or SaaS, customers don’t need visibility for underlying architecture and security – that is for the vendor to provide. But the customers do have responsibility for personal files and configuration settings. With a CASB, they can move forward confidently while utilizing these kinds of services. Gartner IT has a great take on cloud and agencies moving to cloud: through 2025, 99 percent of cloud misconfigurations and security breaches will be the customer’s fault. That’s a really big number; it’s striking. That should put someone in the right frame of mind to understand how important this visibility is.
MeriTalk: Using the shared responsibility model as a guiding principle, cloud-based applications are vulnerable to cyber threats and must meet compliance requirements. How can agencies provide protections for web applications while enhancing regulatory compliance?
Felipe: Various frameworks can be utilized to provide a foundational posture, from which you can programmatically improve the security components within an agency’s responsibility. Compliant means you at least have a programmatic approach to your security program and the practice. But compliant doesn’t mean secure. Agencies still need to evaluate and utilize other tools that provide capabilities that aren’t mentioned in the standard frameworks or the security recommendation guides. Particularly for web applications, agencies should look at cloud-native variants of tools such as web application firewalls that are delivered as a service from the cloud and integrate with cloud APIs so they can provide more granular protection for a particular cloud app.
We now have things like containers and various technologies that will make application hyperscaling possible, such as Kubernetes. You need to have container-aware security, and that is offered in the appropriate form factor of web application firewalls. It can protect north-south and east-west security – so from container to container, not just the entire cluster from the rest of the world. This is very important, especially for agencies implementing a zero trust model.
MeriTalk: Within application security, what is essential as more organizations outsource IT management and email applications?
Felipe: IT services are a significant portion of cloud spend, from migration services to management services. So, close coordination with and monitoring of those parties is essential. There also need to be tools in place that allow an agency to get real-time visibility into the security posture of outsourced applications.
When it comes to email applications, it is important to deploy security tools that complement the security features already provided in web email applications. There are shortfalls in the one-size-fits-all application, software, or platform-as-a-service delivery model. And unfortunately, cloud service providers can’t deploy the most granular control because it could break things and reduce performance. A product like FortiMail, a mail security gateway that you can integrate directly with Microsoft Office 365, can help organizations close the gap between the default security posture of email applications and the security they really need.
MeriTalk: Agencies are constantly looking for consistency between data centers and clouds. How can Fortinet help protect that connectivity between them?
Felipe: Fortinet is entirely devoted to ensuring that no matter where their customers’ data and applications are located, security can be deployed for them. Fortinet provides tools for network visibility and security, in either hardware or virtual offerings, that support hybrid architectures with multiple clouds and data centers. Whether an agency has a Hyper-V infrastructure, VMware infrastructure, or went the open source route and has an OpenStack infrastructure, Fortinet has a form factor of next-gen, industry-leading security tools that can be leveraged wherever the applications are deployed.
As far as protecting connectivity between data centers and clouds, Fortinet provides VPN technologies with FortiGate. You can deploy a FortiGate on-prem in your data center, in whatever form factor you wish, and as a virtual machine in the cloud. Fortinet has very high-performing VPN capability with physical appliances, the FortiASIC. But even in the cloud, Fortinet is still achieving industry-leading VPN performance, upwards of 20 gigabits per second. There’s a tendency to think that in the cloud, FortiGates will lose any performance advantage, but they don’t, and it is noticeable when you compare it side-by-side with other vendor offerings.
MeriTalk: Talk to us about “The Cloud Security Services Hub” and how the hub applies to a telework environment.
Felipe: The Cloud Security Services Hub is an architecture where a single virtual private cloud (VPC), or a logically isolated environment in the cloud, is deployed to host security tools and functions. The hub is integrated with identity and access management tools like user Active Directory and multi-factor authentication, and provides a gateway through which remote or on-prem users can securely connect to critical resources and applications. More importantly, the cloud security services hub architecture allows the Fortinet security tools suite to be the centerpiece of security and provide consistent security policy throughout an organization’s infrastructure. With that level of visibility, those capabilities include user and behavior analytics, assigning risk scores to user and data access activities, and making enforcement decisions in real time. Ultimately, what the cloud security services hub provides is a zero trust security capability built in the cloud that can be leveraged in all areas of the network.
MeriTalk: As organizations are increasingly deploying a variety of workloads across multiple clouds, what have been some of the biggest challenges you’ve seen when transitioning to these telework environments with regard to maintaining cloud security?
Felipe: From the multi-cloud perspective, the number one thing that organizations had issues with is deploying and maintaining consistent security configurations. And it isn’t all their fault. Cloud platforms are constantly evolving, as are the applications that agencies need to deploy in them – but the impacts from these evolving cloud platforms can be greatly reduced by the cloud security services hub.
MeriTalk: Anything else you’d like to cover today?
Felipe: One of the capabilities that agencies may not be thinking about is secure SD-WAN in the cloud. Secure SD-WAN can be used to enhance the utilization of links, like for cloud on-ramp, intra-cloud, or between different cloud platforms. With Fortinet Secure SD-WAN, you can apply technology that is typically associated with only the WAN and actually extend that to cloud applications and databases on the back-end, for example. It is not uncommon these days to see multiple elements of cloud applications deployed on different cloud platforms, so that’s what is driving this use case and agencies should consider taking advantage of SD-WAN there.