During the Malaysian leg of the Fortinet 361° Security Conference, we got the chance to have an informal interview with Sean Hong, Regional Director - Strategic Alliance Cloud at Fortinet, who shared his views on the opportunities and challenges brought on by this rise in the “multi-cloud” movement among enterprises.
According to Sean, cloud has undoubtedly been a very exciting trend when it comes to digital transformation. “Fundamentally, what you gain out of this is the agility, flexibility and also the more optimised TCO. That’s the overall pitch for the cloud subscriber,” he said, adding that over the years, the APAC and ASEAN regions have become among the most competitive growing markets for all the cloud providers.
When it comes to multi-cloud, he said Fortinet’s definition of it includes the private cloud – which is owned and fully operated by the enterprises themselves, leveraging virtualisation or hyperconverged infrastructure technologies – as well as the use of multiple public clouds, “with all the data and workloads transversing in between”.
When it comes to multi-cloud implementations, Sean explained that many customers are taking advantage of the different strengths of each cloud provider, be it better AI engine, serverless architecture or others, while preferring to hold critical data in their own private cloud. He added, “We’re seeing very often this kind of architecture when it comes to multi-cloud implementations.”
The challenge that it imposes to enterprises, he said, is on having visibility into this very heterogeneous domain. How do they know where the data is sitting and whether it is secure? Even though virtualisation is used as the underlying technology, he pointed out that the implementations on various clouds as well as on-premises are quite different. “Those are the challenges that a lot of customers are facing,” Sean commented.
This mirrors the challenges they face when it comes to keeping their data, dispersed across different environments, secure. Each environment may be susceptible to the millions upon millions of malware types and variants as well as escalating hacking, penetration and cyber fraud attempts. The biggest challenge is to have, again, visibility, as well as consistent security policy configurations across all the various clouds and on-prem deployments.
95% of Cloud Security Failures are the Customers’ Fault
Over the past few years, we’ve often heard about the concerns businesses may have when it comes to migrating to cloud and whether their data would truly be secure as it leaves the confines of the physical data centre. Sean then shared an interesting piece of nugget from Gartner, who reported that up to 95% of data breaches happening on the cloud does not occur due to security lapses such as an operating system loophole or back door. On the other hand, they’re due to user misconfigurations.
That actually makes sense because of the sheer amount of investments that public cloud providers typically make to ensure that their infrastructure is functional and secure for customers. In an event we covered last month, for instance, Google revealed that it had spent over $47 billion in capital expenditure in the last four years to build out the Google Cloud network.
Sean explained that while the ease of use of the cloud may be one of its biggest benefits, it leaves more room for misconfigurations or mistakes from users which often leaves a loophole, back door or vulnerability that hackers can exploit.
Therefore, he said Fortinet’s cloud security strategy has been to focus on three big areas. First and foremost, the company saw the need to support the broadest choice of clouds. As Sean put it, “From the private cloud to Google, AWS, IBM, Oracle, Alibaba Cloud and Azure, we support the broadest cloud platforms and we have developed a consistent feature set and integration with all of them.”
Natively Integrated Security, Built for All Cloud Scenarios
By being natively integrated with the different clouds through the Fortinet Security Fabric Connectors, Sean said Fortinet customers don’t need to rely on third-party developers or API proxies to be able to see and control their workloads on different cloud platforms.
“The biggest benefit of that is automation. As I mentioned, a lot of misconfigurations have led to data breaches.” Sean commented that single-pane orchestration and automation, the ability to automatically sync up security policies between the cloud and the physical world, for example, are the best ways to counteract misconfigurations and reduce human error.
“Secondly, they have consistent visibility, regardless of whether their workloads are deployed on-premises or on the cloud, at what time, and what applications are accessing their data. These are all also very important,” he added.
Last but not least, Sean explained that since hackers and cybercriminals have become much more sophisticated, the jobs of the security practitioners have also become even more challenging. There’s a need for today’s organisations to have multi-layers of protection on-prem as well as in their cloud environments.
However, if they had different, multi-vendor solutions running on cloud, a big headache for a lot of security practitioners would be to figure out how to integrate the disjointed products together. But with Fortinet’s Security Fabric solution, Sean said, “You have a pre-integrated solution. All these different applications and security components will talk to each other regardless if they’re on cloud or on-premises. They’re all centrally managed by our central management system.”
“So with these, we greatly reduce the attacking surface for the enterprises, regardless if the workloads are on cloud or on-prem.” Moreover, he said Fortinet also has solution suites that cater to scenarios where a business does not have any on-prem workload, where everything’s natively built on cloud, as well as those who are running a serverless architecture.
“We also provide different cloud security assessment tools or risk management tools targeting the cloud environment. We recently announced our new product called FortiCWP, or Cloud Workload Protection, which provides seamless integration with our Security Fabric, and at the same time, provides a focused assessment and risk management for customers’ cloud environments,” Sean explained.
For companies that are still embarking onto the cloud or evaluating their multi-cloud strategies, Sean offered the following words of advice. “When it comes to cloud, first of all, you need to understand the nature of your business.” He said, before adding that, “Everything starts from the business. What are your business objectives? Are you leveraging cloud technologies to save cost, or do you want to expand your reach to different countries?”
Once they have aligned their business objectives, Sean said they need to assess their internal IT resources and whether they have the skillsets to be able to succeed. “[This is] because the cloud is not just for convenience. You gain the convenience, but on the other hand, you need to build up your internal IT team’s skillsets in terms of cloud and cloud securities.”
Therefore, Sean stressed that businesses need to know whether they’re ready to take the journey to cloud, what they want to achieve, what their business objectives are, whether they have the IT skillsets to support the cloud deployment, and lastly, understand what they’re expected to invest in.
They need to pick the right partner to work with, that provides the right solution for them that can ensure that their most valuable data is well protected. “Also, due to the shared responsibility model of the cloud providers, we strongly recommend our customers to take a holistic view, regardless of whether their workloads are sitting on-prem or on cloud.”
“Then you have the same or consistent security posture across this heterogeneous environment,” he concluded.