Authored By: Jonathan Maresky, Cloud Product Marketing Manager, at Check Point Software Technologies
Cloud security has become business-critical as organisations expand and deepen their cloud presence. According to the Check Point 2020 Cloud Security Report, 75% of surveyed organisations were either very or extremely concerned about cloud security. The figure below illustrates the kind of multi-layered yet unified cloud security platform that organisations should put in place in order to protect their cloud deployments and ensure a robust cloud security posture. Similarly, a recent Forrester study stated that cloud security confidence is a leading driver for adopting more cloud services.
It is always important to remember that cloud security takes place in the context of a shared responsibility model. At the infrastructure level (IaaS), cloud providers are responsible for securing their compute-network-storage infrastructure resources while users are responsible for protecting the data, apps, and other assets deployed on the infrastructure. The tools and services offered by cloud providers to help users uphold their end of the shared responsibility model are important elements of any cloud network security solution. However, cloud providers are not specialists in security; these cloud provider tools and services must be complemented by partner solutions in order to achieve enterprise-grade network security.
This article describes the ten essential considerations a company should examine when choosing its cloud network security platform. It explains how you can ensure that vendor solutions have the capabilities that are important to your organisation’s success and security.
1. Advanced Threat Prevention and Deep Security
Threat detection is not enough to effectively protect cloud assets in today’s complex cybersecurity landscape. You need multi-layered, real-time threat prevention for both known and unknown (zero-day) vulnerabilities. The solution must deliver deep security through features such as granular and deep traffic inspection, enhanced threat intelligence, and sandboxing that isolates suspicious traffic until it is either validated or blocked. And these advanced capabilities must be deployed on both North-South (incoming/outgoing) and East-West (lateral) traffic.
The solution must run transparently and consistently across even the most complex multi-cloud and hybrid (public/private/on-prem) environments. A unified management interface (sometimes called a “single pane-of-glass”) should provide a single source of cloud network security truth as well as a centralised command and control console.
3. Granular Traffic Inspection and Control
Look for next generation firewall (NGFW) capabilities, such as fine matching granularity that goes beyond basic whitelisting, deep inspection to ensure that traffic matches the purposes of the allowed ports, advanced filtering based on URL addresses, and controls at not just the port level but the application level as well.
In order to match the speed and scalability of DevOps, the solution must support high levels of automation, including programmatic command and control of security gateways, seamless integration with CI/CD processes, automated threat response and remediation workflows, and dynamic policy updates that don’t require human intervention.
5. Integration and Ease of Use
The solution must work well with your company’s configuration management stack, including support for Infrastructure as Code deployments. In addition, the solution has to be deeply integrated with the cloud providers’ offerings. In general, your goal should be to streamline operations and promote ease of use by minimising the number of point security solutions that have to be deployed and managed separately.
The solution’s dashboards, logs, and reports should provide end-to-end and actionable visibility into events as they are happening. For example, logs and reports should use easy-to-parse cloud object names rather than obscure IP addresses. This visibility is also important for enhanced forensic analytics should a breach take place.
7. Scalable, Secure Remote Access
The solution must secure remote access to the company’s cloud environment with features such as multi-factor authentication, endpoint compliance scanning, and encryption of data-in-transit. Remote access must also be able to scale quickly so that, during times of disruption such as the COVID-19 pandemic, any number of remote employees can work productively yet securely.
8. Context-aware Security Management
The cloud network security solution must be able to aggregate and correlate information across the entire environment—public and private clouds as well as on-prem networks—so that security policies can be both context-aware and consistent. Changes to network, asset, or security group configurations should be automatically reflected in their relevant security policies.
9. Vendor Support and Industry Recognition
In addition to the features and capabilities of the solution itself, it is also important to take a close look at the vendor. Is it highly rated by independent industry analysts and third party security testing companies? Can it meet your SLAs? Does it have a proven track record? Can it provide added value, such as network security advisory services? Can it support your global operations? Is it committed to innovation so that its solution will be future-proof? Is its software mature, with few vulnerabilities, and does it deliver timely fixes?
10. Total Cost of Ownership
The total cost of ownership is determined by a number of factors, all of which should be considered as part of the buying process: the flexibility of the licensing model, the extent to which the cloud security platform seamlessly integrates with and leverages existing IT systems, the level and scope of personnel required to administer the system, the vendor’s MTTR and availability SLAs, and more. You want your cloud security platform to streamline operations, optimise workflows, and reduce costs while enhancing your security posture. The last thing you want is to be surprised by hidden infrastructure, personnel and other costs that emerge only after the system is up and running.