For the past few posts I’ve been writing about cloud-based security adoption while focusing on cloud-based firewall as a service, which enjoys high interest among enterprise security architects and staff. There are definitely inherent advantages and disadvantages to moving to a cloud-based firewall and in this post we’ll look at some of these as we work toward making a cloud-based firewall business case.
First let’s look at the advantages. What makes a cloud-based firewall different from an on-premise firewall (other than being off-premise) comes down to three things: scalability, availability and extensibility.
Scalability: Cloud-based firewall providers deliver services to multiple customers, and at the core of their service they use firewalls designed to scale to meet ever-increasing demand. From the enterprise perspective this scalability comes into play when bandwidth increases. Unlike an on-premise firewall, which needs replacement when bandwidth exceeds firewall throughput, a cloud-based firewall is designed to scale as customer bandwidth increases (within whatever bandwidth the customer has contracted for), or at least any hardware upgrade has to be made transparent to customers.
Availability: Cloud-based firewall providers offer extremely high availability (> 99.99%, which works out to less than an hour of downtime per year) through an infrastructure with fully redundant power, HVAC, and network services, as well as backup strategies in the event of a site failure. In contrast, on-premise firewalls are only as reliable as the existing IT infrastructure, which may not be an issue at the data center but could be at the branch. High availability is certainly possible, but depending on the manufacturer, high availability can double the cost of hardware and make operations more complex.
Extensibility: Cloud-based firewalls are available anywhere the network manager can provide a protected communications path. Given interconnection agreements between network providers, the footprint of the service may extend well beyond the boundaries of any single service provider’s network. An on-premise firewall, on the other hand, may be deployed at any corporate location with the associated capital cost (higher for redundancy), provided there is enough space and the necessary out-of-band management connection.
So, what about the downside to a cloud-based firewall? Fundamentally, it is the same issue we see with managed security services: successful security management requires context. Security staff must evaluate an alert in the context of the infrastructure and the unique characteristics of the institution. To put this in context: “I’m not sure they [managed security providers] gained the expertise [of our environment] that really benefited them. For us, we gain security expertise [from the provider] but we lose internal knowledge. An alert out of context is just as much an issue as an alert without expertise,” says the chief security officer of a manufacturer.
A number of companies echo this sentiment: much of the corporate security zeitgeist is lost in the transition to the cloud. The best way to deal with this is to get multiple references and really dig into the processes and procedures the cloud-based firewall provider uses to discover, assimilate and maintain its knowledge of the unique characteristics of your organization. That knowledge is the context necessary to deliver strong firewall security in the cloud.
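To make the point about context concrete, here is an added example (it is not from the original post and not Nemertes Research code) that triages the same firewall events twice: once with nothing but the log line, which is roughly the provider's view, and once enriched with an asset inventory and a list of flows the organization knows to be approved. The log format, the inventory and the approved-flow list are all constructed for illustration; in practice they would come from the firewall's syslog export and the organization's CMDB and change records.

```python
"""
Context-enriched triage of firewall events.

Added illustration, not code from the original post or from Nemertes.
The key=value log format, the asset inventory and the approved-flow list
are constructed for this example.
"""
import re
from dataclasses import dataclass
from typing import List, Tuple

# Constructed syslog-style lines (assumed format, not a specific vendor's).
SAMPLE_ALERTS = [
    "ts=2024-05-01T02:14:07Z action=allow src=10.20.5.17 dst=203.0.113.40 dport=22 proto=tcp",
    "ts=2024-05-01T02:15:11Z action=allow src=10.20.5.99 dst=203.0.113.40 dport=22 proto=tcp",
    "ts=2024-05-01T02:16:30Z action=deny src=198.51.100.8 dst=10.20.9.2 dport=1433 proto=tcp",
    "ts=2024-05-01T02:17:45Z action=allow src=10.30.1.5 dst=10.20.9.2 dport=1433 proto=tcp",
]

# Constructed institutional context: the knowledge an outside provider lacks.
ASSETS = {
    "10.20.5.17": {"name": "ci-runner-01", "role": "build-agent", "criticality": "low"},
    "10.20.9.2": {"name": "erp-db-01", "role": "database", "criticality": "high"},
    "10.30.1.5": {"name": "erp-app-01", "role": "app-server", "criticality": "high"},
}

# Flows the organization has reviewed and expects: (src, dst, dport, proto).
APPROVED_FLOWS = {
    ("10.20.5.17", "203.0.113.40", 22, "tcp"),   # CI runner pushes to vendor git host
    ("10.30.1.5", "10.20.9.2", 1433, "tcp"),     # ERP app server to ERP database
}

KV_RE = re.compile(r"(\w+)=(\S+)")


@dataclass
class Alert:
    ts: str
    action: str
    src: str
    dst: str
    dport: int
    proto: str


def parse_alert(line: str) -> Alert:
    """Parse one key=value log line into an Alert."""
    f = dict(KV_RE.findall(line))
    return Alert(f["ts"], f["action"], f["src"], f["dst"], int(f["dport"]), f["proto"])


def triage_without_context(alert: Alert) -> Tuple[str, str]:
    """Disposition using only what the log line itself says."""
    if alert.action == "allow":
        return "info", "permitted by policy"
    return "low", "blocked by policy"


def triage_with_context(alert: Alert) -> Tuple[str, str]:
    """Disposition after enrichment with inventory and approved flows."""
    key = (alert.src, alert.dst, alert.dport, alert.proto)
    src_asset = ASSETS.get(alert.src)
    dst_asset = ASSETS.get(alert.dst)
    if alert.action == "allow":
        if key in APPROVED_FLOWS:
            return "benign", f"approved flow from {src_asset['name']}"
        if src_asset is None:
            # Policy let it through, but nobody knows this host: that is the alert.
            return "investigate", "permitted flow from a host missing from inventory"
        return "review", f"unapproved flow from {src_asset['name']} ({src_asset['role']})"
    # Denied traffic is usually noise, unless the target is something that matters.
    if dst_asset is not None and dst_asset["criticality"] == "high":
        return "investigate", f"blocked probe against {dst_asset['name']} ({dst_asset['role']})"
    return "info", "blocked traffic to a non-critical or unknown host"


def run(lines: List[str] = SAMPLE_ALERTS) -> List[Tuple[str, str, str, str]]:
    """Return (src, dst, no-context severity, with-context severity) per line."""
    rows = []
    for line in lines:
        a = parse_alert(line)
        rows.append((a.src, a.dst, triage_without_context(a)[0], triage_with_context(a)[0]))
    return rows


if __name__ == "__main__":
    for src, dst, raw, enriched in run():
        print(f"{src:>14} -> {dst:<14} without context: {raw:<6} with context: {enriched}")
```

The two "allow" events to the vendor host on port 22 look identical to a provider working from the log alone; only the inventory reveals that the second source is an unknown host. Likewise, the denied connection looks like routine blocked noise until the target is recognized as the ERP database. This is the knowledge the provider must discover and keep current, and it is what to ask about when checking references.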
John Burke is a Principal Research Analyst with Nemertes Research, where he conducts primary research, develops cost models, delivers strategic seminars, advises clients, and writes thought-leadership pieces across a wide variety of topics. John’s main areas of research are cloud computing, virtualization, application delivery networking, SOA, and SaaS. His other areas of expertise are information stewardship (including information protection, information lifecycle management, business continuity planning, compliance, and data quality management) and storage technologies.
As an established speaker, John has appeared at Interop, Network World IT Roadmap and TechTarget events, as well as private events for Cisco, AT&T, and others.
As research analyst, John draws on his past experience as a practitioner and director of IT to better understand the needs of IT executives and the challenges facing vendors trying to sell to them. His career began at The Johns Hopkins University, where he supported the engineering faculty in its use of computers in research and teaching. He moved on to departmental management as well as systems and network administration at The College of St. Catherine, in St. Paul, MN, and then to directing staff in voice, data, desktop and systems management at the University of St. Thomas, also in St. Paul. He has broad and deep experience in computing, communications, and IT management.
John holds a bachelor of science degree in electrical engineering and a master’s degree in the history of science, both from The Johns Hopkins University.
He devotes his spare time to family, baking, gardening, bird watching and wild mushroom hunting.