Fortinet’s Michael Xie: How to secure the cloud

Fortinet President and CTO Michael Xie discusses the challenges and the role of the security fabric for cloud environments


Last month I wrote a post highlighting the differences between a security fabric and platform. Of all the security vendors, of which there are literally hundreds, no one has evangelized the topic and value of a fabric more than Fortinet.

One of the drivers of Fortinet’s security fabric has been to secure the cloud. To get a better understanding of what the challenges are and the role of the security fabric for cloud environments, I interviewed the founder, president and chief technology officer (CTO) of Fortinet, Michael Xie. 

Zeus: What has been driving cloud adoption? 

Michael: The digital economy is changing the way IT operates. Companies are driving business value by using technology to connect users, devices, data, goods and services to a common network. Success in the digital era requires the adoption of a number of new technologies and architectures to drive a higher level of business agility, meet market demands and be more relevant to customers. 

The rise in the number of connected endpoints has created unprecedented amounts of data, and building more and larger data centers is a time-consuming, expensive task. To combat this, businesses have turned to the cloud because it provides the elasticity and almost infinite scaling that organizations require. 

Zeus: How is the cloud impacting IT security? 

Michael: Workers require access to data and applications regardless of where they are or what device they are using. The cloud enables on-demand and location-independent computing environments where workers can perform any task at any time, regardless of location. IT is becoming more dynamic and distributed, and this has affected every aspect of the network and created a number of distinct security challenges that cannot be addressed with the traditional approach of building a network and bolting security on after the fact. 

For example, when a new virtual server or workload is provisioned, the network needs to intrinsically understand critical security issues, such as what devices and applications are allowed to talk to the virtual machine and where it can or cannot send data. These questions become exponentially more complicated as more physical and virtual devices are added and removed from the network. 

Securing these highly dynamic environments requires tightly integrated security and network technologies that share intelligence and collaborate to detect, isolate, and respond to threats in real time. Security solutions need to meet extreme performance requirements and be available on demand, and they need to be provisioned and deprovisioned in real time as the environment they are protecting adapts to demands. In our opinion, only a security fabric can do this. 

If companies don’t rethink their security architectures to meet the requirements of the cloud and have security that can essentially follow their data wherever it goes, their businesses will suffer as more and more data, workloads and applications are being offloaded to the cloud, especially via IoT devices. 


Traditional security architecture was simple: apply security to a well-defined perimeter. This is no longer sufficient. In fact, our data shows that 84 percent of respondents to a recent survey were dissatisfied with traditional tools applied to the cloud. Securing the cloud means applying the right security tools at the end user and at the cloud. Our security fabric makes this much easier to deploy and manage. 

Zeus: Can you please expand on end user security. Why is it a challenge and what is needed? 

Michael: Cloud services are encrypted, which makes the traffic invisible to most security tools. As many applications that are currently in house move to the cloud, a simple application-level policy is no longer sufficient. What Fortinet provides is deep packet inspection for cloud applications that includes malware inspection, DLP (data loss prevention) and IPS (intrusion prevention). We also have other technologies needed to directly interact with cloud application providers for added security, both with respect to authentication, such as two-factor or SAML, and with security services. We build many of these capabilities into the silicon, allowing it to scale quickly. Software-only solutions often run out of horsepower when heavy loads are placed on them.

Zeus: And how do you deliver security for cloud providers? 

Michael: Fortinet delivers security to the cloud and for the cloud. We support all major cloud deployment scenarios, whether public or private. This provides customers the ability to choose and migrate where and when they need. We partner with AWS, Azure, Google and others to offer a variety of deployment choices, a common operating system, and a management platform across IoT to cloud.

With cloud providers, performance is everything, particularly for encrypted sessions. Specifically, Fortinet’s security processing unit (SPU) technology provides an advantage, as the process of decrypting and encrypting is very processor intensive and requires scale in silicon. Also, cloud providers rely heavily on virtualization, which requires deployment flexibility. Our solution can run as standalone hardware but also as virtual instances, making it highly agile. Also, the ability to virtualize security services means that cloud providers can focus on a very high-performance security need, such as blacklisting or port-based security, without having to deploy a full enterprise-grade solution.

Zeus: Is there an aspect of the cloud that benefits Fortinet?

Michael: Absolutely. Leveraging the cloud, we can aggregate security information from all over the world to help block threats within minutes from when they are discovered. Every URL/file used to be a separate incident, but now with our cloud platform, we can collect the data and find incidents quickly across the globe. Also, we have built a threat intelligence exchange where we partner with various government and non-government organizations, as well as some of our competitors, to build a bigger database of knowledge.


Copyright © 2017 IDG Communications, Inc.
