Cloud-based services and infrastructures provide organizations with the agility and flexibility needed to stay competitive. However, the security solutions deployed alongside these services often take the form of a heterogeneous set of technologies and disparate security controls in various cloud environments, leading to gaps in protection.
This article explores the main factors that must be considered when building a cloud security strategy—including platform security, application security, and network security—and how those strategies form a cohesive whole.
Three Key Areas of a Cloud Security Strategy
The ultimate goal in developing a cloud security strategy is to unify security solutions deployed across cloud infrastructures, applications, and connections so that visibility and control can be managed centrally on a single platform. Such a comprehensive strategy must enable monitoring and response across three different levels within the cloud environment.
First and most critical is the cloud platform and infrastructure itself must be secure – this is the backbone that the cloud itself is built upon. This includes securing any software-as-a-service (SaaS) usage while also providing infrastructure visibility and control. Second, any cloud-based applications that connect internally and externally across clouds must be secured thereby protecting the application and its underlying data. And third, security must be integrated at the network level to ensure gaps in protection don’t occur at the network or multi-cloud level.
Securing a cloud platform can be further broken down into four primary areas of concern: SaaS security, infrastructure visibility and control, compliance, and security management and analytics.
SaaS in the cloud offers flexibility, scalability, and cost-effectiveness over on-premises software deployment. However, because these services are so convenient, it often leads to cloud sprawl within an organization, making it difficult to manage associated security risks. To address this problem, the FortiCASB-SaaS cloud access security broker service leverages APIs for SaaS applications to monitor all activity and configurations across all SaaS services. This includes providing complete visibility of usage, monitoring for malware and data loss, control of resource consumption, and more.
Misconfiguration is one of the leading causes of cloud-related risk. To secure cloud use at the infrastructure level, a tool like FortiCWP can provide the necessary comprehensive cloud workload protection by leveraging the public cloud management API. FortiCWP provides cloud infrastructure visibility and control, including risk management, data security, traffic analysis, and threat protection.
FortiCWP can also create compliance reports. Adding on FortiSIEM can provide a more comprehensive compliance picture across multiple clouds and third-party products, while FortiAnalyzer and FortiManager allow for the collection of logs and management of changes.
Cloud-based applications are vulnerable to threats as well as compliance issues. According to the 2020 Verizon Data Breach Investigations Report, 43% of all data breaches result from web-based application hacks. Fortinet’s fabric-based approach to web application security makes use of machine learning to block attacks with nearly perfect accuracy and also includes a virtual firewall, threat update feed, and a cloud-based sandbox.
The Fortinet Security Fabric goes beyond traditional point security solutions by using open standards and protocols to integrate multiple security devices into a single system that can span a multi-cloud environment. This, in turn, prevents security gaps and siloed solutions while making it possible to manage and automate security features from a single dashboard.
Solutions of particular value that can be integrated into this approach include FortiWeb, a web application firewall that secures web services APIs. Additionally, FortiGate-VM—the virtual cousin of FortiGate Next-Generation Firewall (NGFW)—enables central enforcement of security policies and increased visibility. Finally, the FortiSandbox cloud service allows for dynamic analysis to detect previously unknown threats. These tools additionally enable security for all stages of container deployment and support faster development.
The final piece to consider in any cloud security strategy is the protection of connectivity between data centers and clouds. Traditionally, the security measures deployed in this space tend to be inconsistent and complicated to manage, leading to security gaps. Once again, the Fortinet Security Fabric can help fill these gaps and simplify the overall strategy.
Key elements that can contribute to a secure network include FortiGate NGFW, which provides secure connectivity and network segmentation, FortiGate-VM, which can securely communicate and share consistent policies with NGFWs, FortiManager, which simplifies management across the entire enterprise, and FortiAnalyzer, which allows for analysis, reporting, and archiving security events.
Centralized security management via a cloud security services hub helps unify disparate environments, provide visibility, and enable consistent security policy enforcement without hindering the work of developers using these environments. Comprehensive network security also enables secure, on-demand remote access from anywhere, which can’t be achieved with traditional remote access VPNs.
Additional benefits of this fabric-based approach to network security include high-speed connectivity that doesn’t compromise performance, the ability for teams to develop security solutions autonomously and dynamically adjust security policies, and blocking of lateral attack movement.
Cloud Security – Putting It All Together
Fortinet Adaptive Cloud Security Solutions make it possible to address cloud security at the platform, application, and network levels all under one umbrella with single-pane-of-glass visibility and control, and consistent policies. This empowers organizations to secure any application on any cloud.
A fabric-based approach takes security beyond a complex collection of point solutions or a hub and spoke model matching the network structure by creating a meshed security network that enables communication between all security functions while maintaining central visibility and management capabilities. Not only does this model provide more comprehensive and less complex protection, but it scales and adapts easily to change—which is vital in a world where technology progresses at break-neck speeds and threat landscapes continue to expand.
Learn how Fortinet’s adaptive cloud security solutions provide the necessary visibility and control across cloud infrastructures, enabling secure applications and connectivity from data center to cloud.