There has been a shift to cloud computing over the past few years, but the skills to manage these cloud workloads and applications have not kept up with demand. Even now, 10 years after the launch of Microsoft Azure and more than 15 years after Google and AWS launched their cloud services, we still have companies that apply a traditional on-premises strategy to deploying and managing network security in the cloud. Why?
Skills and resources
I believe this can be attributed to a lack of expertise and a shortage of resources. Network administrators who have worked primarily with network security on-premises may simply lack the training to deploy a cloud-first strategy for the workloads and applications being moved to the cloud. As a result, they deploy what they understand, and ultimately create friction and anti-patterns in the cloud. This can leave security and performance gaps that are difficult to identify without the right expertise.
Even a skilled administrator can end up with a network that is complex and time-consuming to operate. Hybrid networks or cloud firewall deployments that scale into the thousands can be difficult to configure, manage, and troubleshoot. This gets harder still when the number of security alerts becomes overwhelming and therefore meaningless. For example, Azure Security Center uses threat intelligence and behavioral analytics to raise alerts that range from logins from unfamiliar locations to brute-force attacks against your virtual machines. Security Center generates alerts for resources deployed on Azure, as well as for resources deployed in on-premises and hybrid cloud environments. These alerts quickly turn into background noise if they aren't triaged and managed correctly.
Breaking it down
- Azure Virtual Networks (VNet) — a private address space in which virtual machines communicate securely with each other, with the internet, and with on-premises networks.
- Subnets — segments of the VNet's address space into which administrators place resources. This improves address allocation and lets security rules be applied at a more granular level.
- Network security groups (NSG) — an ordered set of allow/deny rules, evaluated by priority, that is associated with a virtual machine's network interface or with a subnet. This allows microsegmentation of traffic inside a VNet or subnet. When both a subnet and a network interface carry an NSG, traffic must be permitted by both.
- Firewalls — A firewall in Azure can be the native Azure Firewall or a vendor-based firewall like Barracuda CloudGen Firewall. These firewalls provide a centralized way to control egress and ingress traffic, and some vendors like Barracuda also allow deep packet inspection with IDS/IPS and application control.
The simple VNet architecture shown below illustrates the firewalls and the network security groups assigned to various subnets and other resources.
Automation makes it easy to deploy across datacenters for regional coverage and to scale with customer traffic. Current cloud capabilities let you deploy applications across different VNets, regions, subscriptions, and even cloud services. This enables greater efficiency, improved application performance, and the other business goals that drive cloud deployments. However, it also creates new challenges for the network security administrator.
To reduce risk while maximizing the benefits of the cloud, companies have to plan the network architecture and the supporting IT processes. Network administrators need to know how to configure and manage the firewalls, NSGs, and other resources that keep the network secure. For example, in an enterprise network with thousands of firewalls and NSGs, how will the following scenarios be handled?
- An ecommerce web app subnet needs to be updated to accept traffic from a specific IP address
- A native security service triggered an alert that a VM was the target of a DDoS attack
- An IP address has to be blocked from making any inbound or outbound calls
Without proper planning or the proper tools, network administrators can get bogged down in troubleshooting these incidents. How will the company scale network security and the additional management of network security services so that this doesn't happen?
Many firewall administrators lack cloud expertise, which makes it harder to work out which NSG or firewall governs a given VM or subnet. The task becomes unmanageable as the number of rules and network security groups grows.
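As an added example (not Barracuda or Azure code), the script below models how an NSG decides a flow and then works the first and third scenarios from the list above: allowing one source IP into a web subnet, and pushing an inbound and outbound block for an IP across several NSGs in one pass. The IP addresses, NSG names and VNet range are constructed; the NSG semantics (first match by ascending priority, Azure's default rules at 65000 and above) follow Azure's documented behaviour, with source ports and the AzureLoadBalancer tag left out for brevity. It also shows the check worth running on a fleet-wide push: an existing Allow rule with a lower priority number silently shadows the new Deny.

```python
"""Toy model of Azure NSG evaluation and of pushing one policy across many
NSGs. Added illustration for this post, not Barracuda or Azure code.
Assumed semantics: rules are tried in ascending priority; the first rule
whose direction, protocol, source, destination and destination port all
match decides the verdict; default rules sit at priority 65000+."""
from dataclasses import dataclass, field
import ipaddress


@dataclass
class Rule:
    name: str
    priority: int            # custom rules use 100-4096; lowest number wins
    direction: str           # "Inbound" | "Outbound"
    access: str              # "Allow" | "Deny"
    protocol: str = "*"      # "Tcp" | "Udp" | "*"
    source: str = "*"        # CIDR, "*", "VirtualNetwork" or "Internet"
    destination: str = "*"   # same forms as source
    dest_ports: str = "*"    # "443", "8000-8080" or "*"


def default_rules():
    """Subset of Azure's built-in rules; every NSG carries them."""
    return [
        Rule("AllowVnetInBound", 65000, "Inbound", "Allow", "*", "VirtualNetwork", "VirtualNetwork"),
        Rule("DenyAllInBound", 65500, "Inbound", "Deny"),
        Rule("AllowVnetOutBound", 65000, "Outbound", "Allow", "*", "VirtualNetwork", "VirtualNetwork"),
        Rule("AllowInternetOutBound", 65001, "Outbound", "Allow", "*", "*", "Internet"),
        Rule("DenyAllOutBound", 65500, "Outbound", "Deny"),
    ]


def addr_match(prefix, ip, vnet):
    """Does `ip` fall inside `prefix`? Service tags are resolved against the
    VNet address space `vnet` (a simplification of the real tag lists)."""
    addr = ipaddress.ip_address(ip)
    if prefix == "*":
        return True
    if prefix == "VirtualNetwork":
        return addr in ipaddress.ip_network(vnet)
    if prefix == "Internet":
        return addr not in ipaddress.ip_network(vnet)
    return addr in ipaddress.ip_network(prefix, strict=False)


def port_match(spec, port):
    if spec == "*":
        return True
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)


@dataclass
class NSG:
    name: str
    vnet: str                                   # address space used to resolve tags
    rules: list = field(default_factory=default_rules)

    def evaluate(self, direction, proto, src, dst, port):
        """First match by ascending priority, as the Azure data plane does."""
        for r in sorted(self.rules, key=lambda r: r.priority):
            if (r.direction == direction
                    and r.protocol in ("*", proto)
                    and addr_match(r.source, src, self.vnet)
                    and addr_match(r.destination, dst, self.vnet)
                    and port_match(r.dest_ports, port)):
                return r.access, r.name
        return "Deny", "<no rule>"   # unreachable while default rules are present


def allow_source_ip(nsg, ip, port, priority):
    """Scenario 1: let one external IP reach the subnet on one TCP port."""
    nsg.rules.append(Rule(f"allow-{ip}-{port}", priority, "Inbound", "Allow",
                          "Tcp", f"{ip}/32", "VirtualNetwork", str(port)))


def push_block(nsgs, ip, priority=100):
    """Scenario 3: deny an IP in both directions on every NSG in one pass.
    Returns (nsg, rule) pairs where an existing Allow with a lower priority
    number still matches the IP in the same direction and therefore shadows
    the new Deny; that is the check to run before trusting a fleet-wide push."""
    shadowed = []
    for nsg in nsgs:
        for direction, side in (("Inbound", "source"), ("Outbound", "destination")):
            nsg.rules.append(Rule(f"deny-{ip}-{direction.lower()}", priority,
                                  direction, "Deny", **{side: f"{ip}/32"}))
            for r in nsg.rules:
                if (r.access == "Allow" and r.priority < priority
                        and r.direction == direction
                        and addr_match(getattr(r, side), ip, nsg.vnet)):
                    shadowed.append((nsg.name, r.name))
    return shadowed


if __name__ == "__main__":
    # Constructed fleet: two NSGs on one VNet, TEST-NET addresses as clients.
    web, app = NSG("nsg-web", "10.0.0.0/16"), NSG("nsg-app", "10.0.0.0/16")
    allow_source_ip(web, "203.0.113.10", 443, 200)
    print(web.evaluate("Inbound", "Tcp", "203.0.113.10", "10.0.1.4", 443))
    print(push_block([web, app], "198.51.100.7"))
    print(app.evaluate("Outbound", "Tcp", "10.0.1.4", "198.51.100.7", 443))
```

In production the two operations map to `az network nsg rule create` with its `--direction`, `--priority`, `--access` and address-prefix parameters; the shadow check is the part most consoles do not do for you, and a rule that never takes effect is worse than no rule because the alert looks handled.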
Barracuda Cloud Security Guardian provides a centralized way to manage firewall rules and network security groups across multiple subscriptions, tenants, and cloud services. With Barracuda Cloud Security Guardian, you get the following benefits:
- Visibility across your network infrastructure — Get a better view of your VNet, subnet, virtual machines, and associated network security groups
- Centralized deployment and management of Azure Firewall or Barracuda CloudGen Firewall — Deploy shared and local rules for ease of management. Auto-detect existing Barracuda CloudGen Firewalls deployed in Azure and AWS and manage policies from a central console
- Centralized management of network security groups — Ease of management using shared and local rules. Push a single policy across all network security groups, such as blocking a malicious IP address across multiple NSGs.
- Deploy and manage Barracuda Web Application Firewall — Centralized management of services in a web application firewall. View all Barracuda Web Application Firewalls across all of your cloud subscriptions and cloud providers and manage them from Cloud Security Guardian.
Click here to evaluate Cloud Security Guardian for 30 days.
Vinayak Shastri is a Sr Product Manager at Barracuda Networks. In his role, he runs product management for Barracuda Cloud Security Guardian. He has contributed the last five years on cloud security and the past 12+ years in various roles around sales and technical marketing. He holds a Masters in Business Administration from the University of North Carolina and a Bachelor of Engineering from VTU, India.
Connect with Vinayak on Linkedin here