What is a Public Cloud Firewall?


Public cloud firewalls are virtual network security devices deployed in the public cloud. As a general rule, public cloud firewalls tend to offer capabilities similar to those of hardware firewalls. However, in hybrid cloud deployments, public cloud firewalls offer significant advantages over on-premises devices in terms of scalability, availability and extensibility. Often also called “virtual firewalls,” these devices are referred to as “public cloud firewalls” when used in those environments.

The Need for Public Cloud Firewalls

Security for cloud-based applications is a shared responsibility between the customer and the cloud service provider (CSP). The CSP protects the infrastructure – hardware, software, networking and facilities – that runs its services. However, the organizations using these services are responsible for the security of the operating systems, platforms, access control, data, intellectual property, source code and customer-facing content that sit on top of the provider’s infrastructure (see Figure 1). Many CSPs offer firewalls as an optional service, but the user remains responsible for configuring firewall policies and monitoring threats.


Figure 1: Shared security model for cloud-based environments

As companies migrate existing applications from their data centers to the cloud, they often continue to use on-premises firewalls to secure their cloud-based assets. This configuration has the advantages of familiarity and proven efficacy, but it is difficult and expensive to scale, requiring substantial capital outlays for hardware and software as well as the overhead of installing, maintaining, and upgrading on-premises devices. In addition, many companies are reluctant to invest in the redundancy needed to ensure high availability for their firewalls. Also, global organizations find it impractical to extend in-house security to applications dispersed around the world.

Benefits of Public Cloud Firewalls

Public cloud firewalls address the limitations of on-premises firewalls and more. Running on the CSP’s infrastructure, these virtual firewalls are highly available because they take advantage of the CSP’s investments in redundant power and heating, ventilation and air conditioning (HVAC), as well as network services and automated backup systems to prevent data loss in the event of a site failure. 

As an organization’s cloud presence grows, public cloud firewalls scale gracefully by adding virtual instances, with no hardware installation or maintenance required. Even bandwidth-hogging threats, such as distributed denial-of-service (DDoS) attacks, can be mitigated quickly and effectively using public cloud firewalls.

Unlike on-premises firewalls, public cloud firewalls are deployed in close proximity to the assets they protect. This configuration avoids the bandwidth drain associated with backhauling traffic from the region to the data center and may reduce or eliminate the fees CSPs impose on traffic crossing regional boundaries. Even the CSP’s perimeter doesn’t constitute a barrier, thanks to interconnection agreements between most major CSPs.

How Public Cloud Firewalls Work

Like their on-premises counterparts, public cloud firewalls identify and control applications, grant access through user-based policies, and prevent known and unknown threats from entering the network perimeter. Public cloud firewalls provide application visibility across an entire multi-cloud environment, helping organizations make better informed decisions about security policies and procedures. Automation and centralized management enable developers to embed next-generation security in the application development lifecycle, ensuring security functionality can keep pace with cloud native development strategies and DevOps principles, such as continuous integration and continuous delivery (CI/CD). 

Given the increasing sophistication of advanced threats, perimeter breaches are inevitable. Today’s cyberthreats often compromise individual workstations or users and then move laterally across a network, gaining access privileges as they move, and placing mission-critical applications and data at risk wherever they are located. Top-tier public cloud firewalls support segmentation and microsegmentation strategies that isolate critical applications and data in secure segments to block lateral movement of threats and streamline regulatory compliance.

Public cloud firewalls work best when designed and configured to work in concert with the provider’s native security solutions, with no gaps. It is a best practice for an organization to procure public cloud firewalls from cybersecurity vendors who have jointly developed their solutions with the CSPs the organization intends to use.

Use Cases

As this discussion shows, public cloud firewalls are extremely versatile. Here are some typical use cases: 

  • Protect mission-critical applications and data: Public cloud firewalls isolate critical applications and data in secure segments based on Zero Trust principles as a means of controlling access. Zone-based policy architectures enable organizations to build access control policies based on applications and users, protecting east-west traffic between virtual machines.
  • Extend security to branch offices: Organizations deploy public cloud firewalls to extend security to their branch offices. As noted, the virtual nature of public cloud firewalls allows them to be deployed almost anywhere in the world – a particularly attractive feature for global enterprises.
  • Secure software-defined environments: Public cloud firewalls can secure software-defined environments, including software-defined networks and wide area networks (SDNs and SD-WANs). Organizations can ensure consistent network security across their entire enterprise, isolate point-of-sale and other critical systems, and secure the flow of live traffic over SD-WANs.
  • Safeguard private cloud assets: Public cloud firewalls can also meet the security needs of private clouds, which are on-demand compute environments used by a single organization. In these environments, virtual firewalls help maximize investment in highly virtualized environments and reduce time-consuming manual provisioning.
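
The segmentation and zone-based policy ideas described above can be modeled in a few lines. This is an added example, not code from the original page or from any firewall product: a default-deny zone policy keyed on application and user group, evaluated against constructed east-west flows. All zone, application and group names are hypothetical.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    name: str
    src_zone: str
    dst_zone: str
    app: str            # application identified on the flow, or "any"
    groups: frozenset   # user groups allowed to match; empty = any user
    action: str         # "allow" or "deny"

@dataclass(frozen=True)
class Flow:
    src_zone: str
    dst_zone: str
    app: str
    user_groups: frozenset

# Constructed policy; zone, application and group names are hypothetical.
POLICY = [
    Rule("web-to-app", "web", "app", "https", frozenset(), "allow"),
    Rule("app-to-db", "app", "db", "postgres", frozenset({"svc-app"}), "allow"),
    Rule("dba-admin", "mgmt", "db", "ssh", frozenset({"dba"}), "allow"),
]

def evaluate(flow, policy=POLICY):
    """First matching rule wins; unmatched traffic hits the default deny."""
    for r in policy:
        if (r.src_zone == flow.src_zone and r.dst_zone == flow.dst_zone
                and r.app in ("any", flow.app)
                and (not r.groups or r.groups & flow.user_groups)):
            return r.action, r.name
    return "deny", "default-deny"

def audit(policy=POLICY):
    """Flag allow rules that loosen segmentation (any app or any user)."""
    findings = []
    for r in policy:
        if r.action == "allow" and r.app == "any":
            findings.append((r.name, "allows any application"))
        if r.action == "allow" and not r.groups:
            findings.append((r.name, "not bound to a user group"))
    return findings

if __name__ == "__main__":
    # Constructed flows; the second is a lateral-movement attempt (web -> db).
    for f in [Flow("web", "app", "https", frozenset()),
              Flow("web", "db", "postgres", frozenset({"svc-app"})),
              Flow("app", "db", "postgres", frozenset({"svc-app"})),
              Flow("mgmt", "db", "ssh", frozenset({"helpdesk"}))]:
        print(f.src_zone, "->", f.dst_zone, f.app, evaluate(f))
    print(audit())
```

The web-to-db flow is denied even though it carries the right application and group, because no rule permits that zone pair; the audit pass reports the one allow rule that is not tied to a user group.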
