Wednesday, May 22, 2019

Key Considerations for a Secure Cloud Migration

According to a 2018 Cloud Computing Survey by IDG, 73% of organizations already have at least one application or some portion of their computing infrastructure in the cloud, with an additional 17% planning to do so within the next 12 months. In line with that revelation, 42% of organizations are using multi-cloud. In addition, enterprise organizations have budgeted an average of $3.5 million for cloud investments for the coming year, an increase of nearly 36%.

Further, more than one third of respondents (38%) shared that their IT department feels pressure to migrate 100% to the cloud, which reflects the view of executive management at technology-dependent industries—including manufacturing, high-tech, and telecom—which are already driving toward becoming 100% cloud-enabled.

What this means is that, except for new startups that already have an entirely cloud-based infrastructure, 90% of organizations are either actively migrating their infrastructure and/or applications to the cloud or planning to do so. It also means that they are trying to bridge their business processes, applications, and workflows between their local physical network and WAN-based branch offices and one or more networks residing in the public cloud.

The challenge is ensuring that data, workflows, and applications can move quickly and seamlessly across and between these different physical and virtual environments. And from a security perspective, this also requires creating a consistent security posture across all local and cloud-based resources so that policies and enforcement can follow and protect those transactions.

Unfortunately, given the ad-hoc nature of most security deployments, many security policies simply cannot be consistently implemented across a multi-cloud environment, especially when using a variety of tools from a variety of vendors. Even for those rare companies that have standardized on a single security toolset, there are two additional challenges. First, features and functions are often inconsistent when a security tool does not operate natively in a cloud environment. Second, even when tools do operate natively, they do not operate consistently between cloud environments. This can create challenges as workflows and applications move between different cloud environments, resulting in security gaps and blind spots that can be exploited.

How to Migrate Security to the Cloud


Addressing these challenges requires careful preparation. This starts by establishing clear communication between lines of business and the IT and security teams.

"Without clear communications about business needs and objectives and a candid discussion of related threats, organizations open themselves to a whole array of new risks, including denial-of-service attacks targeting cloud resources, cloud malware injection, web application exploitation, cloud-API attacks and account or service hijacking."

—“6 Considerations for Secure Cloud Migration”, April 11, 2019, DevOps.com

To establish a single, consistent security framework that spans the entire multi-cloud infrastructure, every organization should consider the following six steps as part of their migration strategy: 



1. Establish a Common Security Framework


Isolated security devices, decentralized management, and vendor sprawl are usually the result of an ad-hoc, or “accidental,” security architecture. Before you can hope to create a consistent cross-network security strategy that spans your cloud deployments, you will need to impose a central security strategy. Once that is in place, you then need to ask three critical questions:

  1. What are your short- and long-term goals for your network? This includes business objectives, resources that need to be implemented, and how you will address the challenges of today’s digital marketplace.
  2. What are the risks associated with those goals? Answering that question often starts with performing a gap analysis for how cloud will change your security paradigm.
  3. How do you specifically address those challenges? This requires not only knowing your current security posture, but also its implications for your future business goals. You also need to understand the impacts of a distributed, cloud-based network on risk management, and the policies you need to have in place before you move a single process to the cloud.


2. Make Sure Your Infrastructure is Ready


Whatever you think your bandwidth requirements will be, you can be pretty sure that you have underestimated them. Ever since Bill Gates supposedly said “640K [of RAM] ought to be enough for anybody” back in 1981, new capacity has always driven the development and adoption of bandwidth-hungry applications. So to start, you will need to model and understand data flows and bandwidth requirements to ensure that your security solutions can meet performance requirements, especially for latency-sensitive services and new immersive applications that will need to travel over VPN tunnels. Then, assume you are wrong by at least half.

3. What About Compliance?


You can begin by understanding what requirements you have to meet for data processed and stored on the cloud, as well as for data that moves between different cloud and physical network environments. However, given things like GDPR and the new California Consumer Privacy Act, it’s only a matter of time before those requirements are ratcheted up. So any compliance strategy has to be flexible enough to adapt to new requirements. As a result, it is not only crucial that your legal team be consulted before you begin to build or adopt any sort of cloud program, but also that you consult experts working in areas where new, stricter regulations have already been put in place so you aren’t caught flat-footed when changes happen.

4. High Availability and Disaster Recovery are Table Stakes


The biggest fear for most organizations looking at a cloud solution, after addressing security concerns, is the continuous availability of cloud-based resources. It’s one of the primary drivers of a multi-cloud strategy. In addition to parsing out functions to different clouds, it is important to also consider redundancy of critical functions and data.

You also need to consider issues like the need for dynamic scaling (probably yes) and whether your security solutions can meet new performance requirements (probably no). Finally, you need to consider things such as flow symmetry, load balancing, and error correction to maintain availability, performance, and protection when utilizing highly dynamic, cloud-based services.

5. The Right Tool for the Job


“Cloud security requires much more than simply placing a firewall at the perimeter of the cloud infrastructure. A wide range of security solutions will need to be applied depending on the applications running and services being used. A next-generation firewall (NGFW) solution is the most common security tool to be applied, but other solutions are often also required, including web application firewall (WAF), intrusion protection or detection service (IPS/IDS) and a cloud access security broker (CASB).”

—“6 Considerations for Secure Cloud Migration”, April 11, 2019, DevOps.com

6. Lifecycle Management


Consistency in security policy and enforcement, especially when they span multiple environments, is crucial. In addition to their ability to operate natively in a cloud, security tools also need to be chosen for their ability to interoperate seamlessly through the entire security policy life cycle with solutions deployed in other environments.

This includes things like consistent support for changes in security policy, consistent dynamic provisioning and scaling, a single point of management (including integration with a central ITSM solution and central log collection), and centralized policy orchestration and correlation. To make this happen without compromising on security functionality and efficacy, organizations need to consider adopting open standards, APIs, and cloud connector technology that can translate between solutions deployed in different cloud environments on the fly.

Don’t Be Fooled Into Taking Security Shortcuts


Adopting a cloud service can be deceptively easy. In many cases, it’s as simple as clicking a link. Likewise, adding a new cloud-based infrastructure is far easier than building its physical counterpart. But that can be deceptively simplistic when it comes to security.

“Far too many organizations have had to pay the price for rushing into a new cloud solution without carefully considering challenges related to security. These have ranged from opening new attack vectors into their network, to being unprepared for new cloud-based threats or being blindsided by fines and penalties for failing to adequately prepare for new compliance considerations.”

Wednesday, April 10, 2019

Fortinet’s New SD-WAN Capabilities Help Achieve Maximum Application Performance

The Promise of SD-WAN


SD-WAN, on the other hand, enables the creation of a flexible, resilient, and secure network that can deliver the rich services and interconnectivity to the remote SD-Branch that today’s digital businesses require. It also comes with no bandwidth penalties, is relatively easy to set up, and can easily adapt as the network’s digital framework continues to evolve.

As a result, SD-WAN is now the fastest growing networking technology segment. According to IDC, the "optimization of WAN bandwidth" and "consistent application security" are the top two motivations for SD-WAN deployments, while a study by Dimensional Research indicates that more than 85 percent of companies reported that they are actively considering SD-WAN to increase security and reduce sprawl.

But not all SD-WAN offerings provide the solutions that organizations require. SD-WAN not only needs to provide low-cost WAN connectivity, but also ensure that business-critical unified communication application performance remains high—without compromising on effective security. An effective SD-WAN solution also needs to enable WAN overlay combined with simple operations for deploying and managing both Security and SD-WAN functionality across their large networks, which only a few vendors can provide.

Fortinet’s commitment to SD-WAN innovation is setting a new pace by providing organizations with advanced SD-WAN capabilities, including business-critical application performance, interoperability, and simplified overall orchestration, all of which today’s organizations require to compete effectively in the digital marketplace.

New Fortinet Secure SD-WAN Capabilities


  • WAN Path Remediation utilizes forward error correction (FEC) to overcome adverse WAN conditions such as poor or noisy links. This enhances data reliability and delivers a better user experience for applications like voice and video services. FEC adds error correction data to the outbound traffic, allowing the receiving end to recover from packet loss and other errors that occur during transmission, improving the quality of real-time applications. 


  • Tunnel bandwidth aggregation uses per-packet load balancing to maximize bandwidth utilization and ensure that chatty applications have the performance they need, without compromising the bandwidth of other applications. To provide better insight into bandwidth management, Fortinet Secure SD-WAN is also able to detect and report WAN bandwidth on demand.


  • Application steering through an accelerated overlay VPN network provides the best quality of experience across a low-cost WAN through enhanced application recognition accuracy combined with deep SSL inspection and the lowest performance impact.
  • New granular historic analytics makes it easier for customers to assess the health of applications and quickly automate policies for effective application steering in the future.

All of these enhancements enable enterprises to improve application performance and reduce WAN troubleshooting and cost.
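The forward error correction described in the WAN Path Remediation item can be illustrated with a single XOR parity packet per group. This is an added example, not Fortinet's implementation: the page does not say which FEC code the product uses, and the XOR parity scheme, function names, and sample packets here are assumptions.

```python
from functools import reduce


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encode_group(payloads):
    """Sender side: frame each payload and append one XOR parity packet.

    Each frame is a 2-byte length prefix plus the payload, zero-padded to a
    common size so the XOR is well defined and padding can be stripped later.
    """
    size = max(len(p) for p in payloads) + 2
    frames = [(len(p).to_bytes(2, "big") + p).ljust(size, b"\x00") for p in payloads]
    return frames + [reduce(xor_bytes, frames)]


def decode_group(received):
    """Receiver side: `received` holds the frames in order, None where a
    packet was lost, with the parity packet in the last slot.

    One loss per group is repairable, because XOR-ing all surviving frames
    reproduces the missing one. Two or more losses are not.
    """
    lost = [i for i, frame in enumerate(received) if frame is None]
    if len(lost) > 1:
        raise ValueError(f"{len(lost)} packets lost; one parity packet repairs only one")
    if lost:
        rebuilt = reduce(xor_bytes, [f for f in received if f is not None])
        received = received[:lost[0]] + [rebuilt] + received[lost[0] + 1:]
    return [f[2:2 + int.from_bytes(f[:2], "big")] for f in received[:-1]]


def demo():
    # Constructed sample payloads standing in for voice/video packets.
    payloads = [b"voice-frame-0001", b"short", b"video-frame-with-longer-body"]
    wire = encode_group(payloads)   # 3 data packets + 1 parity packet
    wire[1] = None                  # simulate loss on a noisy link
    return decode_group(wire)


if __name__ == "__main__":
    print(demo())
```

The cost is the extra parity packet sent with every group, so a smaller group size trades bandwidth for tolerance of more frequent loss.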

New 360 Protection Services Enable Overlay Cloud Orchestration


Fortinet has also announced a new overlay orchestration solution that simplifies overlay VPN deployment with cloud-based automated provisioning to reduce complexity and overhead.

Our new cloud-hosted FortiManager solution is the first solution to fully support complex SD-Branch deployments, allowing organizations to manage the entire SD-Branch suite—including all SD-WAN connections, an integrated portfolio of security solutions, as well as access points and switches—through a single pane of glass.

Fortinet Provides the Fastest, Securest, and Most Comprehensive SD-WAN Solution Available


In addition to advanced SD-WAN link remediation, Overlay Cloud orchestration, cloud-based management controls, and application services, Fortinet’s new SD-WAN ASIC delivers 10X the performance of competitive solutions. It also accelerates application recognition, and extends connectivity and security functionality and performance from the SD-WAN connection into the branch WAN, optimizing the SD-Branch experience.

Today’s organizations are increasingly reliant on solutions that can help them meet the demands of digital business and their DX efforts. While many SD-WAN solutions provide basic connectivity, they struggle to provide the full range of speed, interconnectivity, flexibility, and security that today’s branch offices truly require. Fortinet’s Secure SD-WAN technology, augmented by the recent release of FortiOS 6.2 and the new SD-WAN ASIC, is the first solution to not only meet, but exceed all of the requirements and expectations of the next-generation branch.