How secure is your cloud?

By Maxtec and John Ward

As cloud adoption continues to ramp up and with the ever-increasing Work from Anywhere (WFA) “ringing true” across South Africa, we thought it pertinent to reach out to our friend John Ward, Principal of Systems Engineering and SME for Public Cloud, Africa at Fortinet, to unpack the benefits and demystify the enigma around securing these two key movements.

John is a cybersecurity veteran with roots stretching back to the 90s – a time when “bad actors” were only just beginning to see the gaps and take advantage of business and personal data in an evolving landscape.

Today, the cybercriminal community is a highly organised and innovative ecosystem, fervently taking advantage of rapid cloud adoption and an unsuspecting remote workforce to push the boundaries of cybersecurity. John eloquently walks us through the essentials of Cloud Security and Zero Trust Network Access, two key focus areas that are critical to defending users and applications that are now spread across a range of different devices and locations.

Read our full exchange in the Q&A transcript below:

Q: With WFA being a major business shift after the pandemic, would you say that it’s irresponsible for companies to carry on without a Zero Trust Network Access (ZTNA) strategy in place?

A: The answer would be a resounding yes! As time has progressed, our work environment has changed. We were already starting to hit a cycle before Covid-19 where a transition towards zero trust was becoming a requirement. With the current environment, traditional methods simply aren’t good enough to keep up with bring-your-own-device (BYOD) and users connecting from a range of different locations. Traditional VPNs work but they’re clunky. With ZTNA, users don’t need to worry about which device or which location; they can get dynamic, continuously secure access to any environment, from anywhere, on any device. Plus, it makes it easier and quicker to perform cloud migrations.

Q: What are some of the major threats associated with work-from-anywhere (WFA), if your security strategy is not up to scratch?

A: One specific threat would be malware – including ransomware. When someone connects from home or from a coffee shop network where there are multiple users, they open themselves up to an attack vector for which they may not be protected, meaning that they can be compromised. This is where Zero Trust kicks in. When that device then connects to corporate resources, ZTNA evaluates the host, checks its current status, what’s changed over time, and makes sure that there are no malicious applications running that the user may not even be aware of.

Q: If employees are working from home, should they worry about their IoT devices posing risks to the business network?

A: Corporate Network Security Operators must worry about all eventualities and assess all user activity, creating choke points at each stage of access. We’re already seeing an increase in attackers targeting users via home devices, as a way to get to the corporate network. “Don’t attack them in the castle, get them while they are crossing the drawbridge.” With IoT and connected devices cluttering homes and other network-heavy spaces, both businesses and users should be aware of the risks posed when not enforcing a ZTNA approach or a strong security posture.

Q: A lot of employees work while travelling, connecting to unsecured networks as they move. How does ZTNA keep things simple and safe for these users?

A: ZTNA provides a seamless next-gen security experience for users. Not only does it offer the ability to securely connect from anywhere, it abstracts the underlying connection mechanism so that users don’t have to think about it. They don’t have to worry about manually setting up a connection or wondering whether resources are on-prem or in the cloud.

Those resources are all protected by ZTNA constantly assessing the users, their devices, and their traffic. ZTNA can be provided in the cloud, on-prem or even as a SaaS – something called SASE (Secure Access Service Edge) – so that customers don’t have to build, maintain or scale the service.

We need to remember that a lot of attacks are opportunistic, so without ZTNA, a simple outdated patch could lead to disaster for the entire organisation.

Q: We’ve spoken about remote-access; what about in-office staff, how does ZTNA bolster security on-premises?

A: One of the things that comes up a lot in my discussions is – at what level do I trust a user when they are inside my network? If we consider everyone and everything on a network to be untrusted, and a potential breach to be present, we can design networks to assume that they have already been compromised; then work backwards from there. So, at the end of the day, it doesn’t really matter whether users connect remotely, or bring a physical device on-prem. By treating everyone the same way, we get continuous protection, with granular segmentation, to control access and the flow of traffic on our networks.

Q: What about SD-WAN, can ZTNA integrate into my current solution?

A: Yes, they integrate extremely well. Many customers already have an SD-WAN enabled topology that creates a seamless operating environment, stretching from on-prem, all the way into various cloud providers and cloud regions. Be it Hybrid or Multi-Cloud, ZTNA works really well with SD-WAN. You can think of ZTNA as offering a new way of connecting into these environments so that users can securely and reliably access the resources they need, wherever they, or said resources, may be situated.

Q: Users often mention a lack of visibility into who or what is accessing their cloud environments, why is this the case?

A: Companies are moving to new cloud environments and the way that cloud operates is quite different. Many Security Professionals consider visibility into an environment as the Source IP Address but with Network Address Translation (NAT) being common for inbound cloud traffic, that often isn’t even an option. One needs to look at where the physical device is connecting from, what privileges the user needs, as well as insight into the traffic these users are creating. ZTNA provides all these things, along with visibility into what traffic is being sent through Deep Packet Inspection.
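The decision model John describes in the answers above (evaluate host posture and what has changed over time, treat on-prem and remote users the same, and do not rely on source IP because of NAT) can be illustrated with a small policy engine. This is an added example written for this page, not Fortinet code; the thresholds, role table and blocklist are assumed, and the sample device and request data are constructed.

```python
from dataclasses import dataclass, replace

MAX_PATCH_AGE_DAYS = 30                        # assumed policy threshold
BLOCKED_PROCESSES = {"cryptominer.exe"}        # constructed example blocklist
RESOURCE_ROLES = {"payroll-api": {"finance"}, "wiki": {"staff", "finance"}}

@dataclass(frozen=True)
class Device:
    patch_age_days: int
    edr_running: bool
    processes: frozenset

@dataclass(frozen=True)
class Request:
    user: str
    roles: frozenset
    device: Device
    resource: str
    source_ip: str    # carried for logging only, never used in the decision

def evaluate(req):
    """Return (allowed, reason). Run on every request, not once per session,
    so posture drift on an already-connected device is caught at the next check."""
    if req.resource not in RESOURCE_ROLES:
        return False, "unknown resource"
    if not req.roles & RESOURCE_ROLES[req.resource]:
        return False, "role not entitled to resource"
    dev = req.device
    if not dev.edr_running:
        return False, "endpoint protection not running"
    if dev.patch_age_days > MAX_PATCH_AGE_DAYS:
        return False, f"patch level stale ({dev.patch_age_days} days)"
    bad = dev.processes & BLOCKED_PROCESSES
    if bad:
        return False, f"blocked process present: {sorted(bad)}"
    return True, "ok"

# Constructed sample: the same user and healthy device seen from two locations.
healthy = Device(patch_age_days=5, edr_running=True, processes=frozenset({"outlook.exe"}))
office = Request("alice", frozenset({"finance"}), healthy, "payroll-api", "10.0.0.5")
cafe = replace(office, source_ip="198.51.100.7")
# The same device later in the session, after patching lapsed and an unapproved process appeared.
drifted = replace(healthy, patch_age_days=45, processes=frozenset({"outlook.exe", "cryptominer.exe"}))
later = replace(cafe, device=drifted)

if __name__ == "__main__":
    for r in (office, cafe, later):
        print(r.source_ip, evaluate(r))
```

The office and coffee-shop requests get the identical verdict because the source address is never consulted; only the later posture change flips the decision.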

Q: Phishing and email-based attacks are still at the top of the threat list; can you tell us how Cloud Security can help combat the mail attack vector?

A: Despite being with us since the mid-90s, email is probably the worst threat vector for security professionals, because people are cursed with the fear of missing out. The human condition is to be inquisitive, and phishing attacks play on emotions to catch people off-guard. The interesting thing about securing email in the cloud is that it can be non-obtrusive and simple to manage. With Security SaaS offerings such as FortiMail Cloud, customers don’t have to know or learn how to build, scale, and maintain a secure email gateway. They can simply consume it as a service. That way, they get optimum protection from the latest malware, spam, and phishing, as well as content filtering to ensure safe access, but with minimum overhead. Plus, they get email continuity in the event that their email server is unreachable, something that we’ve seen become an issue a few times recently.

Q: With the rush to deliver new services faster with cloud, how can Security Professionals protect business-critical web applications?

A: It’s all about securing the environment and then being more specific about the applications within your environment. These advanced controls aren’t specific to cloud; the same rules apply on-prem. But web applications and APIs are really on the front line in terms of attacks, since the majority of them are exposed to the public Internet. At the same time, developers are often neither application nor network security experts. Making it easy for them to publish code fast but keep their environments clean is key.

With a tool like FortiWeb, which combines a WAF (web application firewall), API security, and Layer 7 DDoS protection, and which is even available as a SaaS offering, there’s really no excuse. The solution puts a Zero Trust layer in front of applications, websites, and APIs. Known threats and vulnerabilities are automatically blocked by the latest threat intelligence from FortiGuard Labs, and machine learning identifies the difference between malicious activity and anomalies. This ensures developers aren’t blocked every time they make a change, and security teams aren’t bombarded with false positives. It also offers vulnerability scanning to help identify and address risks before a bad actor finds them.

The tricky part is threats that have never been seen before, or zero-days. That’s where sandboxing comes into play – figuring out if something is malicious or simply benign by activating it in a safe environment. FortiSandbox then feeds that answer back into the security infrastructure, and into the broader threat community, through a cybersecurity mesh architecture that is the Fortinet Security Fabric.

Q: The huge variations in user and traffic volumes to a website can be a big challenge; how can Security Professionals help here?

A: Availability is one of the key pillars of security, so being able to scale to demand is key. User experience can be terrible otherwise. FortiWeb has its own built-in CDN (Content Delivery Network) to deliver the best user experience based on where a user is connecting from. For other applications and network connectivity, application and service performance is vital. This is where FortiADC (Application Delivery Controller) and FortiGSLB (Global Server Load Balancing) can optimise application and service delivery to offer the best user experience and ensure resilience. Tracking what users are experiencing is also a great way to address issues quickly; this is where FortiMonitor can help. With early insights, support staff can be proactive instead of purely reactive, which is always a bonus for morale.

Q: Considering all of this, users need access to both cloud and non-cloud resources, where consistent security policies must be enforced. How do Fortinet’s Cloud Security and ZTNA solutions work to address this?

A: I would say that the best gift is to own a FortiGate. This industry-leading Next-Generation Firewall is already the mainstay for protecting cloud and on-prem environments, and it offers customers the ability to easily make the transition towards both cloud and a zero trust approach, as ZTNA is already built in. FortiGate acts as the Zero Trust Access Proxy that checks user trust levels and enforces access to applications in whichever data centre or cloud platform they reside. This gives users secure and seamless access to cloud or on-prem resources, and provides security teams with continuous evaluation of user access and associated risks. Plus, FortiGate can protect all the backend resources and data that threat actors are always after, whether on-prem or in any of the cloud platforms.

Centrally tracking all this activity is key to being able to detect and mitigate threats sooner. Users can start with FortiAnalyzer to consolidate Fortinet insight, expand to FortiSIEM to bring in security feeds from non-Fortinet devices, and progress to FortiSOAR to create automated playbooks. Wherever you are in this automation journey, it really is the only way to effectively manage risk and keep users and networks secure as today’s environments continue to rapidly expand.

The common thread in this discussion is a mesh architecture, such as the Fortinet Security Fabric. By utilising what many of Fortinet’s customers already have and extending it with Cloud Security and ZTNA for these new environments and user locations, cybersecurity professionals can easily “pave the way” to a future that we can all trust. Getting there as quickly as possible is pretty much the norm nowadays, and Fortinet Services, along with free training and workshops, can make that happen by leveraging our experience and expertise to boost in-house knowledge. All you need to do now is reach out.