Cloud Security Fabric (2019)

Timo Lohenoja, CISSP Systems Engineer Fortinet

© Copyright Fortinet Inc. All rights reserved.

Enterprise Adoption

• Fast
  » New Cloud services are tried out and used every day
  » It is much easier to deploy a cloud application than decommission it
• Decentralized
  » New service creation is not funneled through a central IT dept.
  » Anyone across the organization may source a new cloud service
• Heterogeneous
  » Employees will use different cloud services from different providers
  » Different cloud services offer different security levels

Reality = All of the above

DELIVERY MODEL DEPLOYMENT MODEL

PaaS IaaS Public Community

SaaS Private

SERVICE PROVIDERS

YOURSELF

Risk = All of the above

DELIVERY MODEL DEPLOYMENT MODEL

PaaS IaaS Public Community

SaaS Private

• Malicious insiders
• Interface and API hacking
• APTs
• Data breaches
• DoS and DDoS attacks

SERVICE PROVIDERS

YOURSELF

Cloud Adoption Market Breakdown

[Chart labels: Laggards; Majority of Customers; Bleeding Edge; # Companies; Secure Journey to the Cloud; Mindshare; NGFW; CSPM/CASB; Cloud Native / CI/CD Integrated; CASB; WAF; Security Automation; Container/Serverless Security; Orchestration; Cloud Adoption Maturity]

Security Thinking Evolution

CLOUD SECURITY

PRODUCTIVITY

Security Thinking Evolution

CLOUD SECURITY

• AUTOMATION: Templates, Auto-Everything
• SECURITY: Processes, Policies, Controls
• CLOUD: On-demand, Ubiquitous

PRODUCTIVITY

Shared Responsibility

The majority of the cloud security responsibility is on the user — not the provider

95%: Cloud security failures through 2020 where the customer is at fault [1]

Customer security responsibility (customer builds applications that run IN the Cloud):
• Data & Content
• Applications, Platform & User Management
• OS, Firewall & Network Settings & Configuration
• Encryption & Network Traffic Protection

Cloud provider secures the infrastructure:
• Public Cloud Infrastructure Services: Storage, Network, Compute

Cloud Security Evolution

Virtualization Private Cloud Hybrid Public Cloud Hypervisor Port SDN—Orchestration Integration On-Demand

East-West North-South IaaS Cloud

Hypervisor

NGFW WAF Management Reporting APT

Connector API Flow SaaS Cloud

Proxy Broker CASI API

Cloud Market Insights

Roughly 5% of Cloud Spend is Security

FortiGate-VM FortiWeb FortiMail FortiSandbox FortiManager FortiAnalyzer FortiAuthenticator FortiSIEM

Fortinet has offerings and partial offerings for only part of the cloud security market

CASB, CSPM, NGFW, WAF, Micro Segmentation, Security Analytics, Security Management, Security Automation, Fabric Products

Customer Responsibility

Fortinet builds cloud security solutions to help the customer secure the cloud

Customer builds and manages security IN the Cloud:
• MANAGEMENT & AUTOMATION
• BROAD PROTECTION
• NATIVE INTEGRATION

Cloud provider secures the infrastructure:
• Public Cloud Infrastructure Services: Storage, Network, Compute

Security Framework for Digital Security

NIST Model

• Identify the Attack Surface
• Protect Against Known Threats
• Detect Unknown Threats
• Rapid Response
• Continuous Trust Assessment

Fortinet Security Fabric for the Cloud

DELIVERY MODEL DEPLOYMENT MODEL

PaaS IaaS MANAGEMENT & AUTOMATION Public Community

SaaS Private

BROAD PROTECTION NATIVE INTEGRATION

SERVICE PROVIDERS

YOURSELF

What’s Needed? - Multi-Cloud Security Single Console

Multiple Clouds Multiple Integrations Multiple Applications

Cloud Adoption Initiatives

CUSTOMER INITIATIVES

• MIGRATE: Migrating/Extending Applications to the Cloud; Datacenter transformation to the Cloud
• BUILD: Building Cloud Native Applications
• CONSUME: Consuming SaaS Applications

Fortinet Secures the Cloud Migration Journey

MIGRATE BUILD CONSUME INITIATIVES

Visibility and Control

Application Security

SOLUTIONS Secure Connectivity

FortiGate FortiWeb FortiManager FortiAnalyzer FortiGate FortiWeb FortiSandbox FortiMail PRODUCTS FortiCASB-Cloud FortiSandbox FortiClient FortiCASB-Cloud FortiCASB

Cloud Security Services Hub

Customer Challenge

As organizations grow, and their consumption of the cloud increases and expands, the need to separate security management from application development increases. Different organizational units tend to build applications in different virtual networks and even different clouds and datacenters. Securing all dispersed locations becomes challenging.

Solution

By building a central hub (transit network) for security functionality that securely interconnects all dispersed networks, locations, clouds and datacenters and can effectively enforce security policies between the different virtual networks and locations as well as offer central security filtering for traffic between these networks and the , organizations can effectively split the role of security management from application development.

Benefits

The key benefits of this approach are the ability to enforce consistent security across the entire set of networks. Additionally, organizational units can continue to develop security solutions autonomously without needing to wait for security policies to be applied and without exposing the organization to unwanted risk.

Unique Selling Points

• High Speed VPN Connectivity with Scale-out and Scale-Up options
• Flexible network connectivity and advanced routing capabilities

Related Topics

• FortiGate-VM Datasheets
• AWS Transit VPC & Transit Gateway functionality
• GCP Shared VPC

[Diagram labels: Cloud Network; VM; SD-WAN; Cloud VPN Gateway; Cloud Security Services Hub]

[Diagram labels: Amazon Macie; Amazon Inspector; flow logs; FortiCASB; instances; AWS Security Hub; virtual private cloud; High Speed IPSec VPN; Fabric Connector; Containers; Transit GW; FortiWeb Auto Scaling; FortiGate Auto Scaling; Branch Offices; Amazon WorkSpaces; Amazon API Gateway*; FortiWeb; FortiSandbox; FortiMail; AWS WAF; Protected Services and Resources; Cloud Services Hub]

Fortinet Cloud Security Strategy – 3 Pillars

MANAGEMENT & AUTOMATION
• POLICY
• CONTROL
• VISIBILITY
• FortiAnalyzer, FortiManager, API, FortiCASB

BROAD PROTECTION
• APPLICATION SECURITY
• NETWORK SEGMENTATION
• SECURE CONNECTIVITY
• FortiGate, FortiMail, FortiWeb, FortiClient, FortiSandBox

NATIVE INTEGRATION
• CLOUD SERVICE INTEGRATION
• CLOUD RESOURCE ABSTRACTION
• FORM FACTOR OPTIMIZATION
• Fabric Connectors, Automation Stitches

Cloud Security - Technology Fundamentals

• Network Security: Ingress/egress
• WAAP: Web Applications
• Platform Security: Cloud Platform API/UI

What Built in Cloud Network Security Lacks

• Management
• The Human Factor
• Operational Model
• DevOps vs. SecOps
• Application Awareness
• Multi-Cloud

Cloud Security – Fortinet Differentiators

FortiGate NGFW
• Most Scalable (out and up) – VPN, IPS, App Control
• Multiple Connectors – Multi-Cloud, Multi-Org, Cloud Services
• HA Failover (Unicast)

FortiWeb WAF
• Form factor flexibility – Docker for CI/CD, SaaS
• ML simplicity and Accuracy – WAAP for All
• Fabric Integration – SOC Integration

FortiCASB-Cloud
• Multi-Cloud Dashboards - Consistency
• FortiGuard Labs integration – Advanced Threat Protection
• Fabric Integration – SOC Integration

[Diagram labels: Ingress/egress; Web Applications; Cloud Platform API/UI; Platform Security]

Multi-cloud Security Reference Architecture

[Diagram labels: Remote Workforce; Policy Enforcement Connector / Management and Analytics; Cloud Access & VPN; NGFW; Internet; CASB; Container Security; VPN / SD-WAN; MPLS; Cloud Sandboxing; Enterprise Data Center / Branch Office; AWS CFT; Azure ARM; Terraform; Python]

• Policy Enforcement Connector
• Management / Analytics
• Next Generation Firewall
• Compliance Automation
• Advanced Threat Protection
• VPN IPSec Tunnels
• Web Application Firewall
• Identity and Access Management
• Cloud Access Security Broker
• Auto Scaling Security
• Denial of Service Protection

• Single Policy Set across all deployments
• Leverage metadata instead of traditional IP in security policies
• Automated workload and metadata discovery
• Centralized management & analytics across deployments
• Security workflows that adapt to deployment changes
• Auto-provisioning of security services across all platforms

• Block lateral threat propagation in East-West direction
• Comprehensive protection in N-S direction
• Advanced security (L7 Firewall, IPS, and ATP) for all traffic paths
• Intuitive visibility
• Automated VPN provisioning for multi-cloud connectivity
• Quarantine infected workloads automatically

Realizing the Vision of: Security Driven Networking

• BROAD: Visibility of the entire digital attack surface
• INTEGRATED: Protection across all devices, networks, and applications
• AUTOMATED: Operations and response driven by Machine Learning

[Diagram labels: Network Operations; Network Security; Multi-Cloud Security; Device, Access, and Application Security; Fabric APIs; Fabric Connectors; Open Ecosystem; Security Operations; Endpoint/Device Protection; Secure Access; Application Security]

Fortinet Security Fabric—Cloud

Network Operations

Multi-Cloud Security

Network Security

SaaS

Security Operations

The Broadest Security Portfolio in the Industry

Built from the ground up to deliver true integration end-to-end

Categories: Network Security, Endpoint Security, Web Application Security, Advanced Threat Protection, Multi-Cloud Security, Email Security, Secure Unified Access, Management & Analytics

Products: FortiOS, FortiClient, FortiMail, FortiAP, FortiSandbox, FortiAnalyzer, FortiWeb, FortiSwitch, FortiManager, FortiCASB, FortiSIEM

[Other labels: IoT; Endpoint; Secure Email Gateway; Network Access Control]

Platforms (B = BYOL, P = PAYG)

Platforms covered: VMware vSphere, Citrix Xen Server, Xen, KVM, Hyper-V, AHV, Amazon AWS, Microsoft Azure, Oracle OPC, GCP, Aliyun

FortiGate-VM ✓ ✓ ✓ ✓ ✓ ✓ B P B P B B P B P

FortiManager-VM ✓ ✓ ✓ ✓ ✓ ✓ B P B B B B

FortiAnalyzer-VM ✓ ✓ ✓ ✓ ✓ B P B B B B

FortiWeb-VM ✓ ✓ ✓ ✓ ✓ B P B P B B

FortiWeb Manager-VM ✓ B

FortiMail-VM ✓ ✓ ✓ ✓ ✓ B B

FortiAuthenticator-VM ✓ ✓ ✓ ✓ B

FortiADC-VM ✓ ✓ ✓ ✓ ✓ ✓ B B

FortiVoice-VM ✓ ✓ ✓ ✓ B B

FortiRecorder-VM ✓ ✓ ✓ ✓ P

FortiSandbox-VM ✓ ✓ B P P

FortiSIEM ✓ ✓ B

FortiProxy-VM ✓ ✓ B B

The Integration of Security Automation Into the Application Lifecycle

DevSecOps DevOps

Operations Development Operations Development

Application Security Delivery Application Delivery

Protection for the Layer 7 Perimeter

Web Protection API Protection Bot Protection

Cloud Security Use Cases

VISIBILITY AND CONTROL
• SaaS Visibility and Control
• Cloud Infrastructure Visibility and Control
• Compliance in the Cloud
• Cloud Based Security management and analytics

APPLICATION SECURITY
• Web Application Security
• Intent Based Segmentation
• Container Security
• Cloud Workload Protection

SECURE CONNECTIVITY
• Secure Hybrid Cloud
• Cloud Security Services Hub
• Secure Remote Access

Top Use Cases

[Use-case diagrams. Recoverable labels: Inside out Security; FortiCASB; Advanced App Protection; Cloud Services Hub; Transit VPC; NGFW; Public Cloud Management API; Internet; VPC1; VPC2; FortiGate-VM; Sandbox; Web & Mail Security; Web based and Mail Applications; FortiClient; VM; Public Cloud Based Infrastructure; IaaS and SaaS Security Management; Remote Access VPN; Public Cloud Based Security Management; Cloud Network 1; Cloud Network 2; Cloud Remote Access Points]

Performance Testing

FortiTester includes a wide range of testing functionalities, such as:
» Connection per Second
» Request per Second
» Concurrent Connection
» Throughput
» HTTP Transaction
» Packet per Second
» Payload Throughput
» Latency
» Loss Rate
» Back to Back
and more...

Performance Testing

FortiTester includes a wide range of protocols and applications:

HTTP, HTTPS, SSL, IPSEC, SSL-VPN, UDP, RFC Benchmark, TCP, DNS, NTP, RADIUS, SIP, TFTP, CIFS/SMB, FIX, FTP, IMAP, LDAP, NFS, POP3, PSQL, RDP, SMTP, YouTube, SSH, DHCP, WhatsApp, IGMP, RTSP/RTP

Deception is Widely Used in

Honey Pot Peter’s icon vs

Human warfare

Natural world Cybersecurity warfare (attack vs defend)

FortiDeceptor: Flexible

DEPLOYMENT
• On-Premise
• Public Cloud

DECOYS
• Branch
• Campus
• Data Center/Public Cloud

DECEPTION VMs
• Windows
• Linux

On-premises

SD-WAN

Cloud

Multi-Cloud Expansion has Expanded the Attack Surface

Single Console Public

Campus

Data Center

Branch Office SD-WAN CSP Cloud

Private Cloud

Retail Office Remote SaaS

The leader in Multi-Cloud Security

• Industry’s most cloud security offerings (Dozens)
• Maximum flexibility with global availability on all 6 cloud platforms
• Simplified solution deployment and security operations with a full suite of APIs, Automation Templates, and Integrations
• Mitigates ongoing cloud security risks via over 3 million global threat feeds providing advanced security telemetry
• Helping over 340,000 customers secure their journey to the cloud
• Leader in helping customers design, implement, and operate true Multi-Cloud Security with a dedicated Cloud Security Architect team

Summary

Business Aligned & Consistent Visibility, Control & Automation of Cloud Security

