Cloud Security Fabric (2019)
Timo Lohenoja, CISSP, Systems Engineer, Fortinet
© Copyright Fortinet Inc. All rights reserved.
Enterprise Cloud Adoption
• Fast
  » New cloud services are tried out and used every day
  » It is much easier to deploy a cloud application than to decommission it
• Decentralized
  » New service creation is not funneled through a central IT department
  » Anyone across the organization may source a new cloud service
• Heterogeneous
  » Employees will use different cloud services from different providers
  » Different cloud services offer different security levels
Reality = All of the above
[Figure: the delivery model (SaaS, PaaS, IaaS) on one axis and the deployment model (Public, Private, Community) on the other, with both the service providers and the organization itself ("yourself") operating across the whole grid]
Risk = All of the above
[Figure: the same delivery/deployment grid, overlaid with the threats that apply across all of it: malicious insiders, interface and API hacking, APTs, data breaches, DoS and DDoS attacks]
Cloud Adoption Market Breakdown
[Figure "Secure Journey to the Cloud": number of companies plotted against cloud adoption maturity, from laggards through the majority of customers to the bleeding edge; the security technologies gaining mindshare follow the same curve: NGFW, WAF, CASB and CSPM, cloud-native / CI/CD-integrated security, security automation, container/serverless security, security orchestration]
Security Thinking Evolution
• Cloud: on-demand, ubiquitous
• Security: processes, policies, controls
• Productivity
• Cloud Security: templates, auto-everything, automation
Shared Responsibility
The majority of the cloud security responsibility is on the user, not the provider.
Customer responsibility (the customer builds and secures the applications that run IN the cloud):
• Data & Content
• Applications, Platform & User Management
• OS, Firewall & Network Settings & Configuration
• Encryption & Network Traffic Protection
Cloud provider responsibility (the provider secures the infrastructure): public cloud infrastructure services, i.e. Storage, Network and Compute.
95% of cloud security failures through 2020 will be ones where the customer is at fault [1].
Cloud Security Evolution
[Figure: the progression Virtualization → Private Cloud → Hybrid → Public Cloud, with the matching security integration points: hypervisor port, SDN orchestration, integration, on-demand. IaaS cloud security covers east-west and north-south traffic with NGFW, WAF and APT protection plus management and reporting at the hypervisor; SaaS cloud security works through connectors, API and flow data, proxy, broker and CASI (API-based) integration]
Cloud Market Insights
Roughly 5% of cloud spend is security.
Fortinet has offerings and partial offerings for only part of the cloud security market:
• Market segments: CASB, CSPM, NGFW, WAF, micro-segmentation, security analytics, security management, security fabric automation products
• Fortinet products: FortiGate-VM, FortiWeb, FortiMail, FortiSandbox, FortiManager, FortiAnalyzer, FortiAuthenticator, FortiSIEM
Customer Responsibility
Fortinet builds cloud security solutions to help the customer secure the cloud:
• Management & Automation
• Broad Protection
• Native Integration
The customer builds and manages security IN the cloud; the cloud provider secures the infrastructure (public cloud infrastructure services: Storage, Network, Compute).
Security Framework for Digital Security (NIST model)
• Identify the attack surface
• Protect against known threats
• Detect unknown threats
• Rapid response
• Continuous trust assessment
Fortinet Security Fabric for the Cloud
[Figure: the delivery model (SaaS, PaaS, IaaS) / deployment model (Public, Private, Community) grid, spanning the service providers and the organization itself, covered by the three fabric pillars: Management & Automation, Broad Protection, Native Integration]
What's Needed? Multi-Cloud Security
A single console across multiple clouds, multiple integrations and multiple applications.
Cloud Adoption Initiatives
• Migrate: migrating/extending applications to the cloud; datacenter transformation to the cloud
• Build: building cloud-native applications
• Consume: consuming SaaS applications
Fortinet Secures the Cloud Migration Journey
[Figure: the Migrate, Build and Consume initiatives mapped to the solutions Visibility and Control, Application Security and Secure Connectivity, and to the products FortiGate, FortiWeb, FortiManager, FortiAnalyzer, FortiSandbox, FortiMail, FortiClient, FortiCASB-Cloud and FortiCASB]
Cloud Security Services Hub

Customer Challenge
As organizations grow, and their consumption of the cloud increases and expands, the need to separate security management from application development increases. Different organizational units tend to build applications in different virtual networks and even in different clouds and datacenters. Securing all of these dispersed locations becomes challenging.

Solution
By building a central hub (transit network) for security functionality that securely interconnects all dispersed networks, locations, clouds and datacenters, organizations can enforce security policies between the different virtual networks and locations, apply central security filtering to traffic between these networks and the internet, and thereby split the role of security management from application development.

Benefits
• The key benefit of this approach is the ability to enforce consistent security across the entire set of networks.
• Organizational units can continue to develop their solutions autonomously, without waiting for security policies to be applied and without exposing the organization to unwanted risk.

Unique Selling Points
• High-speed VPN connectivity with scale-out and scale-up options
• Flexible network connectivity and advanced routing capabilities

Related Topics
• FortiGate-VM datasheets
• AWS Transit VPC and Transit Gateway functionality
• GCP Shared VPC

[Figure: several cloud networks of VMs connected through SD-WAN and cloud VPN gateways to the central Cloud Security Services Hub]
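The property that makes this design work is that no spoke network can reach another spoke, or the internet, without its traffic passing the hub; a direct peering between two business units' networks, or a spoke with its own internet gateway, silently bypasses the central filtering. The following is an added example, not Fortinet code and not tied to any cloud provider's API: it runs that check over constructed route tables (every network name, CIDR and next hop below is made up for the example), doing longest-prefix lookups the way a cloud router would. A real deployment would feed it the route tables exported from the provider instead.

```python
"""Added example (not Fortinet code): verify that every spoke in a
hub-and-spoke (transit) design reaches other spokes and the internet only
via the security hub.  Names, CIDRs and routes are constructed."""
import ipaddress

HUB = "hub-vpc"

# Constructed inventory: the hub plus three spokes owned by different
# organizational units.  Each route table maps a prefix to a next hop.
NETWORKS = {
    "hub-vpc": "10.0.0.0/24",
    "spoke-finance": "10.1.0.0/16",
    "spoke-research": "10.2.0.0/16",
    "spoke-retail": "10.3.0.0/16",
}
ROUTE_TABLES = {
    "spoke-finance": [
        ("10.1.0.0/16", "local"),
        ("0.0.0.0/0", "hub-vpc"),         # everything else via the hub: correct
    ],
    "spoke-research": [
        ("10.2.0.0/16", "local"),
        ("10.3.0.0/16", "spoke-retail"),  # direct peering: bypasses the hub
        ("0.0.0.0/0", "hub-vpc"),
    ],
    "spoke-retail": [
        ("10.3.0.0/16", "local"),
        ("10.2.0.0/16", "spoke-research"),
        ("0.0.0.0/0", "igw-direct"),      # own internet gateway: no central filtering
    ],
}


def lookup(route_table, dst_ip):
    """Longest-prefix match over (prefix, next_hop) pairs; None if no route."""
    addr = ipaddress.ip_address(dst_ip)
    best = None
    for prefix, next_hop in route_table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best[1] if best else None


def find_hub_bypasses(networks, route_tables, hub):
    """Return (source, destination, next_hop) for every path that skips the hub.

    Each spoke is probed with the first host address of every other spoke
    and with one public address; any next hop other than the hub is a
    bypass of the central security policy."""
    findings = []
    for src, table in route_tables.items():
        if src == hub:
            continue
        probes = {name: str(ipaddress.ip_network(cidr)[1])
                  for name, cidr in networks.items() if name not in (src, hub)}
        probes["internet"] = "203.0.113.10"   # TEST-NET-3 address, constructed
        for dst_name, dst_ip in probes.items():
            hop = lookup(table, dst_ip)
            if hop != hub:
                findings.append((src, dst_name, hop))
    return findings


if __name__ == "__main__":
    for src, dst, hop in find_hub_bypasses(NETWORKS, ROUTE_TABLES, HUB):
        print(f"{src} -> {dst} is routed via {hop!r}, not via the hub")
```

Run as-is, the check reports nothing for spoke-finance, one bypass for spoke-research (its direct route to spoke-retail) and three for spoke-retail (both other spokes and the internet are reached without the hub). The probes deliberately use host addresses rather than whole prefixes, because a more specific route can hide inside a larger one; a production version would also walk the hub's own route table back to each spoke to confirm the return path.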
[Figure: AWS deployment of the Cloud Services Hub. A transit VPC / Transit Gateway with auto-scaling FortiGate and FortiWeb instances connects branch offices over high-speed IPsec VPN to the protected VPCs (instances, containers, Amazon WorkSpaces, Amazon API Gateway); FortiSandbox, FortiMail and FortiCASB sit alongside, and the Fabric Connector ties into AWS Security Hub, Amazon Macie, Amazon Inspector, AWS WAF and VPC flow logs]
Fortinet Cloud Security Strategy: 3 Pillars
• Management & Automation: policy, control, visibility (FortiManager, FortiAnalyzer, FortiCASB, API)
• Broad Protection: application security, network segmentation, secure connectivity (FortiGate, FortiMail, FortiWeb, FortiClient, FortiSandbox)
• Native Integration: cloud service integration (Fabric Connectors, Automation Stitches), cloud resource abstraction, form factor optimization
Cloud Security: Technology Fundamentals
• Network Security: ingress/egress traffic
• WAAP: web applications
• Platform Security: the cloud platform API/UI
What Built-in Cloud Network Security Lacks
• Management
• The human factor
• Operational model
• DevOps vs. SecOps
• Application awareness
• Multi-cloud
Cloud Security: Fortinet Differentiators
• FortiGate NGFW (ingress/egress)
  » Most scalable (out and up): VPN, IPS, application control
  » Multiple connectors: multi-cloud, multi-org, cloud services
  » HA failover (unicast)
• FortiWeb WAF (web applications)
  » Form factor flexibility: Docker for CI/CD, SaaS
  » ML simplicity and accuracy: WAAP for all
  » Fabric integration: SOC integration
• FortiCASB-Cloud (platform security)
  » Multi-cloud dashboards: consistency
  » FortiGuard Labs integration: advanced threat protection
  » Fabric integration: SOC integration
Multi-cloud Security Reference Architecture
[Figure: the enterprise data center and branch offices connected over MPLS, VPN / SD-WAN and the internet to several public clouds, each fronted by NGFW VMs, with CASB, container security, cloud sandboxing and a remote workforce; a connector / management and analytics layer applies one policy set across all of them]
Policy Enforcement
• Single policy set across all deployments
• Block lateral threat propagation in the east-west direction
• Comprehensive protection in the north-south direction
• Advanced security (L7 firewall, IPS and ATP) for all traffic paths
• VPN IPsec tunnels
• Automated VPN provisioning for multi-cloud connectivity
• Auto-scaling security
Connector / Management and Analytics
• Policy enforcement connector
• Leverage metadata instead of traditional IP addresses in security policies
• Automated workload and metadata discovery
• Centralized management and analytics across deployments
• Security workflows that adapt to deployment changes
• Intuitive visibility
• Auto-provisioning of security services across all platforms
• Quarantine infected workloads automatically
• Automation tooling: AWS CFT, Azure ARM, Terraform, Python
Security functions in the architecture
• Management / analytics
• Next-generation firewall
• Compliance automation
• Advanced threat protection
• Web application firewall
• Identity and access management
• Cloud access security broker
• Denial of service protection
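Two of the items above, using metadata instead of IP addresses in security policies and quarantining infected workloads automatically, are easiest to see in code. The following is an added example, not Fortinet's implementation of its connectors or automation stitches: it resolves tag selectors to address sets at evaluation time over a constructed inventory (names, addresses, tags and the policy are all made up for the example), so that an autoscaled replacement instance inherits the policy and a re-tagged workload is quarantined without anyone editing a rule.

```python
"""Added example (not Fortinet code): firewall policy keyed on workload
metadata (cloud tags) instead of IP addresses.  Inventory, addresses,
tags and the policy below are constructed for the example."""
from dataclasses import dataclass


@dataclass
class Workload:
    """One discovered instance, as an inventory poll of a cloud API would return it."""
    name: str
    ip: str
    tags: dict


@dataclass
class Rule:
    """Source and destination are tag selectors, never addresses."""
    src: dict        # {} matches every discovered workload
    dst: dict
    ports: set       # empty set = any port
    action: str      # "allow" or "deny"


def matches(tags, selector):
    return all(tags.get(key) == value for key, value in selector.items())


def resolve(inventory, selector):
    """Dynamic address object: the IPs of workloads that currently carry the tags."""
    return {w.ip for w in inventory if matches(w.tags, selector)}


def evaluate(inventory, policy, src_ip, dst_ip, port):
    """First-match evaluation.  Address sets are resolved at evaluation time,
    so a re-created or re-tagged workload needs no policy edit."""
    for rule in policy:
        if (src_ip in resolve(inventory, rule.src)
                and dst_ip in resolve(inventory, rule.dst)
                and (not rule.ports or port in rule.ports)):
            return rule.action
    return "deny"   # implicit deny


def quarantine(inventory, name):
    """What an automation stitch would do on a sandbox verdict: re-tag the
    workload, and the quarantine rule matches it on the next evaluation."""
    for w in inventory:
        if w.name == name:
            w.tags["status"] = "infected"
    return inventory


# Quarantine rule first, then the only permitted tier-to-tier flow.
POLICY = [
    Rule(src={"status": "infected"}, dst={}, ports=set(), action="deny"),
    Rule(src={"role": "web"}, dst={"role": "db"}, ports={3306}, action="allow"),
]


def inventory_v1():
    return [
        Workload("web-1", "10.1.1.10", {"role": "web", "status": "clean"}),
        Workload("db-1", "10.1.2.20", {"role": "db", "status": "clean"}),
    ]


def inventory_v2():
    """Autoscaling replaced web-1 with web-2 on a different address."""
    return [
        Workload("web-2", "10.1.1.57", {"role": "web", "status": "clean"}),
        Workload("db-1", "10.1.2.20", {"role": "db", "status": "clean"}),
    ]


if __name__ == "__main__":
    inv = inventory_v1()
    print(evaluate(inv, POLICY, "10.1.1.10", "10.1.2.20", 3306))   # allow
    print(evaluate(inv, POLICY, "10.1.1.10", "10.1.2.20", 22))     # deny
    inv = inventory_v2()
    print(evaluate(inv, POLICY, "10.1.1.57", "10.1.2.20", 3306))   # allow, no edit
    quarantine(inv, "web-2")
    print(evaluate(inv, POLICY, "10.1.1.57", "10.1.2.20", 3306))   # deny
```

Note the limits this toy shares with the real thing: the quarantine rule only matches destinations that are in the inventory (an empty selector resolves to discovered workloads, not to the internet), and the whole scheme is only as trustworthy as the tags, so write access to workload metadata has to be treated as write access to the firewall policy.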
Realizing the Vision of Security-Driven Networking
• Broad: visibility of the entire digital attack surface
• Integrated: protection across all devices, networks and applications
• Automated: operations and response driven by machine learning
[Figure: the Security Fabric areas (Network Security, Multi-Cloud Security, Secure Application Access, Endpoint/Device Protection, Security Operations, Network Operations) joined through Fabric APIs, Fabric Connectors and the open ecosystem]
Fortinet Security Fabric: Cloud
[Figure: the fabric view for cloud: Multi-Cloud Security and SaaS alongside Network Security, Network Operations and Security Operations]
The Broadest Security Portfolio in the Industry
Built from the ground up to deliver true integration end-to-end:
• Network Security: FortiOS
• Endpoint Security: FortiClient
• Web Application Security: FortiWeb
• Advanced Threat Protection: FortiSandbox
• Multi-Cloud Security: FortiOS, FortiCASB
• Email Security: FortiMail (Secure Email Gateway)
• Secure Unified Access: FortiAP, FortiSwitch, Network Access Control
• Management & Analytics: FortiAnalyzer, FortiManager, FortiSIEM
• IoT
Virtual Appliance Platforms (B = BYOL, P = PAYG)
Columns, in order: hypervisors (VMware vSphere, Citrix XenServer, Microsoft Hyper-V, Nutanix AHV, Xen, KVM; ✓ = supported), then public clouds (Amazon AWS, Microsoft Azure, Oracle OPC, Google GCP, Aliyun; B = BYOL, P = PAYG). Empty cells were dropped in extraction, so a row with fewer marks than columns cannot be mapped to specific platforms.
FortiGate-VM ✓ ✓ ✓ ✓ ✓ ✓ B P B P B B P B P
FortiManager-VM ✓ ✓ ✓ ✓ ✓ ✓ B P B B B B
FortiAnalyzer-VM ✓ ✓ ✓ ✓ ✓ B P B B B B
FortiWeb-VM ✓ ✓ ✓ ✓ ✓ B P B P B B
FortiWeb Manager-VM ✓ B
FortiMail-VM ✓ ✓ ✓ ✓ ✓ B B
FortiAuthenticator-VM ✓ ✓ ✓ ✓ B
FortiADC-VM ✓ ✓ ✓ ✓ ✓ ✓ B B
FortiVoice-VM ✓ ✓ ✓ ✓ B B
FortiRecorder-VM ✓ ✓ ✓ ✓ P
FortiSandbox-VM ✓ ✓ B P P
FortiSIEM ✓ ✓ B
FortiProxy-VM ✓ ✓ B B
The Integration of Security Automation Into the Application Lifecycle
[Figure: DevOps as the cycle of Development, Operations and Application Delivery, beside DevSecOps, where Security joins the same cycle: Development, Security, Operations and Application Security Delivery]
Protection for the Layer 7 Perimeter
• Web Protection
• API Protection
• Bot Protection
Cloud Security Use Cases
Visibility and Control
• SaaS visibility and control
• Cloud infrastructure visibility and control
• Compliance in the cloud
• Cloud-based security management and analytics
Application Security
• Web application security
• Intent-based segmentation
• Container security
• Cloud workload protection
Secure Connectivity
• Secure hybrid cloud
• Cloud Security Services Hub
• Secure remote access
Top Use Cases
[Figure: five deployment sketches on public-cloud-based infrastructure: inside-out security with FortiCASB against the public cloud management API; advanced application protection with a Cloud Services Hub / transit VPC of FortiGate-VM NGFWs, sandbox, and web and mail security in front of VPC1 and VPC2; IaaS and SaaS security management with FortiCASB; remote access VPN with FortiGate-VM and FortiClient to cloud remote access points; and public-cloud-based security management spanning cloud networks 1 and 2]
Performance Testing
FortiTester includes a wide range of testing functionalities, such as:
» Connections per second
» Requests per second
» Concurrent connections
» Throughput
» HTTP transactions
» Packets per second
» Payload throughput
» Latency
» Loss rate
» Back-to-back
and more.
FortiTester includes a wide range of protocols and applications:
HTTP, HTTPS, SSL, IPsec, SSL-VPN, UDP, RFC benchmark, TCP, DNS, NTP, RADIUS, SIP, TFTP, BitTorrent, CIFS/SMB, FIX, FTP, IMAP, LDAP, NFS, POP3, PSQL, RDP, SMTP, YouTube, SSH, DHCP, WhatsApp, IGMP, RTSP/RTP
Deception is Widely Used
• Human warfare
• The natural world
• Cybersecurity warfare (attack vs. defend): the honeypot
FortiDeceptor: Flexible
• Deployment: on-premises, public cloud
• Decoys: branch, campus, data center / public cloud
• Deception VMs: Windows, Linux
[Figure: decoys placed on-premises, across the SD-WAN and in the cloud]
Multi-Cloud Expansion Has Expanded the Attack Surface
[Figure: campus, data center, branch offices, retail offices and remote users joined by SD-WAN to public cloud, CSP cloud, private cloud and SaaS, all managed from a single console]
The Leader in Multi-Cloud Security
• Industry's most cloud security offerings (dozens)
• Maximum flexibility with global availability on all 6 cloud platforms
• Simplified solution deployment and security operations with a full suite of APIs, automation templates and integrations
• Mitigates ongoing cloud security risks via over 3 million global threat feeds providing advanced security telemetry
• Helping over 340,000 customers secure their journey to the cloud
• Leader in helping customers design, implement and operate true multi-cloud security, with a dedicated cloud security architect team
Summary
Business-aligned and consistent visibility, control and automation of cloud security.