Cloud firewalls are usually just a cluster of virtual machines running security software in a data center somewhere. So while they operate “in the cloud”, they don’t really take advantage of what the cloud offers: layered networking, small, agile containers, microservices, and the ability to scale by adding the modules you need on the fly.
Welcome the next generation of Cloud-Native Firewalls.
Driven in part by the pace of the startup market, users want to scale rapidly with fault tolerance and high agility so they can get to market first. They need firewalls that are more all-encompassing, emulating a fuller network stack, and sold in a pay-as-you-go model: pick what you want, hit a button, and it all just magically happens.
Except it’s more complicated than that, for a few reasons.
- No one knows what to call them. My colleague Bijay counted no fewer than 13 name variations that mean largely the same thing (or variations on the same thing).
- There’s a strong bent toward vendor lock-in, since you’ll need to integrate with the vendor’s cloud-native ecosystem and toolset to use them effectively. That also makes it harder to move to another environment if needed.
- The feature sets are merging: vendors in the VM-based firewall space are adding the functionality of the cloud-native vendors.
At its core the effort is mostly aimed at markets by vertical. Vendors find out what a vertical is looking for and package an offering to meet that demographic and the feature set it wants.
But it does force innovation, and that’s a good thing.
Here are a few areas where Cloud-Native really shines.
- East-west networking – Because Cloud-Native sits on an underlay of agile networking, it’s easier to create tiny networks behind your firewall for specific purposes, like small private networks that isolate critical processes. That’s a good thing if you want to simplify building network segmentation, for example.
- No charge when you’re not using it – Since you pay as you go, or use a subscription, you don’t pay for raw rack space, bandwidth, and power if you have no workloads running. You also don’t have to do OS updates and patching; that’s handled by the vendor. In this way it’s a lot more hands-off, which can be a welcome relief.
- It integrates with other cloud services more seamlessly. Through extensive reliance on APIs to talk to other cloud providers, building apps that integrate across multiple platforms mostly “just works”. This is a huge boost if you’re trying to spin up a new app and don’t want to build new non-core functionality: you can just “bolt it on and go.”
- Identity and policy management aims to be more seamless across the rest of your fabric, so you can use it without complex configurations to manage. This can be a big time saver if you’re standing up a new project quickly, or onboarding a lot of new staff and managing their access across whole networks and resources. It’s also compatible with Infrastructure-as-Code tools (Terraform, CloudFormation, Helm), so policies can be codified, tested, and deployed through pipelines.
- Metrics across a whole fabric are easier to use thanks to tighter integration with stacks like Prometheus, Grafana, ELK, Fluentd, OpenTelemetry, and SIEMs.
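Two of the points above, east-west segmentation that isolates critical processes and firewall policy that is codified and tested in a pipeline, come together in the kind of check a team would run before a policy change is deployed. The following is an added example, not code from the original post or from any vendor the post mentions: it models a vendor-neutral, first-match-wins rule set over three hypothetical segments (the names, CIDRs and rules are constructed), computes which east-west paths the policy actually permits, and fails if an untrusted tier can reach a critical one. Real products use their own schemas, so the `Rule` shape here is an assumption standing in for whatever your Terraform, CloudFormation or Helm definitions produce.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, Iterable, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Rule:
    src: str             # segment name, or "any"
    dst: str             # segment name, or "any"
    port: Optional[int]  # None means any port
    action: str          # "allow" or "deny"


# Constructed segments (hypothetical CIDRs): three tiers behind one cloud firewall.
SEGMENTS: Dict[str, str] = {
    "public": "10.0.0.0/24",  # internet-facing tier
    "app":    "10.0.1.0/24",  # application tier
    "db":     "10.0.2.0/24",  # critical data tier
}

# Constructed baseline policy. Evaluation is first-match-wins with an
# implicit deny at the end, the usual model for segment-level rules.
BASELINE: List[Rule] = [
    Rule("public", "app", 443, "allow"),
    Rule("app", "db", 5432, "allow"),
]

# Constructed "drifted" policy: the database was opened to every segment.
DRIFTED: List[Rule] = BASELINE + [Rule("any", "db", 5432, "allow")]

# Ports the reachability check probes (constructed list).
PROBE_PORTS = (22, 443, 5432)


def segment_of(ip: str) -> Optional[str]:
    """Map an address to the segment whose CIDR contains it."""
    addr = ip_address(ip)
    for name, cidr in SEGMENTS.items():
        if addr in ip_network(cidr):
            return name
    return None


def evaluate(rules: Iterable[Rule], src_ip: str, dst_ip: str, port: int) -> str:
    """The first matching rule decides; no match means deny."""
    src, dst = segment_of(src_ip), segment_of(dst_ip)
    for rule in rules:
        if rule.src in ("any", src) and rule.dst in ("any", dst) and rule.port in (None, port):
            return rule.action
    return "deny"


def allowed_paths(rules: Iterable[Rule], ports: Iterable[int] = PROBE_PORTS) -> Set[Tuple[str, str, int]]:
    """Every (src_segment, dst_segment, port) the policy lets through.

    Each segment is represented by its first usable host address and run
    through evaluate(), so earlier deny rules that shadow later allows count.
    """
    rules = list(rules)
    rep = {name: str(next(ip_network(cidr).hosts())) for name, cidr in SEGMENTS.items()}
    paths: Set[Tuple[str, str, int]] = set()
    for src in SEGMENTS:
        for dst in SEGMENTS:
            if src == dst:
                continue
            for port in ports:
                if evaluate(rules, rep[src], rep[dst], port) == "allow":
                    paths.add((src, dst, port))
    return paths


def check_isolation(rules: Iterable[Rule], critical: Set[str], untrusted: Set[str]) -> List[str]:
    """Pipeline gate: no untrusted segment may reach a critical one on a probed port."""
    return sorted(
        f"{src} can reach critical segment {dst} on port {port}"
        for src, dst, port in allowed_paths(rules)
        if src in untrusted and dst in critical
    )


if __name__ == "__main__":
    for name, policy in (("baseline", BASELINE), ("drifted", DRIFTED)):
        findings = check_isolation(policy, critical={"db"}, untrusted={"public"})
        print(f"{name}: {'OK' if not findings else 'FAIL'}")
        for finding in findings:
            print("  -", finding)
```

The check deliberately works from computed reachability rather than from inspecting rules one at a time: a rule that looks dangerous in isolation may be shadowed by an earlier deny, and a rule that looks harmless may combine with a broad `any` source to expose the critical tier. Wiring `check_isolation` into the pipeline stage that renders your IaC into rules turns the segmentation the post describes into something that is verified on every change rather than assumed.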
Whatever vendors call them, whether it’s “Secure Firewall Cloud Native”, “Cloud Native Security”, or “Magic Firewall” (really), we’ll be testing them all soon and sharing the results with you. If you have questions about that process, drop us a line and we’ll help you get up to speed on this next generation of cloud native firewalls.
The post Cloud firewalls get a (welcome) overhaul appeared first on SecureIQ Lab.
*** This is a Security Bloggers Network syndicated blog from SecureIQ Lab authored by Cameron Camp. Read the original post at: https://secureiqlab.com/cloud-firewalls-get-a-welcome-overhaul/