With the rise of cloud computing, cybersecurity has become a top concern for organizations that move their operations to the cloud. One area of concern has been the lack of a network firewall feature in public cloud providers, such as Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform (GCP), when it all started. In this blog, we will explore the issue in-depth and discuss whether implementing a stateful firewall is the only solution.
A network firewall is a critical security device that monitors and filters incoming and outgoing network traffic based on predefined security rules. It serves as a barrier between a private network and the internet, preventing unauthorized access to the network. When public cloud providers first emerged, many did not offer a network firewall feature, leading to concerns about cyber risk exposure.
It is true that most cloud engineers were not even aware of a web application firewall (WAF – Layer 7 firewall) until later in 2020. However, this does not necessarily mean that most applications deployed on the internet were wide open and running with just security groups. Public cloud providers did offer other security measures that could be used to secure applications and data in the cloud. For example, AWS provided Security Groups, Azure offered Network Security Groups (NSGs), and GCP offered Firewall Rules. These features allowed organizations to control access to their applications and data by defining security rules that restricted traffic based on various parameters, including IP addresses, protocols, and ports, however on those open ports there were no measures in place to inspect the traffic, hence it was not protecting the application effectively. Eg: If your application was running on port 80/tcp or 443/tcp and and you only allowed those two ports open on your security group, those traffics still goes straight to your application and relies on the security measures set directly on your application itself.
That being said, the lack of a network firewall feature was still a concern for cybersecurity experts. Security groups and network security groups are limited in their ability to provide comprehensive security for cloud environments. A stateful firewall, such as NetGate, Fortinet, Checkpoint, Cisco, Juniper Networks and Paloalto, offers a higher level of security by providing deeper packet inspection and other advanced security features on the ports that is open to the world. (eg: 80/tcp or 443/tcp )
Implementing a stateful firewall on top of a public cloud provider requires advanced networking knowledge and expertise. It involves creating a complex networking architecture on top of the public cloud provider’s virtual network. However, if an organization is serious about security, it may be worth the investment.
It is also worth noting that cloud-native security solutions are becoming increasingly popular for securing cloud environments. Cloud security posture management (CSPM) and cloud workload protection platforms (CWPP) are examples of cloud-native security solutions that can help organizations ensure their cloud resources are configured according to security best practices and compliance standards and protect cloud workloads from threats such as malware, ransomware, and data exfiltration.
In conclusion, while public cloud providers may have been responsible for some organizations’ cyber risk exposure due to the lack of a network firewall feature, it is not the only security measure that can be used to secure cloud environments. Public cloud providers offer other security features that organizations can use to secure their applications and data in the cloud. Implementing a stateful firewall may be a solution, but it requires advanced networking knowledge and expertise. Alternatively, cloud-native security solutions, such as CSPM and CWPP, are becoming more popular for securing cloud environments. Ultimately, the best approach will depend on an organization’s specific needs and security requirements.