What does it take to secure your cloud network during and after your cloud migration? This question is growing even more complex as most organizations migrate to hybrid-cloud and multi-clouds, which are now in use among 76 percent of enterprises, compared to 62 percent a year ago, according to (ISC)².
There are three main directions you can choose when securing cloud networks and migrations:
- Protect your assets using security solutions delivered by your cloud vendor
- Invest in a DIY approach
- Work with a vendor who specializes in cybersecurity.
Each option has its advantages and disadvantages and should be evaluated in terms of the organization’s requirements and “best fit,” as well as how well each supports the different cloud security layers (see the diagram below, from Five Best Practices for Secure Cloud Migration).
Cloud Security Layers (source: Check Point)
The pros and cons of different cloud migration security approaches
Option 1: Cloud vendor security
Cloud vendor security means relying on the tools and services provided by your cloud vendor to protect your cloud network and deployment from cyber threats. If you use AWS, for example, the cloud vendor security solutions include AWS GuardDuty and AWS Security Hub.
The main advantages of solutions like these include:
- Focus on each specific cloud: The security solutions built by each cloud vendor are designed specifically for the cloud services that vendor offers. As a result, they are adept at detecting the threats and risks that most commonly target those services in particular. For example, a cloud vendor’s solution may have a particularly deep understanding of that cloud’s IAM framework, making it capable of detecting configuration mistakes or poor practices that other solutions might overlook.
- Easy integration: Cloud vendor security tools and services usually integrate easily with the cloud they support since these solutions are built right into the fabric of that cloud. They are generally integrated with other similar cloud-native services, although this may require using multiple user interfaces and portals.
- Scalability and performance: Cloud vendor tools can scale almost infinitely, which is an advantage when you have very large-scale workloads to secure and high bandwidth of network traffic to inspect.
- Easy deployment and purchasing: Because the solutions are part of the cloud vendor’s native services, they are normally easy to deploy. Similarly, solution purchases often only require a simple “check-of-the-box” from the user.
On the other hand, relying on a cloud vendor for cloud migration security can lead to challenges, such as:
- Misunderstanding of shared responsibility: Cloud vendors secure some parts of cloud environments under the Shared Responsibility Model, but other security responsibilities are under the remit of the cloud users – i.e. you. If you misinterpret how the models work, you could end up with gaps in your cloud security strategy. (For guidance on how to avoid mistakes when working under a cloud shared responsibility model, download our shared responsibility model whitepaper.) This can make it particularly hard to understand which parts of your cloud infrastructure you need to secure, and which parts the provider will protect.
Above: Illustration of AWS’s Shared Responsibility Model (source: AWS)
- Lock-in: When you rely on the same vendor for both your cloud infrastructure and your security solutions, it’s more difficult to migrate from that vendor in the future if your needs change or more cost-effective solutions become available elsewhere.
- Lack of hybrid-cloud and multi-cloud support: Most cloud vendor security services work only within the vendor’s own cloud, so they’re not a good solution if you have a hybrid or multi-cloud environment to protect, or plan to have in the future. With an increasing number (and vast majority) of companies choosing the multi-cloud route, this is a significant hindrance to take into consideration.
- Lack of primary focus on security: Cloud vendors’ core business is providing infrastructure and platform services, not providing security. Their security tools are an important line item, but companies are not likely to decide to use a particular cloud provider based on their added security. For that reason, they don’t always leverage the latest, greatest cybersecurity technologies and techniques for securing the various layers of your cloud.
If you prioritize simplicity or ease of purchase above all else, cloud vendor security may be a good way to secure your cloud networks and cloud assets. But it’s certainly not the most secure, cost-effective or flexible approach.
Option 2: DIY cloud network security
A DIY approach to cloud security involves building your own cloud security solutions or perhaps patching together many solutions and processes to fit your requirements.
The advantages of DIY security include:
- Flexibility and customizability: You can choose whichever tools you want and customize them as you wish. This is an important benefit for businesses that have very strict compliance requirements or can’t seem to find a solution that meets all their needs. Complex network and application layers housed both on-premises and in the cloud are often more difficult to protect with generic security solutions and may be better suited to a DIY approach
- Cost savings: DIY security can potentially minimize your software costs by allowing you to select from more solutions to find the best trade-offs between cost and features.
- Expertise in development: Managing cloud migration and ongoing security internally provides an opportunity for internal teams to gain hands-on experience and develop expertise in cloud migration security strategies.
But you should be aware of these drawbacks:
- Complexity: DIY security is by far the most complex approach. It comes with a steep learning curve, and a lack of experience or expertise with the necessary solutions can hinder your cloud migration. Additionally, the myriad of integrations required for each solution in the IT software stack to communicate with each other securely will require a deep and complex project for any team to contend with.
- Time and resource cost: You’re likely to spend more time and resources setting up and managing DIY solutions than you would obtaining them all from one vendor. This is very much a scenario where the IT and security teams are reinventing the wheel with solutions that are already available.
- Security risks: Without specialized expertise, organizations may overlook crucial security considerations, potentially leaving vulnerabilities in their cloud environments.
DIY security strategies make sense when you have a deeply experienced team that is ready to find or build, configure, test, deploy, integrate, and manage the cloud network and other security solutions you need. But many (perhaps most) organizations will struggle to rely on DIY solutions.
Option 3: Dedicated cybersecurity vendors
The third approach is to work with a cybersecurity vendor whose software solutions and best practices are specifically designed for securing cloud migrations and ongoing cloud security. Doing so gives you several advantages:
- Maximum flexibility and freedom from lock-in: An established vendor can support your needs regardless of what the various layers of your cloud look like, and the vendor can work with you regardless of which type of cloud architecture – single cloud, multi-cloud or hybrid – you use. You get maximum flexibility, and you’re never locked into a particular solution or infrastructure. If you add a new cloud vendor in the future – for example as a result of strategic choice, data sovereignty or M&A activity – it should be quick and easy to secure. As a result, you can meet not just the cybersecurity requirements you face today, but also those you’ll encounter in the future as your business and cloud strategy evolve.
- Specialized security expertise: Security is 100% what these vendors do. Day in, day out. With their deep security expertise, cybersecurity vendors are the trusted authority when it comes to cloud security. They offer advanced security solutions and practices that keep up-to-date with the latest threats and attack techniques and as a result, are consistently recommended and ranked as leaders by industry analysts.
- Compliance and regulatory support: Cybersecurity vendors understand the compliance requirements specific to various industries, and their solutions can assist organizations in meeting regulatory obligations related to cloud security during the migration process and beyond.
- TCO considerations: This is often more affordable in the long run as less time is required to understand requirements, set up and plan, and train teams. Your time to deploy will be much quicker and simpler, which in turn also saves money. And this is especially true when you use the same cybersecurity vendor for your on-premises security, securing your cloud migration and ongoing cloud security.
In fact, according to a Forrester study of how one business used a cybersecurity vendor’s solution, the software delivered a total ROI of 169 percent with payback period of under three months; the value of the software increased the longer the organization deployed it.
Drawbacks to be aware of include:
- Potentially more complex integrations: Because vendor security tools aren’t built natively into the clouds they protect, setup can be slightly more complex than it would when using cloud vendor solutions. However, with thousands of secure deployments and migrations under their belts, most cybersecurity vendors offer smooth integration processes; once you complete the initial setup, you’re good to go.
- Adding another vendor: Your cybersecurity vendor becomes another vendor to work with and another relationship to manage. This creates a small amount of additional operational effort. But this is less relevant when you use the same cybersecurity vendor for your on-premises security.
Still don’t know which way to go?
We may be a little biased, but we have 30 years of cybersecurity and over 100,000 customers globally to support our claim that working with a cybersecurity vendor is a good approach for businesses who want to maximize security, ease of use, and return on investment.
So when a cloud vendor tells you that their cloud security solutions are “good enough,” you’d be wise to carefully weigh up the pros and cons of such a move. And, importantly, make sure you know what you are getting yourself into.
Check Point will gladly help you learn more about the tradeoffs of the different cloud security strategies. Get the inside story on how one company made the choice by watching our webinar “What CISOs need to consider in their cloud migration” with Saul Schwartz, Zinnia’s Information Security Manager, and TJ Gonen, Check Point VP of Cloud Security.
Next Steps
If you are migrating to the cloud and evaluating cloud network security solutions, download the Buyer’s Guide to Cloud Network Security to understand:
- The top 10 considerations when evaluating and choosing a cloud network security solution in more detail
- An overview of Check Point CloudGuard and how it answers these top 10 considerations
- The relative benefits of the solutions provided by leading cloud providers and third-party security vendors
If you would like to schedule a deep-dive personalized workshop around CloudGuard or best practices for secure migration, please fill in the form here and a cloud security architect will contact you to discuss your needs and schedule next steps.
To see CloudGuard in action, please schedule a demo, and a cloud security expert will help to understand your needs.
If you have any other questions, please contact your local Check Point account representative or channel partner using the contact us link.
Follow and join the conversations about Check Point and CloudGuard on Twitter, Facebook, LinkedIn and Instagram.