For years legacy firewall vendors have received criticism from customers on operations in the cloud. This is why Valtix built a cloud network security offering from scratch.
Recently, we’ve seen firewall vendors announce offerings in cooperation with the CSPs. These offerings deliver firewall services running in individual public clouds, which frees the end customer from having to manage virtual appliances. It’s important to note that they’re not actually building a cloud-native service like Valtix, but instead just offloading the operations of appliances. This architecture has a few implications – we’ll get to those in a minute. Overall, the move by these firewall vendors highlights some of the important truths we’ve learned in talking with enterprise customers running workloads in public clouds:
- Recent widespread vulnerabilities have shown that security controls outside the app (e.g., network, compute platform) are an absolute must. This is WHY the discussion of secure cloud networking is urgent.
- Appliances don’t work in the cloud at scale. Period. The size, speed, and dynamism of cloud environments means appliances beyond “experiment” scale can’t keep up. And if you can’t keep up, you can’t secure.
- Staying with dynamism for a second – IP addresses as a means of pinning policy to workloads hasn’t been relevant for years. Appliances built in the datacenter era don’t have a lot of options here.
- Looking at cloud adoption in the enterprise, most are multi-cloud. Not always by choice, but it’s a fact. Note that having security capabilities in each cloud is different than a multi-cloud security solution that enables a single view.
- Finally, sending your production data somewhere else (in this case, to someone else) to get secured makes most enterprises a bit uncomfortable. Many organizations resist shipping their production workload data for security purposes as a matter of policy (individual user data is sometimes considered separately).
Pointing these truths out shows how limited these duct-taped appliance offerings really are. Yes, they know controls outside the app are critical. And they’ve made a good effort to isolate the customer from the operations pain of managing their appliances (sort of – deployment is done through the CSP, policy is done through the firewall vendor’s management app). But the rest of the findings from enterprises we highlight are left unaddressed:
- Still using IP address (or some archaic signature to ID apps) for policy. Tags are the only meaningful way to identify a workload in the cloud era.
- Siloed approaches to different clouds. There are some solutions that bridge clouds with policy in the firewall management platform, sure, but which networks and workloads are protected? Admins have to go into individual cloud managers to see that. So these aren’t really multi-cloud offerings.
- Shipping your production data to another entity – yup, it’s a trade off: you get to pick between the ops pain of running appliances, or the security, risk, and compliance pain of having production data go to someone else for security.
Overall, it’s great to welcome more vendors to the party. Valtix has been working closely with customers in this space for over 5 years. We 100% agree with legacy firewall vendors that this is a critical need for customers, and the ops model of managing their appliances in the cloud was excruciating for enterprises.
However, we think about a solution very differently – and so does Cisco, which is why they acquired us. Cisco’s multi-cloud vision includes not only all the public clouds, but all the private ones as well – under a single networking and security umbrella.
Valtix was the first platform with a cloud-centric, multi-cloud approach to cloud network security for the enterprise. And still, we’re the only ones who integrate deployment, management, and policy into a single SaaS-based controller, fully support tags for policy, integrate into all cloud constructs and services, and enable the customer to enforce security next to workload without shipping production data anywhere.