By Amir Khan, CEO of Alkira
Migrating firewalls to the cloud shouldn't be at the expense of control
The data center is the best place for
enterprise firewalls - or it was, until the cloud.
Three-quarters of enterprises responding
to a recent survey by Deloitte
said they now run more than half of their enterprise IT as a service. The same
survey found that security remains the biggest concern holding back enterprise
as-a-service technologies.
Enterprises have hesitated to move
firewalls to the cloud for the same reason that they have kept other services
in the data center: they take longer to deploy, are more complex to configure
and harder to manage in the cloud. The arguments against cloud firewalls become
even more compelling when the organization wants to move workloads and
applications into multiple clouds.
Yet in the cloud era, providing services
centrally from the corporate data center makes no sense. Backhauling traffic to
the data center, typically over MPLS connections, is inefficient, expensive and
slow.
When the applications and data move to
the cloud, it's logical to move the firewall too, but that's easier said than
done.
Spinning up a VM in the cloud is not a
big deal. How you manage it once it's there is the difficult bit.
Virtualizing firewalls in the cloud
raises a number of operational issues around availability, throughput, network
segmentation, traffic steering, elasticity and monitoring. The security team
needs to be able to monitor the health of the firewall for performance and they
need to be able to enforce enterprise security policies just as they would in
an on-prem set-up.
Our vision of cloud networking, Alkira's
Network Cloud, resolves this lose-lose dilemma.
Connectivity is only half the story. The critical part is how you
provision the network services on top and manage them. Historically, security
vendors have not been great at enterprise-class networking and networking
vendors have not been great at providing strong security products. With
partners, such as Palo Alto Networks, we give customers access to best-of-breed
firewall solutions, while we supply the best-of-breed network services
infrastructure needed to deliver the ease of connectivity, manageability and
flexibility that enterprises demand. This best-of-breed approach enables the
Alkira Network Cloud to provide a very different approach to SASE while still
agreeing with the main premise that networking and security must be addressed in an
integrated way.
Our as-a-service platform leverages the
near-infinite compute capability of the cloud to deliver performance that
auto-scales up and down according to need. That capability applies to every
service running over it, including firewalls, taking care of the performance
and availability issues.
Critically, because Alkira is
cloud-agnostic by design, services such as firewalls can be deployed and
managed in the same way whether in single or multi-cloud or hybrid
environments.
Firewall administrators can manage the
firewall just as they would in the data center, for example with the ability to
apply intent-based policies to intra-zone and inter-zone traffic, and do
network segmentation and micro-segmentation with advanced policy-based routing
controls.
Software licensing is another management
task that customers would like to see simplified. Because the network cloud is
delivered as a service, firewall capacity can either be on a pay-as-you-go
basis or provided under the terms of an existing license.
Security is more important and
challenging than ever as we enter an era of cloud-enabled hyper-distributed
applications. In this environment, the cloud firewall has to be a no-compromise
zone.
For more information about how to build
your own no-compromise zone, please see:
## ABOUT THE AUTHOR
Amir Khan founded and led Viptela, the company that pioneered the $8 billion SD-WAN
market and was sold to Cisco for $610 million in 2017. Recognising that
enterprises were struggling to build networks within and between clouds, Amir
and his brother Atif founded Alkira to provide a virtual network as a service (NaaS)
for the cloud era. Alkira's platform delivers connectivity, integration,
visibility and control to enterprise networks spanning multiple clouds and
legacy environments. Before Viptela, Amir held leadership roles at Cisco, Juniper,
and Nortel. Amir holds four patents and trained as an engineer. He earned an
MS in electrical engineering from the University of Colorado at Boulder, and a
BS in electrical engineering from the University of Mississippi.