The Best Way to Protect Your Cloud May Be Another Cloud

One challenge that comes with being a midsize enterprise today is that you're large enough to be a target but not large enough to afford the kind of security that large enterprises use. This is one of the reasons why one of the fastest-growing segments for data breaches is the small to midsize business (SMB). In fact, according to the 2018 Verizon Data Breach Investigation Report, smaller enterprises received over half of all data breach attacks last year.

The reasons aren't surprising, and boil down to the fact that smaller enterprises still have something worth stealing even though they aren't always well-protected entities. While they usually do well when it comes to endpoint protection, SMB data centers and traffic hubs are often another matter. Fortunately, that could be changing. Just as the cloud gave these enterprises new capabilities to manage and analyze data that were previously only available to large enterprises, the cloud is also able to deliver big enterprise security to smaller organizations. And yes, it's another series of cloud services that fall under the umbrella term, Security-as-a-Service.

There are a few types of cloud-based security; probably one of the best-known types is for mitigating denial-of-service (DoS) attacks. In such cases, a cloud service inspects traffic on its way to the destination enterprise, and when it detects a DoS attack, it simply shortcircuits the damaging traffic. A large enterprise can do this itself, but a smaller one generally has neither the bandwidth nor the network infrastructure required to handle it.


More recently, we've seen a related technology arrive. It's called Firewall-as-a-Service (FWaaS) and it's exactly what it sounds like. Available from vendors such as Cato Networks and eSecurity Solutions, these services simply require you to sign up, and then your incoming traffic is routed through a cloud-based, next-generation firewall before it reaches your network.

Note that this is distinctly different from a managed firewall service, though some vendors offer both. In that instance, you've simply hired a knowledgeable IT security consultancy that takes on the task of managing, monitoring, and updating your on-premises firewall.

The advantage of FWaaS is that the cloud provider has enterprise-level expertise in handling an enterprise-grade firewall, and you're affording that via the cloud's economies of scale. In a managed firewall scenario, you're paying the consultant the standard rate plus you've still got to pay for the firewall and all its ancillary costs. FWaaS means you're not paying for the firewall, the support contract, or the staff. You get all of that just by paying for your share.

The potential downside here is, of course, latency. Because these services are new and vary in terms of how well they're implemented, there's no way to assign a general rule of thumb here when it comes to traffic delay. But given all of the variables—what kind of firewall infrastructure the provider is using, how it's architected, where it's located on the internet in relation to your infrastructure, how much and what kind of traffic your organization generally gets, and, of course, what settings you've implemented on your firewall account (not to mention the vagaries of internet traffic flow in general)—the only way to get a handle on how FWaaS will affect your traffic flow is to test, test, and maybe after all of that, test a little more.

Software-Defined Network Segmentation

A good example of this technology is OPAQ Networks, which provides a managed security service that uses products and services from Palo Alto Networks and adds its own specialized support for midsize enterprises. A key technology offered by OPAQ Networks is software-defined network segmentation, which simplifies the process of segmentation while also bringing it into the reach of smaller organizations.

"Using this tool, it's possible to granularly segment internal networks so that end users only have access to the resources that they need, without having to reconfigure VLANs or wrestle with NAC (network access control) solutions," explained Tom Cross, CTO at OPAQ Networks, in his blog.

"The traditional security stack delivered from the cloud has value, particularly for businesses where consistent patch and configuration management can be a challenge," Cross added.

As you probably suspect, OPAQ Networks isn't alone in providing this sort of Security-as-a-Service. Firewall vendor Barracuda is now offering a Web Application Firewall (WAF) that the company can provide as a service. According to Barracuda, the WAF can protect your cloud and your on-premises data. Barracuda offers distributed denial of service (DDoS) protection as an add-on service for its WAF, along with access and identity management, giving you almost a one-stop protection opportunity.

Threat Tracking

And, of course, there's more to Security-as-a-Service than just DDoS protection and firewalls. Microsoft is now offering its Threat Tracking for Office 365, which works with its Threat Intelligence product for Office 365 (which was released in 2017).

While the Microsoft product doesn't actually interact with your cloud solution, it does provide a useful source of information. However, Microsoft does provide other cloud security protections for use with its Azure cloud service, including a lockbox for access keys.

The other major cloud providers, including Amazon Web Services (AWS) and Google Cloud Platform, have all announced security products for their customers. And one thing that you'll see when you're configuring your cloud service with any of the major vendors is the opportunity to add a firewall to whatever product suite they're selling. But those firewalls and other products only protect your cloud presence. Typically, what sets Security-as-a-Service apart is that it should also protect the stuff in your data center.


The question you have to answer as a small to midsize enterprise (SME) is whether or not you need security in the cloud. If your IT operation is any way hybrid, and most are these days, then the answer is almost certainly "yes." Except in all but the most unusual of cases, your IT staff probably doesn't have the expertise or the budget for the kind of security you need to fight off today's threats.

While you can (and should, if at all possible) hire someone to manage your IT security, salaries in data center security management are stratospheric right now. And even if you do hire a security expert, the workload is often prohibitive for just one person, especially in anything larger than a small business and certainly in any organization that does significant business on the web. That's because it's not only exacting work but also because it spans most every aspect of your IT infrastructure. Therefore, the level of expertise required is significant. Unless your needs prohibit the use of a cloud-based resource, Security-as-a-Service is probably the most cost-effective and speedily implemented solution available.

This article originally appeared on