NSE 2 Cloud Security Script - EN
In this lesson, we explore the mysterious “cloud”, what it really is, how it came to
be, and some of the security issues that we encounter there.
First, let’s de-mystify the cloud. It’s amusing that “the cloud” has extremely high public
name recognition, but few understand what it really is.
Before the cloud, organizations purchased their own computer systems to run the
application software the business needed. These computer systems were located in the
organization's own facilities and managed by teams of in-house experts. While not
always the case, there was often more than one computer system (or server) per major
application.
This setup was expensive because of the capital cost of the computer hardware and
labor cost of the resident experts who kept it all running; but it was worth it. These
systems raised overall productivity and helped maintain competitive advantage.
Not long ago, someone noticed that of all their computer systems, only a few were
completely busy at any given moment in time. Most were idle, waiting for the next
transaction to come in. Bottom line: there were many wasted resources.
So, a new way of using server hardware was developed, called virtualization. The idea
actually comes from older mainframe technology: a single physical server runs the
operating systems and applications of several former servers simultaneously, each in
its own virtual machine. Virtualization consolidates workloads onto fewer servers,
raises their utilization, and saves money.
It wasn’t long until most datacenters were transformed from rows of computer hardware
dedicated to specific applications, into a collection—or pool—of general hardware
resources running virtualized applications. It was just the smart thing to do.
Along come some ingenious entrepreneurs who build enormous datacenters filled with
generalized computer hardware and offer to rent out portions of this infrastructure so
that their customers can run their virtualized applications there instead of on their
own hardware. With that, the cloud is born. This first model, renting raw compute,
storage, and network capacity, is called Infrastructure as a Service, or IaaS.
There are other types of clouds as well. For example, service providers rent out
cloud-based platforms on which software developers build and deliver applications.
This service, named Platform as a Service or PaaS, provides the operating system and
middleware in addition to the infrastructure provided by IaaS. It makes it easier,
more efficient, and cheaper for organizations to build, test, and deploy applications.
A third example is Software as a Service or SaaS. In this cloud service, the software
itself is hosted and operated by a third party. Typically, the end user connects to the
application with a browser. Common examples of applications delivered as SaaS are
Google Mail, Salesforce, DocuSign, and Netflix.
In each case, moving from applications that run on expensive, company-owned hardware
(a capital asset) to a model where the price is a recurring operating cost is very
attractive to most organizations.
When applications are hosted in a company’s own datacenter, the security picture is
straightforward: you put the appropriate security technology at the right locations to
address the specific security concerns.
Providing security for the cloud, however, is not so clear. You could say it’s a bit cloudy.
Bottom line: security is a shared responsibility between the cloud provider and the
customer utilizing the cloud services.
Designed in layers, security includes both the physical components and logical
components.
The cloud infrastructure provided by IaaS vendors is protected in various ways. From
an availability point of view, the infrastructure is designed by the vendor to be highly
available, and it follows that the infrastructure’s uptime is the responsibility of the
vendor. From a security point of view, the vendor is only responsible for securing the
infrastructure it provides.
As a customer, when you install one or more virtualized applications in the vendor's
cloud infrastructure, you are responsible for securing the access to them, the network
traffic to and between them, and the data and the applications themselves.
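The three areas the customer owns under this shared-responsibility split (access, network traffic, data and applications) are exactly what a customer-side configuration audit should cover. The following is an added example, not code from the lesson or from Fortinet: it walks a small, constructed tenant inventory (the dictionaries below only loosely resemble the shape of a provider's security-group, identity-policy and storage listings and are not any real provider's API format; all names and IDs are made up) and flags the misconfigurations that the provider's infrastructure security would never catch because they sit entirely on the customer's side of the line.

```python
"""Customer-side audit of an IaaS tenant (constructed example, not a
provider's real API). The checks cover the three areas the customer
owns under the shared-responsibility model: access (identity
policies), network traffic (security groups) and data (storage
exposure). The vendor secures the hypervisor and physical network;
none of the findings below is the vendor's to discover."""
import ipaddress
from collections import Counter
from dataclasses import dataclass

# Ports that should essentially never be reachable from the whole Internet.
MANAGEMENT_PORTS = {22: "ssh", 3389: "rdp", 3306: "mysql",
                    5432: "postgres", 6379: "redis"}


@dataclass(frozen=True)
class Finding:
    area: str       # "access", "network" or "data"
    resource: str   # identifier of the misconfigured object
    detail: str


def is_world_open(cidr: str) -> bool:
    """True when the CIDR admits every address (0.0.0.0/0 or ::/0)."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def audit_security_groups(groups):
    """Network: flag ingress rules exposing all ports, or a management
    port, to the entire Internet (IPv4 and IPv6 alike)."""
    findings = []
    for sg in groups:
        for rule in sg["ingress"]:
            lo, hi = rule["from_port"], rule["to_port"]
            for cidr in rule["cidrs"]:
                if not is_world_open(cidr):
                    continue
                if lo == 0 and hi == 65535:
                    findings.append(Finding("network", sg["id"], f"all ports open to {cidr}"))
                    continue  # no need to list each management port as well
                for port, name in MANAGEMENT_PORTS.items():
                    if lo <= port <= hi:
                        findings.append(Finding("network", sg["id"], f"{name}/{port} open to {cidr}"))
    return findings


def audit_policies(policies):
    """Access: flag Allow statements granting every action, or every
    action of one service, on every resource. Deny statements are ignored."""
    findings = []
    for pol in policies:
        for stmt in pol["statements"]:
            if stmt["effect"] != "Allow" or "*" not in stmt["resources"]:
                continue
            for action in stmt["actions"]:
                if action == "*":
                    findings.append(Finding("access", pol["name"], "Allow * on * grants full administrator rights"))
                elif action.endswith(":*"):
                    findings.append(Finding("access", pol["name"], f"service-wide wildcard {action} on all resources"))
    return findings


def audit_storage(buckets):
    """Data: flag buckets readable by anyone unless explicitly meant to be."""
    return [Finding("data", b["name"], "publicly readable but not marked as intended")
            for b in buckets if b["public_read"] and not b["intended_public"]]


def audit_tenant(tenant):
    return (audit_policies(tenant["policies"])
            + audit_security_groups(tenant["security_groups"])
            + audit_storage(tenant["buckets"]))


def count_by_area(findings):
    return dict(Counter(f.area for f in findings))


# Constructed inventory: every name, ID and address range is illustrative only.
TENANT = {
    "security_groups": [
        {"id": "sg-web", "ingress": [{"from_port": 443, "to_port": 443, "cidrs": ["0.0.0.0/0"]}]},
        {"id": "sg-bastion", "ingress": [{"from_port": 22, "to_port": 22, "cidrs": ["0.0.0.0/0", "::/0"]}]},
        {"id": "sg-db", "ingress": [{"from_port": 5432, "to_port": 5432, "cidrs": ["10.0.0.0/16"]}]},
        {"id": "sg-legacy", "ingress": [{"from_port": 0, "to_port": 65535, "cidrs": ["0.0.0.0/0"]}]},
    ],
    "policies": [
        {"name": "break-glass-admin", "statements": [{"effect": "Allow", "actions": ["*"], "resources": ["*"]}]},
        {"name": "ci-deployer", "statements": [{"effect": "Allow", "actions": ["compute:StartInstance", "compute:StopInstance"], "resources": ["*"]}]},
        {"name": "storage-admin", "statements": [{"effect": "Allow", "actions": ["storage:*"], "resources": ["*"]}]},
    ],
    "buckets": [
        {"name": "static-site", "public_read": True, "intended_public": True},
        {"name": "db-backups", "public_read": True, "intended_public": False},
        {"name": "app-logs", "public_read": False, "intended_public": False},
    ],
}

if __name__ == "__main__":
    for f in audit_tenant(TENANT):
        print(f"[{f.area}] {f.resource}: {f.detail}")
```

Running it against the constructed tenant reports six findings: two access problems (a full-administrator policy and a service-wide storage wildcard), three network problems (SSH on the bastion open to both the IPv4 and IPv6 Internet, plus a legacy group with every port open), and one data problem (a backups bucket that is publicly readable without being marked as intended). The web group's port 443 open to the world and the database group scoped to a private range are correctly left alone, which is the point of keeping an allow-list of intentionally public things rather than flagging every 0.0.0.0/0 rule.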
Now, most vendors supply some form of security tools so that various parts of the
customer’s cloud application environment can be secured. However, these tools can
pose a few problems.
First, these tools tend to provide only a few basic security functions, and they are the
same tools the vendor uses to secure the underlying infrastructure. If an attacker were
able to bypass these tools at the infrastructure layer, they would likely be able to
bypass them at the customer's application layer as well.
Second, and perhaps more important, is the fact that many organizations operate in a
hybrid world where some of their applications remain hosted in their own datacenters,
some on Vendor A's IaaS platform, some on Vendor B's cloud platform, and various
others with multiple SaaS vendors. This is what we call a "Multi-Cloud" environment,
and it comes with a "Multi-Cloud" problem: multiple, independent, uncoordinated
security solutions, each with its own tooling, where the complexity can scale
geometrically with the number of cloud vendors involved.
Now, highly trained security staff are scarce to start with. Add to that the burden of
integrating and operating multiple non-integrated security environments at the same
time, and it can be a real problem.
To wrap up, we’ve shown the fundamentals of how “the cloud” came to be, how cloud
environments are secured, and described Fortinet’s cloud security strategy that scales
from simple cloud-only environments to complex multi-cloud environments.
Thank you for your time, and please remember to take the quiz that follows this lesson.