The Fortinet sponsored 2021 Cloud Security Report highlighted numerous interesting finds, with time to market and customer responsiveness topping the list of business outcomes that organisations said they had realised by moving to cloud. But with multi-cloud set to be a key element of enterprises’ strategies, it’s crucial to enable consistent security, connectivity and visibility across these environments in order to stay ahead of cyberthreats. Intelligent CIO sat down with Ricardo Ferreira, Principal Cloud Security Architect, Fortinet and Joeri Van Hoof, Consulting Systems Engineer, Fortinet, to find out more about the latest trends and insights around transformation and trust in the digital era.
How is cloud future-proofing businesses across the EMEA region?
RF: From my perspective, working with customers in highly regulated industries such as banking, there’s certainly been an uptick in cloud usage.
Many new insurers, for example, are trying to leverage AI and they do that based on having access to a cloud platform. I also see the banking and capital markets using cloud in order to be more competitive, to enable that faster time to market and increase competitiveness with FinTechs and challenger banks.
Across the sector, I’m seeing cloud being adopted to power new ways of working and to enable predictive analytics, Big Data and so on. Telco is another area, with cloud playing a major role in 5G and contact centres-as-a-service to improve customer relationships.
JVH: Another example is operational technology where cloud is used for predictive maintenance across industrial control systems.
What role do you see cloud playing in organisations looking ahead and how is this impacting the role of the CIO?
RF: Cloud is reshaping businesses and is acting as a catalyst for Digital Transformation, enabling faster time to market, more innovation and, as a result, more talent. It also enables organisations to access analytics, Big Data and AI to predict things before they happen. This creates a predictive paradigm, instead of reactive. That’s important because one thing that the CIO and wider team is concerned about is making sure that the organisation is also self-service.
This means they can actually use APIs to interact and have a shared single source of truth. So that generates a new API economy.
CIOs have been forced to adapt, under pressure to innovate and improve agility while at the same time taking security into account. I think this will redefine the relationship between CIOs and CISOs because security is paramount and can also be brought in during this transformational event.
JVH: We have those building blocks and different public clouds that may look the same from the outside, but each of them works differently with its own unique advantages.
I think the CIO will be the broker here and assess which cloud will be best for a particular project. It depends on a number of different factors, whether it be costs, ease of operation within a specific cloud or whether the service and technology is better in one versus the other.
Done right, cloud can be an opportunity to improve security. Do you agree?
R: I think it represents an opportunity to build in security from inception as organisations go through this massive disruption. While security has historically been on the back burner, this major transformation enables security to be seen as a first-class citizen.
That’s super important because our report highlighted that misconfiguration and other issues can be a very damaging risk. With the cloud you use ‘tokens’, which we should think about as the keys to the kingdom.
If a bad actor gets access to those tokens, they access your environment and then they can horizontally scan and see what’s around. Bringing in security by design and making a shift to proactive security will be a major change and will bring about a new relationship between the CIO and CISO.
J: On the one hand, there is reduced risk and improved security because of some of the building blocks that are secure by default. But we shouldn’t think that everything is secure by default – there are still things that you need to investigate and processes you need to put in place.
That’s sometimes forgotten. More and more customers have security top of mind but we can still do better and need to continue to advocate for security to be built in early on.
What are the internal transitions that organisations need to go through in order to seize this opportunity and improve their security posture?
JVH: If customers or partners come to me and say they want to deploy a shiny new application or piece of technology, I always start by asking what the purpose of it is. Does it need it to run 24/7, for example, and what are the criteria? You need to start with the people. This also applies to training.
First, people, then processes and technology will definitely follow.
RF: I normally use this phrase from Peter Drucker. Culture eats strategy for breakfast. And that could not be more true. We can have the best strategy but if we don’t have the culture and people to support that, it will all crumble to pieces.
The cloud security report indicates that the majority of organisations are actually using two or more cloud providers. Is that something that you see and what impact is that having on security?
RF: From my perspective, highly regulated industries have something called ‘risk concentration’ which essentially means that they shouldn’t put all their eggs in one basket. They actually need to use two or more cloud providers in order to share risk across them. That’s something that I see very often with my customers.
JVH: What we see more and more is a multi-cloud approach where organisations pick and choose based on the unique capabilities of the different cloud providers. For example, if a company is using AWS to host their website and their business application and they’re using Microsoft 365 they are already multi-cloud. They have two different attack surfaces that they need to defend against.
The question is, how do you get these clouds to talk to each other and then ensure visibility across all of them? That’s where we need to have the proper tools. The good thing with cloud is that everything’s API driven, so I can get all the information out of these portals using API.
The report findings state that the features teams found most useful in cloud security solutions were integration and customisation.
Why so, and how can these capabilities help not only in improving security posture, but in helping organisations achieve success in delivering on their business objectives?
JVH: If we look at what we have available at Fortinet, we have a lot a lot of things predefined. When I started 20 years ago, installing firewalls and so on, it took two or three days to get everything set up and get the hardware in place, etc.
Now, deploying a firewall within public cloud or deploying a service in public cloud takes five to 10 minutes and it’s ready to go because we have those templates and best practices contained within that system and using that as a blueprint to get you started makes it much easier.
Cloud providers are also doing the same thing – they have their concept of landing zones for example where we can tie in and provide that security as well. The fascinating thing is that we can obstruct, but in the end, also gain that extra security there.
Can you tell us about the specific elements and capabilities of Fortinet solutions and approach to security that customers tell you that they find particularly helpful?
JVH: Many of our solutions are completely cloud-based, for example, our FortiWeb, which is our web application firewall construct. We’ve totally revamped that as a fully cloud native service. It runs inside of the different cloud providers so we support AWS, Azure, GCP, as well as Oracle. Once you set up your website or your API service through that service we will automatically detect in which cloud you’re running.
Based on that, we will select the closest data centre that we have to run the security scrubbing.
Secondly, FortiGuard Labs, our threat intelligence arm, gathers information from all of our different data points across the Internet and we use sandboxing and leverage Machine Learning and AI to reduce false positives.
RF: Fortinet is also committed to innovation. We are supporting, for instance, the latest on containers. Our products leverage Machine Learning and Artificial Intelligence, and we statistically analyse the traffic to detect malicious patterns.
We also cover some on-premise and have on-premise products. And while that’s not the cloud, it’s important. Why? Because no CIO is going to the board and saying they’re switching everything to the cloud tomorrow. That’s not going to happen. It’s a journey.
Fortinet has the portfolio to cover that entire state and that journey – for when the customer needs security protection on-prem and when they need it in public cloud. We offer a single pane of glass that provides visibility across environments.
Fortinet also has a consulting offering which can help customers understand their security posture while they’re migrating into the cloud and help them through that journey, either with best practices and also by giving them advice on alignment to industry leading frameworks as well.