Table of Contents
- Executive Summary
- Market Categories and Deployment Types
- Decision Criteria Comparison
- GigaOm Radar
- Solution Insights
- Analyst’s Outlook
- Methodology
- About Andrew Green
- About GigaOm
- Copyright
1. Executive Summary
Cloud network security solutions provide a suite of security services for single- and multicloud environments to prevent unauthorized traffic, access, modification, misuse, or exposure. Cloud network security is entirely software-driven, with vendors orchestrating cloud-native, third-party, or proprietary appliances to enforce security policies and gain visibility over the infrastructure footprint.
Native security appliances in public clouds offer limited functionality; for example, they lack granularity in policies or have only simplistic filtering capabilities. Many vendors featured in this report offer proprietary alternatives that can be deployed across multiple cloud providers to deliver consistent security across the whole surface area. These functionalities may include firewalls, gateways, load balancers, sandboxes, or network traffic analysis appliances.
Some vendors leverage third-party appliances or provide proprietary ones, such as firewalls, to deliver more advanced functionalities than those available natively in the public clouds. Vendors who choose to orchestrate the native solutions can still bring considerable benefits with extensive visibility and global policy definitions, often with less disruption and without passing the cost of developing proprietary appliances or licensing third-party solutions to the end customer.
Cloud network security solutions must unify different environments, so a solution can deliver its benefits only by working through multiple phases. These phases are a useful yardstick for selecting a solution.
First, the solution needs to gain visibility over the environments that need securing, which includes onboarding activities such as accessing public cloud accounts. Once the requisite permissions are in place, the solution must discover all the assets within the environments. Across multiple clouds, these should include virtual networking constructs, regions and availability zones, existing security and networking appliances, compute and storage instances, workloads, applications, and other services such as databases.
Second, the solution needs to create visualizations that reflect the current environment. These can be topological maps that display how networks and workloads communicate and are isolated from each other. If the environment spans multiple cloud providers, the solution should also capture this level of information and create a comprehensive view of the entire cloud estate.
Third, solutions that can detect misconfigurations, including internet-exposed resources, open ports, or policies that are too permissive, will highlight any current configuration issues. To do this, the solution may require a sample of real-world traffic to understand the connectivity across resources and identify potential security risks.
With a clear understanding of the cloud environment, including how entities are connected and how traffic flows, administrators can define security policies across environments more intelligently. The policy engine serves as a crucial component, enabling the creation of policies that provide granular control over rules, accommodate elastic workloads, and offer traffic-based recommendations. These policies are essential for securing ingress and egress filtering for “north-south” (client-server) traffic and for implementing network segmentation for “east-west” (server-to-server) traffic.
Once policies are defined and the solution is up and running, the tool must continuously reassess and reinforce policies as configurations and workloads in the cloud change. Topology maps and segments must be updated as entities are spun up and down.
Finally, besides filtering traffic that goes in, out, and across the environment, cloud network security solutions should also inspect and analyze traffic and communication patterns to detect anomalies. This information is useful to identify attempts at obfuscating data exfiltration, command and control attacks, and lateral movement, as well as detecting malware before it enters the network.
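The misconfiguration check from the third phase above, as an added example that is not taken from the report or from any vendor's product: it audits a normalized multicloud rule inventory for internet-exposed resources, open sensitive ports, and overly permissive ranges. The `Rule` schema, the sensitive-port list, the width threshold, and the sample inventory are all assumptions constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

# Administrative/database ports that should not face the internet (assumed list).
SENSITIVE_PORTS = {22: "ssh", 3389: "rdp", 3306: "mysql", 5432: "postgres", 6379: "redis"}
WIDE_RANGE = 1024  # assumed threshold: wider port ranges count as too permissive

@dataclass(frozen=True)
class Rule:  # hypothetical normalized form of a discovered firewall rule
    cloud: str       # provider label
    resource: str    # security group / NSG / firewall rule name
    direction: str   # "ingress" or "egress"
    source: str      # source CIDR
    proto: str       # "tcp", "udp" or "any"
    ports: tuple     # (low, high), inclusive

def is_internet(cidr):
    """True when the CIDR covers the whole IPv4 or IPv6 address space."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0

def audit(rules):
    """Return sorted (severity, cloud, resource, reason) findings for ingress rules."""
    findings = []
    for r in rules:
        if r.direction != "ingress" or not is_internet(r.source):
            continue
        low, high = r.ports
        exposed = sorted(p for p in SENSITIVE_PORTS if low <= p <= high)
        if r.proto == "any":
            findings.append(("high", r.cloud, r.resource, "all protocols open to internet"))
        elif exposed:
            names = ",".join(SENSITIVE_PORTS[p] for p in exposed)
            findings.append(("high", r.cloud, r.resource, f"internet-exposed: {names}"))
        elif high - low + 1 > WIDE_RANGE:
            findings.append(("medium", r.cloud, r.resource, f"wide port range {low}-{high}"))
    return sorted(findings)

# Constructed sample inventory, normalized from three providers.
SAMPLE = [
    Rule("aws", "sg-web", "ingress", "0.0.0.0/0", "tcp", (443, 443)),
    Rule("aws", "sg-bastion", "ingress", "0.0.0.0/0", "tcp", (22, 22)),
    Rule("azure", "nsg-db", "ingress", "10.0.0.0/8", "tcp", (5432, 5432)),
    Rule("gcp", "fw-legacy", "ingress", "::/0", "any", (0, 65535)),
    Rule("gcp", "fw-batch", "ingress", "0.0.0.0/0", "udp", (20000, 30000)),
]

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(*finding, sep=" | ")
```

Only rules whose source covers the entire address space are flagged here; a production check would also weigh traffic samples and narrower but still public ranges, as the phase description notes.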
This is our second year evaluating the cloud network security space in the context of our Key Criteria and Radar reports. This report builds on our previous analysis and considers how the market has evolved over the last year.
This GigaOm Radar report examines ten of the top cloud network security solutions and compares offerings against the capabilities (table stakes, key features, and emerging features) and nonfunctional requirements (business criteria) outlined in the companion Key Criteria report. Together, these reports provide an overview of the market, identify leading cloud network security offerings, and help decision-makers evaluate these solutions so they can make a more informed investment decision.
GIGAOM KEY CRITERIA AND RADAR REPORTS
The GigaOm Key Criteria report provides a detailed decision framework for IT and executive leadership assessing enterprise technologies. Each report defines relevant functional and nonfunctional aspects of solutions in a sector. The Key Criteria report informs the GigaOm Radar report, which provides a forward-looking assessment of vendor solutions in the sector.