
More and more companies are opting for the cloud. They often start by moving their virtual machines to the cloud, and the next step is to develop applications that are completely cloud-based. These applications make use of many different cloud services, from serverless to machine learning and from S3 storage to a wide range of databases. Keeping all these cloud services secure and compliant is a challenge in itself. Products such as Barracuda Cloud Security Guardian and AWS Control Tower can help.

Barracuda is one of the security companies that has chosen to bring its technology and innovations to the cloud, and to develop new applications in the cloud in particular. A few weeks before AWS re:Invent, we were already talking to Barracuda about its new Cloud Security Guardian product. During re:Invent, Amazon Web Services introduced AWS Control Tower.

We talked to Tim Jefferson, Barracuda Senior Vice President Data Protection, Network and Application Security, to better understand what Cloud Security Guardian does and how it differs from AWS Control Tower. At first glance, the two products are very similar. Since both products were presented almost simultaneously, we wondered how to interpret this.

What do Barracuda Cloud Security Guardian and AWS Control Tower do?

What these products basically do is build an overview of all the AWS services you use and compare the configurations of these services with a set of compliance rules and frameworks. This includes various ISO and PCI standards, as well as GDPR rules and, of course, the CIS benchmarks.

If a service that should meet one of these standards does not, both tools can display this, indicate what the solution is, or even apply the solution at the push of a button by adjusting the settings. Basically, the products in this area are almost identical – or they will be within a few months. Both map AWS services and use the same standards. Barracuda supports Azure as well as AWS, so it can apply this to two public cloud platforms.

These comparisons are made on a micro-level. For each API and each feature, a number of things are considered: what you can do with it, what influence this has on your environment and on compliance, and how you should deal with it.

Next-gen firewall and malware scanning

However, Barracuda Cloud Security Guardian goes a few steps further than the standard AWS Control Tower product. AWS does have a WAF (Web Application Firewall), but in terms of firewall protection, it stops there. This is no more than the opening or closing of ports. Barracuda also offers its next-gen firewall within AWS, which is capable of decrypting and analyzing SSL traffic. At the touch of a button, a next-gen firewall can also be added, and compliance can be further increased. Without a next-gen firewall, for example, it is much more difficult to provide good IPS/IDS (intrusion prevention and detection). You really need a next-gen firewall for this, and Barracuda can currently offer this within AWS, but AWS itself cannot.

Another feature with which Barracuda creates added value is the scanning of malware in S3 buckets. This allows it to better tackle possible (future) problems.

Healthy competition is great, but the trick is staying ahead

We ask Jefferson how he feels about the fact that Barracuda is in a very competitive playing field. Jefferson acknowledges that with AWS Control Tower, Amazon has a great basic product. However, he emphasizes that Barracuda Cloud Security Guardian will be available in the near future and that AWS will need months to bring this product to the market. In addition, they can distinguish themselves from AWS with a number of features and offer added value to AWS users.

Asked whether he is afraid that the competition will also build the unique features or that AWS will come up with a next-gen firewall at some point, Jefferson says: “We assume that AWS will come up with a next-gen firewall at some point and that the competition will come up with similar platforms. It’s up to us to keep coming up with new features that will keep us ahead of the competition and create added value for our customers.”

He is counting on Palo Alto Networks and Checkpoint Security, for example, to come up with a kind of Cloud Security Guardian solution within one or two years. He bases this on the recent acquisitions that the companies have made. He expects these parties to integrate the technology of these acquisitions into new solutions.

API and data plane make a difference

Jefferson also said that Barracuda’s main focus is on SMEs. Such companies also need high-quality security and can easily deploy it in both Azure and AWS with a product such as Barracuda Cloud Security Guardian. In addition, he states that this product can also be very interesting for enterprise organizations, especially for companies that do not yet have such a solution, or companies that want to extend the solution to their firewalls.

Jefferson argues that Cloud Security Guardian is not a unique product for most enterprises, because they have often already developed such a product themselves to ensure that their environment is compliant with all requirements. They are also obliged to do this internally because the managing board does not want any conflicts about it.

However, Barracuda can offer a number of things that could make enterprises very happy. The whole solution is API-based, so enterprise organizations can use Cloud Security Guardian without using the user interface. Since Cloud Security Guardian is able to automatically place many services behind a next-gen firewall and take care of all that configuration, it does offer added value. Ensuring that all firewalls are properly adjusted, both next-gen firewalls and Web Application Firewalls (WAF), is a lot of work for many organizations. These kinds of integrations are often more difficult for them.

Analyzing and protecting the data plane is also something that is currently impossible with other solutions. AWS does not yet have a solution for this. Azure is starting to take first steps, but still has a long way to go. Within one or two years, Jefferson expects that Azure will be more competitive in this area.

Thinking faster about security

One of the things that more and more companies are encountering is that security is slowing down the development process. For a number of years now, we have been hearing that, when developing applications, one should think in terms of a security mindset. It is simply much more difficult to build security into an application afterwards than it is to develop applications from a security point of view. This actually works the same way with the cloud. If you are going to use new cloud services and microservices, you will almost immediately have to put a security strategy next to it.

This is happening more and more often, to the great displeasure of developers. They are faced with the problem that it takes weeks to think about how they are going to secure all of this. With Cloud Security Guardian, this can be done much faster, and developers can be involved much more closely.

From a security point of view, it can be indicated which requirements an application can meet, while Cloud Security Guardian can also report immediately during development when a service is not compliant. If a developer uses new services, but their configuration does not meet the requirements, this can be communicated immediately. Not only traditionally by e-mail, but also directly in channels and other messaging services. This allows both the security team and the developer to act quickly to arrive at a solution. This means that the developer is almost immediately alerted to a problem, and a solution can be looked at immediately.

This is much more effective than doing extensive research beforehand or when the developer has to start over in order to make a large module compliant.

Barracuda Cloud Security Guardian also suitable for managed security providers

The Barracuda Cloud Security Guardian is, as mentioned earlier, fully API-based, but it is also a multi-tenant SaaS application, which makes the product also very suitable for managed security providers.

Within the Cloud Security Guardian SaaS environment, multiple AWS and Azure accounts can, therefore, be added and assigned to different users and environments. Companies that opt for Cloud Security Guardian, via an MSP or directly at AWS, receive an instance from Barracuda within their cloud environment that collects all the data and continues to scan the environment.

The customer chooses whether Barracuda can only read or also write in this environment. Writing, in this case, means adjusting configurations. Because the instance runs in the environment of the customer and all data is collected there, the data also remains in the management of the customer and not of Barracuda.

If the SaaS environment is used, it will talk to the instance in the network to visualize that data, but this is a very limited data transfer. If the customer decides to stop using Cloud Security Guardian, the data will remain with the customer.

Furthermore, the SaaS environment can also be run in the same public cloud region in which the customer is active. Barracuda does not have a preferred cloud partner; the SaaS environment is offered in both Azure and AWS. Jefferson was also able to tell us that the support for Google Cloud Platform is currently being mapped and will certainly follow in the future. He was not yet able to provide a timeline for this.

Cloud Security Guardian was initially an internal product

What is also interesting to know is that Cloud Security Guardian was initially an internal product. As with similar tools at many enterprise organizations, it was initially developed to monitor Barracuda’s own cloud environments and see if all the microservices and services that Barracuda uses are compliant with the set requirements.

However, Barracuda realized that this is applicable to many more companies. That’s why it started building Cloud Security Guardian based on the technology it had previously developed for internal purposes.

Soon the product will finally be available. It can already be tested in the Marketplace, and until February there will be no charge. We are curious to see how it will be received, how the solution will develop, and whether Barracuda can stay ahead of the competition.