¶ Cloud Native Firewalls Underperform in Security
Welcome to the Cables to Clouds podcast, your one-stop shop for all things hybrid and multi-cloud networking. Now here are your hosts.
Tim, Chris and Alex.
Hello and welcome to another episode of the fortnightly news with the Cables to Clouds podcast. As always, I am Tim McConaughey at carpe dash dmvpn on Bluesky, and with me, as always, is my co-host, Chris Miles. Uh, at, was it the cloud main on Bluesky? That's right, yeah, that's right, that's right, that's right. We don't.
We don't know that other place, we don't go there anymore. I'm just kidding. Um, yeah, so this week we, we have kind of a quick roll-up for you.
I mean, most of the really big news we actually covered in an episode which you'll be seeing pretty soon if you haven't seen it already, or you will have seen it by the time you see this, should I say, which is a recap of MS Ignite and re:Invent.
So let's just jump into some of the more interesting stuff that's happened in the meantime with some of the other clouds and get into it.
So the first article we have is, sorry, sdxcentral.com, and this is actually a follow-up to something that was done back in May of this year talking about how the cloud native firewalls kind of underperformed from a security perspective, and so what SDX Central has done is gone back, essentially, and given them time to fix what was broken.
You know, rejigger it, make it better, and the findings are still pretty awful is what they found.
So I think AWS actually did worse, as I said, just to be clear. So it was the. The report was actually done by CyberRatings. I think SDX Central is just doing following up with CyberRatings.
Yeah, but yeah, there was, yes, cyberratings.org. Sorry, yeah, yeah, that's my, I totally misread it, uh. But yes, cyberratings.org is the actual, actual people that did the cyber risk assessment on it.
So AWS actually managed to do worse than they did the first time, which I don't know how that's possible, but this is the craziest part: they scored a point.
So this is another percentage score, basically on things like how much protection essentially do you get based on their rating score, which the article goes in a little bit more detail about that, and of course, you can go to cyberratings.org and get the full details.
But in May AWS Network Firewall actually scored, I think it was a 5.39% of effectiveness, meaning that you were protected almost, not quite, 5.5% of the time. And it says here that they scored a mere 0.38 percent. So not even, so not even a half a percent, and that is a regression. That is not just more or less, that is a total 0.38 percent.
I don't know that's possible. It's basically saying you're not running anything, basically. So it's a very interesting finding by CyberRatings and I know that when we reported on this back in May, AWS had actually issued a statement saying that our network firewall is great and we think they tested it incorrectly or something to that effect.
CyberRatings in this version says, quote unquote, this was not a bug. There's a fundamental flaw in how AWS network firewalls is approaching the detection of vulnerabilities, so very troubling. I don't know. I really don't know what to say to that. Really, I mean, that's pretty crazy, right. And then, to roll it up, Azure and GCP were not great either.
The best performing firewall got a protection level of 50.57%, 57%, 50.57%, if I can learn how to talk, and Azure is 24.14%, which, again, I don't know the exact, you know, ratings or how they did it. We have to go to the. You have to read the whole report to get to that.
But this is just, you know, a percentage based on how they determined that they were, these, these native firewalls were protecting workloads. So for the money you're paying for these, man, like I, I don't, I don't know, I don't know. What do you have? What? Anything to add there?
Chris, to this crazy article. No, yeah, I mean it's. It's funny because, um, I mean the. The outcome, basically, of this is from the, the interview that they did with, uh, Vikram Phatak, I think it's how you say his last name, um, the CEO of CyberRatings that performed the report.
He basically just said, like, look, these things are charged at a premium for security and you don't get security. He was just like, you don't get it. Um, the, if any, pretty much any range within, you know, whether you're a small business or you're a large enterprise. He just says use a third party.
So the third party players that were called out were Cisco, Check Point, Palo, or quote unquote, the whole gang.
So he basically just says don't use any of the cloud-native stuff today, which is, I mean, Tim, you and I work in a specific technology sector where we see how many people actually use the cloud-native firewalls today and it's a very large number. So this is, I don't know.
There's like, I do understand that each one of these cloud-native firewalls doesn't have every bell and whistle that Palo Alto is going to have, right, because they obviously have very, you know, enhanced threat protection and new feature sets that they've added over the last, you know, 10, 15 years, but I find it hard to believe that they're that bad, like, I don't know.
Yeah, I mean, how could you sell a product that has 0.38% protection? I mean, like, it's like saying there's no protection at all. You're basically saying that it does nothing except pass traffic, like that's.
I mean, I guess, right, my, my inkling here is that. So one of the interview answers that he gave was that, um, or SDX Central. So it's like only 0.38 percent of all exploits hitting the AWS firewall are caught and stopped. Sure looks like anyone using the AWS network firewall is basically wide open, um.
And he said, unless you care about the basic access, basic access control, pretty much for any kind of deep inspection, exploit blocking, you need a third-party. So it's more.
It's not just like whether or not the firewall functions, which I feel like is kind of misleading in that sense, right? Like if from a traditional firewall perspective it is, I think it probably does its job, but probably I think the emphasis here should be at detecting exploits on its own, which, you know, that requires a certain level of merit, that, that, you know, um, um, that they need to live up to, um. So I can understand that criticism if they're saying that, like, almost all those other exploits got through, um. But yeah, I mean that I'm not in this state to test this, right. I don't have, uh, the capabilities of pushing, you know, known exploits through the firewall like this.
So it's, it's hard for me to recreate this, but, man, that seems insane. For the amount of people I know at AWS and their emphasis on security and specifically network security. I've seen some of the things like web application firewall can do and detect as far as exploits go, and the fact that that would not be baked into network firewall.
I don't know if I can believe it. That just sounds crazy.
Yeah, that's, it's so insane, right, it's. Yeah, like I said, it's a basic. It's saying like you have a router, we're just forwarding packets, we're not even looking at them, right, like with that level of protection. So, yeah, I mean I, I think there's gotta be a little column A, a little column B there.
I, I also find it really, really hard to understand the idea that there's like no protection from any of the, you know, or, you know, even that the best performing one was just over 50%. Right, that's, and that's, that's being extremely generous. So, yeah, man, I mean, yeah, anyway.
So, so I don't know what to say to that, except that if, I definitely suggest that if your organization is using a native firewall for a checkbox or, you know, to, to meet a requirement or, you know, take a look, if you guys are doing this, and especially if anyone has done this and gotten a pen test, like something like when we talked to Serena, one of those type of pen test orgs, I would love to know, have you seen this? Has this been a thing for you? So anyway, yeah, great, great story.
¶ AI Market Competition and Partnerships
So the next one is from, I just completely blanked. The next one is from Reuters, sorry, and this is an interesting one.
It's from Google, and Google is asking the FTC, the Federal Trade Commission, to basically break up the deal between Microsoft and OpenAI, saying that basically Microsoft has a monopoly on access to OpenAI because of their agreements between these two organizations.
We know Microsoft has a large stake in OpenAI, the organization, and basically in order to access OpenAI, you have to use Microsoft's servers, access, whatever. So Google's basically saying to the FTC that is the same thing as monopolistic behavior. You should, you should stop this.
You should let other organizations like us, for example Google, be able to access OpenAI without having to go through Microsoft to do it. So very interesting, and I mean, the more the AI stuff heats up, man, the more stuff like this I would expect to see.
I'm actually. I mean, does Google? I mean Google has Gemini, like why? I'm not saying there's no reason to ever use another model. Obviously, the models are trained in a very specific way. They all have different strengths and weaknesses, et cetera, et cetera.
Or is this more like an advocacy for Google customers that might want to use OpenAI without having to go be Azure customers or something? Maybe that's the angle here.
So pretty interesting stuff. Yeah, I mean, my rub of it is that the FTC was already investigating Microsoft for their practices elsewhere, right, and it even says in this article that this came up while Google was being interviewed about that. So it was almost like they're leveraging, like, hey, we know you're already looking into them.
You should probably have a look at this too. This is kind of a potential violation as well. I mean, I think that's a much easier play for Google to try to get, you know, to ruffle some feathers and stir some commotion there, rather than promoting Gemini. Because they know.
Gemini is probably, that's a long haul to get Gemini to the state of where ChatGPT is today, right, so that's my initial thought anyway. But I mean, who knows if the FTC is even going to even, you know, kind of look at this at all. I don't think they even comment or responded to their comment.
Well, and I guess we'll see. We'll see what the FTC looks like, along with many other federal agencies, in a few months anyway, to be honest, so it may not be fully staffed in order to even do this. For all we know, you know, for whatever that's worth. We don't know yet. So, yeah, interesting.
You know, we've reported several articles already where Microsoft's being investigated, like in Europe, for example, for, you know, anti-competitive practices and whatnot. So, yeah, I guess we'll see how this one goes. I expect a lot more stuff like this, as, as we do, more as we see, the AI wars heat up a lot more. Okay, you want to take the next ones?
Sure.
So we have a couple articles here, one from Reuters and then another one from cloudcomputingnewsnet, so kind of two quick, rapid fire ones that we'll kind of talk about, about Oracle. So Oracle, this one from Reuters is titled Oracle Slides as Revenue Target Miss Spotlights in Tough Cloud Competition.
So Oracle, you know, obviously been number four of the top four for quite a while in the cloud space. Um, you know, I hate talking about the stock market because this thing is so ephemeral, so it's like it's hard to really, you know, talk about what this actually means. But, um, they did have.
They previously had their shares, uh, up 80% as of Monday and then, as the cloud earnings came out, it looks like they've tumbled about 9%, as the company was on track to lose nearly $50 billion of the market cap. So that is interesting. I mean, like I said, this stuff changes every day so it's hard to really read into this.
Yeah, and in addition, we also have an article from cloudcomputingnet or cloudcomputingnewsnet, sorry, saying that Oracle has now entered into the use of Meta and Meta's LLMs, being Llama, as their large language models. I don't know if it's specifically on a certain offering or if this is just like what's baked into their AI products.
Did you pull that out from this?
I mean, just that the main thing is that they're partnering with Meta to power their Llama AI, right. So Meta's going to be using Oracle's compute basically to do their Llama AI stuff. So it's a partnership. I mean, it's probably going to be money. There's going to be a lot of money involved.
¶ Challenges in Cloud Infrastructure Management
It's funny to see these two articles together, you know, like here we have Oracle missing its target. And then, you know, potentially something very lucrative for Oracle in the very next breath. But you're right, the stock market is such a roller coaster, man, it's not worth it.
I mean it's almost not worth drawing. At the same time, it's like they're obviously the ones that can be most competitive on stuff like compute and storage and networking as of right now, just because they are in that fourth spot. So they're offering the biggest discounted rates from what we've heard.
So it almost makes sense that if you're someone like Meta, maybe that's appetizing to you.
Well, I guess no, this isn't.
They're not servicing Meta, they're just using the open source model. Is that right?
Yeah. Okay, I think that's, yeah, fair enough. But I mean, there's basically, there's money changing hands there. There's a partnership, there's money changing hands, Oracle's making money.
So yeah, it's kind of like the same as what they've been doing, right, they've went all in on partnerships all across the, as much as possible, even with other CSPs, to try to stay relevant and keep the market cap up and all of that. So yeah, I guess we'll see if it's, if it pays off for them. We shall see.
All right, we got one more which is interesting but not surprising necessarily to a lot of people, and this one comes from CloudTech and basically says they, there was a survey done and the results of the survey are less than a fifth of IT professionals say that cloud infrastructure is actually meeting their needs.
So specifically, less than 1 in 5, 18% of IT professionals said this, saying that there's a large disconnect between their expectations and what the reality is when it comes to their cloud strategy, like their organization's cloud strategy.
Now, this was a SolarWinds survey, so maybe a little bit of a grain of salt there, because obviously SolarWinds is very on-prem heavy. That's kind of their bread and butter, right. So again, take a little bit of salt with it, but I think that generally there's also the grain of truth in it.
So they said they did a survey that shows that, despite the cloud's promise of scalability and cost savings, the reality is mixed, and anybody who's ever done anything with the cloud could have told you that that was the case. So that part's interesting, but, specifically, they get into things.
Like, you know, a lot of the cloud professionals, a lot of the IT professionals, are saying that their organization's hybrid approach to cloud is also severely lacking. It's extremely complex and hard to manage, which, again, this is bread and butter, I think.
At work, we probably say this a hundred times a day to various people, because it's very true, it's an absolutely true statement.
And yeah, and despite that, though, actually very few people of those surveyed, right, by SolarWinds have actually engaged a third party value added reseller or professional services contractor to actually help them with their hybrid cloud approach or their hybrid cloud journeys.
So, you know, they also mentioned things about like, OK, people also are not trusting the cloud security stack, which apparently they shouldn't. And yeah, like I said, it's from SolarWinds. It's an interesting observation.
I do, again, take it with a little bit of salt because it's from a very on-prem heavy vendor, but I do think that people really do feel this way, that people feel that hybrid cloud is extremely, uh, complex and that, that, uh, just the, the benefits of cloud, right, like, you know, going all the way back to the, our, one of our original episodes, where all the cloud cost savings, like that's, it's still true today, um. So, yeah, it's, it's interesting article, uh, kind of affirms what I think a lot of us already knew. But it's.
It's tough because, like we, obviously we see this a lot with our, with our day job, just because, you know, like we almost have to let customers learn the hard way how hard things are to do in the cloud.
Right? If, if I went to talk to someone before they even really started moving into cloud and tried to express like, hey, this is going to be a problem. This is what hurts once you get to a certain scale.
It's not going to resonate until they've actually done it and had that pain kind of rise to the top on their own, right. I think one of the most notable quotes in this article is, in a hybrid cloud world with increasingly complex network systems, devices and applications, managing microservices and containers adds to the challenge.
Without proper planning and comprehensive visibility, organizations risk finding themselves in a dire situation. Tool sprawl, information silos and alert fatigue can all lead to an unpleasant cloud experience. So that's like, to me, it's just like it's a planning thing, right.
Yeah, it's like, like if you, if you.
I mean, I'm not saying everyone gets it right on the first go, but like there are, there's enough learnings out there in the world where, like, you can, you can be better at this stuff, you can know what works, what doesn't work, what needs to stay on-prem.
There's a bit of talk in here about, you know, customers saying like, oh, we had to repatriate workloads back, and like I think that is, repatriation in the context of, you know, moving to something in the cloud or building it to run in cloud and then moving it back on-prem seems like, oh well, we did this because it was a failure, right, that we had to move it back on-prem. I don't think that's always the case.
I think you just kind of realize that like things run better in certain scenarios in a different place and it costs less as well, for sure, um, but like I don't think it's always, always implies that things failed to run in the cloud. I think it was just kind of a shift in the organization, uh, many times.
So, like you said, there's a lot of, there's probably many grains of salt that you have to take when reading this article, but it was. It was very interesting.
All right, and so, uh, a bit of a short one today, but we'll go ahead and, uh, start wrapping it up here. I think, uh, yeah, so we'll go ahead and wrap it here and hopefully everybody is following us on Bluesky.
We have a Cables to Clouds on Bluesky now and, uh, yeah, so go ahead and follow us there and do all the other things that we always tell you to do, you know them by now, and yeah, by now you've probably heard them a hundred times, so I won't repeat them. Uh, yeah, yeah, but I, you know, I just had a thought.
Uh, this one is going to come out like right before Christmas. Is that right, or, or right after Christmas?
Uh, yeah, this will. This will come out on the 18th. Oh, this will come out.
Christmas, is it the 18th? Oh yeah, that's right. 18th, all right. So yes, 18th of December. So, uh, yeah. Hopefully you're getting up for your time off work. Hopefully you're. You know, you're really.
Hopefully you're at work and hopefully you're at the point where you're really phoning it in. Like you're, you're barely, you're barely paying attention. You're already. You know, you've got, you've got, uh, you know, yuletide thoughts in your head. You don't do any work.
I took this last week off because I was certain, absolutely 100% certain, I was going to be sick coming back from re:Invent. I was the only person on my team that was not sick. Yeah, everybody else had COVID or flu or something.
And then of course I just, you know, did a bunch of stuff at home that needed to get done, that I'd been putting off, but so it wasn't a waste of time. But, hey, I'm not going to look a gift horse in the mouth on that one. Yeah, right. All right, everyone, thanks for joining us and we'll see you next time.
Hi everyone, it's Tim and this has been the Cables to Clouds podcast. Thanks for tuning in today. If you enjoyed our show, please subscribe to us in your favorite podcast catcher, as well as subscribe and turn on notifications for our YouTube channel to be notified of all our new episodes. Follow us on socials at Cables2Clouds.
You can also visit our website for all the show notes at Cables2Clouds.com. Thanks again for listening and see you next time.
