How containerization improves security


New forms of cyber attacks are developing rapidly. That’s why firewalls must be able to adapt quickly to protect against constantly evolving threats. Containerization and container orchestration enable Sophos to make our software more flexible and adaptable – and also easier for our customers to update.

In the past, network protection solutions were monolithic. Firewalls were designed as a large, powerful package of technologies, but they could not be compartmentalized or modularized, they had to be developed and updated as a whole. As a result, they could only be changed slowly.

This was less of an issue back when security systems were designed to protect specific devices and applications. The monolithic products were deployed in one place and stayed there. But the way we all work has changed, and enterprise systems are increasingly distributed — with multiple devices spread across a variety of networks.

Flexibility has become a key factor in good working practices. As the area to be protected changes, security systems must be flexible. It’s not just about new ways of working. New forms of cyberattacks mean your security systems must be able to evolve as quickly as the malware.

To help you keep up, we’ve changed the way we design new network security products, including firewalls. We look for ways to incorporate modularity and flexibility to ensure security products and services can be updated quickly as new threats emerge. One way to achieve this is through containerization.

Flexible and agile by design

Imagine the software functions were Lego bricks. The containers are the different colored building blocks and they can be put together to form different systems. By putting different functions in separate blocks, we can choose exactly the functions we need for a specific security task or deployment topology, e.g. the protection of local applications against cloud data.

The containerization of workloads gives us the speed and flexibility to add or update features as new types of cyberattacks increase the importance of different features. A firewall today can contain dozens of functions. With containerization, we can easily move these features in the future to optimize protection against new threats in ways that are not possible in old, monolithic systems, or even quickly replace some of the features with new features.

Standardize your protection

We can also use the same type of building block in more than one product, increasing consistency and therefore protection across different solutions. By containerizing functionality, policy, and configuration management, we can improve your ability to take a single, coherent view, regardless of the mix of solutions you deploy.

For example, a firewall can contain the same features and policies whether implemented on-premises or in the cloud. And when it comes to securing access to enterprise data, containers make it easy to enforce consistent policies and decision points across firewalls/gateways, whether the resources are accessible on-premises, in the cloud, or via a Zero Trust Network Access (ZTNA) solution.

If you want to integrate special solutions to further extend the capabilities of your firewall, we can work with a certified third party. We can use their container with this special function and run it on our system.

This allows us to create an ecosystem of partnerships and alliances, where we work with leading vendors to develop new technologies and strategies, giving you control of best-of-breed solutions in a single space.

Creating a secure, integrated infrastructure

A practical example of how containerization can accelerate our response to evolving threats is how users access remote applications.

When companies move to a Zero Trust approach, we don’t want a virtual private network (VPN) to punch big holes in firewalls to access multiple different applications. Instead, we want to use a Zero Trust Network Access (ZTNA) gateway to micro-connect to the remote application. And then we will add another layer of security by deploying a Web Application Firewall (WAF) between the gateway and the remote application itself.

Currently these are two separate processes, but using containerization we can add the WAF brick to the ZTNA gateway to create a single, secure solution. This means there is less infrastructure to provision and manage, simplifying the environment and keeping labor and costs down.

Seamless technology upgrade

Now comes the really smart part: Just because containerization speeds up development doesn’t mean your software updates and patches will be more of a hassle. The opposite is the case. With containers, we can update your firewall software seamlessly with no downtime.

By using Blue/Green Deployment, we let the old and the new version run in parallel until all your data traffic has been switched to the updated software. Only then do we remove the outdated version. This way the update doesn’t interrupt your system’s traffic and gives us the opportunity to implement new updates and technologies without ever having to shut down your environments.

This approach also eliminates the need for monolithic, time-consuming implementations. If you just want to update your WAF, you can do that. With containerization, operational complexity and downtime are reduced so you can quickly adopt the latest protections.
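The blue/green cutover described above, as an added toy model that is not Sophos code: both firewall versions serve in parallel, new connections are shifted to the new version in steps, and the old version may only be retired once it receives no new traffic and has drained its in-flight sessions. The class names, version labels and percentages are hypothetical.

```python
"""Blue/green cutover model (added illustration): both versions run side by side, new
connections shift over in steps, and the old version is retired only once drained."""
from dataclasses import dataclass

@dataclass
class Version:
    name: str
    healthy: bool = True
    in_flight: int = 0   # connections currently being served by this version
    served: int = 0      # total connections ever routed here

class BlueGreenRouter:
    def __init__(self, blue, green):
        self.blue, self.green = blue, green
        self.green_weight = 0        # percent of *new* connections sent to green

    def route(self, conn_id):
        # Deterministic weighted split keyed on the connection id (reproducible).
        target = self.green if conn_id % 100 < self.green_weight else self.blue
        target.in_flight += 1
        target.served += 1
        return target

    def shift(self, step):
        # Send `step` percent more new traffic to green; roll back if green is unhealthy.
        if not self.green.healthy:
            self.green_weight = 0
            return False
        self.green_weight = min(100, self.green_weight + step)
        return True

    def retire_blue(self):
        # Old version is removed only after full cutover and once it has drained.
        return self.green_weight == 100 and self.blue.in_flight == 0

def finish(target):
    target.in_flight -= 1        # connection closed

def simulate_cutover():
    router = BlueGreenRouter(Version("fw-v1"), Version("fw-v2"))
    held = [router.route(i) for i in range(10)]   # long-lived sessions, all on v1
    for step in (25, 25, 50):                     # cutover 25% -> 50% -> 100%
        router.shift(step)
        for i in range(100):                      # 100 short connections per phase
            finish(router.route(i))
    premature = router.retire_blue()              # False: v1 still serving 10 sessions
    for v in held:
        finish(v)
    return {"premature": premature, "retired": router.retire_blue(),
            "blue_served": router.blue.served, "green_served": router.green.served}
```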

The building blocks of the future

The beauty of containerization is that it’s as easy to maintain as it is to create. You can manage your Sophos Firewall along with your other Sophos solutions in the Sophos Central Management platform, giving you a single place to see and control everything. Your policies and functions can be integrated and centrally managed across all your applications. This unified management and development approach is the model of the future.

If you would like to learn more about the new functions and possibilities of our firewalls, contact your Sophos representative or a certified Sophos Firewall partner in your area today.
