Intelligent CIO Logo
CloudEnterprise SecurityMore NewsSoftware

‘Not all cloud software is created equal’ – Fortinet expert

‘Not all cloud software is created equal’ – Fortinet expert

John Maddison, Senior Vice President of Products and Solutions, Fortinet warns that not all cloud software is equal

Enterprises and organisations require scalable, high-performance security solutions to meet the growing demands of the modern marketplace. But they must make informed decisions when selecting a vendor, says John Maddison, Senior Vice President of Products and Solutions, Fortinet, to ensure the solution is the best fit for the organisation’s performance and budgetary requirements.

An assumption made by many security professionals is that any performance differences between physical security devices are eliminated when those security software images are run on identical cloud hardware. But the truth is, there are still significant performance differences between solutions and those differences can be critical both from a processing perspective as well as cost.

Because cloud performance is a baseline requirement for competing in the digital marketplace, organisations cannot afford for security to be a bottleneck. Transactions need to be inspected at digital speeds.

Of course, elastic scalability helps eliminate such bottlenecks, which is why the cloud is such an ideal platform. But scalability comes at a cost. Spinning up additional firewalls unnecessarily, for example, can have a real impact on your cost of doing business.

Part of the challenge is that performance scaling is more complex than it might seem. For simplicity’s sake, let’s divide scalability into two functions scaling out and scaling up.

Scaling cloud resources

When we talk about cloud scalability we are usually referring to the idea of scaling out. This function allows you to meet performance demands by increasing the number of separate virtual instances of a solution. For example, it allows you to automatically spin up and deploy more firewall instances as traffic loads spike and then discard them when traffic returns to normal.

Scaling out is not just about performance, however, but the price of performance as well. For example, a higher performance solution means you don’t have to purchase additional firewall instances out of the cloud marketplace as often as you would with a slower solution. This can be critical for managing expenses while still meeting capacity requirements. And performance, even on software running on identical hardware, can be affected by two things – design and software optimisation.

Architectural design impacts performance

The other kind of scalability that we often overlook is scaling up. This refers to the size of the virtual hardware that a software solution runs on, measured in the number of cores a VM uses. Simple VMs utilise a single core and they scale up from there by doubling the number of cores a VM uses (1, 2, 4, 8, etc.) Determining how large a VM you need in order to effectively run your security solution is one of the more important considerations an organisation makes when designing their cloud environment.

However, scaling up can be significantly affected by how efficiently a solution is able to use available processing power, often referred to as performance per core. If you require a large, multi-core CPU VM, for example, it is vital to understand how much throughput a software solution is actually able to provide for each core you are paying for.

Scaling up is a perfect example of how things that may look the same on the surface – i.e. all vendors may run their solutions on the same VM – can really be quite different in their practical application. The truth is, not all software is architected the same.

Running software on a VM requires an architecture built around a management plane and a data plane. The way different vendors architecture how they distribute those requirements can vary widely. For example, the architecture of many vendors requires that they dedicate an entire core for management – usually, one in four. So, if you buy a two-core system to run their service on, only half of those resources are available for processing traffic and data.

And as you scale up, never less than 25% of core resources are available for processing data. Vendor software that uses this one-in-four architectural model can have a significant impact on performance.

Likewise, many vendors have engineered their software to pin a single session (IKE SA) to a single core rather than being able to distribute IPSec traffic across multiple cores. This architectural design approach also results in diminishing returns for every additional core beyond one.

Parallelisation 

Basically, all computing prefers a parallel architecture built around factors of two (2, 4, 8, 16, 32…) This enables maximum efficiency and impacts potential performance. Effectively using parallelisation is an important reason why one vendor is able to achieve greater performance than another in the same cloud environment. However, because of software architectural choices, often made by vendors without experience in the development of custom hardware, many vendors assign a dedicated core to control plane management.

This design strategy breaks the parallelisation model and reduces efficiency and performance. Not only do you have fewer cores available for inspection and processing, but only having three or six cores available for data inspection, rather than factors of two, seriously impacts the software’s ability to efficiently distribute and process that data, which erodes performance even further.

Not all cloud software is created equal

Some argue that specialised hardware vendors lose their performance advantage in a cloud environment. But full stack optimisation can provide a significant boost in performance, even when all other factors are identical. Engineers have to dramatically optimise their software in order for it to achieve necessary performance in a chip.

Unfortunately, that sort of optimisation across the stack is something that many software vendors never do. Instead, they tend to address the problem by throwing more off-the-shelf CPUs at the problem. Full stack-optimised software can significantly differentiate one vendor from another in the cloud because it directly affects efficiency and performance.

Conclusion

Choosing scalable and high-performance security solutions enables organisations to meet the growing performance demands of today’s digital marketplace. And performance is a critical consideration even when selecting a cloud-based security solution.

Higher performing solutions not only enable you to effectively meet growing consumer demands at digital speeds, but they are also more cost-effective. However, not all cloud security solutions are the same. Careful analysis of a vendor’s underlying design and optimisation approaches will enable you to select the solution that best meets your organisation’s performance and budgetary requirements.