Barracuda deepens Azure support with two new capabilities

Both Barracuda Cloud Security Guardian for Microsoft Azure and new support for the Office 365 control plane through the Barracuda Cloud Generation Firewall have significant implications for channel partners.

Barracuda Cloud Security Guardian for Microsoft Azure

Cybersecurity vendor Barracuda is making a pair of announcements that relate to the upcoming Microsoft Inspire event, and to the Azure Cloud in particular. The first is the extension of their Cloud Security Guardian to Microsoft Azure. It provides end-to-end visibility into the security posture of cloud workloads by ensuring continuous compliance and automated remediation of security controls. The second is the addition of support to Barracuda Cloud Generation Firewall for the Office 365 control plane in Microsoft Azure Virtual WAN.

Barracuda has been a key security partner for Microsoft in the Azure cloud since 2016.

“Our two main products there are our Web Application Firewall, and our next- generation firewall, which we have rebranded as Cloud Generation Firewall” said Tim Jefferson, SVP of Data Protection, Network and Application Security, Barracuda. “These have been uniquely tuned to the public cloud. They both follow the same construct, which is about thinking how to leverage the native services as oppose how to virtualize an on-prem firewall. We support highly distributed use cases there with microservices. We scale elastically, and we offer a commercial model that isn’t just ‘pay-as-you-go’ with metered billing.”

Cloud Security Guardian is a tool that helps risk professionals automate their security controls and visibility into public cloud environments. An agentless SaaS solution that provides end-to-end visibility into the security posture of public cloud workloads, it ensures continuous compliance, and automates remediation of security controls. It can also automatically deploy, configure, and operationalize Cloud Generation Firewalls and WAFs when it assesses a security need. In addition, its orchestration and security management capabilities extend to Microsoft’s Azure Firewall, which Cloud Security Guardian can deploy and configure when required.

“We have learned how risk professionals struggle on instrumenting security controls,” Jefferson said. “A lot of security control infrastructures are written around data centre architectures, so in the public cloud they create friction. Cloud Security Guardian allows us to look at each cloud provider’s native services and ingest as much telemetry as we can. We then provide the risk professional or developer with a visual view, and give them a vehicle that automates remediation.”

Barracuda’s existing version of Cloud Security Guardian for AWS leverages the AWS CloudTrail service, which logs API calls to enable governance, compliance, operational auditing, and risk auditing. This Azure version uses the Azure Security Graph API to the same effect in conjunction with Barracuda’s own threat intelligence library.

“Instead of doing things like adding another firewall rule, this leverages Azure’s own Security Graph API to provide security scores and alerts,” Jefferson indicated. That is translated to one of five threat levels in the alert.

“This is a complete net-new capability for us in Azure,” Jefferson said.  “We have been very successful in securing the data plane with Web Application Firewall, but customers need the visibility around the management plane as well. Developers had been stopped from using these services because it wasn’t known if they were doing them securely. It takes a net-new process like this to enable the visibility to assess risk and use compliance posture to assess that risk.”

Barracuda sees two primary sets of buyers for this offering. The first, and the one of lesser importance, is larger organizations with security teams.

“That’s because Fortune 500 companies tend to build their own tools,” Jefferson said. “We think that the real sweet spot is from startups up to the midmarket, particularly where the digital aspect is the product.” This particularly empowers  developers, who Barracuda expects will be their evangelists for the offering within their organizations.

Barracuda also expects to see partner enthusiasm for this because it provides them with a way to offer managed services that fits the resource capabilities of partners who lack deep security specialization and SOCs.

“Many partners tell us they have been struggling to pivot their practice to customers working workloads into public cloud, because it has been difficult to hire, maintain and keep experience for those practices,” Jefferson said. “This is an ideal way for them to engage customers to offer managed services. It allows them both to define policy and implement remediation – both of which are high value services. Many partners have been limited to be involved in recommending vendors – which is not a great strategic place to be. This allows them to help rearchitect things, and have the vehicle to continuously monitor those resources and be programmatically engaged with the customer and have a more strategic relationship.”

Barracuda Security Guardian is sold on a simplified licensing scheme based on number of resources being protected, and is available now in the Microsoft Azure Marketplace.

The second new Microsoft-focused offering, which is actually being formally announced next week, involves enabling Barracuda Cloud Generation Firewall to further improve connectivity to Office 365 and the Microsoft Azure cloud by enforcing Office 365 local breakout policies in Microsoft Azure Virtual WAN.

“We have seen that while firewalls are the first step in customers’ public cloud migration, for a lot of customers, their first ‘cloud’ is really Office 365,” Jefferson said.  “A common issue is that as customers migrate from on-prem Office they run into significant challenges in WAN with bandwidth.”

Barracuda has addressed this here by enabling the Barracuda Cloud Generation Firewall to reduce or eliminate potential network-related performance issues by enforcing Office 365 policies in Azure Virtual WAN. It lets Azure Virtual WAN customers specify the Office 365 traffic categories that they trust for direct internet breakout, allowing them to bypass proxies and route directly from the user location to the nearest Microsoft network location. This both improves experience and cuts WAN costs.

“This provides Cloud Generation Firewall with a zero-touch deployment model that automates breakout policies to help branch offices that don’t have a lot of expertise so don’t have the ability to do that themselves,” Jefferson said. “Azure’s Virtual WAN determines the best route for Azure traffic, but it may not be the best route for Office 365. Our automation ensure that the Office 365 traffic will be served at the endpoint that has best latency for it specifically.”

For the many channel partners who work with Office 365, and are always looking for valuable services they can sell on top, this should be extremely attractive, Jefferson said.

“It’s a huge service offering,” he indicated. “We have a lot of partners who have successful Office practices, but to expand value proposition long term, this lets them get involved with customers’ networking. As part of an Office 365 engagement, they can now ask about customer WAN needs and help give guidance and best practices about how to optimize that. It’s a classic ‘land and expand’ strategy.”

The integration is available now, and the new functionality can be leveraged by organizations using Azure Virtual WAN.