Security Performance in the Cloud: Not All Solutions Are Created Equal

An assumption made by many security professionals is that any performance differences between physical security devices are eliminated when those security software images are run on identical cloud hardware. But the truth is, there are still significant performance differences between solutions, and those differences can be critical both from a processing perspective as well as cost.

Because cloud performance is a baseline requirement for competing in the digital marketplace, organizations cannot afford for security to be a bottleneck. Transactions need to be inspected at digital speeds. Of course, elastic scalability helps eliminate such bottlenecks, which is why the cloud is such an ideal platform. But scalability comes at a cost. Spinning up additional firewalls unnecessarily, for example, can have a real impact on your cost of doing business.

Part of the challenge is that performance scaling is more complex than it might seem. For simplicity’s sake, let’s divide scalability into two functions: scaling out and scaling up.

Scaling Cloud Resources

When we talk about cloud scalability we are usually referring to the idea of scaling out. This function allows you to meet performance demands by increasing the number of separate virtual instances of a solution. For example, it allows you to automatically spin up and deploy more firewall instances as traffic loads spike, and then discard them when traffic returns to normal.

Scaling out is not just about performance, however, but the price of performance as well. For example, a higher performance solution means you don’t have to purchase additional firewall instances out of the cloud marketplace as often as you would with a slower solution. This can be critical for managing expenses while still meeting capacity requirements. And performance, even on software running on identical hardware, can be affected by two things: design and software optimization.

Architectural Design Impacts Performance

The other kind of scalability that we often overlook is scaling up. This refers to the size of the virtual hardware that a software solution runs on, measured in the number of cores a VM uses. Simple VMs utilize a single core, and they scale up from there by doubling the number of cores a VM uses (1, 2, 4, 8, etc.). Determining how large a VM you need in order to effectively run your security solution is one of the more important considerations an organization makes when designing its cloud environment. However, scaling up can be significantly affected by how efficiently a solution is able to use available processing power, often referred to as performance per core. If you require a large, multi-core CPU VM, for example, it is vital to understand how much throughput a software solution is actually able to provide for each core you are paying for.

Scaling up is a perfect example of how things that may look the same on the surface—i.e. all vendors may run their solutions on the same VM—can really be quite different in their practical application. The truth is, not all software is architected the same. 

Running software on a VM requires an architecture built around a management plane and a data plane. How different vendors distribute those two planes across cores can vary widely. For example, the architecture of many vendors requires that they dedicate an entire core to management—usually, one in four. So, if you buy a two-core system to run their service on, only half of those resources are available for processing traffic and data. And as you scale up, one core in every four, never less than 25 percent of the cores you pay for, stays reserved for management rather than data processing. This one-in-four architectural model can have a significant impact on performance. Likewise, many vendors have engineered their software to pin a single session (IKE SA) to a single core rather than being able to distribute IPsec traffic across multiple cores. This design approach also results in diminishing returns for every additional core beyond one.


Basically, all computing prefers a parallel architecture built around powers of two (2, 4, 8, 16, 32…). This enables maximum efficiency and sets the ceiling on potential performance. Effectively using parallelization is an important reason why one vendor is able to achieve greater performance than another in the same cloud environment. However, because of software architectural choices, often made by vendors without experience in the development of custom hardware, many vendors assign a dedicated core to control plane management.

This design strategy breaks the parallelization model and reduces efficiency and performance. Not only do you have fewer cores available for inspection and processing, but having only three or six cores available for data inspection, rather than a power of two, seriously impacts the software’s ability to efficiently distribute and process that data, which erodes performance even further.
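The scale-out and scale-up arguments above can be put into a small capacity-and-cost model. This is an added example, not code from the article or from any vendor: it takes the article's structural facts (one management core reserved in every four, and an IKE SA pinned to one core) and shows how they change the inspection cores, per-instance throughput, and the number of instances and cores you pay for to carry a target load. The per-core throughput, tunnel count, target load and core price are constructed inputs, not measured values.

```python
"""Added capacity/cost model (not from the article or any vendor): how a
dedicated management core and per-core IKE SA pinning change the inspection
cores, per-instance throughput and the instances (and cores) paid for to
carry a target load. Per-core Gbps, tunnel count, target load and price are
constructed inputs, not measured values."""
import math
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Design:
    name: str
    mgmt_core_per: Optional[int]  # reserve one core in every N for management; None = none reserved
    pins_sa_to_core: bool         # True: a single IPsec SA can never use more than one core


# The two architectures contrasted in the text (the "one in four" figure is the article's).
DEDICATED = Design("dedicated mgmt core, SA pinned", mgmt_core_per=4, pins_sa_to_core=True)
DISTRIBUTED = Design("distributed mgmt, SA spread", mgmt_core_per=None, pins_sa_to_core=False)


def data_cores(d: Design, vm_cores: int) -> int:
    """Cores left for inspection on a VM of vm_cores (at least one core is always reserved)."""
    if d.mgmt_core_per is None:
        return vm_cores
    return vm_cores - max(1, vm_cores // d.mgmt_core_per)


def instance_throughput(d: Design, vm_cores: int, per_core_gbps: float, tunnels: int) -> float:
    """Gbps one instance can inspect when it terminates `tunnels` IPsec SAs."""
    cores = data_cores(d, vm_cores)
    usable = min(cores, tunnels) if d.pins_sa_to_core else cores  # pinned SAs leave spare cores idle
    return usable * per_core_gbps


def instances_needed(d: Design, vm_cores: int, per_core_gbps: float, tunnels: int, target_gbps: float) -> int:
    """Scale-out count needed to carry target_gbps (the number that drives marketplace spend)."""
    per_instance = instance_throughput(d, vm_cores, per_core_gbps, tunnels)
    if per_instance <= 0:
        raise ValueError(f"{d.name}: no usable data-plane core on a {vm_cores}-core VM")
    return math.ceil(target_gbps / per_instance)


def hourly_cost(d: Design, vm_cores: int, per_core_gbps: float, tunnels: int, target_gbps: float, core_price: float) -> float:
    """Hourly spend: every core of every instance is billed, reserved or idle ones included."""
    return instances_needed(d, vm_cores, per_core_gbps, tunnels, target_gbps) * vm_cores * core_price


if __name__ == "__main__":
    # Constructed scenario: 1 Gbps per core, 2 tunnels per instance, 10 Gbps target, $0.05 per core-hour.
    for vm in (2, 4, 8):
        for d in (DEDICATED, DISTRIBUTED):
            n = instances_needed(d, vm, 1.0, 2, 10.0)
            print(f"{vm}-core VM, {d.name}: {data_cores(d, vm)} data cores, "
                  f"{n} instances, ${hourly_cost(d, vm, 1.0, 2, 10.0, 0.05):.2f}/h")
```

With two pinned tunnels per instance, the dedicated-core design needs the same five instances whether the VM has 2, 4 or 8 cores, so scaling up only raises the bill; that is the diminishing-returns effect the text describes.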

Not all cloud software is created equal

Some argue that specialized hardware vendors lose their performance advantage in a cloud environment. But full stack optimization can provide a significant boost in performance, even when all other factors are identical. Engineers who build custom hardware have to optimize their software aggressively for it to reach the required performance on that silicon. Unfortunately, that sort of optimization across the stack is something that many software vendors never do. Instead, they tend to throw more off-the-shelf CPUs at the problem. Full stack-optimized software can significantly differentiate one vendor from another in the cloud because it directly affects efficiency and performance.


Choosing scalable and high-performance security solutions enables organizations to meet the growing performance demands of today’s digital marketplace. And performance is a critical consideration even when selecting a cloud-based security solution. Higher performing solutions not only enable you to effectively meet growing consumer demands at digital speeds, but they are also more cost-effective. However, not all cloud security solutions are the same. Careful analysis of a vendor’s underlying design and optimization approaches will enable you to select the solution that best meets your organization’s performance and budgetary requirements.

Written By

John Maddison is EVP of Products and CMO at Fortinet. He has more than 20 years of experience in the telecommunications, IT Infrastructure, and security industries. Previously he held positions as general manager data center division and senior vice president core technology at Trend Micro. Before that John was senior director of product management at Lucent Technologies. He has lived and worked in Europe, Asia, and the United States. John graduated with a bachelor of telecommunications engineering degree from Plymouth University, United Kingdom.
