Cloud providers are facing a rude awakening. In the latest round of evaluations from Austin-based CyberRatings.org, the long-trusted watchdog on cybersecurity product quality, hyperscaler native cloud firewalls have once again proven to be more style than substance. With results showing a crude 0% effectiveness, it appears that the Big Three—AWS, Microsoft Azure, and Google Cloud Platform—are struggling to keep up with the fundamentals of firewall protection. For IT administrators and Windows enthusiasts, these findings offer a wake-up call about the security tools that underpin your cloud deployments.
A Closer Look at the Testing Methodology
CyberRatings’ Q1 2025 Comparative Test Report scrutinized cloud network firewalls (CNFW) across major hyperscaler environments by pitting native firewall solutions against third-party security products. The extensive evaluations were not a one-off exercise but part of an ongoing commitment to rigorously assess cybersecurity products in our ever-evolving threat landscape.
Key elements of the test included:
- False Positives: 2,760 samples of business-critical files and applications were used to ensure legitimate traffic wasn’t mistakenly blocked.
- Exploits: 2,028 attack samples stemming from widely exploited vulnerabilities common in enterprise environments.
- Evasion Tactics: 2,500 attacks covering 27 distinct evasion techniques were unleashed to assess the firewalls’ ability to detect and thwart threats.
- Performance & Stress Tests: 46 different stress and capacity tests measured how these tools held up under a variety of heavy workloads.
- Stability & Reliability: Seven extended tests simulated prolonged real-world attack scenarios, producing insights into the robustness of each solution.
Revelatory Results: Native vs. Third-Party Firewalls
The results were as stark as they come. While third-party firewalls from Check Point, Fortinet, Juniper Networks, Palo Alto Networks, and Versa Networks nearly achieved perfect scores—between 99.61% and 100%—the native firewalls offered by AWS, Azure, and GCP received a dismal 0%. How can this be?
The answer lies in priorities. Hyperscale cloud providers are designed primarily to store and distribute data at massive scale; perfecting a first-line defense mechanism like a firewall isn’t exactly in their DNA. This isn't about a single vulnerability or an exploitable zero day—it's a matter of basic architectural choices. To borrow a metaphor from CyberRatings CEO Vikram Phatak, it’s like having a car where the airbags don’t work. The fault isn’t that you can break in if you "knock on the window three times"—it's that the fundamental safety mechanisms are simply missing.
Deep Dive Into the Testing Layers
Understanding how firewalls are evaluated is key to appreciating the severity of these findings:
- Layer 3 (Network Layer): This is where IP packets operate and is critical for ensuring correct routing and preventing direct data interception. Missing an evasion at this layer resulted in massive point deductions—a full 50% per category, potentially wiping out an entire category’s effectiveness.
- Layer 4 (Transport Layer): Here, the TCP and UDP protocols manage the flow of data. A failure at this level led to a 20% deduction per category. If attackers can bypass these protocols, they can eventually deliver just about any payload.
- Layer 7 (Application Layer): While deductions here were less severe (only 1% per category), a miss still contributed to overall insecurity because modern applications depend on robust application-layer defenses.
The Azure “Decryption Dilemma”
Among the cloud giants, Microsoft Azure stands out for another critical flaw: its inability to decrypt encrypted traffic effectively. With roughly 80% of internet traffic safeguarded by HTTPS encryption, failing to decrypt this traffic means that Azure’s firewall must rely on a third-party proxy for decryption. This architectural workaround effectively says, “Offload your decryption elsewhere,” allowing unencrypted traffic to slip through the firewall unchecked.
This shortfall not only diminishes Azure’s defensive capabilities but also forces IT administrators to question whether their cloud deployments are genuinely secure. For Windows users who rely on Azure for hosting mission-critical applications or hybrid environments, this finding should spark immediate contemplation about integrating more robust third-party security tools.
Broader Implications for Enterprise Security
For enterprises heavily invested in cloud computing, these findings stress that native firewalls should not be assumed to be sufficient. Instead, administrators are urged to lean on third-party security solutions, which have repeatedly demonstrated superior performance in detecting and blocking a wide array of exploits and evasion techniques.
The implications include:
- Enhanced Cybersecurity Postures: Third-party firewalls offer robust security, effectively mitigating risks and ensuring that vulnerabilities at core layers are not exploited.
- Need for Rigorous Testing: Just as enterprises routinely apply Windows 11 updates and Microsoft security patches, they must also rigorously validate and test their firewall configurations. Relying solely on default hyperscaler settings is no longer an option.
- Cost vs. Benefit: While native firewalls might save administrative overhead, the potential expense of a breach could be far greater. Investing in dedicated cybersecurity tools may represent the best cost-benefit decision for securing cloud environments.
Considerations for IT Administrators and Windows Enthusiasts
For those managing hybrid environments that blend on-premises Windows infrastructures with cloud services, these revelations are particularly salient. Here are some tailored considerations:
- Review Your Cloud Security Strategy: Evaluate whether your current cloud firewall deployments rely solely on native solutions. If so, consider supplementing them with proven third-party offerings.
- Integration with Existing Security Measures: Many third-party firewall providers offer integrations that complement Microsoft’s ecosystem. This can be especially beneficial when deploying comprehensive cybersecurity advisories and ensuring alignment with Windows 11 updates and Microsoft security patches.
- Stay Informed with Regular Testing: Similar to how Windows administrators adopt regular patch cycles and security updates, continuously testing your cloud defenses should be part of your security regimen. Tools like Keysight’s CyPerf v5.0, used in this study, can provide critical insights into how well your defenses stand up under pressure.
- Mitigate HTTPS Decryption Issues: For Azure users, exploring enhanced or alternative decryption solutions may be necessary. Since encrypted traffic is the norm rather than the exception, ensuring that your firewall can inspect HTTPS content without a hitch is critical.
Lessons for the Road Ahead
The CyberRatings Q1 2025 report shouldn’t be seen as an isolated critique but rather as part of an ongoing narrative concerning public cloud security. Hyperscale providers have repeatedly demonstrated that while they excel at data storage and distribution, their native firewall and security solutions lag significantly behind dedicated cybersecurity tools.
Some experts argue that this might be partly due to the different focus areas of cloud providers versus cybersecurity firms. Cloud providers are driven by scalability and availability—crucial factors for a company whose primary mission is to ensure their customers’ data is always accessible. However, when security is treated as an afterthought, the risks multiply.
Imagine your trusted car that always gets great mileage but whose safety features never deploy in an accident. That’s the sobering reality facing many enterprises today. With the stakes so high, complacency is a luxury no organization can afford.
The Broader Cybersecurity Context
While hyperscalers wrestle with these persistent firewall shortcomings, the broader landscape of IT security continues to evolve at a rapid pace. Here’s how this ties into larger cybersecurity trends:
- Windows 11 Updates & Microsoft Security Patches: Just as Microsoft pushes regular Windows 11 updates to patch vulnerabilities, organizations must ensure that cloud security measures are not left behind. Security patches and system updates are effective only when the underlying security protocols are robust.
- Cybersecurity Advisories: Regular cybersecurity advisories remind us of the dynamic threat landscape. The fact that native firewalls are failing to detect basic evasion attacks should be a clear signal that even trusted cloud infrastructures require constant scrutiny and augmentation with advanced security tools.
- Interoperability of Security Systems: In today’s hybrid IT environments, seamless integration between on-premises solutions (like Windows-based servers) and cloud services is essential. The vulnerabilities in cloud native firewalls can have cascading effects on overall network security, underscoring the need for integrated security solutions that span all layers of the infrastructure.
Recommendations for a Secure Future
Given the insights from the CyberRatings report, organizations should consider the following recommendations to bolster their cybersecurity defenses:
- Deploy Multi-Layered Security: Implementing a defense-in-depth strategy that combines robust third-party firewalls with native cloud security features can create a more resilient barrier against sophisticated attacks.
- Conduct Regular Cybersecurity Assessments: Just as Windows environments benefit from regular system scans and patch management, cloud security should be rigorously tested. Independent benchmarks and stress tests are invaluable in identifying weak points before a real attacker does.
- Invest in Advanced Threat Detection: Leverage threat intelligence platforms and machine learning-based analytics to identify and respond to evasion techniques in real time. Proactive threat detection is the key to mitigating risks before they escalate.
- Educate Your IT Team: Continuous training on emerging security trends, combined with practical demonstrations of where cloud native solutions fall short, can empower your team to make informed decisions about security investments and architecture changes.
Conclusion: A Call to Action
The harsh reality exposed by CyberRatings’ Q1 2025 report is that hyperscaler cloud firewalls—from AWS and Azure to GCP—are not meeting the basic security standards expected of modern cybersecurity tools. With major firewalls scoring 0% effectiveness and third-party solutions delivering near-perfect performance, enterprises would do well to rethink their cloud security strategies.
For Windows administrators and IT professionals engaged in hybrid environments, this report reinforces the need for a multi-layered approach: one that doesn’t overly rely on any single provider’s native tools. Instead, integrating dedicated cybersecurity solutions into the broader infrastructure—much like how regular Windows updates and Microsoft security patches are vital—can help bridge the gap.
In today’s digital landscape, where threats are continuously evolving, there is no room for complacency. It’s time to take a hard look at our security postures and ensure that every firewall, whether in the cloud or on-premises, is up to the task of protecting our data and critical applications.
Ultimately, this is more than just a technical report—it’s a clarion call for a more secure future in the cloud. By embracing third-party solutions and maintaining rigorous security standards, enterprise IT teams can build resilient systems that safeguard against modern threats while keeping pace with the rapid evolution of technology.
Source: SDxCentral, “Hyperscaler cloud firewalls (again!) fail to meet basic security standards”