Cloud Security: Turning False Assumptions into Assurances With Illumio

In our previous blog post, I explained at a high level why it was a mistake to ignore the risks of inadequate cloud security. And I introduced two false assumptions that many organizations make when adopting cloud services to support their businesses.

In this post, we'll examine three more assumptions and how you can easily harness the power of Illumio CloudSecure for better cloud-native visibility and control.

Assumption #3: Cloud services are isolated from the Internet.

To help customers make the most of their investments, cloud vendors provide them with infrastructure as a service (IaaS) and platform as a service (PaaS) infrastructure resources. These can include virtual machines, containers, serverless functions and managed cloud databases.

But these cloud services can be open to the Internet, often by default. So, they can be points of entry for a potential breach. Limiting their access is the responsibility of the customer, not the cloud provider. Remember, the cloud is not “least privilege” by default. Instead, it operates on “excess privilege.” This means you need to determine which resources can communicate with each other and block everything else.

Without visibility into which applications are in the cloud and what’s communicating with them, you could be hosting critical resources in the cloud without adequate controls. This is especially dangerous if you have workloads and process functions in the public cloud that are exposed to internal data center resources.

To ensure good cloud security, you must understand the communication paths among your cloud and on-premises workloads. Just as you do with the data center, you need to know exactly what’s connected to the Internet. Then you should ensure that these connections don’t become paths for hackers or malware to enter your network.
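As an added illustration of "knowing exactly what is connected to the Internet" (example code, not Illumio's or CloudSecure's own), the following audits security-group ingress rules for entries reachable from any address. The input is constructed inline and only mirrors the shape of the AWS describe-security-groups response (GroupId, IpPermissions, IpRanges, Ipv6Ranges); group names and IDs are made up.

```python
"""Flag security-group ingress rules that expose a workload to the whole Internet."""
import ipaddress

# Constructed sample resembling describe-security-groups output: the db-tier group
# has been left with SSH and an all-protocol rule open to 0.0.0.0/0 and ::/0.
SAMPLE_GROUPS = {
    "SecurityGroups": [
        {
            "GroupId": "sg-0example1", "GroupName": "web-tier",
            "IpPermissions": [
                {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                 "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
            ],
        },
        {
            "GroupId": "sg-0example2", "GroupName": "db-tier",
            "IpPermissions": [
                {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                 "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
                 "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
                {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
                 "IpRanges": [{"CidrIp": "10.0.1.0/24"}], "Ipv6Ranges": []},
                {"IpProtocol": "-1",
                 "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
            ],
        },
    ]
}


def is_internet_wide(cidr: str) -> bool:
    """True when the CIDR covers every address (0.0.0.0/0 or ::/0)."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def internet_exposed_rules(groups: dict) -> list:
    """Return one finding per ingress rule that any Internet address can reach."""
    findings = []
    for sg in groups["SecurityGroups"]:
        for perm in sg["IpPermissions"]:
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            if not any(is_internet_wide(c) for c in cidrs):
                continue
            proto = perm["IpProtocol"]
            # IpProtocol "-1" means every protocol and every port.
            ports = "all" if proto == "-1" else f'{perm["FromPort"]}-{perm["ToPort"]}'
            findings.append({"group": sg["GroupId"], "name": sg["GroupName"],
                             "protocol": "all" if proto == "-1" else proto,
                             "ports": ports})
    return findings
```

Every finding, including the expected 443 on the web tier, should be matched against a documented business reason; anything without one is excess privilege to remove.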

Assumption #4: There are no limits to scaling cloud services.

Public clouds like AWS and Microsoft Azure cap the number of segments you can create to manage security. That cap prevents you from achieving fine-grained control of your cloud applications and data.

The cloud providers’ answer to segmenting is the virtual network segment — in the case of Amazon, the Virtual Private Cloud (VPC), and in the case of Microsoft, the Azure Virtual Network (VNet). For these environments, security groups create the perimeter in and out of the segment.

But the number of security groups that can exist in a virtual network segment is limited. If you need more than the limit, you must use multiple hosts in a segment. But to scale efficiently, every segment should have only one host.

Multiple hosts on one segment generate more management complexity and greater security risk. If one host is breached, you don’t want it talking to (and possibly infecting) another host. To scale, you’ll need additional help beyond what your cloud providers offer for segmenting access. Otherwise, you’ll face the same problems organizations have encountered with traditional data center segmentation: poor visibility, complex policy management, and the need to manually “rewire” network configurations and firewalls.

Assumption #5: Once you secure a workload, your work is done.

When people think about workload security, many mistakenly assume their workloads stay in one place. But in the cloud, your workloads can move across multiple public clouds, with each having its own policy model. When that occurs, it’s unlikely the security segments will share the same security controls. And even if they do, your security team must constantly monitor this movement to ensure the workloads are protected by appropriate policy.

All compute resources, serverless resources and objects in the cloud are dynamic. As these resources and cloud objects move, their IPs change, too. They may change where they reside inside a public cloud. They can also move across multiple cloud providers. They may even “die,” only to come back to life with a new IP address.

As a result, you can no longer write policy the traditional way, with rules pinned to IP addresses that are assumed to stay put. Instead, examine your cloud workloads to understand how the application components talk to one another. Once you have clear insight into your application behavior, you can write appropriate enforcement policies.
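To make the re-addressing problem concrete, here is an added example (not Illumio's policy model) that evaluates the same flow under an IP-bound rule and a label-bound rule, then re-addresses the database as described above. Workload names, addresses and labels are constructed.

```python
"""Contrast IP-bound and label-bound allow rules when a workload changes address."""
from dataclasses import dataclass


@dataclass
class Workload:
    name: str
    ip: str
    labels: frozenset  # constructed labels such as {"app:orders", "role:db"}


@dataclass
class IpRule:
    """Traditional rule: fixed source IP to fixed destination IP on one port."""
    src_ip: str
    dst_ip: str
    port: int

    def allows(self, src: Workload, dst: Workload, port: int) -> bool:
        return src.ip == self.src_ip and dst.ip == self.dst_ip and port == self.port


@dataclass
class LabelRule:
    """Rule bound to what the workloads are, not where they currently sit."""
    src_labels: frozenset
    dst_labels: frozenset
    port: int

    def allows(self, src: Workload, dst: Workload, port: int) -> bool:
        return (self.src_labels <= src.labels and self.dst_labels <= dst.labels
                and port == self.port)


def is_allowed(rules, src, dst, port):
    """Default deny: a flow passes only if some rule explicitly allows it."""
    return any(r.allows(src, dst, port) for r in rules)


def simulate_reip():
    web = Workload("web-1", "10.0.1.10", frozenset({"app:orders", "role:web"}))
    db = Workload("db-1", "10.0.2.20", frozenset({"app:orders", "role:db"}))
    ip_rules = [IpRule("10.0.1.10", "10.0.2.20", 5432)]
    label_rules = [LabelRule(web.labels, db.labels, 5432)]
    # The database "dies" and comes back with a new address; its labels do not change.
    db_new = Workload("db-1", "10.0.7.44", db.labels)
    # Later, an unrelated workload is handed the database's old address.
    stranger = Workload("batch-9", "10.0.2.20", frozenset({"app:reports", "role:batch"}))
    check = lambda dst: (is_allowed(ip_rules, web, dst, 5432),
                         is_allowed(label_rules, web, dst, 5432))
    return {"before": check(db), "after_reip": check(db_new), "stale_ip_reused": check(stranger)}
```

Each tuple is (IP rule, label rule): the IP rule breaks the legitimate flow after the move and then admits the stranger that inherited the old address, while the label rule tracks the workload through both changes.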

The key takeaway is that all cloud applications, regardless of where they live or what associated resources they use, must be protected as diligently as any application running on a server in a traditional data center.

Security is a key business enabler for the cloud

As organizations large and small move or consider moving more workloads to the cloud, what motivates them? The speed, flexibility, and scale the cloud offers. Nevertheless, security — the “orphan child” — is often not part of discussions about moving to the cloud. Why? Because security is considered a “business complicator,” not a business accelerator.

But security planning should be part of any cloud migration effort, not an afterthought. CloudSecure continuously monitors and protects cloud-native apps, virtual machines and containers, as well as serverless, PaaS and IaaS infrastructure. So, you can embrace the cloud with confidence.

Learn more about how to build stronger security for your multi-cloud and hybrid environments: 
