Adaptive Segmentationmicro-segmentation January 11, 2022

Cloud Security: Turning False Assumptions into Assurances With Illumio

Anders Viden, Senior Director, Product Management

In our previous blog post, I explained at a high level why it was a mistake to ignore the risks of inadequate cloud security. And I introduced two false assumptions that many organizations make when adopting cloud services to support their businesses.

In this post, we'll examine three more assumptions and how you can easily harness the power of Illumio CloudSecure for better cloud-native visibility and control.

Assumption #3: Cloud services are isolated from the Internet.

To help customers make the most of their investments, cloud vendors provide them with infrastructure as a service (IaaS) and platform as a service (PaaS) infrastructure resources. These can include virtual machines, containers, serverless functions and managed cloud databases.

But these cloud services can be open to the Internet, often by default. So, they can be points of entry for a potential breach. Limiting their access is the responsibility of the customer, not the cloud provider. Remember, the cloud is not “least privilege” by default. Instead, it operates on “excess privilege.” This means you need to determine which resources can communicate with each other and block everything else.

Without visibility into which applications are in the cloud and what’s communicating with them, you could be hosting critical resources in the cloud without adequate controls. This is especially dangerous if you have workloads and process functions in the public cloud that are exposed to internal data center resources.

To ensure good cloud security, you must understand the communication paths among your cloud and on-premises workloads. Just as you do with the data center, you need to know exactly what’s connected to the Internet. Then you should ensure that these connections don’t become paths for hackers or malware to enter your network.

Assumption #4: There are no limits to scaling cloud services.

From a security standpoint, public clouds like AWS and Microsoft Azure limit the number of segments that can be created to manage security. This prevents you from achieving fine-grained control of your cloud applications and data.

The cloud providers’ answer to segmenting is the virtual network segment — in the case of Amazon, the Virtual Private Cloud (VPC), and in the case of Microsoft, the Azure Virtual Network (VNet). For these environments, security groups create the perimeter in and out of the segment.

But the number of security groups that can exist in a virtual network segment is limited. If you need more than the limit, you must use multiple hosts in a segment. But to scale efficiently, every segment should have only one host.

Multiple hosts on one segment generate more management complexity and greater security risk. If one host is breached, you don’t want it talking to (and possibly infecting) another host. To scale, you’ll need additional help beyond what your cloud providers offer for segmenting access. Otherwise, you’ll face the same problems organizations have encountered with traditional data center segmentation: poor visibility, complex policy management, and the need to manually “rewire” network configurations and firewalls.

Assumption #5: Once you secure a workload, your work is done.

When people think about workload security, many mistakenly assume their workloads stay in one place. But in the cloud, your workloads can move across multiple public clouds, with each having its own policy model. When that occurs, it’s unlikely the security segments will share the same security controls. And even if they do, your security team must constantly monitor this movement to ensure the workloads are protected by appropriate policy.

All compute resources, serverless resources and objects in the cloud are dynamic. As these resources and cloud objects move, their IPs change, too. They may change where they reside inside a public cloud. They can also move across multiple cloud providers. They may even “die,” only to come back to life with a new IP address.

As a result, you can no longer write policy using a traditional approach. Instead, examine your cloud workloads to understand how the application components talk to one another. Once you have clear insight into your application behavior, you can write appropriate enforcement policies.

The key takeaway is that all cloud applications, regardless of where they live or what associated resources they use, must be protected as diligently as any application running on a server in a traditional data center.

Security is a key business enabler for the cloud

As organizations large and small move or consider moving more workloads to the cloud, what motivates them? The speed, flexibility, and scale the cloud offers. Nevertheless, security — the “orphan child” — is often not part of discussions about moving to the cloud. Why? Because security is considered a “business complicator,” not a business accelerator.

But security planning should be part of any cloud migration effort, not an afterthought. CloudSecure continuously monitors and protects cloud-native apps, virtual machines and containers, as well as serverless, PaaS and IaaS infrastructure. So, you can embrace the cloud with confidence.

Learn more about how to build stronger security for your multi-cloud and hybrid environments: 

Adaptive Segmentationmicro-segmentation
Share this post: