Refocus on Cloud Security: How Zero Trust Segmentation Secures the Cloud
We continue our Cybersecurity Awareness Month series by turning our attention to the public cloud.
At first glance, securing cloud assets is conceptually no different from securing them in the data center. Identity, access control, secure connections – all of that is the same.
But when you don’t own the infrastructure layer – and many of the services are only an API call to a DNS address – it ends up not being very much the same at all.
It’s hard to know exactly what connections are needed to which IP addresses. Cloud-native firewalls have basic, text-driven interfaces that rely completely on IP addresses and manual processes.
They can be automated, sure, but who writes that code? The already busy DevOps team? Isn’t that just another manual effort? And that effort ends up decoupled from the access policies in the data center, requiring another layer of translation and manual effort.
Happily, there is a better way to secure the cloud: Zero Trust Segmentation.
There are 4 main ways that Zero Trust Segmentation secures the cloud from the spread of cyberattacks.
Get the highlights from Nathanael Iversen, Illumio's Chief Evangelist, in his video:
And keep reading to learn more.
1. Total visibility into network communication flows
When many of the services, applications, and data stores used in the cloud are themselves just an API call away, traditional network flow analysis often doesn’t produce a usable understanding of cloud connectivity.
Zero Trust Segmentation starts with a connection directly to the cloud system inventory and connection tables. This means that anything with an elastic network interface (ENI) is automatically discovered, its metadata is ingested and used for naming, and it is placed on an application dependency map.
As a result, the application dependency map isn’t based on constantly changing IP addresses, but instead on the naming and object conventions your organization has already invested time and effort into creating.
This map provides comprehensive coverage from EC2 instances, to Kubernetes and containerized objects, SaaS services, cloud applications and service brokers – almost all communication flows.
The information is neatly organized by application and service and named so that everyone on the cloud, infrastructure, and security teams can read the map. This view shows the true connection topology, independent of VPCs, subnets, and zones.
2. Automated and optimized segmentation policy
Once we understand clearly how things are connected with the application dependency map, it’s natural to ask how well the connections are protected. What is the risk that any of these services could be improperly accessed or interrupted?
Zero Trust Segmentation includes policy automation and optimization so that a true Zero Trust, least-privilege outcome is easy to achieve and maintain.
The same application dependency map that informs the security team of communication flows can also inform policy automation code that:
- Analyzes the necessary connections
- Compares those connections against the current VPC policy
- Then makes recommendations on how to optimize and tighten the security policy so that necessary connections are permitted and everything else is denied.
The resulting policy recommendation can then be implemented directly into the cloud-native firewalls – without any agents.
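The discovery step in section 1 (naming workloads from ENI metadata rather than IP addresses) and the three-step policy comparison above, as an added example that is not Illumio's code. The ENI inventory, flow records and current security-group rules are constructed inline; in a real deployment they would come from the cloud provider's inventory and flow-log APIs.

```python
from collections import defaultdict

# Constructed ENI inventory: interface id -> private IP plus the tag used for naming.
ENI_INVENTORY = {
    "eni-0a1": {"ip": "10.0.1.10", "app": "web"},
    "eni-0a2": {"ip": "10.0.1.11", "app": "web"},
    "eni-0b1": {"ip": "10.0.2.20", "app": "api"},
    "eni-0c1": {"ip": "10.0.3.30", "app": "db"},
}
# Constructed accepted flows (src_ip, dst_ip, dst_port), as a flow log would report them.
FLOWS = [("10.0.1.10", "10.0.2.20", 8443), ("10.0.1.11", "10.0.2.20", 8443),
         ("10.0.2.20", "10.0.3.30", 5432)]
# Constructed current inbound rules per destination app: (source CIDR, port).
CURRENT_RULES = {
    "api": {("10.0.0.0/16", 8443), ("10.0.0.0/16", 22)},
    "db": {("10.0.2.20/32", 5432), ("0.0.0.0/0", 5432)},
}

def ip_to_app(inventory):
    """Translate each interface IP to the application label carried in its metadata."""
    return {eni["ip"]: eni["app"] for eni in inventory.values()}

def dependency_map(inventory, flows):
    """Aggregate IP-level flows into label-level edges (src_app, dst_app, port)."""
    names = ip_to_app(inventory)
    return {(names[s], names[d], port) for s, d, port in flows if s in names and d in names}

def required_rules(inventory, edges):
    """Expand label-level edges back to /32 sources per destination app."""
    members = defaultdict(set)
    for eni in inventory.values():
        members[eni["app"]].add(eni["ip"] + "/32")
    required = defaultdict(set)
    for src_app, dst_app, port in edges:
        required[dst_app].update((cidr, port) for cidr in members[src_app])
    return dict(required)

def recommend(current, required):
    """Diff current rules against required ones: broad or unused rules are removed,
    and the exact /32 sources observed in the dependency map are added."""
    apps = set(current) | set(required)
    return {app: {"remove": sorted(current.get(app, set()) - required.get(app, set())),
                  "add": sorted(required.get(app, set()) - current.get(app, set()))}
            for app in apps}

if __name__ == "__main__":
    edges = dependency_map(ENI_INVENTORY, FLOWS)
    for app, change in recommend(CURRENT_RULES, required_rules(ENI_INVENTORY, edges)).items():
        print(app, change)
```

With the constructed data, the unused SSH rule and the /16 and 0.0.0.0/0 sources are flagged for removal, and only the observed web-to-api and api-to-db paths remain permitted.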
Because Zero Trust Segmentation writes to the native firewall, it can control traffic regardless of destination. EC2 to EC2? Yes. EC2 to Kubernetes cluster? Sure. SaaS service to Lambda function? Of course.
Zero Trust Segmentation provides automated, agentless segmentation that is fully API-driven and API-accessible. Because it is driven by metadata from the cloud, segmentation-as-a-service is now available.
CloudOps and automation teams can access a dependable, metadata-driven, abstraction layer that handles all the translation back to IP addresses and firewall policy – and even keeps up with application topology changes automatically.
3. All-in-one visibility and control for cloud, data center, and endpoint environments
We’ve just explored some of the cloud-native capabilities Zero Trust Segmentation offers, but the best news is that these capabilities still include full visibility and control for data center and endpoint environments, too.
No cloud is an island.
Users and administrators access the cloud, and the cloud talks to systems in data centers and co-location facilities. Oftentimes, communication across cloud providers flows constantly.
Zero Trust Segmentation provides a single policy model, visualization, and policy distribution layer to tie all of these different environments together into a collaborative, smooth workflow. Systems visualized from cloud APIs appear on the same screen with systems discovered in the data center or VDI instances or user endpoints.
When deployed with endpoints, Zero Trust Segmentation provides identity-driven segmentation and access control for cloud workloads.
4. Improve operational resilience
Having a universal hub for segmentation policy means that it is easy to include all systems in a common policy.
Many organizations want to bolster incident response by pre-provisioning proactive and reactive segmentation policies. The idea is simple and based on what everyone knows they need to do the instant they discover a breach – tighten segmentation controls.
What emergency policies would you wish to immediately implement in the event of a cyberattack to protect the most critical systems?
Zero Trust Segmentation lets you create and implement those policies ahead of time, so they are ready to activate at a moment’s notice. Best of all, these policies will extend to cloud, data center, and endpoint environments.
Zero Trust Segmentation makes it easy to have a base policy to which all systems should adhere and then enforce that policy everywhere – from cloud-based container deployments to virtual machines in the data center.
Bolster your cloud security posture with Zero Trust Segmentation
Organizations move to the cloud to gain availability, agility, automate global deployments, and more.
Zero Trust Segmentation provides the visibility, automation, and coverage needed to provide segmentation-as-a-service. It begins with automated visibility and connection mapping, with information streamed directly from cloud provider APIs. This data then feeds powerful automation and optimization code that suggests how to optimize and tighten segmentation policy.
When these policies deploy, they can be pushed to the cloud, data center, and endpoint systems as required. While the cloud has its differences from the data center, it turns out that taking advantage of cloud metadata, connection information, and APIs means that organizations can drive automated segmentation policy in their cloud deployments.
Finally – there is fully automated cloud segmentation that optimizes for Zero Trust principles.
Cybersecurity Awareness Month provides a great opportunity to step back and consider capabilities like Zero Trust Segmentation that would most impact your security posture in the cloud.
Next week, we’ll continue our series on topics to refocus on during Cybersecurity Awareness Month.
Want to learn more about cloud security? Read our ebook: 5 Things You Might Not Know About Cloud Security