
How a Zero Trust Strategy Built on Microsegmentation Solves Cloud Risks

The age of the data center is over. We’re in the age of the cloud – with no sign of slowing down any time soon.

Organizations are handing off the task of maintaining the underlying hosting infrastructure to cloud vendors. This is giving them more time to focus on their applications and data, streamlining their continuous deployment operations.  

But as cloud offerings and benefits increase, so do the new opportunities for cybercriminals.  

In this blog post, we’ll explore the top cloud security risks, how they impact your cloud environments, and why a Zero Trust approach — powered by microsegmentation — can help you get ready to contain inevitable cloud breaches.

4 cloud security challenges leaving you vulnerable

The cloud offers unmatched flexibility and scalability. But it also brings new security risks that organizations can’t ignore. Here are the top cloud security issues that are keeping your organization at risk.

1. Cloud vendors secure the infrastructure but not your data

Assuming the vendor secures everything is all too common, until a breach occurs.

Cloud vendors secure their own hosting infrastructure: the facilities, hypervisors and network fabric, plus priorities such as network traffic engineering and protection against distributed denial-of-service (DDoS) attacks aimed at that infrastructure. This is the provider's half of the shared responsibility model.

But securing the applications and data deployed onto that infrastructure, including the workloads' operating systems, their network rules and their credentials, is the customer's responsibility.

In reality, this is an uneven handshake. A bulk of the cloud security responsibility falls on customers despite the important security features cloud vendors build into their platform. Assuming otherwise is a quick path to a breach.

2. You’re never fully in control of your cloud environments

One of the benefits of the cloud is that compute instances, their resources and all the dependencies between them can be created and fully automated. DevOps teams can encode those operational details in their orchestration tooling, which eliminates manual processes.

But not all resources are in your full control:

  • Fully controlled resources include corporate-owned cloud virtual machines (VMs) or cloud storage.
  • But if there are any dependencies on third-party access, such as partners, contractors, or remote access into those resources, they’re only partially in your control.

The average hybrid cloud environment has a large mix of resources with varying levels of control — from cloud to data center to remote access devices — all within the same overall architecture.

A diagram showing a network of interconnected nodes representing various entities and systems.
You can fully control some resources but not all of them.

You can use best practices to secure your own corporate cloud resources. But can you trust your partners or contractors to properly secure the resources they’re using to access yours?  

3. Basic human error is a top cloud risk

You have to assume that not all owners of cloud resources are applying security best practices — despite what they may claim or even believe.  

And it’s likely that the starting point of their cloud security issues is basic human error. This means your own teams can potentially make similar mistakes.  

In fact, more than half of all security breaches that originate in the cloud are due to human error. All it takes is a simple mistake: choosing weak passwords, leaving SSH keys unrotated, or leaving at-risk cloud workloads unpatched.

This requires a security solution that pushes the trust boundary as close as possible to every workload without impacting DevOps priorities.  

4. You can't secure what you can't see

Cloud environments change all the time. And many organizations use multiple cloud vendors to make up a hybrid, multi-cloud strategy. This introduces unique visibility challenges for security teams.  

Applications, workloads, and dependencies are constantly changing across multiple cloud vendors. This complexity makes it difficult to fully understand traffic flows and resource relationships in real time. Without this critical visibility, security decision-makers are forced to rely on guesswork when configuring protections. This leaves potential gaps of which attackers will take advantage.

The right visibility tool should address this gap by providing deep, real-time visibility into all traffic and application dependencies across your entire cloud environment at any scale. Look for solutions that can visualize these relationships at both macro and micro levels, helping you identify anomalies and potential threats before they can cause harm.  

Zero Trust: The best approach to modern cloud security

A Zero Trust security architecture enables this – and it’s absolutely required. The cloud has become cybercriminals’ playground. Here are some of the recent examples of cloud-sourced threats:

  • Kobalos uses a compromised host as a command and control (C2) server to steal sensitive data from cloud workloads.
  • FreakOut uses a compromised host for cryptojacking on cloud VMs. It mines cryptocurrency for free, driving up someone else’s cloud costs.  
  • IPStorm uses open peer-to-peer (P2P) sessions between cloud hosts to deliver and execute malicious code.  
  • Drovorub exfiltrates data from cloud hosts using open ports.  

These examples share one thing in common: Once they land on a compromised cloud workload, they quickly spread to other workloads. This allows them to compromise a large number of hosts fast — often before a threat-hunting tool can even detect them.  

This is why threat-hunting solutions often struggle to prevent malware from spreading. While they excel at detecting threats, by the time a threat is identified, it has often already spread. At that point, stopping the spread becomes a higher priority than uncovering the threat’s intent.

The bottom line is that threats need to be blocked from spreading before they’re detected.  

Microsegmentation is the foundation of any Zero Trust strategy

Any Zero Trust architecture needs to begin by enforcing the one path every threat uses to spread: the network connection between workloads. That enforcement point is the segment.

Segments can be created large or small:

  • Macrosegments secure a collection of critical resources called a protect surface.
  • Microsegments push the trust boundary directly to every cloud workload at any scale.

Microsegmentation is the desired goal. It enforces policy directly at each workload, even when several workloads sit on the same underlying cloud subnet, so sharing a network no longer implies being allowed to talk.

Microsegmentation needs to be able to scale to potentially large numbers. This means it needs to be decoupled from segmentation scaling limits set by traditional network-based solutions. Network segments exist to address network priorities, but workload segments exist to address workload priorities. One solution doesn’t map well to the other.  

Illumio CloudSecure: Consistent microsegmentation across the hybrid multi-cloud

While cloud providers offer tools to secure their own workloads, those tools usually don’t work across multiple clouds, data centers, or endpoints. And using separate security tools for each environment creates silos. This makes it harder to see security blind spots and connect the dots during a security breach, slowing down your breach response.

As part of the Illumio Zero Trust Segmentation (ZTS) Platform, Illumio CloudSecure delivers consistent microsegmentation for cloud workloads, seamlessly aligning with workloads deployed across data centers and endpoints — all within a single platform. Illumio’s platform lets you see and control all network traffic across any environment at any scale.

Network traffic flow between endpoints, two data centers, and two cloud environments.
Illumio enables one global view of all traffic, enforcing everything end to end.

CloudSecure helps you see and enforce cloud workloads with an agentless architecture. It discovers all network traffic and application dependencies directly from the cloud. It uses the same policy model throughout the network, deploying enforcement through cloud-native controls such as Azure Network Security Groups (NSGs) and AWS Security Groups. Because enforcement rides on those native controls, the compiled policy is bounded by their semantics: AWS security groups, for example, are stateful allow-lists with per-group rule limits, so a label-based policy has to fit within what each control can express.
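To make the policy model concrete, here is an added example (not Illumio's code, and not a real Illumio or cloud API): a hypothetical label-based allowlist compiled into per-workload ingress rules shaped like the IpPermissions entries that AWS EC2's authorize_security_group_ingress accepts. The workload names, addresses, labels and rules are constructed. It also shows why two workloads on the same subnet still get distinct rule sets, and that any flow the policy does not mention is denied.

```python
"""Hypothetical label-based microsegmentation policy compiled to per-workload
ingress rules. Added illustration, not Illumio's implementation; workload
names, addresses, labels and rules below are constructed."""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Workload:
    name: str
    ip: str
    labels: Dict[str, str]  # e.g. {"role": "web", "env": "prod"}


@dataclass(frozen=True)
class Rule:
    src: Dict[str, str]  # label selector for the consumer side
    dst: Dict[str, str]  # label selector for the provider side
    port: int
    proto: str = "tcp"


def matches(labels: Dict[str, str], selector: Dict[str, str]) -> bool:
    """A selector matches when every key/value it names is present on the workload."""
    return all(labels.get(k) == v for k, v in selector.items())


def compile_ingress(workloads: List[Workload], rules: List[Rule]) -> Dict[str, List[dict]]:
    """Return one ingress rule list per workload, each entry shaped like an AWS
    IpPermission. Every source gets its own /32 entry, so two workloads on the
    same subnet still receive different rule sets. Anything not emitted here is
    denied: security groups are allow-only."""
    ingress: Dict[str, List[dict]] = {w.name: [] for w in workloads}
    for rule in rules:
        sources = [w for w in workloads if matches(w.labels, rule.src)]
        for dst in (w for w in workloads if matches(w.labels, rule.dst)):
            for src in sources:
                if src is dst:
                    continue  # a workload never needs a rule to reach itself
                ingress[dst.name].append({
                    "IpProtocol": rule.proto,
                    "FromPort": rule.port,
                    "ToPort": rule.port,
                    "IpRanges": [{"CidrIp": f"{src.ip}/32",
                                  "Description": f"{src.name} -> {dst.name}"}],
                })
    return ingress


def is_allowed(ingress, src_ip: str, dst_name: str, port: int, proto: str = "tcp") -> bool:
    """Evaluate a single flow against the compiled rules. Default deny."""
    for perm in ingress.get(dst_name, []):
        if perm["IpProtocol"] != proto or not (perm["FromPort"] <= port <= perm["ToPort"]):
            continue
        if any(r["CidrIp"] == f"{src_ip}/32" for r in perm["IpRanges"]):
            return True
    return False


# Constructed inventory: web, app and db share 10.0.1.0/24; the bastion sits elsewhere.
WORKLOADS = [
    Workload("web-1", "10.0.1.10", {"role": "web", "env": "prod"}),
    Workload("web-2", "10.0.1.11", {"role": "web", "env": "prod"}),
    Workload("app-1", "10.0.1.20", {"role": "app", "env": "prod"}),
    Workload("db-1", "10.0.1.30", {"role": "db", "env": "prod"}),
    Workload("bastion", "10.0.2.5", {"role": "bastion", "env": "prod"}),
]

# Constructed policy written in labels, not addresses: recompiling after a
# re-deploy or scale-out picks up whatever IPs currently carry the labels.
RULES = [
    Rule(src={"role": "web"}, dst={"role": "app"}, port=8080),
    Rule(src={"role": "app"}, dst={"role": "db"}, port=5432),
    Rule(src={"role": "bastion"}, dst={"env": "prod"}, port=22),
]

INGRESS = compile_ingress(WORKLOADS, RULES)

if __name__ == "__main__":
    for name, perms in INGRESS.items():
        print(name, [f'{p["IpRanges"][0]["Description"]}:{p["FromPort"]}' for p in perms])
    print("web-1 -> db-1:5432 allowed?", is_allowed(INGRESS, "10.0.1.10", "db-1", 5432))
```

Note that web-1 and db-1 are on the same subnet, yet web-1 to db-1 on 5432 evaluates to deny because no rule names that pair; only app-1's /32 appears in db-1's rule set. Pushing a real rule set to a provider would still have to respect that control's rule-count limits.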

A detailed architectural diagram showcasing the dependencies and interactions between various AWS and Azure cloud components.
Illumio CloudSecure visualizes application dependencies across the cloud.

For example, if DNS is left open between workloads, Illumio keeps monitoring that DNS traffic for normal behavior. Typically, a DNS query fits in under 500 bytes. If 10 gigabytes move through what is nominally a DNS session, that is a red flag that something is hiding in the DNS traffic, most likely tunneling or exfiltration. Illumio blocks the traffic right away, without waiting for a threat-hunting tool to find and analyze it first.
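The volume check described above, as an added example that is not Illumio's detection logic: it parses a few constructed VPC-flow-log-style records (source, destination, destination port, IANA protocol number, packets, bytes), aggregates port-53 traffic per source, destination and protocol, and flags pairs whose bytes per packet exceed the classic 512-byte UDP DNS message limit or whose total volume is implausible for name resolution. The addresses, byte counts and thresholds are assumptions to tune per environment.

```python
"""Volumetric check for DNS left open between workloads. Added illustration, not
Illumio's detection logic. The flow records below are constructed in a
VPC-flow-log-like shape; thresholds are assumptions to tune per environment."""
from collections import defaultdict
from typing import Dict, List, Tuple

PROTO_NAMES = {6: "tcp", 17: "udp"}  # IANA protocol numbers, as flow logs record them

# Constructed sample: fields are srcaddr dstaddr dstport protocol packets bytes.
# Three workloads talk to the in-VPC resolver normally; 10.0.1.30 pushes a lot
# of oversized "DNS" to an outside host over both UDP and TCP.
FLOW_LOG = """\
10.0.1.10 10.0.0.2 53 17 120 9840
10.0.1.11 10.0.0.2 53 17 98 8036
10.0.1.20 10.0.0.2 53 17 60 4920
10.0.1.30 198.51.100.7 53 17 9000 10800000
10.0.1.30 198.51.100.7 53 6 420 512000
10.0.1.20 10.0.1.30 5432 6 3000 2400000
"""

FlowKey = Tuple[str, str, str]  # (srcaddr, dstaddr, "udp" | "tcp")


def parse_flow_log(text: str) -> List[dict]:
    """Parse whitespace-separated records; skip blank or malformed lines rather than crash."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue
        src, dst, dport, proto, packets, nbytes = parts
        records.append({"src": src, "dst": dst, "dport": int(dport),
                        "proto": int(proto), "packets": int(packets), "bytes": int(nbytes)})
    return records


def summarize_dns(records: List[dict]) -> Dict[FlowKey, Dict[str, int]]:
    """Aggregate port-53 traffic per (src, dst, proto); other ports belong to other rules."""
    totals: Dict[FlowKey, Dict[str, int]] = defaultdict(lambda: {"packets": 0, "bytes": 0})
    for r in records:
        if r["dport"] != 53 or r["proto"] not in PROTO_NAMES:
            continue
        key = (r["src"], r["dst"], PROTO_NAMES[r["proto"]])
        totals[key]["packets"] += r["packets"]
        totals[key]["bytes"] += r["bytes"]
    return dict(totals)


def flag_dns_anomalies(summary: Dict[FlowKey, Dict[str, int]],
                       max_bytes_per_packet: int = 512,
                       max_total_bytes: int = 10 * 1024 * 1024) -> Dict[FlowKey, List[str]]:
    """Return the pairs worth blocking and why. 512 bytes is the classic UDP DNS
    message limit (RFC 1035); EDNS0 lets resolvers negotiate larger responses,
    so raise the threshold to what yours actually use. The volume cap is a
    per-window heuristic: name resolution does not move megabytes."""
    flagged: Dict[FlowKey, List[str]] = {}
    for key, t in summary.items():
        reasons = []
        if t["packets"] and t["bytes"] / t["packets"] > max_bytes_per_packet:
            reasons.append("oversized_packets")
        if t["bytes"] > max_total_bytes:
            reasons.append("excessive_volume")
        if reasons:
            flagged[key] = reasons
    return flagged


ANOMALIES = flag_dns_anomalies(summarize_dns(parse_flow_log(FLOW_LOG)))

if __name__ == "__main__":
    for (src, dst, proto), reasons in ANOMALIES.items():
        print(f"block {src} -> {dst}/{proto}: {', '.join(reasons)}")
```

Two signals are deliberately kept separate: bytes per packet catches tunneling that stuffs payload into each message, while total volume catches exfiltration that stays within normal message sizes but never stops. Raising max_bytes_per_packet to an EDNS0 value such as 1232 clears the per-packet flag on the constructed sample but leaves the volume flag in place.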

The result is a Zero Trust architecture where you can clearly see and protect all segments in one seamless solution – whether the environment uses an agent-based or agentless approach.

Contain cloud breaches without the complexity

Cloud security can no longer be an afterthought.  

While the cloud offers unmatched flexibility and scalability, it also opens new opportunities for cybercriminals. To stay secure, organizations need a Zero Trust approach grounded in microsegmentation to contain breaches before they spread.  

By building microsegmentation with Illumio CloudSecure, you can gain the visibility and control you need to protect workloads at scale across any environment.  

Be prepared for the next inevitable cloud breach. Download The Cloud Resilience Playbook.
