Is Your Cloud Vendor’s Cybersecurity Enough?

Nearly half of all breaches originated in the cloud in the last year

In the last year, 47% of all security breaches happened in the cloud, according to the Illumio Cloud Security Index 2023. Why so many? Likely because organizations are relying solely on their cloud vendor’s security, while attackers are relentless and increasingly sophisticated.

As more businesses move to the cloud, it's important for them to know that their cloud provider's security services might not be enough. Cloud providers will secure storage, compute, networking, and the physical infrastructure. But cloud security still needs a backstop. It’s crucial to gain visibility and control so you can better protect against attacks and keep your apps and data safe.

Ignoring cloud security could put you at risk of attacks, losing data, and noncompliance.  

Find out why you can't rely on your cloud provider's security alone to keep your cloud safe from cyberattacks.

What is the Shared Responsibility Model in the cloud?

Cloud providers like Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform (GCP) often promote their security under a Shared Responsibility Model. This model explains how security duties are shared between the cloud provider and the customer:

  • The provider secures the cloud infrastructure, including physical data centers, hardware, and basic software.
  • The customer secures the data and applications they store in the cloud. They are also responsible for how they set up cloud settings.

While this model clearly divides the tasks, it can create a false sense of security. In fact, many security experts call the model an “uneven handshake.” It’s easy to think that the cloud provider’s strong infrastructure security is enough to protect all your organization’s assets in the cloud.

But relying only on the cloud’s built-in security can leave big gaps and blind spots. Security teams must be aware of these risks and address them with their own cloud security solutions.

The 5 biggest security gaps in the cloud

Today's cloud vendors have powerful infrastructure security built into their solutions. This helps prevent breaches and ransomware attacks, but it’s not enough to reduce cloud security risks entirely. Attackers can still exploit gaps left by security that only focuses on the cloud infrastructure.  

Here are five of the most common security gaps in the cloud:

  • Application security: Cloud providers make sure the infrastructure is secure, but customers need to handle security for their applications. Since the cloud is always changing, it's hard to keep track of how applications, users, and resources interact. Without this knowledge, fully protecting applications is nearly impossible. This can leave them open to attacks like ransomware, SQL injection, cross-site scripting (XSS), and denial of service (DoS).
  • Data security: Cloud vendors encrypt data at rest, but customers need to secure data both at rest and in transit. Without consistent security across different cloud environments, there can be gaps. It’s important to use security solutions that can protect data across the cloud, endpoints, and data centers on a single platform.
  • Misconfigured cloud settings: One of the biggest problems with cloud security is settings that aren't set up right. It's crucial to configure the cloud correctly, using secure default settings, doing regular checks, and following best practices. Tools like AWS Config, Azure Policy, and Google Cloud's Config Validator can help monitor and enforce these settings. But it's the customer's job to use and manage these tools properly.
  • Lack of visibility: Because the cloud changes so often, it's hard to see everything happening in the whole hybrid multi-cloud. Poor visibility makes it difficult for security teams to know what is running in their clouds. Cloud vendors can show what's happening on their platform, but they can't show everything across the entire network. This leaves blind spots in traffic monitoring.
  • Compliance issues: Different industries and regions have specific cybersecurity regulations, like GDPR, HIPAA, or security standards such as PCI-DSS. Cloud providers have compliance certifications, but organizations must make sure they follow these rules when using the cloud. This means managing where data is stored, doing regular checks, and keeping detailed records.

Cloud security approaches that don’t work

Many security teams already know they need more layers of security beyond what cloud vendors can provide. But with so much misinformation around cloud security, many teams are choosing approaches that continue to leave vulnerabilities.

Don’t take shortcuts when it comes to building cloud security. Make sure you’re aware of these common cloud security approaches that aren't enough to completely secure your cloud.

Traditional on-premises security

When you move assets from on-premises data centers to the cloud, you can't expect traditional cybersecurity to follow. Security tools that work well on-premises will struggle in the cloud.

This is because traditional security practices rely on the concept of a network perimeter. With a clear network perimeter, firewalls, intrusion detection systems, and other security measures can protect it.  

But the cloud is designed to be flexible and elastic, allowing resources to scale up and down as needed. Teams can also now build and run cloud-native apps with third-party vendors managing servers and their security. This used to only happen on physical servers in on-premises data centers where everything was managed on location.

These key differences make the traditional fixed network perimeter much more fluid, often blurring or erasing it entirely. Without this defined perimeter, traditional on-premises security will leave gaps in protection.

Vulnerability management tools

To combat the gaps created by traditional on-premises security solutions, many organizations have used vulnerability management approaches. These tools scan systems and applications for known vulnerabilities and apply patches.

But these tools have some important challenges:

  • They might miss unknown vulnerabilities or fail to keep up with applications or workloads that change quickly.
  • While they are good at scanning hosts and systems, they don't have enough visibility into the complex traffic flows in cloud environments. This makes it difficult for them to spot anomalies and potential vulnerabilities.
  • They don’t provide complete security because they focus on identifying problems rather than fully solving them.

Cloud-native security platforms

Cloud-native platforms like CNAPPs, CSPM, CWPPs, and CIEM offer security specifically for the cloud. But they can lack the granularity, real-time adaptability, and comprehensive visibility that are required to fully secure cloud environments. These tools must be paired with security solutions that extend visibility and security controls across the entire network to contain attacks.  

Read our guide to learn more about cloud security challenges.

Zero Trust Segmentation: Consistent security across the hybrid multi-cloud

The key to cloud security is consistency. Many cloud security approaches fail because they create isolated security and visibility gaps. It's crucial to see your network's traffic flows in real time and apply detailed, flexible security across all environments and cloud platforms.

The best way to do this is by adopting a Zero Trust security strategy, which means "never trust, always verify." Zero Trust Segmentation (ZTS) is an essential part of Zero Trust; you can't achieve Zero Trust without it.

Unlike traditional security tools that might only detect attacks or identify potential vulnerabilities, ZTS provides a consistent approach to microsegmentation across the hybrid, multi-cloud attack surface. This lets you understand risks, set proactive security controls, and stop the spread of ransomware and breaches across your cloud, endpoint, and data center environments.

Build robust, end-to-end cloud security with Illumio CloudSecure

Illumio CloudSecure extends Zero Trust Segmentation to the cloud:

  • End-to-end cloud visibility: See cloud traffic flows, resources, and metadata.
  • Proactively prepare for cloud attacks: Build and test security controls using workload labels and IP addresses. Create trusted communication between applications.
  • Contain cloud attacks: Stop attackers from spreading through the network by adapting segmentation policies in real time, even in ever-changing cloud environments.

Test drive Illumio CloudSecure. Start your free 30-day trial now.
