Top CISO and Security Architect Pain Point in Public Clouds
In the past couple of months I have attended many security conferences, and whenever panelists were asked to discuss their top security pain points in public clouds, everyone seemed to agree on the same thing: the cloud model provides agility, but without governance. Security then becomes an afterthought and turns into a blocker for the enterprise’s digital transformation.
It is a common pattern that cloud security architects come under pressure whenever the enterprise’s digital transformation slows down; fingers always point at them. So what should you do, as a CISO or Cloud Security Architect, to make sure your cloud environment is fully protected without slowing the pace of digital transformation?
Security Architecture – Must Have
Countless blogs, documents, and hundreds of pages of books have been written on this topic. All of them are overwhelming for security architects who try to apply their on-prem experience and mandate traffic patterns that work against cloud objectives such as agility and time to market.
If I had to give you just one Must Have, it would be “Embedded Network Security”: security embedded in your cloud network, closest to the applications, without relying on many point solutions. It has four components:
1. Zero Trust Architecture
3. Secure User Access and Edge
4. Operational Visibility
Zero Trust Architecture
The word “Perimeter” has an entirely different meaning in the cloud than in the on-prem world. In the cloud, the internet sits right next to the applications. In the data center, enterprises have complete control over network elements, physical security, and the number of racks, which makes it much easier to designate a network perimeter where specialized security appliances are deployed. Perimeter security solutions in the public cloud are not sufficient on their own and do nothing against lateral movement. An enterprise cloud network must provide embedded inspection, IDS/IPS services, and L7 policy-based service insertion where required.
A cloud network must be capable of baselining network traffic behavior and providing anomaly intelligence if anything deviates from the baseline, similar to the way credit card companies can detect any anomaly in their customers’ credit card transactions.
Automated remediation goes hand in hand with anomaly intelligence. If the network detects data exfiltration, botnet operations, or crypto mining in the enterprise’s cloud environment, it must be able to block these threats in real time by creating firewall rules and notifying network admins. When the threat is over, the network must also have the intelligence to remove those firewall rules automatically, so they do not accumulate. Cloud networks must also take on agentless application scanning for vulnerabilities and virus/malware detection closest to the source.
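As an added illustration (not code from the original post or from any vendor product), the baseline-then-remediate loop described in the two paragraphs above, in Python: per-source egress volume is baselined from constructed history, a window that deviates from the baseline creates a temporary deny rule plus an admin notification, and the rule is retired automatically once the source has stayed quiet. The flow records, the 3-sigma threshold with a byte floor, and the two-window quiet period are all assumptions.

```python
from collections import defaultdict
from statistics import mean, pstdev
# Constructed records (window_id, src_ip, egress_bytes); not real traffic.
TRAINING = [(w, "10.0.1.5", b) for w, b in enumerate([1100, 1250, 980, 1300, 1200])] \
         + [(w, "10.0.1.7", b) for w, b in enumerate([400, 420, 390, 410, 405])]
LIVE = [(5, "10.0.1.5", 1180), (5, "10.0.1.7", 52000),  # .7 bursts to ~100x its norm
        (6, "10.0.1.5", 1210), (6, "10.0.1.7", 410),
        (7, "10.0.1.5", 1150), (7, "10.0.1.7", 400)]

def build_baseline(flows):
    """Per-source (mean, stdev) of egress bytes per window from known-good history."""
    per_src = defaultdict(list)
    for _, src, nbytes in flows:
        per_src[src].append(nbytes)
    return {src: (mean(v), pstdev(v)) for src, v in per_src.items()}

def anomalies(window_flows, baseline, k=3.0, floor=1024):
    """Sources exceeding mean + k*stdev; `floor` stops tiny stdevs from firing on noise."""
    return {src for _, src, nbytes in window_flows if src in baseline
            and nbytes > baseline[src][0] + max(k * baseline[src][1], floor)}

class RuleStore:
    """Temporary deny rules; each is retired after `quiet` clean windows."""
    def __init__(self, quiet=2):
        self.rules, self.quiet, self.log = {}, quiet, []   # log = admin notifications

    def block(self, src, window):
        self.rules[src] = window + self.quiet            # earliest window for removal
        self.log.append(f"w{window}: BLOCK {src}")

    def expire(self, window, still_anomalous):
        for src in list(self.rules):
            if src in still_anomalous:                   # threat persists: extend the rule
                self.rules[src] = window + self.quiet
            elif window >= self.rules[src]:              # quiet period over: clean up
                del self.rules[src]
                self.log.append(f"w{window}: UNBLOCK {src}")

def run(training, live, quiet=2):
    # Replay `live` window by window: detect, block, then auto-remove stale rules.
    baseline, store = build_baseline(training), RuleStore(quiet)
    by_window = defaultdict(list)
    for rec in live:
        by_window[rec[0]].append(rec)
    for w in sorted(by_window):
        bad = anomalies(by_window[w], baseline)
        for src in bad - set(store.rules):
            store.block(src, w)
        store.expire(w, bad)
    return store.log, dict(store.rules)
```

Calling `run(TRAINING, LIVE)` blocks 10.0.1.7 in window 5 and removes the rule in window 7, leaving no leftover rules. In a real deployment the baseline should be learned only from windows the detector has not flagged, so that an ongoing incident does not become the new normal.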
A typical enterprise has at minimum three environments: Production, Development, and Testing (Prod, Dev, and Test). The enterprise never wants Test to bring down Prod. Today, Dev is Dev but tomorrow it will become part of Prod, and therefore requires the same level of protection as Prod. Enterprises must have a cloud network that provides both Macro- and Micro-level segmentation support. This means Micro support at the VPC/VNet/VCN level and Macro support at the subnet and application level, and both must be consistent across regions and cloud service providers (CSPs). For example, if an enterprise’s applications are spread across multiple regions or CSPs, it must be able to create segmentation between regions and/or CSPs that has the same meaning across regions and CSPs.
Compliance is incomplete without encryption. Not all applications encrypt their traffic, which makes it exceedingly difficult for security teams to tell the encrypted applications apart from the non-encrypted ones and apply extra controls to the latter. A typical enterprise runs hundreds if not thousands of applications, so standardizing encryption per application is very hard. So, what is the solution? Enterprises require encryption both at rest and in motion without compromising performance. High-performance data-plane encryption is a comprehensive solution because the network encrypts everything, so security teams no longer have to know which applications encrypt and which do not.
Secure User Access and Edge
Enterprises do not want to give contractors, partners, and employees the same level of access. What they need is profile-based policy control. Cloud networks provide this zero-trust model so that a contractor can access only the resources they are authorized for and nothing else, while employees are authorized for a larger pool of resources.
For now, certain on-prem applications cannot be moved to the cloud. Enterprises need hybrid cloud connectivity to their data centers and branches, and there are always partners and end customers that need access to the enterprise’s cloud applications. Since the cloud operational model has already proved its value, it is up to us to bring that model to on-prem and improve its agility, time to market, and operational visibility. We can do this by using the same cloud network’s secure, high-performance hybrid connectivity to reach the data center, branches, IoT devices, and smart retail stores.
Operational Visibility
Visibility is a critical component of the enterprise Embedded Network Security architecture. It must provide end-to-end observability with common and advanced troubleshooting tools such as ping, traceroute, packet captures, latency monitors, and free, always-on NetFlow data. A dynamic network map enriched with application information is critical for operationalizing your cloud environment, along with the option to replay the topology like a home DVR, which reduces mean time to resolution and supports auditing and accountability. Visibility also means you should not be receiving traffic from parts of the world where you do not do business, so your network must be able to show you geo-based traffic patterns and protection against threats in a visual form.
Embedded Network Security—closest to the source—is the simplest and most effective approach, and it accelerates enterprise digital transformation. Its most important aspect is a common control plane that keeps the overall security architecture consistent across multi-region, multi-cloud, and hybrid-cloud environments.