If your company hosts applications in the cloud, you face the challenge of ensuring that your online application communications are secure, both between the applications themselves and between the application and the data center. With complex connections and stringent security requirements, this is an area that cries out for simplification. So the answer may lie in cutting-edge cloud workload solutions built on zero-trust technology.
About the Author
Nils Ullmann, Solution Architect, Zscaler.
When workloads are relocated to the cloud, they need to be accessed in a variety of ways, and in the multi-cloud scenarios that are prevalent in business today this is central to the debate on complexity and security. For most applications hosted in the public cloud, three communication relationships are required. The workload, which is made up of the application and its related data, must be accessible to the IT department for administrative purposes; it must be able to communicate with other applications over the Internet; and it must be connected to the data center. If the access rights for these three paths are not configured correctly, the company increases its exposure to attack.
The costs and effort involved in secure workload communication increase with the number of applications hosted in the cloud and the number of cloud providers used. Because hyperscalers tend to use a decentralized infrastructure, application developers, network teams and security teams are challenged with ensuring that the communication relationships for each workload and each cloud provider are effective and secure. If companies take a traditional approach to network security, those responsible are often faced with high complexity or high costs.
The latest “State of Cloud (In)Security” analysis by the Zscaler ThreatLabz team, which analyzed thousands of cloud workloads, shows that security considerations often fall by the wayside due to the complexity of the multi-cloud environments.
Compared to 2020, the range and frequency of cloud security issues increased over the course of 2021. According to the analysis, software- or hardware-based multi-factor authentication is not used for 71% of cloud accounts, compared to 63% the previous year, and 56% of access keys have not been renewed in the last 90 days, an increase of 6% over the previous year. Additionally, 91% of accounts had been assigned permissions that had never been used.
Most of the permissions granted were not only unnecessary, but also incorrectly configured. In another security blow, the analysis found that 90% of companies were unaware that they had granted full read rights to third-party providers.
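As an added example (not code from the article or from Zscaler), the following audit runs over a constructed account inventory and flags the three hygiene gaps the analysis counts: MFA not enabled, access keys older than 90 days, and granted permissions that were never used. Account names, key ids and permission strings are illustrative.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed sample inventory (not real accounts, keys or permissions).
@dataclass
class AccessKey:
    key_id: str
    created: date

@dataclass
class Account:
    name: str
    mfa_enabled: bool
    keys: list
    granted_perms: frozenset
    used_perms: frozenset

TODAY = date(2022, 1, 1)          # fixed reference date so results are reproducible
MAX_KEY_AGE = timedelta(days=90)  # the 90-day rotation window cited in the analysis

def audit(accounts, today=TODAY):
    """Return {account name: [finding, ...]}; an empty list means the account is clean."""
    findings = {}
    for acct in accounts:
        issues = []
        if not acct.mfa_enabled:
            issues.append("no MFA")
        for key in acct.keys:
            age = (today - key.created).days
            if age > MAX_KEY_AGE.days:
                issues.append(f"stale key {key.key_id} ({age} days old)")
        unused = acct.granted_perms - acct.used_perms   # granted but never exercised
        if unused:
            issues.append("unused permissions: " + ", ".join(sorted(unused)))
        findings[acct.name] = issues
    return findings

SAMPLE = [
    Account("ci-deploy", False,
            [AccessKey("AKIA-EXAMPLE-1", date(2021, 6, 1))],
            frozenset({"s3:GetObject", "s3:PutObject", "iam:CreateUser"}),
            frozenset({"s3:GetObject", "s3:PutObject"})),
    Account("reporting", True,
            [AccessKey("AKIA-EXAMPLE-2", date(2021, 12, 15))],
            frozenset({"s3:GetObject"}), frozenset({"s3:GetObject"})),
]

if __name__ == "__main__":
    for name, issues in audit(SAMPLE).items():
        print(name, "->", issues or "clean")
```

In a real environment the inventory would be pulled from the provider's IAM and access-analyzer APIs; the decision logic stays the same.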
Confusion and chaos in workload communication
The rise of public cloud workloads in the last two years has left many companies facing a complex and chaotic system of connections for their cloud applications. This complexity is the result of different routing requirements for data traffic destined for the cloud application, communication between the cloud-based applications themselves, and communication from the application to the data center. Factors such as required levels of service availability in different regions and Availability Zones, and even redundant applications, contribute to complicated communication paths.
Depending on the volume of data, and with dedicated bandwidth needed to synchronize workloads in the terabyte range, companies are forced to use fiber optic technology or direct connections to hyperscalers. These dedicated point-to-point connections address the workload's communication requirement with the data center. For companies with lower workload data volumes, the only alternatives were a complex VPN tunnel or a combination of carrier packages that could help with the administrative burden.
In this type of complex cloud scenario, the question of who exactly is responsible for the security of cloud workloads and all associated infrastructure is often overlooked. Although responsibilities may have been clearly defined when applications were hosted on the network, with the application team, network team, and security department playing their part, the cloud blurs these traditional boundaries of responsibility.
Simplifying security through the cloud
The Zero Trust approach has gained popularity in recent years as a way to protect application data traffic on the Internet, as well as remote access to applications in data centers or cloud environments. With this approach, secure communication takes place based on defined access rights and policies, in line with the principle of least privilege access. A security platform acts as an intermediate security layer to implement these policies. These security services operate between the Internet, applications, and the user to monitor secure communication. In this type of scenario, a cloud-based approach is ideal, as it provides the reach to scale and requires little in the way of administration.
This Zero Trust-based concept can also be applied to the structuring and monitoring of cloud workload relationships, helping to reduce the complexity of these scenarios. Policies are used to grant workload access rights to required applications; these rights are then monitored through a cloud platform. This approach makes network connections obsolete and instead favors granular connections at the individual application level.
Cloud workloads can connect to defined destinations on the Internet, to deploy updates, or to communicate with other applications in different clouds or in the same data center. Here too, defined access rights to the cloud workload, between workloads and to the data center are the basis for secure communication.
The cloud security platform not only implements access rights, but also manages other security features to monitor data traffic, such as scanning SSL-encrypted traffic for hidden malicious code.
Cloud workloads are no longer a gateway for attacks
This type of approach has a double effect: it reduces complexity while reducing the vulnerability of cloud workloads to Internet attacks. Because communications between apps are encapsulated, the apps themselves are not visible online, preventing unauthorized people from accessing them.
This method also enables micro-segmentation: using defined access-rights policies, the system determines which servers can communicate with which other servers and under what circumstances, without the need to route data traffic through external network devices to apply firewall rules. This approach works across clouds, which counteracts the decentralized methodology of hyperscalers.
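As an added example (not code from the article or from any vendor's product), this minimal policy evaluator shows the micro-segmentation model just described and the three communication relationships from earlier in the article: rules match on workload identity tags rather than network addresses, everything not explicitly allowed is denied, and the same rule applies whether the peers sit in one cloud, two clouds or the data center. Workload names, roles and ports are constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Workload:
    name: str
    location: str   # "aws", "azure", "datacenter": informational only
    role: str       # identity tag that policy matches on, never an IP address

@dataclass(frozen=True)
class Rule:
    src_role: str
    dst_role: str
    port: int
    require_mtls: bool = True

def is_allowed(src, dst, port, mtls, rules):
    """Default deny: the flow passes only if an identity-based rule matches it.
    Rules match on role tags, not network location, so one policy covers peers
    in the same cloud, in different clouds, or in the data center."""
    return any(r.src_role == src.role and r.dst_role == dst.role
               and r.port == port and (mtls or not r.require_mtls)
               for r in rules)

# Constructed policy for the three relationships described in the article.
RULES = [
    Rule("admin", "web-app", 22),          # IT administration of the workload
    Rule("web-app", "order-db", 5432),     # workload to the data center
    Rule("web-app", "pricing-api", 443),   # workload to an app in another cloud
]

# Constructed workloads; names and tags are illustrative.
ADMIN = Workload("jumphost", "datacenter", "admin")
WEB = Workload("shop-frontend", "aws", "web-app")
DB = Workload("orders-pg", "datacenter", "order-db")
PRICING = Workload("pricing-svc", "azure", "pricing-api")

SAMPLE_FLOWS = [            # (src, dst, port, mtls)
    (ADMIN, WEB, 22, True),
    (WEB, DB, 5432, True),
    (WEB, PRICING, 443, True),
    (WEB, PRICING, 443, False),   # right peers but no mTLS: denied
    (PRICING, DB, 5432, True),    # lateral hop no rule covers: denied
    (WEB, ADMIN, 22, True),       # reverse direction is not implied: denied
]

def evaluate(flows, rules=RULES):
    """Return [(src name, dst name, port, "ALLOW"|"DENY"), ...] for logging or alerting."""
    return [(s.name, d.name, p, "ALLOW" if is_allowed(s, d, p, m, rules) else "DENY")
            for s, d, p, m in flows]
```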
It also restores the traditional division of responsibility between application, network, and security teams. The application developer is only responsible for configuring the application's path to the cloud security platform; responsibility for cloud infrastructure security is transferred back to the security team once policies are established. Since applications are no longer exposed online for communication purposes, the company also reduces its vulnerability to attack.
The cloud makes secure cloud workload communication easy
Public cloud workload connections must be as secure as the connections through which individual users access their cloud-based applications. Applying Zero Trust principles of user communication to cloud workloads enables enterprises to ensure that this communication is direct and secure, while reducing their exposure to attacks on the Internet.