Written by Raghu Nandakumara, Head of Industry Solutions, Illumio.
Digital transformation is driving the rapid adoption of public cloud platforms and cloud-native services. In fact, Gartner predicts spending on public cloud services will grow 20.7% in 2023 to $591.8 billion, with multi-cloud architectures now increasingly common as organisations push to leverage best-of-breed services.
But as cloud adoption grows, so too do the risks facing organisations. Many are now operating across a mix of cloud architectures, using different tools, and exposing mission-critical data and computing services to new cloud-based cyberthreats.
At first glance, securing cloud assets is conceptually no different from securing them in the data centre. Identity, access control, secure connections – all of that is the same. But when you don’t own the infrastructure layer – and many of the services are only an API call away – the reality is that security in the cloud is quite different.
The timeless adage of “you can’t secure what you can’t see” is more relevant to the cloud than possibly any other technology space. As organisations increasingly adopt a wider range of services from cloud service providers, their ability to truly understand their interactions, what they are accessing, and how they are secured becomes the most significant and ever-growing gap that needs to be plugged.
Without consistent visibility, organisations have little insight into how their services are communicating and which are relevant – and without this understanding, securing cloud services becomes a nearly impossible task.
The importance of Zero Trust Segmentation
To help gain visibility and reduce risks in the cloud, many organisations are turning to Zero Trust Segmentation. A critical pillar of any Zero Trust architecture, Zero Trust Segmentation helps contain the spread of breaches and ransomware in the cloud by continually visualising how workloads and devices are communicating, creating granular policies that only allow wanted and necessary communication, and automatically isolating breaches by restricting lateral movement proactively or during an active attack.
There are three main ways that Zero Trust Segmentation secures the cloud from the spread of cyberattacks.
1. Total visibility into network communication flows
With many of the services, applications, and data stores used in the cloud just an API call away, traditional network flow analysis often can’t produce a usable understanding of cloud connectivity. Segmentation solves this problem by enriching connection flow data for the cloud services with contextual information about each cloud resource from the cloud system inventory to build an application dependency map.
As a result, the application dependency map isn’t based on infrastructure constructs such as IP addresses, but instead, on the metadata your organisation has already invested time and effort into creating.
This map provides comprehensive coverage, from compute instances to Kubernetes and containerised objects, PaaS services, and almost anything that exposes a network interface.
The information is neatly organised by application and service and named so that cloud, infrastructure, and security teams can read and understand the map and the relationships between resources.
2. Automated and optimised segmentation policy
Once you understand how things are connected with your application dependency map, you need to know how well these connections are protected. What is the risk that any of these services could be improperly accessed or interrupted?
Zero Trust Segmentation includes policy automation and optimisation so that a true Zero Trust, least-privilege outcome is easy to achieve and maintain.
The same application dependency map that informs the security team of communication flows can also inform policy automation code. It can analyse the necessary connections, compare those connections against the current security policy, and then make recommendations on how to optimise and tighten it so that necessary connections are permitted and everything else is denied.
The resulting policy recommendation can then be implemented directly into the cloud-native security controls.
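The two steps described above (enriching raw flow records with inventory metadata to produce a label-based dependency map, then comparing that map against the current policy to recommend what to allow and what to remove) can be sketched in a few dozen lines. The following is an added illustration written for this article, not Illumio's product code; the inventory, flow records, policy entries and field layout are all constructed and assumed.

```python
"""Added example: build an application dependency map from constructed cloud
flow records enriched with inventory metadata, then compare the observed
flows against a label-based allow-list policy and produce tightening
recommendations. Illustrative code only; not Illumio's implementation.
All resource ids, labels, flows and policy rules below are constructed."""
from collections import defaultdict

# Constructed cloud inventory: resource id -> metadata the organisation
# already maintains (application and service tags). Assumed shape.
INVENTORY = {
    "i-0a1": {"app": "billing", "service": "web"},
    "i-0b2": {"app": "billing", "service": "api"},
    "db-01": {"app": "billing", "service": "postgres"},
    "i-0c3": {"app": "analytics", "service": "worker"},
}

# Constructed flow records in a VPC-flow-log-like shape (assumed fields):
# (src_resource, dst_resource, dst_port, proto, action)
FLOWS = [
    ("i-0a1", "i-0b2", 8443, "tcp", "ACCEPT"),
    ("i-0b2", "db-01", 5432, "tcp", "ACCEPT"),
    ("i-0c3", "db-01", 5432, "tcp", "ACCEPT"),   # analytics reading the billing DB
    ("i-0a1", "db-01", 5432, "tcp", "REJECT"),   # already blocked; not a dependency
]

# Constructed current policy: allow rules keyed by
# (src app/service label, dst app/service label, dst port)
POLICY = {
    ("billing/web", "billing/api", 8443),
    ("billing/api", "billing/postgres", 5432),
    ("billing/web", "billing/postgres", 5432),   # permitted but never observed
}


def label(resource_id):
    """Translate an infrastructure id into the organisation's own app/service label."""
    meta = INVENTORY.get(resource_id)
    if meta is None:
        return f"unknown/{resource_id}"
    return f"{meta['app']}/{meta['service']}"


def build_dependency_map(flows):
    """Aggregate accepted flows by label rather than by id or IP.
    Returns {(src_label, dst_label, dst_port): flow_count}."""
    edges = defaultdict(int)
    for src, dst, port, _proto, action in flows:
        if action != "ACCEPT":
            continue
        edges[(label(src), label(dst), port)] += 1
    return dict(edges)


def recommend(dep_map, policy):
    """Compare the observed dependency map against the allow-list policy.
    - needed_not_in_policy: observed flows no explicit rule covers (review, then allow or block)
    - unused_rules: rules with no observed flows (candidates for removal)
    - cross_app: observed flows crossing an application boundary (review closely)
    """
    observed = set(dep_map)
    needed_not_in_policy = sorted(observed - policy)
    unused_rules = sorted(policy - observed)
    cross_app = sorted(e for e in observed if e[0].split("/")[0] != e[1].split("/")[0])
    return {
        "needed_not_in_policy": needed_not_in_policy,
        "unused_rules": unused_rules,
        "cross_app": cross_app,
    }


if __name__ == "__main__":
    dep = build_dependency_map(FLOWS)
    for (src, dst, port), count in sorted(dep.items()):
        print(f"{src} -> {dst}:{port}  ({count} flows)")
    for key, value in recommend(dep, POLICY).items():
        print(key, value)
```

Two design points carry over from the text: the map is keyed on labels the organisation already owns, so a rule stays valid when an instance is replaced and its IP changes; and the recommendation is a diff in both directions, surfacing unused rules for removal alongside observed flows that lack a rule, which is what keeps the result at least privilege rather than only additive.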
3. All-in-one visibility and control for cloud, data centre, and endpoint environments
No cloud is an island. Users and administrators access the cloud, and the cloud talks to systems in data centres and co-location facilities.
Zero Trust Segmentation provides a single policy model, visualisation, and policy distribution layer to bring all of these different environments together into a collaborative, smooth workflow. Systems visualised from cloud APIs appear on the same screen as systems discovered in the data centre, VDI instances, or user endpoints.
When deployed with endpoints, Zero Trust Segmentation provides identity-driven segmentation and access control for cloud workloads.
Removing cloud blind spots from the enterprise
To ensure good cloud security, organisations must understand the communication paths among their cloud and on-premises workloads. Starting from the premise of “assume breach,” Zero Trust Segmentation puts a priority on gaining consistent, context-based visibility everywhere and provides an iterative process by which to constantly improve cloud security. Ultimately, it is this combination of visibility and least privilege access that generates the confidence to adopt and migrate to the cloud, improves resilience, and enhances customer trust. This can only be accomplished with a mature Zero Trust practice – and Zero Trust Segmentation – in place.