The Path to Secure Cloud Workload Communication

If your business hosts applications in the cloud, you need to ensure that your application communications are secure, both between the applications themselves and between the application and the data center. With complex connections and demanding security requirements, this is an area crying out for simplification. The answer may lie in state-of-the-art cloud workload solutions based on zero-trust technology.

About the Author

Nils Ullmann, Solutions Architect, Zscaler.

When workloads are moved to the cloud, they need to be accessible in different ways and in the multi-cloud scenarios prevalent in enterprises today – this fact is at the heart of the complexity and security debate. For most applications hosted in the public cloud, three communication relationships are required. The workload, which includes the application and associated data, must be accessible by IT for administrative purposes; it must also be able to communicate with other applications via the Internet, and also be connected to the data center. If the required access rights in these directions are not configured correctly, the company can increase its vulnerability to attacks.

The costs and effort involved in securing workload communication increase with the number of applications hosted in the cloud and the number of cloud providers used. As hyperscalers tend to use decentralized infrastructure, application developers and network and security teams face the challenge of ensuring that the communication relationships for each workload, and from each cloud provider, are both efficient and secure. If these companies take a traditional approach to network security, managers are often faced with high levels of complexity or high costs.

The latest “State of Cloud (In)Security” analysis from the Zscaler ThreatLabz team, which examined thousands of cloud workloads, shows that security considerations are often overlooked due to the complexity of multi-cloud environments.

Compared to 2020, the spectrum and frequency of cloud security issues increased in 2021. According to the analysis, no software or hardware multi-factor authentication is used for 71% of cloud accounts, compared to 63% the previous year, and 56% of access keys had not been renewed in the last 90 days: a 6% increase over last year. Additionally, 91% of accounts had been granted permissions that had never been used.

The majority of granted permissions were not only unnecessary but also misconfigured. In another finding, the analysis revealed that 90% of companies were unaware that they had granted full read rights to third-party vendors.

Confusion and chaos in workload communication

The increase in public cloud workloads over the past two years has left many enterprises with a complex and chaotic system of connections for their cloud applications. This complexity is the result of different requirements for routing data traffic destined for the cloud application, communication between the cloud-based applications themselves, and communication from the application to the data center. Factors such as service availability levels required in different regions and Availability Zones, and even redundant applications, all contribute to convoluted communication paths.

Depending on data volume, and where dedicated bandwidth is needed to synchronize terabytes of workload data, enterprises are forced to use fiber optic links or direct connections to the hyperscalers. Such dedicated point-to-point connections meet the workload's communication needs to the data center. For companies with lower workload data volumes, the only alternatives were a complex VPN tunnel or a combination of carrier packages, both of which add to the administrative burden.

In this type of complex cloud scenario, the question of who exactly is responsible for securing cloud workloads and all the associated infrastructure is often overlooked. Although responsibilities may have been clearly defined when applications were hosted on the network, with the application team, network team, and security department all playing their roles, the cloud blurs these traditional lines of responsibility.

Simplify security through the cloud

The Zero Trust approach has exploded in popularity in recent years as a way to secure application data traffic over the Internet as well as remote access to applications in data centers or cloud environments. With this approach, secure communication takes place based on defined policies and access rights, in accordance with the principle of least-privilege access. A security platform acts as an intermediate security layer to enforce these policies. These security services sit between the Internet, the applications, and the user to monitor secure communication. In this type of scenario, a cloud-based approach is ideal because it provides the flexibility to scale and requires little management effort.

This Zero Trust-based concept can also be applied to structuring and monitoring workload relationships in the cloud, helping to reduce the complexity of these scenarios. Policies are used to grant workloads access rights to the applications they require; these rights are then enforced via a cloud platform. This approach makes network-level connections obsolete and instead favors granular connections at the individual application level.

Cloud workloads can be connected to defined destinations on the Internet, to retrieve updates or to communicate with other applications in different clouds or in the same data center. Here too, defined access rights to the cloud workload, between workloads, and to the data center form the basis for secure communication.

The cloud security platform not only implements access rights, but also manages other security features to monitor data traffic, such as scanning SSL-encrypted traffic for hidden malicious code.

Cloud workloads are no longer a gateway for attacks

This type of approach has a double effect: it reduces complexity while reducing the vulnerability of cloud workloads to Internet attacks. Because communications between applications are encapsulated, the applications themselves are not visible online, preventing unauthorized parties from gaining access.

This method also allows for micro-segmentation – using defined access-right policies, the system determines which servers can communicate with other servers and under what circumstances this can take place, without the need to route data traffic through external network devices to enforce firewall rules. This approach works across different clouds, independently of the decentralized infrastructure of the hyperscalers.

It also restores the traditional division of responsibilities for application, network, and security. The app developer is only responsible for configuring the app’s path to the cloud security platform; the responsibility for cloud infrastructure security is transferred to the security team once the policies are established. As applications are no longer exposed online for communication purposes, the company also reduces its vulnerability to attacks.

The cloud facilitates the secure communication of workloads in the cloud

Public cloud workload connections should be just as secure as the connections through which individual users access their cloud-based applications. Applying the Zero Trust principles already used for user communication to cloud workloads helps organizations keep workload communication simple and secure, while reducing their exposure to attacks over the Internet.
