The route to secure cloud workload communication


If your company hosts applications in the cloud, you face the challenge of ensuring that your online app communications are secure – both between the apps themselves and between the app and the data center. With complex connections and demanding security requirements, this is an area that is crying out for simplification. The answer may lie in cutting-edge cloud workload solutions built on Zero Trust principles.

About the author

Nils Ullmann, Solution Architect, Zscaler.

When workloads are relocated to the cloud, they need to be accessed in a variety of ways and in the multi-cloud scenarios that are prevalent in business today – this fact is central to the complexity and security debate. For most applications hosted in the public cloud, three communication relationships are required. The workload, which is comprised of the application and the related data, needs to be accessible by the IT department for administrative purposes; it must also be capable of communicating with other applications via the internet, and also be connected to the data center. If the required access rights in these directions are not set up properly, the company may increase its vulnerability to attack.

The costs and effort involved in secure workload communication rise with the number of applications hosted in the cloud and the number of cloud providers used. As hyperscalers tend to use a decentralised infrastructure, their application developers and network and security teams are faced with the challenge of ensuring that the communication relationships for each workload and from each cloud provider are both effective and secure. If these companies adopt a traditional approach to network security, those responsible are often confronted with high levels of complexity or high costs.

The latest “State of Cloud (In)Security” analysis by the Zscaler ThreatLabz team which looked at thousands of cloud workloads shows that security considerations often fall by the wayside due to the complexity of multi-cloud environments.

Compared to 2020, the spectrum and frequency of cloud security problems increased over the course of 2021. According to the analysis, no software- or hardware-based multifactor authentication is used for 71% of cloud accounts, compared to 63% the previous year, and 56% of access keys had not been renewed in the last 90 days: an increase of 6% on last year’s figure. Furthermore, 91% of accounts had been assigned permissions that had never been used.

The majority of permissions granted were not only unnecessary, but also incorrectly configured. In yet another blow to security, the analysis found that 90% of companies did not know that they had granted comprehensive reading rights to third-party providers.

Confusion and chaos in workload communication

The increase in public cloud workloads over the past two years has left many companies facing a complex and chaotic system of connections for their cloud applications. This complexity is the result of the different routing requirements for data traffic destined for the application in the cloud, communication between the cloud-based apps themselves, and communication from the application back to the data centre. Factors such as the required levels of service availability in different regions and availability zones, and even redundant applications, all contribute to convoluted communication paths.

Depending on the data volume, and with dedicated speeds for workload synchronization in the terabyte range, companies are forced to employ fiber-optic technology or direct connections to hyperscalers. Dedicated point-to-point connections address the requirement for workload communication back to the data center. The only alternatives for companies with lower workload data volumes have been a complex VPN tunnel or a combination of packages from carriers who can take on part of the administrative burden.

In this kind of complex cloud scenario, the question of who exactly is responsible for the security of cloud workloads and all of the associated infrastructure is often overlooked. Although responsibilities may have been clearly defined when the applications were hosted on the network, with the application team, network team and security department all playing their part, the cloud blurs these traditional delineations of responsibility.

Simplifying security via the cloud

The Zero Trust approach has exploded in popularity in recent years as a way of securing application data traffic on the internet as well as remote access to applications in data center or cloud environments. With this approach, secure communication takes place based on policies and defined access rights, in line with the principle of least-privileged access. A security platform acts as an intermediate security layer to implement these policies. These security services operate between the internet, the applications, and the user to monitor secure communication. In this kind of scenario, a cloud-based approach is ideal as it provides the necessary scope for scaling and requires little input in terms of management.

This Zero Trust-based concept can also be applied to the structuring and monitoring of cloud workload relationships, helping to reduce the complexity of these scenarios. Policies are used to grant the workload access rights to the required applications; these rights are then monitored via a cloud platform. This approach renders network connections obsolete, and instead favors granular connections at individual application level.

Workloads in the cloud can be connected to defined destinations on the internet, to implement updates or to communicate with other applications in different clouds or in the same data center. In this case, too, defined access rights to the cloud workload, between workloads and to the data center, are the basis for secure communication.

The cloud security platform not only implements the access rights but also manages other security functions to monitor data traffic, such as analyzing SSL-encrypted traffic for hidden malicious code.

Cloud workloads are no longer a gateway for attacks

This type of approach has a two-fold effect – it reduces complexity while also reducing the vulnerability of cloud workloads to internet attacks. As communications between apps are encapsulated, the applications themselves are not visible online, thus preventing unauthorized parties from accessing them.

This method also allows for microsegmentation – using the defined access right policies, the system determines which servers can communicate with other servers and in which circumstances this can take place, without needing to route any data traffic via external network devices to apply firewall rules. This approach works across different clouds, counteracting the decentralized methodology of hyperscalers.
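To make the policy model described here and in the "Simplifying security via the cloud" section concrete, the following added example (not Zscaler's code or schema) evaluates workload-to-workload connections against identity-based policies with a default deny, and flags policies that no observed flow ever exercised, the "permissions never used" problem from the ThreatLabz figures. Workload names, clouds, application labels and flows are constructed.

```python
from dataclasses import dataclass
from typing import Iterable, Optional

# Constructed model: policies bind to application identity, not to IP addresses,
# so the same rule applies regardless of which cloud hosts each workload.
@dataclass(frozen=True)
class Workload:
    name: str
    cloud: str  # "aws", "azure", or "dc" for the on-premises data center
    app: str    # application identity the policy refers to

@dataclass(frozen=True)
class Policy:
    src_app: str
    dst_app: str
    ports: frozenset
    note: str = ""

@dataclass(frozen=True)
class Flow:
    src: Workload
    dst: Workload
    port: int

def match(flow: Flow, policies: list) -> Optional[Policy]:
    """First policy whose source identity, destination identity and port fit the flow."""
    for p in policies:
        if (p.src_app, p.dst_app) == (flow.src.app, flow.dst.app) and flow.port in p.ports:
            return p
    return None

def evaluate(flow: Flow, policies: list) -> tuple:
    """Default deny: a workload with no matching policy has no path at all."""
    p = match(flow, policies)
    return ("allow", f"{p.src_app}->{p.dst_app}:{flow.port}") if p else ("deny", "default-deny")

def unused_policies(flows: Iterable[Flow], policies: list) -> list:
    """Policies never matched by observed traffic: least-privilege removal candidates."""
    used = {match(f, policies) for f in flows}
    return [p for p in policies if p not in used]

# Constructed sample: front end in one cloud, API in another, database in the data center.
WEB = Workload("web-01", "aws", "shop")
API = Workload("api-01", "azure", "shop-api")
ERP = Workload("erp-db", "dc", "erp")
POLICIES = [
    Policy("shop", "shop-api", frozenset({443}), "front end to API across clouds"),
    Policy("shop-api", "erp", frozenset({5432}), "API to data center database"),
    Policy("shop", "erp", frozenset({22}), "granted but never exercised"),
]
FLOWS = [Flow(WEB, API, 443), Flow(WEB, ERP, 5432), Flow(API, ERP, 5432), Flow(WEB, API, 22)]

if __name__ == "__main__":
    for f in FLOWS:
        print(f"{f.src.name} -> {f.dst.name}:{f.port}", evaluate(f, POLICIES))
    print("unused:", [p.note for p in unused_policies(FLOWS, POLICIES)])
```

The front end reaching the database directly is denied even though both are "inside" the company, which is the point of granular application-level rules over network-level reachability.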

It also restores the traditional division of responsibility for the application, the network, and security. The application developer is only responsible for setting up the application’s path to the cloud security platform; responsibility for the security of the cloud infrastructure is transferred back to the security team once the policies are established. As the applications are no longer exposed online for communication purposes, the company also reduces its vulnerability to attack.

The cloud facilitates secure cloud workload communication

Workload connections in the public cloud need to be just as secure as the connections through which individual users access their cloud-based apps. Applying the Zero Trust principles of user communication to cloud workloads allows companies to ensure that this communication is straightforward and secure, while also reducing their exposure to attacks on the internet.

