An internal network allows the enterprise to have control over every network layer, but as enterprises invest in cloud infrastructure, they’re finding that cloud network security requires a different approach. There are no controls for the switch layer, and all available controls are software-defined.
There aren’t any network engineers mourning the loss of hardware-based network platforms, but there is a need to learn new tools and techniques for managing cloud network security. Some options exist for securing a cloud-based network, but because enterprises don’t control the hypervisor, defense-in-depth tools of this kind can be limited.
It’s Different in the Cloud
Almost every network component changes when translated to the cloud, largely because the network is software-defined. The main changes include:
Flat Networks: When shifted to the cloud, subnets are basically flat, and systems easily communicate unless there are controls put in place.
Lack of East-West Traffic Monitoring: You’ll need to make significant routing and architectural changes or use host-based monitoring for traffic between systems.
Limits to Routing Control: There are tools in the cloud, but they are rarely adequate for what most enterprises want to do. They tend to be simple and without public or internal routing flexibility.
Firewall Simplicity: Firewalls generally operate at layers 3 and 4, and network access controls tend to be simplistic as well.
Inline Intrusion Detection and Traffic Capture: These options tend to be challenging to implement, though providers are taking steps to improve visibility.
Inspection: Content-based tools such as malware sandboxing tend to be rare, though small improvements are emerging.
Building Cloud Network Security
Enterprises looking for ways to secure their cloud network have a number of strategies available to them:
Invest in technologies that are cloud-native. While you will still need firewall and intrusion prevention, cloud-native technology has network security built into the solution. In addition, businesses wanting to prioritize enterprise-level cloud traffic control will use a hybrid approach to handle workload-to-workload access control. When traffic needs a higher level of inspection, it can be routed in the cloud and passed through virtual appliances.
Use a Virtual Private Cloud (VPC) and a Virtual Network paired together strategically to develop a higher degree of control over how segments communicate with one another.
Monitor long-term behavioral patterns in your network traffic, using flow logs to identify attack attempts.
Invest in hybrid tools that support zero-trust access control and micro-segmentation that work well with your data center. These tools tend to put the focus on application behavior and will likely grow in their importance to cloud network security.
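As an added illustration of the flow-log monitoring and east-west visibility points above (example code written for this page, not a vendor's tool), the script below parses AWS VPC Flow Log records in the default version-2 format and flags two patterns: a source that is rejected on many distinct destination ports, and accepted traffic between subnets that a constructed segmentation policy does not pair. The sample records, account id, interface id, addresses and the policy are all constructed.

```python
# Default VPC Flow Log (version 2) field order:
# version account-id interface-id srcaddr dstaddr srcport dstport protocol packets bytes start end action log-status
import ipaddress
from collections import defaultdict

# Constructed sample records (not real traffic): 10.0.1.5 probes five ports on 10.0.2.7 and is
# REJECTed each time; 10.0.3.4 reaches 10.0.1.9 on SMB, which the policy below does not allow.
SAMPLE_FLOW_LOG = """\
2 111111111111 eni-0a1b2c3d 10.0.1.5 10.0.2.7 40001 22 6 1 44 1700000000 1700000060 REJECT OK
2 111111111111 eni-0a1b2c3d 10.0.1.5 10.0.2.7 40002 23 6 1 44 1700000000 1700000060 REJECT OK
2 111111111111 eni-0a1b2c3d 10.0.1.5 10.0.2.7 40003 80 6 1 44 1700000000 1700000060 REJECT OK
2 111111111111 eni-0a1b2c3d 10.0.1.5 10.0.2.7 40004 443 6 1 44 1700000000 1700000060 REJECT OK
2 111111111111 eni-0a1b2c3d 10.0.1.5 10.0.2.7 40005 3389 6 1 44 1700000000 1700000060 REJECT OK
2 111111111111 eni-0a1b2c3d 10.0.1.9 10.0.2.7 51000 5432 6 120 9800 1700000000 1700000060 ACCEPT OK
2 111111111111 eni-0a1b2c3d 10.0.3.4 10.0.1.9 52000 445 6 30 2400 1700000000 1700000060 ACCEPT OK
2 111111111111 eni-0a1b2c3d - - - - - - - 1700000000 1700000060 - NODATA
"""

# Constructed segmentation policy: source subnet -> destination subnets it may reach (app -> db).
ALLOWED_EAST_WEST = {
    ipaddress.ip_network("10.0.1.0/24"): [ipaddress.ip_network("10.0.2.0/24")],
}

def parse_flow_log(text):
    """Return one dict per well-formed record; NODATA/SKIPDATA and malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        f = line.split()
        if len(f) != 14 or f[0] != "2" or f[13] != "OK":
            continue  # placeholder '-' fields would not parse as addresses or ports
        records.append({"src": f[3], "dst": f[4], "dstport": int(f[6]), "action": f[12]})
    return records

def find_scanners(records, min_ports=5):
    """Map each source to the sorted distinct dst ports it was REJECTed on, if at least min_ports."""
    rejected = defaultdict(set)
    for r in records:
        if r["action"] == "REJECT":
            rejected[r["src"]].add(r["dstport"])
    return {src: sorted(p) for src, p in rejected.items() if len(p) >= min_ports}

def unexpected_east_west(records):
    """Return (src, dst, dstport) for ACCEPTed flows whose subnet pair the policy does not allow."""
    hits = []
    for r in records:
        if r["action"] != "ACCEPT":
            continue
        src, dst = ipaddress.ip_address(r["src"]), ipaddress.ip_address(r["dst"])
        if not any(src in s and any(dst in d for d in dsts) for s, dsts in ALLOWED_EAST_WEST.items()):
            hits.append((r["src"], r["dst"], r["dstport"]))
    return hits
```

Both checks work from the flow-log records alone, which is what makes them useful where inline capture or east-west taps are not available.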
Cloud network security is vastly different from securing an in-house, hardware-based network. Contact us at eXemplify to help you identify vulnerabilities in your network security strategy and leverage the tools that will best protect your data and your systems.