The acceleration of digital transformation over the past two years has radically shifted the way enterprises need to protect themselves from today’s modern cybersecurity threats. In particular, the move from monolithic applications to a highly distributed modern application architecture is causing the number of workloads and communications within and across clouds to explode.
In fact, nearly two-thirds of global organizations have adopted the microservices model over the past two years. The ensuing shift in traffic patterns gives resourceful cybercriminals the opportunity to exploit gaps in security policy and controls between workloads in order to compromise applications. From there, they can move laterally from one application to the rest of the network.
Zero Trust is quickly gaining momentum among enterprises as a counter to these modern threats, providing a far more robust security posture that supports digital transformation instead of hindering it. Based on the principle of “never trusting, always verifying” before allowing access to applications and resources, Zero Trust removes the assumption of trust, limits access, and authenticates based on identity and context.
Limitations to a Legacy Approach to Zero Trust
Zero Trust is often used only for securing user access to enterprise networks rather than securing workload-to-workload communication. To protect these increasingly sophisticated, highly distributed applications, enterprise security teams need to secure the workloads themselves completely, without any security gaps or blind spots.
The problem is that traditional firewall solutions are primarily built for the perimeter, and require internal traffic to be backhauled to an appliance in the data center where security policies can be applied—a process that increases latency, saps bandwidth, and adds complexity to network infrastructure. This complexity forces security teams to select what traffic should be monitored and secured.
In a world where an enterprise’s security posture is only as good as its weakest link, this is an unacceptable choice.
Operationalizing Secure Workload Access
Enterprises need a way to operationalize secure workload access at cloud scale. This requires simplifying the Zero Trust architecture through a software-based, distributed approach that delivers security directly into the hypervisor.
Being able to secure workload-to-workload communication accelerates the adoption of Zero Trust principles, reduces the attack surface, mitigates lateral movement by attackers, prevents advanced threats against applications and, ultimately, unleashes the full power of the multi-cloud, microservices world.
3 Techniques to Operationalize Secure Workload Access at Cloud Scale
1) Deliver East-West Controls Inside the Workload
Instead of backhauling traffic to the data center where it is hair-pinned through appliances, enterprises need to take a distributed, software-based approach to security.
This allows security teams to create and manage application-aware policies from a central control point and automatically apply them to distributed workloads based on tags. Other security services can be delivered as well—including network traffic analysis (NTA), intrusion detection and prevention (IDS/IPS) and malware analysis with comprehensive network detection and response (NDR) capabilities.
In addition, this provides continuous visibility, security, and compliance for containerized applications from development to production in any private or public cloud environment.
2) Secure Cloud Boundaries and Environments
This software-based, distributed approach to secure workload access also requires the ability to inspect all incoming and outgoing traffic at the cloud edge. This provides comprehensive protection against threats, including signature-based detection, behavior-based detection, network sandboxing and URL filtering as well as Transport Layer Security (TLS) decryption.
When deployed with a load balancer, a gateway firewall can provide multi-cloud load balancing, web application firewall (WAF) functionality, application analytics, and container ingress services. This allows enterprises to erect defenses at the boundary of each cloud deployment.
3) Provide Authoritative Context for Secure Workload Access
Orchestrating all this requires a centralized network services platform that provides unified visibility, control, and governance of network identifiers, simplifying the management of network identities and providing a framework for implementing secure workload access. This creates a complete inventory of all workloads that need to be secured, using identifiers such as Internet Protocol (IP) addresses, Domain Name System (DNS) names, labels or certificates.
In addition to workload identity, authoritative context may include information about the workload such as the operating system, workload type, software version, known vulnerabilities and misconfigurations and anomalous workload behavior.
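As an added illustration of techniques 1 and 3 together (this is not VMware's code or any product's API): a tag-based, default-deny evaluator for east-west flows that looks workloads up by certificate identity in a constructed inventory and checks authoritative context (expected IP, known vulnerabilities) before matching policy. All workload names, tags and the CVE value are constructed placeholders.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Workload:
    # Constructed inventory record: identity is the certificate CN, not the IP.
    name: str
    ip: str
    cert_cn: str
    tags: frozenset
    known_vulns: tuple = ()   # authoritative context, e.g. unremediated CVEs

@dataclass(frozen=True)
class Rule:
    src_tag: str   # rules reference tags, so they follow workloads across clouds
    dst_tag: str
    port: int

# Constructed sample inventory; the CVE value is a labelled placeholder.
INVENTORY = {w.cert_cn: w for w in [
    Workload("web-1", "10.0.1.10", "web.shop.internal", frozenset({"tier:web", "app:shop"})),
    Workload("api-1", "10.0.2.20", "api.shop.internal", frozenset({"tier:api", "app:shop"})),
    Workload("api-2", "10.0.2.21", "api2.shop.internal", frozenset({"tier:api", "app:shop"}),
             ("CVE-PLACEHOLDER-0000",)),
    Workload("db-1", "10.0.3.30", "db.shop.internal", frozenset({"tier:db", "app:shop"})),
    Workload("bi-1", "10.0.4.40", "bi.analytics.internal", frozenset({"tier:api", "app:analytics"})),
]}

# Only two east-west flows are permitted; everything else is denied by default.
POLICY = [Rule("tier:web", "tier:api", 8443), Rule("tier:api", "tier:db", 5432)]

def evaluate(src_cn, src_ip, dst_cn, port):
    """Decide one flow. Returns (allowed, reason); any gap in context means deny."""
    src, dst = INVENTORY.get(src_cn), INVENTORY.get(dst_cn)
    if src is None or dst is None:
        return False, "unknown workload identity"
    if src.ip != src_ip:
        return False, "source IP does not match inventory for this identity"
    if src.known_vulns:
        return False, "source quarantined: " + ", ".join(src.known_vulns)
    # Application-aware: a tier rule only applies between workloads of the same app.
    same_app = any(t in dst.tags for t in src.tags if t.startswith("app:"))
    for r in POLICY:
        if same_app and r.src_tag in src.tags and r.dst_tag in dst.tags and r.port == port:
            return True, f"allowed by {r.src_tag}->{r.dst_tag}:{r.port}"
    return False, "default deny"
```

Because rules are written against tags rather than addresses, moving a workload to another cloud changes its inventory entry but not the policy, and any flow without a matching rule, a known identity and a clean context falls through to deny.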
The IT stack is rapidly changing, and security needs to keep up. Protecting the digital enterprise from today’s highly sophisticated threat actors requires more than just endpoint or perimeter security. In the never-ending game of cat and mouse with cybercriminals, it is impossible to stay one step ahead all the time. A Zero Trust architecture that includes secure workload access is the only way to root out and stop these attacks.
This three-pronged approach requires the ability to deliver security controls as software to distributed workloads, the ability to erect defenses at the edge of each cloud environment, and a centralized network services platform that provides unified visibility and control of network identifiers.
About the Author:
Vivek Bhandari, Sr. Director, Product Marketing, VMware