Who wouldn’t want to segment in the cloud? Network segmentation is a proven security strategy that lets you set strict rules for which services are permitted between accessible zones. Designating sensitive data and resources within zones ensures only designated hosts and users belonging to other approved zones can reach them. This is helpful for constraining attacks by making lateral movement across the network difficult. Hackers and malware can’t portscan to identify your critical assets if they’re blocked, let alone access them to exfiltrate data.
But the common perception is that segmentation can’t work in the cloud because clouds are too dynamic. In the cloud, application development teams spin up resources in seconds and take them down just as quickly. This dynamic provisioning, coupled with the scalability of effectively unlimited resources, makes clouds attractive to businesses, but also more complex to manage from a security perspective. Many people also believe segmentation demands rigid policies defined by IP addresses, which is fine for on-premises networks, but not for cloud infrastructures or SDN. Structured zones, they contend, can’t work if the environment is dynamic and the goal posts are in continual flux.
Are they right?
The fact is many organizations today are segmenting cloud environments to bolster cloud security and ensure compliance, proving that segmentation doesn’t need to be so rigid. If you can dynamically assign new servers, users, or security groups to a zone in your environment (or create a new zone), you can segment in the cloud. Dynamic challenges require automation—rapid changes require security solutions that run in parallel.
The key is ensuring that the change management process is as agile as your cloud environment’s changes. You need to integrate security policy into change management to automate the tracking of all objects in your network: not just IP addresses, but also user groups, security groups, and tags (more on that last one below). Utilizing an IPAM (IP address management) system, for example, provides the ability to update each zone as changes to the hybrid network are made. With automated change management and automated IP address management, you’ll reflect the revisions in real time.
Organizations that only use the cloud benefit from tags for segmentation. Tags are assigned to security groups and applications to easily apply consistent security policy changes for connections between all points with the same tag. It is an ideal solution for managing segmentation in the cloud, but only for those companies that are cloud native.
Combining the security controls of your physical network with those of your cloud environment to automate security policy changes enables holistic enforcement of a unified security policy across both environments. Indeed, there are proven tools on the market that offer the necessary visibility, management, and automation across the entire infrastructure to deliver segmentation capabilities in the cloud.
But cloud segmentation needs more than effective technologies. It requires a change in mindset. Your security team knows what security and compliance look like. It knows which services, resources, and connectivity are secure and which are not. The problem, however, is application development teams generally focus on application development and connectivity, not security. The traditional approach of building an application and sending it to security for review is time-consuming and undermines the business agility offered by the cloud. Putting development teams in charge of cloud security rather than security staff may get products to market faster, but cloud security and cloud compliance often fall by the wayside.
It doesn’t have to be this way. The choice shouldn’t be between business agility and security. The solution is integrating security into application development and deployment, and educating developers on what security should look like. When all stakeholders understand what’s permissible and what’s not, all stakeholders can apply security policy in the cloud. When a PCI-protected server needs to be launched, for example, developers should know it must talk only to PCI-tagged applications through specific services. If you automate this process, you can meet the rapid change requirements of your application developers. They’ll spin up resources as needed and if they violate compliance, your security team will know about it and can note necessary access as an exception.
Additionally, you should undertake cloud segmentation concurrently with creating zones in your on-premises network. Designating zones across the on-premises and cloud networks in parallel lets you consolidate zones that serve the same purpose, even when one is defined by subnets and the other by security groups, which keeps the result manageable. And don’t microsegment at first. It’s true that deploying granular zones at the application level will limit access within your cloud environment even more tightly. But with hundreds of active applications and new ones spinning up all the time, microsegmentation threatens to overwhelm your staff with the complexity of ever-changing security rules. Let them climb the learning curve before microsegmenting.
Network segmentation is an ongoing process as your business evolves, driven by new requirements and opportunities. Consequently, your security policies will always evolve. Proceed thoughtfully and gain experience. Your reward will be cloud security and compliance.
The bottom line is cloud segmentation is quite possible even in the most fluid of environments, as long as you use automation to preserve and further enable business agility. You just need to automate change management and integrate security into the development and deployment of applications and services. This way security policies will always keep pace with changes in the cloud, and instead of being at loggerheads, security and agility will work harmoniously to advance your business needs.
If you’re ready to start, or continue, your network segmentation, make sure to utilize our Practical Guide to Network Segmentation.