There are many tools and controls that can help monitor workloads and data in the hybrid cloud. But above all, designing a dynamic security architecture requires adopting the zero trust model.
For this, security and operations teams need to focus on two key concepts. First, security must be integrated into the workloads themselves, so that it follows instances and data as they move between internal and external cloud environments. Second, the actual behaviour of the applications and services running on each system needs to be better understood. Relationships between systems and applications will need to be examined more closely than ever before to support the adoption of a very restrictive zero trust model.
As hybrid cloud architectures spread, a growing number of companies are looking closely at automation, far beyond what is found in traditional data centers.
To automate the deployment of a granular micro-segmentation strategy, good visibility into network traffic and workload configurations is required. This is really the key to turning a segmentation strategy into one that follows zero trust principles.
By creating a policy enforcement layer that travels with workloads wherever they run, organisations strengthen their ability to protect data regardless of where an instance runs. In effect, this moves security policy and access control to the individual instances rather than into the network itself. Hybrid cloud architecture concepts, however, do not adapt easily to traditional network segmentation models.
Dynamic resources such as virtual instances and containers are hard to place behind "fixed" network policy enforcement points. It is therefore necessary to adopt a micro-segmentation security strategy that allows only approved traffic between systems, regardless of the environment in which they are located.
The contributions of micro-segmentation to a zero trust approach
Micro-segmentation prevents attackers from using untrusted connections to move laterally from a compromised application or system, regardless of the environment.
The zero trust approach facilitates the creation of "affinity policies", in which systems have approved relationships and any communication attempt is evaluated against these policies to determine whether it can be allowed.
This control is applied continuously. Ideally, the control system also embeds machine learning capabilities to analyse behavioural attempts and adapt dynamically over time to changes in the workload and application environments.
By potentially eliminating lateral movement, a zero trust security model built on micro-segmentation also reduces the risk of an attacker compromising an asset in the cloud environment or the data center. This is sometimes described as limiting the blast radius, namely the perimeter threatened by the initial compromise.
It works by controlling communications between assets, but also by monitoring running applications and what they are trying to do.
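As an added illustration (not code from the original article), here is a minimal affinity-policy evaluator in Python: it decides each connection attempt by workload role rather than network location, denies anything without an approved relationship, and reports the denied attempts as lateral-movement candidates. All workload names, roles, environments and ports are constructed for the example.

```python
from dataclasses import dataclass

# Added example, not from the original article: an "affinity policy" evaluator for
# micro-segmentation. Workloads are identified by role, not by network location, so
# the same policy applies in the data center and in any cloud. Values are constructed.

@dataclass(frozen=True)
class Workload:
    name: str
    role: str         # application role the policy keys on, e.g. "web", "api", "db"
    environment: str  # where it currently runs; recorded for audit, never used to decide

@dataclass(frozen=True)
class AffinityPolicy:
    src_role: str
    dst_role: str
    port: int
    protocol: str = "tcp"

# Approved relationships only; anything not listed is denied by default.
POLICIES = (
    AffinityPolicy("web", "api", 8443),
    AffinityPolicy("api", "db", 5432),
)

def evaluate(policies, src, dst, port, protocol="tcp"):
    """Decide one connection attempt. Returns (verdict, reason); default deny."""
    for p in policies:
        if (p.src_role, p.dst_role, p.port, p.protocol) == (src.role, dst.role, port, protocol):
            return "allow", f"approved affinity {p.src_role}->{p.dst_role}:{port}/{protocol}"
    return "deny", f"no approved affinity {src.role}->{dst.role}:{port}/{protocol}"

def audit(policies, attempts):
    """Evaluate a batch of attempts; denied ones are lateral-movement candidates to alert on."""
    denied = []
    for src, dst, port in attempts:
        verdict, reason = evaluate(policies, src, dst, port)
        if verdict == "deny":
            denied.append(f"{src.name}({src.environment}) -> {dst.name}({dst.environment}): {reason}")
    return denied

# Constructed workloads spread across a hybrid environment.
WEB = Workload("web-01", "web", "aws")
API = Workload("api-01", "api", "aws")
DB = Workload("db-01", "db", "datacenter")

if __name__ == "__main__":
    attempts = [(WEB, API, 8443), (API, DB, 5432), (WEB, DB, 5432), (API, WEB, 22)]
    for line in audit(POLICIES, attempts):
        print("ALERT", line)
```

Note that the api-to-db rule is honoured even though the two workloads run in different environments, while the web-to-db attempt is blocked and surfaced as an alert.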
These are just a few of the benefits of micro-segmentation applied to a zero trust architecture, but they show how the approach can help companies implement granular access control policies in their hybrid environments.