momius - Fotolia
Traditional network security protects endpoints and the data center within the perimeter by applying physical and software-based controls to safeguard the infrastructure from unauthorized use. This approach safeguarded servers and other enterprise devices from attacks that could steal or compromise data or other assets.
But security strategies must evolve as enterprises migrate workloads to the cloud. The cloud has propelled transformation, resulting in hybrid architectures where some workloads run in the cloud, while others run on premises.
Secure connectivity is crucial to the stability of these environments and the protection of assets running on them. But this hybrid architecture also presents new complexities as organizations track activity across highly distributed resources. As a result, enterprises are seeking ways to embed effective cloud network security protections across multiple layers of their infrastructures.
Cloud network security encompasses all of the policies, protections and practices required to safeguard the infrastructure, systems and data from unauthorized access or misuse -- deliberate or otherwise. A successful cloud network security strategy builds on the fundamental components of conventional network security: Protect, detect and respond. It also requires companies to understand the unique issues associated with safeguarding on-demand hybrid environments. Here are five essential factors to consider.
1. Shared responsibility
Cloud obscures the traditional lines governing network security. IaaS providers, for example, build controls into their physical and virtual infrastructures and rely on best practices to safeguard the environment. Similarly, SaaS providers embed protections in their applications and facilities. But the enterprise must know its data is protected not just in the cloud, but throughout the entire environment. This isn't easy, given the potential for blind spots where potential vulnerabilities might be hidden. To that end, providers and third-party security vendors offer a variety of add-on tools -- from monitoring software to packet sniffers -- to reinforce cloud network security. Telecom service providers, meanwhile, offer a set of cloud security tools designed to protect data as it traverses the hybrid environment. As a result, IT must understand all the controls providers embed in their services and identify where potential cracks may lie. This is a conversation that should take place before any contracts are signed.
2. Software-defined access
Optimal cloud operations require that security is an intrinsic part of the network. This approach incorporates policy-based software-defined practices, delivered via the cloud into what is known as Secure Access Service Edge (SASE). SASE, in turn, relies on a variety of cloud-based services to protect assets across the hybrid environment -- among them cloud access security brokers, secure web gateways and firewall as a service, as well as functions such as browser isolation. Zero trust, in which all entities are assumed to be potentially harmful until they are authenticated as safe, is an important component of SASE. Many enterprises use zero-trust network access (ZTNA), which obscures IP addresses and segregates application access from network access, to protect network resources from threats like malware running on a compromised system. Application access is only given to authenticated authorized users and devices.
3. Network segmentation
ZTNA can work in conjunction with network segmentation to bolster cloud network security. Network segmentation divides the physical network into smaller pieces. IT can use virtualization to microsegment the network, creating network zones precise enough to support an individual workload. These zones serve as virtual walls to block cyber attackers from moving unhindered through the hybrid environment. Advances in automation now enable companies to create zones based on changing conditions and established policies -- creating new zones as the environment scales up and reducing the number of segments as it contracts.
Enterprises should make sure data is encrypted both at rest and in transit. Cloud providers typically offer encryption services, but beware: Not all are created equal. Moreover, not every application workload requires the same level of encryption. Email, for example, may only need transit-level protection -- where messages are only encrypted as they move across the network -- as opposed to end-to-end encryption, where messages are decrypted when they reach their destination. The former is less secure, but it's also less expensive than the latter.
5. Test and response
A key part of effective cloud network security is testing to ensure the right controls are in place in all the right areas. Conduct penetration tests between audits to expose vulnerabilities so they can be corrected before they are exploited or otherwise compromised. Ongoing testing can also take some of the pressure off during the compliance audit process. Finally, have a strategy in the event a breach occurs. Retain an incident response company to help mitigate the impact of any successful attack. Make sure you have a plan in place to effectively bring systems back online. Automate as much as you can to eliminate manual errors and expedite the restoration of services. And investigate logs to determine the best way to restore your operations.