The cloud is the way to secure cloud workload communication

How do you keep your online communications secure?

With various applications in the cloud, you face the challenge of ensuring that your online communications are secure: communication between different apps, as well as between an app and the data center. Today’s multicloud environments and large hyperscalers can make managing secure workload access a big task. With complex connections and high security requirements, this is an area that needs to be simplified. Advanced cloud workload solutions based on zero trust technology could be the answer.

As workloads move to the cloud, they must be handled in many different ways, depending on the multicloud scenario in which they run. This is central to the debate about complexity and security in business. Most applications hosted in the public cloud require three ‘communication relationships’. The workload, which consists of the application and the associated data, must be accessible to the IT department for management purposes. The application must also be able to communicate with other applications via the Internet, and finally it must be connected to the data center. If the necessary access rights in these three areas are not set correctly, the company is potentially more vulnerable to attack.

The cost and effort associated with secure workload communication increase with the number of applications hosted in the cloud and the number of cloud providers used. Because hyperscalers tend to use a decentralized infrastructure, application developers and network security teams face the challenge of ensuring that the communication relationships for each workload, at each cloud provider, are both efficient and secure. Because many companies still take a traditional approach to network security, those responsible often face a lot of complexity or high costs.

The latest “State of Cloud (In)Security” analysis from the Zscaler ThreatLabz team, which examined thousands of cloud workloads, shows that security considerations are often neglected due to the complexity of multicloud environments. Compared to 2020, the range and frequency of security vulnerabilities in the cloud increased during 2021. According to the analysis, 71% of cloud accounts do not use software- or hardware-based multi-factor authentication, compared to 63% the year before. 56% of access keys had not been renewed within the last 90 days, an increase of 6% compared to last year. Additionally, 91% of accounts were assigned permissions that had never been used. Most of those permissions were not only never used, but also incorrectly configured. On top of that, the analysis found that 90% of companies were unaware that they had granted extended read permissions to third-party providers.

Confusion and chaos in workload communication

With the proliferation of public cloud workloads over the past two years, many enterprises are dealing with a complex and chaotic web of connections to their cloud applications. This complexity is due to the different routing requirements of the data traffic: traffic destined for the application in the cloud, traffic between the cloud-based apps themselves, and traffic from the application back to the data center. Factors such as the required level of service availability in different regions, and even redundant applications, all contribute to complicated communication paths.

Monitoring and structuring multicloud environments becomes even more complex when several applications or parts of applications in the public cloud need to communicate with each other, or when parts of applications run at different hyperscalers. Most complex of all are workloads that are not only redundant but also span multiple regions and cloud providers to form compute networks for massive tasks or big data applications. When such complex application scenarios are combined with traditional WANs and hardware-based security architectures, a comprehensive set of firewall rules must be implemented to control the north-south traffic from the servers to the Internet and the east-west traffic between the servers.

Depending on the amount of data, companies are forced to use fiber optic technology or direct connections to hyperscalers. The only alternatives for companies with lower data load volumes are a complex VPN tunnel or a combination of different packages from companies that can help with the management burden.

In complex cloud scenarios like this, it is often unclear who exactly is responsible for securing cloud workloads and all associated infrastructure. While responsibilities may have been clearly defined when the applications were hosted on the corporate network, with the application team, the network team, and the security department each playing their part, the cloud blurs this traditional delineation of responsibilities. Responsibility for the security of the cloud workload is tacitly placed with those responsible for the cloud application. However, the developers’ skills often lie primarily in application programming; they may not be experts in networking and security infrastructure, which can lead to gaps in the security configuration.

Simplifying security through the cloud

The zero trust approach has become extremely popular in recent years as a way to secure data traffic for applications on the Internet and remote access to applications in data center or cloud environments. With this approach, secure communication takes place based on policy and defined access rights, in accordance with the principle of least-privilege access. A security platform acts as an intermediate security layer that enforces this policy. These security services sit between the Internet, the applications, and the user to monitor the secured communication. In these types of scenarios, a cloud-based approach is ideal because it provides the necessary ability to scale and requires little management.

This zero-trust concept can also be applied to structure and monitor cloud workloads, reducing the complexity of these scenarios. Policies are used to grant the workload access rights to the required applications; these rights are then monitored via a cloud platform. This approach eliminates the need for network connections and instead favors granular connections at the individual application level. Cloud workloads can be linked to defined destinations on the Internet to make updates or to communicate with other applications in different clouds or in the same data center. Here, too, defined access rights to the cloud workload form the basis for secure communication. Through an encapsulated connection, an intermediary in the cloud monitors the traffic to ensure that only authorized communication relationships are established. The cloud security platform not only implements the access rights, but also manages other security functions to monitor the data traffic, such as analyzing SSL-encrypted traffic for hidden malicious code.

Cloud workloads are no longer an entry point for attacks

This approach has a dual effect: it reduces complexity while reducing the vulnerability of cloud workloads to attacks from the Internet. Because communication between apps is encapsulated, the applications themselves are not visible online, which prevents unauthorized parties from reaching them.

This method also allows for micro-segmentation: with the help of the defined access rights policy, the system determines which servers can communicate with which other servers and under what circumstances, without having to route data traffic through external network equipment to apply firewall rules. This approach works across clouds and counters the decentralized methodology of the hyperscalers.
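The policy model described in the two paragraphs above (workload identities rather than network addresses, explicit grants for each of the three communication relationships, default deny, and a log from which unused grants can be spotted) can be illustrated with the following added example. It is not Zscaler code; the workload names, destinations and ports are constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Workload:
    cloud: str   # hyperscaler or "onprem"; part of the identity, not an IP address
    app: str     # application identity the policy refers to

@dataclass(frozen=True)
class Rule:
    src: Workload
    dst: str             # destination identity: an app, "datacenter:<name>" or an Internet FQDN
    ports: frozenset
    purpose: str         # which of the three communication relationships this grant serves

class WorkloadPolicy:
    """Default-deny: a connection is allowed only if an explicit rule grants it."""
    def __init__(self, rules):
        self.rules = list(rules)
        self.audit = []  # (verdict, src app, dst, port, reason), as the intermediary would log
    def is_allowed(self, src, dst, port):
        for r in self.rules:
            if r.src == src and r.dst == dst and port in r.ports:
                self.audit.append(("ALLOW", src.app, dst, port, r.purpose))
                return True
        self.audit.append(("DENY", src.app, dst, port, "no matching rule"))
        return False
    def unused_rules(self):
        """Granted relationships never exercised: review candidates under least privilege."""
        used = {(v[1], v[2], v[3]) for v in self.audit if v[0] == "ALLOW"}
        return [r for r in self.rules
                if not any((r.src.app, r.dst, p) in used for p in r.ports)]

# Constructed policy covering the three relationships the text describes (hypothetical names).
ORDERS = Workload("aws", "orders-api")
INVENTORY = Workload("azure", "inventory-svc")
BASTION = Workload("onprem", "it-mgmt-bastion")
POLICY = WorkloadPolicy([
    Rule(ORDERS, "inventory-svc", frozenset({443}), "app-to-app across clouds"),
    Rule(ORDERS, "datacenter:erp-db", frozenset({5432}), "app to data center"),
    Rule(ORDERS, "updates.example.invalid", frozenset({443}), "Internet update source"),
    Rule(BASTION, "orders-api", frozenset({22}), "IT management access"),
])

# Constructed connection attempts; note the inventory service has no rule back to orders-api.
REQUESTS = [(ORDERS, "inventory-svc", 443), (ORDERS, "inventory-svc", 22),
            (INVENTORY, "orders-api", 443), (ORDERS, "datacenter:erp-db", 5432),
            (ORDERS, "cdn.example.invalid", 443), (BASTION, "orders-api", 22)]

def evaluate(policy=POLICY, requests=REQUESTS):
    return [policy.is_allowed(*req) for req in requests]
```

After a run, `POLICY.unused_rules()` lists the update-source grant that no workload ever exercised, the kind of never-used permission the ThreatLabz figures above describe.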

In addition, it restores the traditional division of responsibilities between application, network and security. The application developer is responsible only for setting up the application’s path to the cloud security platform; responsibility for the security of the cloud infrastructure returns to the security team once the policy is established. Since the applications are no longer exposed online for communication purposes, the company also reduces its attack surface.

The cloud enables secure communication with cloud workloads

Workload connections in the public cloud must be as secure as the connections through which individual users access their cloud-based apps. By applying the zero-trust principles of user communication to cloud workloads, enterprises can ensure that this communication is simple and secure, while reducing their exposure to cyber-attacks. This approach reduces complexity by restructuring data flows while strengthening security, making it the perfect solution for the cloud-first route common in enterprises today.

By Nils Ullmann, Solution Architect at Zscaler
