Frankly Speaking 7/5/21 - Managing network security in a cloud world
Disclaimer: Opinions expressed are solely my own and do not express the views or opinions of my employer or any other entities with which I am affiliated.
Hope everyone had a great July 4th weekend! I can’t believe it’s been a month since I started writing again, and it has helped my thinking on security strategy in various environments a lot.
I write this newsletter in my free time and on weekends. Please support me by purchasing a paid subscription!
LET’S BE FRANK
In the past, I’ve written that smart VCs shouldn’t invest in network security. The premise was that as companies move to the cloud and adopt hybrid work, the corporate perimeter erodes and the control points shift to endpoints and identity. Moreover, the cloud gives traditional network security tools too little raw network visibility (you don’t get a tap on the provider’s fabric) to be effective. With all that, a new paradigm for securing the network in a cloud-first world makes sense.
In this newsletter, I’ll discuss the network threats that matter in a cloud world, and the techniques and tools we can use to address them.
I’ve been thinking a lot about how to secure networks for cloud environments, especially given the limited visibility into the network. The real question is which threats we should be concerned about. Most modern environments will adopt a zero-trust architecture, and this is one of the best vendor-agnostic roadmaps I’ve found. Although Cloudflare wrote it, it isn’t just a pitch for Cloudflare products.
So, which network threats should we be concerned about in a cloud environment? Traditional intrusion detection systems (IDS) don’t translate well to the cloud, especially in a zero-trust environment. Zero trust assumes the network itself is hostile: every request is treated as potentially malicious and is authenticated and authorized at the endpoint that serves it. That actually gives us a good starting point for thinking about how to mitigate network threats.
The most important thing to note is that the environment doesn’t assume a priori that certain traffic is trustworthy, unlike a traditional company with a perimeter, where traffic inside the perimeter is considered trusted. One major implication is that insider threats are not treated differently from any other threat, because there is no longer a notion of an “inside”: a compromised laptop on the corporate Wi-Fi gets exactly the same scrutiny as a request arriving from the internet.
How do we get started? Since there is no perimeter and we have to verify at the endpoints, the first step is to establish a corporate identity. That identity is what each endpoint uses to authenticate the caller and authorize the action. This is usually done with an identity provider such as Okta, Azure AD, or Ping, and is usually set up by the IT team. The important detail is that the endpoint verifies the identity assertion itself (signature, issuer, audience, expiry) rather than trusting a header because it arrived over the “internal” network.
Next, although we don’t trust any network traffic in the environment, it’s still good security posture to block malicious internet traffic, such as high-risk DNS requests and threats hidden inside SSL/TLS sessions. This is typically done with a secure web gateway (SWG) product from Cloudflare, Zscaler, Netskope, etc., which resolves DNS for the device, inspects web traffic (decrypting TLS requires the gateway’s CA to be trusted on the endpoint), and enforces policy on it. The goal is to reduce the threat surface by monitoring user traffic leaving the organization. Since users themselves generate much of this traffic, by visiting websites and so on, it’s important to monitor and restrict it.
Now we have to monitor the traffic within the organization. The idea is to prevent lateral movement after a compromise. This is a large undertaking: an organization has to inventory its workloads and segment network access between them. Native cloud controls such as security groups and network ACLs, plus detection services such as AWS GuardDuty, give only rudimentary protection. To do this properly, companies need products that provide zero trust network access (ZTNA) and can use ordinary broadband internet for branch-to-branch connectivity instead of a private WAN. This is particularly useful, but the undertaking requires coordination among infrastructure/DevOps, security, and IT. A simple first step is to close all inbound ports and expose internal web applications through a zero trust reverse proxy: the application host keeps only an outbound connection to the proxy, and every request is authenticated there before it is forwarded. This eliminates the open-port attack vector that internet scanners commonly pick up.
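Segmentation is only as good as your ability to notice when it is violated, and in AWS the cheapest signal is VPC flow logs: every accepted flow that your policy does not permit is either a misconfigured security group or lateral movement. The following added example (mine, not the post’s or any vendor’s) evaluates a constructed tier-based policy against constructed default-format flow log records for a hypothetical 10.0.0.0/16 VPC. The subnet-to-tier inventory and the allowed edges are assumptions; the record layout is the documented version-2 default format.

```python
import ipaddress
from collections import namedtuple

# Constructed inventory for a hypothetical 10.0.0.0/16 VPC: subnet -> tier.
TIERS = {
    ipaddress.ip_network("10.0.1.0/24"): "web",
    ipaddress.ip_network("10.0.2.0/24"): "app",
    ipaddress.ip_network("10.0.3.0/24"): "db",
    ipaddress.ip_network("10.0.9.0/24"): "bastion",
}

# Constructed segmentation policy: (client tier, server tier, server TCP port).
# Anything not listed is a policy violation, even if a security group allowed it.
ALLOWED = {
    ("web", "app", 8443),
    ("app", "db", 5432),
    ("bastion", "web", 22),
    ("bastion", "app", 22),
    ("bastion", "db", 22),
}

Flow = namedtuple("Flow", "src dst srcport dstport proto action")


def tier_of(addr: str) -> str:
    ip = ipaddress.ip_address(addr)
    for net, tier in TIERS.items():
        if ip in net:
            return tier
    return "external"


def parse_flow_log(line: str):
    """Parse one default-format (version 2) VPC flow log record:
    version account-id interface-id srcaddr dstaddr srcport dstport protocol
    packets bytes start end action log-status."""
    f = line.split()
    if len(f) != 14 or f[0] != "2":
        return None
    return Flow(f[3], f[4], int(f[5]), int(f[6]), int(f[7]), f[12])


def classify(flow: Flow) -> str:
    if flow.action != "ACCEPT":
        return "rejected"                  # already stopped at the security group
    src, dst = tier_of(flow.src), tier_of(flow.dst)
    if src == "external":
        return "inbound-from-internet"     # impossible once no inbound ports are open
    if dst == "external":
        return "egress"                    # the secure web gateway's job, not segmentation's
    if flow.proto != 6:
        return "lateral-movement"          # this constructed policy permits TCP only
    if (src, dst, flow.dstport) in ALLOWED:
        return "allowed"
    # Flow logs record each direction separately: the reply leg of an allowed
    # connection carries the service port as its *source* port. Match it so the
    # reply is not reported as a violation.
    if (dst, src, flow.srcport) in ALLOWED:
        return "allowed"
    return "lateral-movement"


def find_violations(lines):
    """Return (verdict, src, dst, dstport) for every accepted flow the policy forbids."""
    out = []
    for line in lines:
        flow = parse_flow_log(line)
        if flow is None:
            continue
        verdict = classify(flow)
        if verdict in ("inbound-from-internet", "lateral-movement"):
            out.append((verdict, flow.src, flow.dst, flow.dstport))
    return out


# Constructed sample records (not real logs): an allowed web->app request and its
# reply, a web host reaching straight into the database, an internet host that got
# SSH past a permissive security group, a rejected RDP probe, and a bastion session.
SAMPLE_LOG = """\
2 123456789012 eni-0a1b2c3d 10.0.1.10 10.0.2.20 51234 8443 6 10 1500 1625000000 1625000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.2.20 10.0.1.10 8443 51234 6 8 9000 1625000000 1625000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.10 10.0.3.30 51300 5432 6 5 400 1625000000 1625000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 203.0.113.7 10.0.1.10 40000 22 6 3 180 1625000000 1625000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 203.0.113.7 10.0.1.10 40001 3389 6 1 60 1625000000 1625000060 REJECT OK
2 123456789012 eni-0a1b2c3d 10.0.9.5 10.0.3.30 50000 22 6 20 3000 1625000000 1625000060 ACCEPT OK
""".splitlines()

if __name__ == "__main__":
    for v in find_violations(SAMPLE_LOG):
        print(*v)
```

Two findings come out of the sample: the web tier talking directly to Postgres, and an internet address that reached SSH on a web host. The second one is exactly what closing all inbound ports makes structurally impossible; the first is what the inventory-and-segment project exists to catch.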
Up until now, we have talked about network traffic as a broad concept without discussing any particular type of traffic. One type that is particularly notable is data traffic, specifically in relation to data loss prevention (DLP) products. The cloud and SaaS have totally changed the game here, and this could be a post on its own, but I think it’s worth touching on briefly.
Before, applications were installed on premises and companies had network perimeters. Even in that fully controlled setting, it was difficult to implement DLP and inspect all the traffic to make sure sensitive data was not leaving. That model no longer exists, since SaaS and cloud have made on-premise applications obsolete. So how do we handle this new world?
We have to handle it the same way we handled network traffic: address the separate problems individually instead of looking for a universal, “catch-all” solution. Specifically, we need to look at the following and address them piecewise: traffic into and out of sensitive applications, SaaS data and configuration (sharing settings, third-party integrations, export permissions), and sensitive data stored within an application.
Although it may be possible to address these from one platform, it seems difficult to solve them with a single solution. This is going to be a tough problem going forward, and one that generates more issues as data is no longer centralized in a single infrastructure.
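Whichever of the three pieces you tackle, the core of a DLP control is the same: classify content, then apply a policy keyed on where the data is going. As an added example (mine, not the post’s or any vendor’s), here is a small classifier with the piece that separates a usable DLP rule from a noisy one: a validator behind each broad pattern, so a sixteen-digit order number does not trip the credit-card detector. The detector list, severities and the block/log policy are constructed; the only real identifier is AWS’s own documented example access key ID, `AKIAIOSFODNN7EXAMPLE`.

```python
import re


def luhn_ok(digits: str) -> bool:
    """Luhn check digit validation, the standard test for payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


# Constructed detectors: (name, severity, regex, validator). The regexes are
# deliberately broad; the validator is what keeps false positives down.
DETECTORS = [
    ("credit_card", "high", re.compile(r"\b\d(?:[ -]?\d){12,18}\b"),
     lambda m: luhn_ok(re.sub(r"[ -]", "", m))),
    ("aws_access_key_id", "high", re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
     lambda m: True),
    ("email", "low", re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
     lambda m: True),
]


def redact(s: str) -> str:
    """Keep the last four characters so an analyst can triage without re-exposing the value."""
    return "*" * max(len(s) - 4, 0) + s[-4:]


def scan(text: str):
    """Return (detector, severity, redacted match) for every validated hit."""
    findings = []
    for name, severity, rx, validate in DETECTORS:
        for m in rx.finditer(text):
            if validate(m.group(0)):
                findings.append((name, severity, redact(m.group(0))))
    return findings


def decide(text: str, destination: str) -> str:
    """Constructed policy: high-severity data may not leave for an external
    destination; anything else that matched is allowed but logged."""
    findings = scan(text)
    if destination == "external" and any(sev == "high" for _, sev, _ in findings):
        return "block"
    return "allow" if not findings else "allow-and-log"


# Constructed sample messages (not real data), e.g. chat posts or SaaS share events.
SAMPLES = [
    ("Customer card 4111 1111 1111 1111 exp 12/26", "external"),
    ("Order id 1234 5678 9012 3456 shipped", "external"),
    ("deploy key AKIAIOSFODNN7EXAMPLE in the pipeline", "external"),
    ("contact bob@example.com about the roadmap", "external"),
    ("Customer card 4111 1111 1111 1111 exp 12/26", "internal"),
]

if __name__ == "__main__":
    for text, dest in SAMPLES:
        print(decide(text, dest), scan(text))
```

The same `scan` function can sit in front of three very different enforcement points: an inline proxy for traffic in sensitive applications, a SaaS API poller checking what was just shared externally, and a batch job over data at rest inside an application. What differs per piece is the policy and the destination signal, which is why a single product rarely covers all three well.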
Some outstanding questions here:
When does it make sense for an organization to undergo a network segmentation project?
As infrastructure has changed and created new challenges, does that change how security teams are organized and operate? Should there be a data security team? How should it be organized?
Are there any platform plays that can solve a number of these challenges, especially around data? Zscaler and Cloudflare seem to have solved many of them for network traffic, but can that hold as traffic becomes more decentralized with the emergence of data clouds like Snowflake and Databricks?