Cloud Migration Security Strategy

By: Amir Sharif 06.27.2019

Cloud migration is altering application architecture, which is upending the nature and demands of network security. Without access to tools designed specifically for a cloud environment (cloud-native) – without a proper security strategy – network security professionals are guaranteed to lose visibility. Without visibility, they will struggle to protect new assets with updated architectures, meaning the chance for bad actors accessing precious data will increase.

The Transformation of the Security Landscape

Cloud migration is transforming the security landscape because old methods will no longer cut it. Traditionally, the main tools of network security have been firewalls, intrusion detection systems (IDS) and intrusion prevention systems (IPS). In addition to firewalls and IDS/IPS, administrators tend to segment their networks with subnets, VLANs, and SDN. But here’s the thing: all of these traditional security methods rely on IP addresses as the means of segmenting a network. Which means they are doomed.

The Problem of Scale

As cloud migration takes effect, these semi-static and network-centric security tools won’t cut it. Why? Because network security can handle a high rate of change if the number of nodes is small, or a high number of nodes if the rate of change is steady and relatively low. But the cloud-native topography is such that both these factors are always present at the same time. This creates a problem of scale: a situation where, in a fabric, a high rate of change and a high rate of computation co-exist.

As network security pros know, with the established methods, we have to track a long list of tables determining which IP addresses can talk to one another. Call this our n-squared number. In traditional network settings that are rooted in servers, this number is fairly predictable and consistent. But as we experience a widespread cloud migration, the number of nodes increases hugely. On top of this, containerizing workloads makes them more ephemeral, meaning we churn through values much more quickly. N-squared increases logarithmically as the rate of both change and computation increases. This means the attack surface gets larger, and you lose visibility. It gets easier to smuggle code into a subnet, and the network doesn’t converge. All of which equals big trouble.

This scale problem means that security which uses IP addresses as the means of segmenting a network is certain to fail, because after cloud migration, relying on IP just isn’t viable. IP addresses are like street addresses: they provide the location, but not the identity. But in the cloud, location changes all the time. Continuing to use IP becomes like trying to catch a criminal who no one has ever seen, and who moves apartments every hour.

Implementing a Secure Cloud Migration Strategy

A proper cloud migration strategy means starting from a point where nothing is trusted without explicit and well-founded permission. This is the only way to radically reduce the number of rules needed, and therefore reduce the complexity and brittleness of the system, with one effect being a more scalable system that requires less computation overhead. As such, the networks can cope with the cloud landscape, so that visibility is always preserved. Security techniques based on physical networks, IP addresses, and familiar signatures are now obsolete. Security must be abstracted from IP infrastructure to address application segmentation requirements and to improve application risk posture.

In contrast to static API keys, micro-segmentation enables fine-grained security policies to be assigned to data center applications, down to the workload level. This approach enables security models to be deployed deep inside a data center, using a virtualized, software-only approach. This is a powerful capability, and it should be the basis for all network security in the wake of widespread cloud migration.
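To make the two preceding points concrete, the following added example (not Aporeto’s code and not part of the original post) contrasts an IP-pair allow-list with a label-based identity policy for the same web-to-database traffic. All workload names, labels and addresses are constructed for the illustration. It shows the n-squared rule count of the IP approach against a single identity rule, and what happens to each policy when a workload is rescheduled to a new address and its old address is recycled by an unrelated job: the IP policy both denies legitimate traffic and permits a workload it was never meant to, while the identity policy needs no change.

```python
"""Constructed comparison: IP-based allow-list vs identity-based policy under workload churn."""
from dataclasses import dataclass


@dataclass
class Workload:
    name: str
    labels: dict    # identity attributes, e.g. {"app": "web", "env": "prod"}
    ip: str         # current location; changes whenever the workload is rescheduled


class IpPolicy:
    """Traditional segmentation: one rule per (source IP, destination IP) pair."""

    def __init__(self):
        self.rules = set()

    def allow(self, sources, destinations):
        # Rule count grows as len(sources) * len(destinations): the n-squared problem.
        for s in sources:
            for d in destinations:
                self.rules.add((s.ip, d.ip))   # bound to the addresses observed right now

    def permits(self, src, dst):
        return (src.ip, dst.ip) in self.rules


class IdentityPolicy:
    """Identity-based segmentation: rules select workloads by label, never by address."""

    def __init__(self):
        self.rules = []

    def allow(self, src_selector, dst_selector):
        self.rules.append((frozenset(src_selector.items()),
                           frozenset(dst_selector.items())))

    @staticmethod
    def _matches(selector, labels):
        return all(labels.get(k) == v for k, v in selector)

    def permits(self, src, dst):
        return any(self._matches(s, src.labels) and self._matches(d, dst.labels)
                   for s, d in self.rules)


def run_demo():
    """Build both policies, then simulate churn and report what each one decides."""
    # Constructed workloads: three web front ends and two databases in production.
    web = [Workload(f"web-{i}", {"app": "web", "env": "prod"}, f"10.0.1.{i}") for i in range(1, 4)]
    db = [Workload(f"db-{i}", {"app": "db", "env": "prod"}, f"10.0.2.{i}") for i in range(1, 3)]

    ip_policy = IpPolicy()
    ip_policy.allow(web, db)                      # 3 x 2 = 6 address-pair rules
    id_policy = IdentityPolicy()
    id_policy.allow({"app": "web", "env": "prod"},
                    {"app": "db", "env": "prod"})  # one rule, regardless of replica count

    result = {"ip_rules": len(ip_policy.rules), "identity_rules": len(id_policy.rules)}

    # Churn: web-1 is rescheduled to a new address, and its old address is
    # recycled by an unrelated dev batch job that should never reach prod databases.
    old_ip = web[0].ip
    web[0].ip = "10.0.1.50"
    stray = Workload("batch-dev", {"app": "batch", "env": "dev"}, old_ip)

    result["ip_allows_restarted_web"] = ip_policy.permits(web[0], db[0])        # False: stale rule
    result["identity_allows_restarted_web"] = id_policy.permits(web[0], db[0])  # True: same identity
    result["ip_allows_stray"] = ip_policy.permits(stray, db[0])                 # True: recycled address
    result["identity_allows_stray"] = id_policy.permits(stray, db[0])           # False: wrong labels
    return result


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The address-pair policy is only correct for as long as the address-to-workload mapping it was written against stays fixed; every reschedule silently turns a rule into either a false denial or a false permit, which is the loss of visibility described above. The identity policy encodes intent (which application may talk to which) and is evaluated against the workload’s attributes at decision time, so churn in the underlying addresses never invalidates it.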

Aporeto’s Application Security Solution

Aporeto is built on a thorough analysis of these deep changes to the network security landscape, and a thorough understanding of what cloud migration changes mean for cloud security best practices. In essence, we provide application security by segmenting the workload with fine-grained policy control that is portable and persistent, backward compatible and spans a heterogeneous infrastructure for any hybrid or cloud environment, and we do that through application identity, not IP addresses.

With Aporeto, you can get stronger security, based on workload identity and a Zero Trust security model. The operations get simpler, and the L3 network stays flat. Developers are happier, and the overhead shrinks. DevOps, InfoSec, and Compliance teams are all happy, and your security is tighter.

Cloud migration is making network security specialists blind. And it’s only going to get worse. Aporeto is here to give professionals their visibility back, so they can keep their operations safe.

For more information on how to achieve a successful cloud migration, read our whitepaper on Cloud Security Gaps here.
