By now it’s obvious to security-minded developers and IT professionals that as applications move to public cloud, the definition of the “perimeter” changes. You can no longer rely on network perimeters to manage access, prevent attacks, and control traffic since you no longer manage the network. In fact, you can only trust the network in the public cloud to the extent that you understand it and have predictable, efficient ways of managing it. Because the network perimeter essentially no longer exists, or at the very least is expanded to include the virtual boundaries of your cloud environment, your security models start to break down. Most organizations today are either just establishing teams and expertise to focus on the nuances and rapid evolution of cloud security, or in far too many cases they are only beginning to understand that things are different.
When organizations move application workloads to public cloud environments or build greenfield applications that are designed for the cloud from the beginning, there are a number of security assumptions in the legacy, datacenter-centric security approach that tend to fail.
Limits of Network Segmentation
One of the most widely deployed security practices is “segmentation”, or the process of separating end-points into different trust domains and controlling interactions between those domains through policy rules. Segmentation manages information flow between domains and therefore reduces the attack surface between them. In essence, it limits the “blast radius,” or the portion of the application that can be directly affected if an attacker manages to penetrate one of the trust domains. Segmentation is also commonly sought to reduce compliance scope, as it’s a recognized method for easing PCI compliance.
Segmentation was initially based on IP subnets and VLANs. Operations assumed a static association between services and servers (or IP addresses) and by placing servers in different VLANs, administrators could enforce isolation between services. Firewalls were often deployed to enforce policy rules between VLANs.
Virtualization broke some of the basic assumptions of these implementations since it removed the static association of IP addresses to services. A new set of proprietary and standard solutions (see IEEE VEB and VEPA) were developed to automate the mapping of VM end-points to VLANs; firewalls struggled to keep up.
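As an added illustration of that breakage (example code, not from the original article), the following Python compares a legacy rule set that derives a workload's trust domain from its IP subnet with one that reads the domain from an identity label the workload carries; the subnets, addresses, workload names and flows are constructed sample values.

```python
# Added example (not the article's code): rules keyed on static subnets/VLANs
# misbehave once the IP-to-service association is no longer static.
# Subnets, addresses, workload names and labels are constructed samples.
import ipaddress

# Legacy model: each trust domain is a subnet (VLAN); the firewall between
# VLANs permits only the listed domain-to-domain flows.
SUBNET_DOMAINS = {
    ipaddress.ip_network("10.1.0.0/24"): "web",
    ipaddress.ip_network("10.2.0.0/24"): "app",
    ipaddress.ip_network("10.3.0.0/24"): "db",
}
ALLOWED_FLOWS = {("web", "app"), ("app", "db")}

def domain_of(ip: str) -> str:
    """Derive a trust domain from an address; anything else is untrusted."""
    addr = ipaddress.ip_address(ip)
    for net, domain in SUBNET_DOMAINS.items():
        if addr in net:
            return domain
    return "untrusted"

def ip_policy_allows(src_ip: str, dst_ip: str) -> bool:
    """Legacy decision: the domain is whatever subnet the address sits in."""
    return (domain_of(src_ip), domain_of(dst_ip)) in ALLOWED_FLOWS

def label_policy_allows(src_label: str, dst_label: str) -> bool:
    """Identity-based decision: the workload carries its own domain label."""
    return (src_label, dst_label) in ALLOWED_FLOWS

def evaluate(workloads: dict, flows: list) -> dict:
    """Decide each (src, dst) flow under both policies.
    workloads maps name -> (ip, label); result maps flow -> (ip_ok, label_ok)."""
    result = {}
    for src, dst in flows:
        src_ip, src_label = workloads[src]
        dst_ip, dst_label = workloads[dst]
        result[(src, dst)] = (ip_policy_allows(src_ip, dst_ip),
                              label_policy_allows(src_label, dst_label))
    return result

# Constructed scenario: the same three workloads before and after a redeploy
# that hands out new addresses, i.e. the static association is gone.
BEFORE = {"web1": ("10.1.0.5", "web"), "app1": ("10.2.0.5", "app"),
          "db1": ("10.3.0.5", "db")}
AFTER = {"web1": ("10.2.0.9", "web"), "app1": ("10.3.0.7", "app"),
         "db1": ("10.3.0.5", "db")}
FLOWS = [("web1", "app1"), ("app1", "db1"), ("web1", "db1")]
```

Before the redeploy both policies agree on every flow; afterwards the IP rules block the legitimate app1 -> db1 flow and allow web1 -> db1 (which should be denied), while the label policy still returns the intended answers.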