Using Zero Trust Networking in Cloud Migrations
Moving workloads to the cloud has many benefits, and one that is often overlooked is the opportunity to modernize your network.
In a traditional “perimeter-based” architecture, users and devices are authenticated and authorized on a device-by-device basis when connecting remotely via VPN.
The perimeter approach to securing access worked reasonably well when the majority of data was kept within company walls and accessed by a few employees, but, as the past few years have shown us, workers are increasingly remote, probably using their own devices, and most definitely increasing their thirst for data and cloud-based services.
Something’s gotta give!
The Zero Trust security framework (or architecture) allows you to protect your data without burdening your users with excessive authentication and authorization processes. As companies accelerate their cloud migrations today, mature organizations are seizing the opportunity to holistically rethink how they secure their data and applications. The perimeter network model is often the last to go, but consider this:
Limit your Blast Radius
Network and account segmentation reduces the attack surface for workloads in the cloud.
In our data centers, or “on premises”, network segmentation often meant that we would have one production environment and host all of our applications there. One breach though, and an attacker could often move laterally from one production app to another. In the cloud, we can cheaply (read: free) segment each production application into its own network, and make the only interface to data via secure APIs.
Sure, this requires planning and configuration to be properly implemented, but a cloud migration initiative is the perfect time to do this: you have the skills and resources spun up already, and often the desire to improve the status quo.
Your Identities are the Perimeter!
With data securely stowed away behind your application layer, the path to access that data is secured via authentication and authorization (IAA). As technology has evolved, so have our behaviors and expectations.
Nowadays, we benefit from the more secure multi-factor authentication (MFA) in a variety of applications, from Gmail and Microsoft 365 to Facebook and more. Users are so accustomed to this in their personal computing that introducing MFA into corporate settings is no longer a change management problem.
In addition to MFA, modern cloud IAA systems allow you to configure conditional access policies, which add layers of security for sensitive data by requiring additional credentials from users.
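As an added example (not code from the original post or from Tidal), here is what such a conditional access policy looks like when expressed as Terraform using the azuread provider: a single sensitive application gets an extra gate of MFA plus a compliant device, while everything else keeps its normal sign-in. The application (client) ID and the excluded group ID are placeholders, and the policy is created in report-only state so its effect can be observed in sign-in logs before it is enforced.

```hcl
# Added example, not from the original post. Assumes the azuread Terraform
# provider; the application ID and group ID below are placeholders.
resource "azuread_conditional_access_policy" "sensitive_app_mfa" {
  display_name = "Require MFA and a compliant device for the finance app"
  # Report-only first so the impact shows up in sign-in logs; switch to
  # "enabled" once the affected users and devices look right.
  state = "enabledForReportingButNotEnforced"

  conditions {
    client_app_types = ["all"]

    applications {
      # Placeholder: application (client) ID of the sensitive app only.
      # Everything not listed here is untouched by this policy.
      included_applications = ["00000000-0000-0000-0000-000000000000"]
    }

    users {
      included_users = ["All"]
      # Placeholder: a break-glass admin group is excluded so a policy
      # mistake cannot lock every administrator out of the tenant.
      excluded_groups = ["11111111-1111-1111-1111-111111111111"]
    }
  }

  grant_controls {
    # "AND": the sign-in must satisfy every listed control, not just one.
    operator          = "AND"
    built_in_controls = ["mfa", "compliantDevice"]
  }
}
```

The design point is the scope: the extra friction is attached to the sensitive application, not to every sign-in, which is how Zero Trust adds security without burdening users everywhere.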
More secure, and more predictable migration timelines.
With a Zero Trust approach to your cloud architecture, if a threat actor gains access to one instance of a workload, they are far less likely to then be able to “pivot” or move laterally through the network.
Using zero trust networking can help you deal with the complexity of migrating workloads to the cloud, making your migration initiative faster and more predictable. One of the ways this is achieved is by employing templates and modules of infrastructure code, such as Terraform, and being able to stamp out additional environments more quickly and repeatedly, without having to worry about IP planning, network peering, firewall rules and other traditional networking concerns.
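To make both points concrete (the per-application segmentation from the “Limit your Blast Radius” section and the stamping-out of environments from a template described above), here is an added Terraform example that is not code from the original post or from Tidal. It is two files shown in one listing: a small module that builds an isolated VPC for one application whose only way in is its API port, and a root configuration that instantiates the module once per application. The module path, AWS region, application names, CIDR ranges and approved client range are all assumptions for illustration.

```hcl
# Added example, not code from the original post or from Tidal. Two files
# are shown in one listing; the module path, region, app names, CIDRs and
# client range are assumptions for illustration.

# ---------- modules/app_network/main.tf ----------
variable "app_name" {
  type = string
}

variable "cidr_block" {
  type = string
}

variable "api_port" {
  type    = number
  default = 443
}

variable "allowed_client_cidrs" {
  type = list(string)
}

# One VPC per application: no shared "production" network, and
# deliberately no peering to any other application's VPC.
resource "aws_vpc" "this" {
  cidr_block = var.cidr_block
  tags       = { Name = "${var.app_name}-vpc" }
}

resource "aws_subnet" "app" {
  vpc_id     = aws_vpc.this.id
  cidr_block = cidrsubnet(var.cidr_block, 8, 0)
  tags       = { Name = "${var.app_name}-app" }
}

# API security group: only the API port, only from approved client ranges.
resource "aws_security_group" "api" {
  name   = "${var.app_name}-api"
  vpc_id = aws_vpc.this.id

  ingress {
    from_port   = var.api_port
    to_port     = var.api_port
    protocol    = "tcp"
    cidr_blocks = var.allowed_client_cidrs
  }

  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

# Data security group: reachable only from the API security group, never
# from a CIDR range, so the API is the sole path to the data.
resource "aws_security_group" "data" {
  name   = "${var.app_name}-data"
  vpc_id = aws_vpc.this.id

  ingress {
    from_port       = 5432 # assumed: a PostgreSQL-style data store
    to_port         = 5432
    protocol        = "tcp"
    security_groups = [aws_security_group.api.id]
  }
}

# ---------- main.tf (root) ----------
provider "aws" {
  region = "us-east-1" # assumption
}

# Stamp out one isolated network per production application from the same
# template; adding an application is one more map entry.
locals {
  apps = {
    billing   = { cidr = "10.10.0.0/16" }
    inventory = { cidr = "10.20.0.0/16" }
  }
}

module "app_network" {
  for_each = local.apps
  source   = "./modules/app_network"

  app_name             = each.key
  cidr_block           = each.value.cidr
  allowed_client_cidrs = ["203.0.113.0/24"] # constructed: approved client range
}
```

Running `terraform plan` against this shows two VPCs with nothing connecting them: a foothold in the billing workload has no route to the inventory data store, and inside each VPC the data security group accepts traffic only from the API security group. Because the VPCs are never peered, their CIDR ranges do not have to be coordinated with each other, which is exactly the IP-planning and peering work the post says you stop doing.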
Zero trust’s approach to networking aims to secure applications by assuming that attackers may have already breached other parts of your systems. It requires you to think about cloud as a different paradigm, and avoid re-creating your on-premises network topologies in the first place.
Reach out if you have stories about how pivoting from hub-and-spoke only networking in the cloud to isolated VPCs and VNETs has improved your performance or opsec. I’d love to hear.
David Colebatch is the Chief Migration Hacker at Tidal. Connect on Twitter at @dcolebatch or follow on LinkedIn.