Written by Chris Steffen on September 24, 2018
Maintaining Consistent Security When Moving to the Cloud
The inability to deliver consistent secure access can limit an organization’s adoption of cloud, but security shouldn’t get in the way. Find out why.
There are plenty of purpose-built security solutions that work for the cloud. But often, these security solutions only work in the cloud. At the same time, there are security solutions that only work on-premises or have been pieced together to work in the cloud. The result? Inconsistent security across both on-premises and cloud environments and separate ways of managing polices and permissions for these different workloads.
That's where the problem lies – it is complicated, difficult, expensive, and dangerous to migrate to the cloud. For many organizations, however, cloud adoption can make a huge difference in efficiency and capabilities.
As an example, let’s look at a securities regulatory organization that analyzes massive volumes of financial data across multiple markets to detect potential fraud, overseeing up to 75 billion market transactions every day. It decided that it wanted to migrate to AWS, but without a secure access solution and a way to easily demonstrate compliance, the cloud wasn’t an option.
Overcoming Traditional Network Security Limitations
Often, like with the securities regulatory organization, a proven and consistent secure access solution is needed in order to get buy in from the business to migrate some services to the cloud.
But traditional network security doesn’t support this: it was developed to secure a perimeter-based world. Employees were at the office, working in in a single network. Today’s world is perimeterless - users are everywhere and apps must be secured on any platform, in any location, meaning that security must translate from on-premises to the cloud and everywhere in between.
Yet as more workloads migrate to the cloud, it is time consuming to create new security groups or add resources to existing ones. Cloud security groups also lack the contextual control needed to protect critical systems.
However, delivering consistent access doesn’t need to be hard or resource-intensive. Whether in the cloud or an on-premises environment, users are dynamic, and security needs to adapt based on what users are doing, where they are doing it, and when. By applying dynamic and context-sensitive access policies on the users, organizations benefit from consistent, automated security.
One way of implementing this strategy is to apply Zero-Trust with a Software-Defined Perimeter. It dynamically creates one-to-one network connections between a user and the resources they access. It is rooted in zero-trust by applying the principle of least privilege where access rights are limited for users to the bare minimum permissions they need to perform their work. SDP is designed around user identity, not an IP address, to build a multi-dimensional profile of a user or device to review and authorize users before granting access.
By enforcing dynamic and context sensitive policies with a SDP, organizations can move to the cloud with consistent security policies across all environments.
Let’s revisit the securities regulatory organization. After investigating a variety of security options, it chose to work with Cyxtera AppGate SDP. Already a successful on-premises customer, the organization used Cyxtera to help with its migration to AWS.
By adopting Cyxtera’s Software-Defined Perimeter, the organization is able to ensure that all endpoints attempting to access a given resource (whether in the cloud or on-premises) are authenticated and authorized prior to accessing any resources on the network. All unauthorized network resources are made inaccessible. This not only applies the principle of least privilege to the network, it also reduces the attack surface area by hiding network resources from unauthorized or unauthenticated users.
Using AppGate SDP, the organization gained an identity-centric, highly granular access control solution. Every user obtains a dynamically adjusted network perimeter that’s individualized based on their specific requirements and entitlements. This ensures that the context of the user and the device is evaluated before AppGate SDP provides network access to the user-authenticated instances and services in the AWS environment.
Learn more about how AppGate