Beyond Native Cloud Security Controls

Ratinder Ahuja

August 28, 2019

One thing you tend to get with a move to the cloud is a flat network. You have a virtual network perimeter, but inside the network, you’ve got no points of control unless you put them there by hand. If you logically group your workloads along the lines of an old-school tiered architecture, you can put in virtual appliances such as next-gen firewalls, but you have to do this manually and it’s not a setup that really delivers on your need to scale workloads dynamically. At the end of the day, this means security remains a drag on the business and no one wants to be “the guy” who slows things down.

This was all spelled out in a great article that recently appeared on In the article, Dave Shackleford spelled out his laundry list of what’s wrong with a non-cloud approach to securing cloud infrastructure:

  1. Flat networks abound
  2. No native monitoring of east-west traffic
  3. Limited routing control
  4. Network access control is often primitive
  5. Inline intrusion detection is difficult to implement
  6. Content-based inspection capabilities are scarce

He goes on to point out that it’s possible to remedy some of these ills using some of the native capabilities in cloud environments, such as security groups in AWS and network security groups in Azure. While I agree that it’s possible to tighten up a network this way, there are some important ways in which this approach falls short when even mildly stressed. The primary issue is complexity—lots of workloads and lots of interconnections among them—and this has to be countered with automation. You simply must have automation to handle the process of configuring the microsegments that connect all the workloads on your network.

Bottom line: you need to get the logic of your security controls expressed directly in the interconnections of your network architecture. Again, you could in theory do this by hand using the tools I’ve mentioned, but if your infrastructure is of any size or complexity at all, you really need the next level of tools to automate this. Not only that, but you need these tools to dynamically follow the changes in server workloads on your network on an ongoing basis and readjust policies and microsegments on the fly.

As ShieldX is deployed, it automatically creates a summary of your workload assets and then uses a machine learning algorithm to discern what kinds of processes are running on each workload. If your organization uses containers and has developed a discipline of tagging your workloads, these tags are used to directly and automatically deploy policies to govern the microsegmentation of your network. Otherwise, the grouped workloads are presented to you in a user interface that makes it easy to express policies for each kind of workload.

From all of this, logical tiers are created and dynamically updated so that the tiers continue to govern communications among workloads as workloads scale up or down within various tiers. This elastic tiering is unlike anything offered by any other vendor and—another unique characteristic—this is done without the need to deploy agent software onto each workload.
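The tag-driven, elastic tiering described above, as an added illustration that is not ShieldX code and does not describe its implementation: a tier policy is expanded into concrete east-west allow rules from workload tags, and re-expanded when a workload is added. The workload records, tag name, addresses and ports are constructed for the example.

```python
"""Expand a tag-driven tier policy into concrete east-west allow rules."""
from collections import defaultdict

# Constructed sample inventory: each discovered workload carries a 'tier' tag
# (hypothetical tag name) set by the team that owns the workload.
WORKLOADS = [
    {"id": "web-1", "ip": "10.0.1.10", "tags": {"tier": "web"}},
    {"id": "web-2", "ip": "10.0.1.11", "tags": {"tier": "web"}},
    {"id": "app-1", "ip": "10.0.2.10", "tags": {"tier": "app"}},
    {"id": "db-1",  "ip": "10.0.3.10", "tags": {"tier": "db"}},
]

# Tier policy: (source tier, destination tier) -> allowed TCP ports.
# Any flow not listed here is denied, so east-west traffic is explicit
# rather than implicit in a flat network.
TIER_POLICY = {
    ("web", "app"): {8080},
    ("app", "db"): {5432},
}

def group_by_tier(workloads):
    """Group workloads by their 'tier' tag; untagged ones get no tier."""
    tiers = defaultdict(list)
    for w in workloads:
        tiers[w["tags"].get("tier", "untagged")].append(w)
    return tiers

def generate_rules(workloads, policy=TIER_POLICY):
    """Return the set of (src_ip, dst_ip, port) tuples the policy allows.

    Re-running this after a scale event regenerates the rule set without
    touching the tier policy itself."""
    tiers = group_by_tier(workloads)
    rules = set()
    for (src_tier, dst_tier), ports in policy.items():
        for src in tiers.get(src_tier, []):
            for dst in tiers.get(dst_tier, []):
                for port in ports:
                    rules.add((src["ip"], dst["ip"], port))
    return rules

def is_allowed(rules, src_ip, dst_ip, port):
    """Check a single flow against the generated rule set (default deny)."""
    return (src_ip, dst_ip, port) in rules

def untagged(workloads):
    """Workloads with no tier tag: they receive no rules until grouped by hand."""
    return [w["id"] for w in workloads if "tier" not in w["tags"]]
```

Adding a second app-tier workload to `WORKLOADS` and calling `generate_rules` again yields the web-to-app and app-to-db rules for it automatically, while a direct web-to-db flow stays denied.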

Why does it matter whether software agents are used? For one thing, in legacy situations it sometimes just isn’t possible. Perhaps more importantly, this runs counter to the very idea of containerization, where you want one service or function encapsulated per container (and adding an agent to each container often isn’t possible even if you don’t care about the aesthetics of it). Either way, you wind up with a microsegmentation capability that leaves critical workloads out of the equation.

ShieldX doesn’t use agents. It also doesn’t rely on the manipulation of ACLs, the problem being that ACLs are an inherently IP-address-centric approach. More agile microsegmentation is possible using approaches such as Cisco Underlay Networks and Azure User-Defined Routes.

To conclude, the ideal multi-cloud solution would:

  • Automate continuous discovery of assets.
  • Autogenerate security policy.
  • Auto deploy controls to fulfill dictated policies.

Without this level of automation, security teams continue to exist in a perpetual hamster wheel. The cloud—along with cloud native solutions—brings the promise of automation and economics that traditional vendors have failed to leverage. In the old days, IT teams manually managed networks but eventually migrated to SDN. Now, with ShieldX, security can enjoy the same level of agility.