New Amazon VPC Ingress Routing—What Does it Mean for Security?

We welcome the introduction of Amazon Virtual Private Cloud (Amazon VPC) Ingress Routing, a new capability from Amazon Web Services (AWS) designed to let companies like ShieldX simplify the integration of security appliances that monitor and block network traffic. It removes the need to apply special routes and avoids giving up details such as public IP address routing between subnets. (For more, see Amazon's blog post.)

One of the biggest questions facing every senior security professional is figuring out how to secure enterprise networks as they fundamentally change over time. This requires a level of flexibility and scale heretofore unknown in the security industry. Traditional appliance-based solutions were built monolithically and are not well suited to cloud architectures. And new cloud friendly products do not provide the depth of security required to protect environments from the variety of attacks typically deployed.

As noted recently in CSO Online:

Contrary to what many might think, the main responsibility for protecting corporate data in the cloud lies not with the service provider but with the cloud customer. “We are in a cloud security transition period in which focus is shifting from the provider to the customer,” Heiser says. “Enterprises are learning that huge amounts of time spent trying to figure out if any particular cloud service provider is ‘secure’ or not has virtually no payback.”

Eventually, security professionals will find themselves asking:

  • How did we become totally marginalized as the businesses just went around us and built whatever they wanted directly in the cloud?
  • What does security entail in this new cloud architecture and can I secure critical assets as they move to the cloud?
  • Can I achieve the agility promised by the cloud, while ensuring proper visibility and control over the digital assets?
  • How do you automate enforcement of security policy as apps change without human intervention?
  • Do any of my traditional security tools provide value in the new cloud environment?
  • How can I enforce scalable and flexible access control in virtualized and cloud deployments (microsegmentation)?

Amazon VPC Ingress Routing: What does it mean?

With AWS’s new announcement, the CISO’s job just got a whole lot easier. Moving to the cloud means you can easily cover the two major traffic concerns that inhibit public cloud adoption for data centers. How?

Amazon VPC Ingress Routing is a capability that helps customers simplify the integration of network and security appliances into their network topology. With it, customers can define routing rules at the Internet Gateway (IGW) and Virtual Private Gateway (VGW) that redirect ingress traffic to a third-party appliance before it reaches its final destination. This makes it easier to deploy production-grade applications in an Amazon VPC together with the networking and security services they require.
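As an added illustration (not code from ShieldX or AWS), the following Terraform fragment shows what the ingress-routing rule above looks like in practice: a route table associated with the IGW sends internet traffic destined for an application subnet to a security appliance's ENI, and the application subnet's own route table sends replies back through the same ENI so the appliance sees both directions. All IDs and CIDRs are constructed placeholders.

```hcl
# Added example, not from the original post. IDs and CIDRs are placeholders.
variable "vpc_id"          { default = "vpc-PLACEHOLDER" }
variable "igw_id"          { default = "igw-PLACEHOLDER" }
variable "appliance_eni"   { default = "eni-PLACEHOLDER" }  # appliance data-plane ENI
variable "app_subnet_id"   { default = "subnet-PLACEHOLDER" }
variable "app_subnet_cidr" { default = "10.0.1.0/24" }

# 1. Gateway route table: the ingress-routing piece. Traffic arriving from the
#    internet for the application subnet is handed to the appliance ENI first.
resource "aws_route_table" "igw_ingress" {
  vpc_id = var.vpc_id

  route {
    cidr_block           = var.app_subnet_cidr
    network_interface_id = var.appliance_eni
  }
}

resource "aws_route_table_association" "igw" {
  gateway_id     = var.igw_id
  route_table_id = aws_route_table.igw_ingress.id
}

# 2. Application subnet route table: default route points back at the appliance
#    so return traffic takes the same path (a stateful appliance needs symmetry).
resource "aws_route_table" "app_subnet" {
  vpc_id = var.vpc_id

  route {
    cidr_block           = "0.0.0.0/0"
    network_interface_id = var.appliance_eni
  }
}

resource "aws_route_table_association" "app" {
  subnet_id      = var.app_subnet_id
  route_table_id = aws_route_table.app_subnet.id
}
```

The appliance's subnet keeps its ordinary 0.0.0.0/0 route to the IGW, and the appliance instance must have source/destination checking disabled (`source_dest_check = false`) or it will drop forwarded packets.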

With ShieldX, enterprises can protect East/West traffic flows. As workloads move to the cloud, most enterprise traffic has become East/West traffic. Analysts report that East/West traffic (traffic within a data center and between data centers) represents nearly 85 percent of total traffic flow. This is a gigantic blind spot in which basic visibility, compliance and enforcement become impossible.

With ShieldX, users can overcome significant management and security challenges by adopting a full range of security controls that let them view traffic, identify anomalies and block attacks traversing both North/South and East/West paths, all from a single management console.

Here’s a video overview illustrating how ShieldX works to secure AWS.

So, today's news from AWS should be widely welcomed by the broad security community. We can finally embrace cloud security and economics at once.