Building a network in the cloud is different from building a traditional network on premises. On premises, the enterprise controls every network layer, down to the physical switches. In the cloud, the customer has no access to the switch layer or the hypervisor, and every control it can touch is software-defined.
While enterprises might not miss hardware-centric network platforms, they have to make use of the tools available from cloud providers, which may not be what they're used to.
Several options exist for building a defense-in-depth network in the cloud, but they will require different tools and services. Some vendors have no product that runs in the cloud at all. And inline network equipment in the classic sense, a physical tap or an appliance sitting on the wire, is largely off the table, because the enterprise has no control over the hypervisor or the underlying fabric; inspection has to be inserted through routing instead.
What network components change in the cloud?
The simple answer: almost all of them, because the components are software-defined and because many security vendors have not yet ported their products to cloud environments.
Other key changes include:
- Large, flat networks. Cloud subnets are flat by default: any two instances in the same VPC or virtual network can reach each other unless security groups, network ACLs or route tables are configured to stop them.
- No native east-west traffic inspection. Inspecting traffic between workloads requires either routing changes that steer traffic through an inspection point or host-based agents. Services such as VPC Flow Logs do record connection metadata (source, destination, ports, protocol, bytes, accept or reject) within and between segments, but they capture no payload, so they support detection and forensics rather than inline inspection.
- Limited routing control. Provider route tables are simple: static destination-to-target entries with little of the policy flexibility of an enterprise router, for either internal or public routing, although BGP is now supported for some connections in some cloud environments.
- Simple, native firewalls and network access controls. Most native filters operate at layers 3 and 4 only, and some are not stateful at all. AWS network ACLs, applied at the subnet boundary, are the classic example: they evaluate each packet on its own, so return traffic must be allowed explicitly, typically with an outbound rule covering the ephemeral port range.
- Traffic capture and inline intrusion detection. Neither is easy to implement, although tools such as Azure Network Watcher, which can capture packets from a VM's network interface, show how providers are starting to expose software-defined traffic to customers.
- Content-based inspection. Malware sandboxing and network DLP tools are scarce today, although the vendor products in this market are starting to improve.
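As an added example (not code from the article or from AWS), the following Python model makes the statefulness point above concrete: a stateful security group admits the reply to a connection it has already accepted, while a stateless network ACL evaluates that reply as a fresh packet and drops it unless an outbound rule covers the ephemeral port range. The rule and packet structures, the ephemeral range, the client port and the HTTPS session are constructed for illustration and simplify real AWS semantics (no CIDRs, rule numbers or ICMP fields).

```python
"""Stateful security group vs. stateless network ACL, modeled in plain Python.

Added illustration, not AWS code. Rules, packets and the ephemeral range are
constructed assumptions; real network ACLs also carry rule numbers, CIDRs and
ICMP type/code fields that this model omits.
"""
from dataclasses import dataclass

EPHEMERAL = (1024, 65535)   # assumed client source-port range for return traffic


@dataclass(frozen=True)
class Rule:
    direction: str          # "in" (into the subnet/instance) or "out"
    proto: str              # "tcp" or "udp"
    ports: tuple            # inclusive (low, high) destination-port range
    action: str = "allow"   # network ACLs also support "deny"; security groups are allow-only


@dataclass(frozen=True)
class Packet:
    direction: str
    proto: str
    src_port: int
    dst_port: int


def _matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.direction == pkt.direction
            and rule.proto == pkt.proto
            and rule.ports[0] <= pkt.dst_port <= rule.ports[1])


class StatelessACL:
    """Every packet is judged on its own: first matching rule wins, else deny.

    This mirrors an AWS network ACL, which keeps no connection table.
    """

    def __init__(self, rules):
        self.rules = list(rules)

    def allows(self, pkt: Packet) -> bool:
        for rule in self.rules:
            if _matches(rule, pkt):
                return rule.action == "allow"
        return False            # implicit final deny


class StatefulSecurityGroup:
    """Allow-only rules plus a connection table, like an AWS security group.

    Once a packet is admitted, the reverse direction of that flow is admitted
    without consulting the rules.
    """

    def __init__(self, rules):
        self.rules = list(rules)
        self.flows = set()      # (proto, direction, src_port, dst_port)

    def allows(self, pkt: Packet) -> bool:
        opposite = "out" if pkt.direction == "in" else "in"
        # Key of the forward packet this one would be replying to.
        forward_key = (pkt.proto, opposite, pkt.dst_port, pkt.src_port)
        if forward_key in self.flows:
            return True
        if any(_matches(rule, pkt) for rule in self.rules):
            self.flows.add((pkt.proto, pkt.direction, pkt.src_port, pkt.dst_port))
            return True
        return False


def https_session_outcome(control) -> tuple:
    """Send a client SYN to port 443 and the server's SYN/ACK back through `control`.

    Returns (syn_allowed, reply_allowed). Client source port 50000 is an
    assumed ephemeral port.
    """
    syn = Packet("in", "tcp", src_port=50000, dst_port=443)
    syn_ack = Packet("out", "tcp", src_port=443, dst_port=50000)
    syn_ok = control.allows(syn)
    reply_ok = control.allows(syn_ack) if syn_ok else False
    return syn_ok, reply_ok


WEB_IN = Rule("in", "tcp", (443, 443))
EPHEMERAL_OUT = Rule("out", "tcp", EPHEMERAL)

# One inbound rule is enough for a security group: the reply rides the flow table.
security_group = StatefulSecurityGroup([WEB_IN])
# The same single rule on a network ACL breaks the handshake: the SYN/ACK is dropped.
nacl_missing_reply_rule = StatelessACL([WEB_IN])
# A working network ACL needs the explicit outbound ephemeral-port rule.
nacl_with_reply_rule = StatelessACL([WEB_IN, EPHEMERAL_OUT])

if __name__ == "__main__":
    for name, control in [("security group", security_group),
                          ("NACL without ephemeral rule", nacl_missing_reply_rule),
                          ("NACL with ephemeral rule", nacl_with_reply_rule)]:
        print(f"{name}: SYN/reply allowed = {https_session_outcome(control)}")
```

The practical check this encodes: when a cloud subnet accepts connections but clients hang after the handshake, look for a network ACL with an inbound allow and no matching outbound ephemeral-port rule before suspecting the application.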
How to build a strong cloud network security strategy
An organization can take several steps toward a mature cloud network security strategy.
First, embrace cloud-native technologies like Security Groups in AWS and Network Security Groups in Azure. However, for anything beyond layer 3 and 4 filtering you will still need security tools from leading firewall and intrusion prevention vendors.
Most enterprises still require robust, enterprise-grade traffic control in the cloud, and this is usually done using a hybrid approach. As a starting point, let the cloud-native controls handle workload-to-workload access control -- thus managing east-west traffic -- while all traffic entering the various subnets from the internet or a data center passes through virtual appliances. Traffic that admins need to inspect more carefully can be steered within the cloud through these appliances by pointing the relevant route table entries at them.
Second, isolate environments in separate Virtual Private Clouds (VPCs) on AWS or Virtual Networks (VNets) on Azure, and peer them deliberately rather than by default. This supports the most isolated use cases, lets the enterprise build a dedicated VPC or VNet that hosts the security monitoring and controls all inter-network traffic must pass through, and gives finer-grained control over which segments can talk to one another.
Third, enable every flow log the provider offers, ship the logs to central storage such as a dedicated logging account or bucket, and use cloud-native services like AWS GuardDuty or third-party analytics platforms to baseline long-term traffic behavior and flag obvious attack attempts, such as internal port scans or connections involving known-bad addresses.
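The following Python, an added example rather than the article's or AWS's code, shows what the flow-log route just described yields for the east-west blind spot noted earlier: it parses records in the default VPC Flow Log format, folds the two directions of each session into one client/server pair, separates east-west from north-south traffic by VPC CIDR, and flags a source rejected on several distinct ports, the kind of obvious attempt a behavioral tool would surface. The log lines, account and interface identifiers, addresses, timestamps and the 10.0.0.0/16 CIDR are constructed for the example.

```python
"""Parse AWS VPC Flow Log records (default version-2 format) and pull out the
east-west and rejected traffic that a flat cloud network would otherwise hide.

Added illustration, not the article's or AWS's code. The log lines below are
constructed; the account ID, ENI ID and addresses are invented. The default
record layout is:
  version account-id interface-id srcaddr dstaddr srcport dstport protocol
  packets bytes start end action log-status
"""
from __future__ import annotations

import ipaddress
from collections import Counter, defaultdict
from dataclasses import dataclass

FIELDS = ("version", "account_id", "interface_id", "srcaddr", "dstaddr",
          "srcport", "dstport", "protocol", "packets", "bytes", "start", "end",
          "action", "log_status")

# Constructed sample: a DB session between two private subnets, one internal
# host probing a neighbor on three admin ports and being rejected, one inbound
# HTTPS flow from the internet, and a NODATA record that carries no addresses.
SAMPLE_LOG = """\
2 111122223333 eni-0a1b2c3d 10.0.1.10 10.0.2.20 49152 5432 6 12 2048 1700000000 1700000060 ACCEPT OK
2 111122223333 eni-0a1b2c3d 10.0.2.20 10.0.1.10 5432 49152 6 10 3072 1700000000 1700000060 ACCEPT OK
2 111122223333 eni-0a1b2c3d 10.0.3.7 10.0.1.10 40000 22 6 1 60 1700000010 1700000070 REJECT OK
2 111122223333 eni-0a1b2c3d 10.0.3.7 10.0.1.10 40001 3389 6 1 60 1700000010 1700000070 REJECT OK
2 111122223333 eni-0a1b2c3d 10.0.3.7 10.0.1.10 40002 445 6 1 60 1700000010 1700000070 REJECT OK
2 111122223333 eni-0a1b2c3d 198.51.100.23 10.0.1.10 51515 443 6 8 1200 1700000020 1700000080 ACCEPT OK
2 111122223333 eni-0a1b2c3d - - - - - - - 1700000020 1700000080 - NODATA
"""


@dataclass(frozen=True)
class FlowRecord:
    interface_id: str
    srcaddr: ipaddress.IPv4Address | ipaddress.IPv6Address
    dstaddr: ipaddress.IPv4Address | ipaddress.IPv6Address
    srcport: int
    dstport: int
    protocol: int       # IANA protocol number: 6 = TCP, 17 = UDP
    packets: int
    nbytes: int
    start: int          # epoch seconds of the aggregation window
    end: int
    action: str         # "ACCEPT" or "REJECT"


def parse_flow_log(text: str) -> list[FlowRecord]:
    """Parse default-format records; NODATA/SKIPDATA rows have no addresses and are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        if len(parts) != len(FIELDS):
            raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}: {line!r}")
        rec = dict(zip(FIELDS, parts))
        if rec["log_status"] != "OK":
            continue
        records.append(FlowRecord(
            interface_id=rec["interface_id"],
            srcaddr=ipaddress.ip_address(rec["srcaddr"]),
            dstaddr=ipaddress.ip_address(rec["dstaddr"]),
            srcport=int(rec["srcport"]), dstport=int(rec["dstport"]),
            protocol=int(rec["protocol"]), packets=int(rec["packets"]),
            nbytes=int(rec["bytes"]), start=int(rec["start"]), end=int(rec["end"]),
            action=rec["action"],
        ))
    return records


def service_tuple(rec: FlowRecord) -> tuple:
    """Heuristic: the endpoint with the lower port is the server.

    Flow logs emit each direction of a session as its own record; this folds
    both into one (client, server, service_port) key.
    """
    if rec.dstport <= rec.srcport:
        return str(rec.srcaddr), str(rec.dstaddr), rec.dstport
    return str(rec.dstaddr), str(rec.srcaddr), rec.srcport


def summarize(records, vpc_cidr: str, scan_threshold: int = 3) -> dict:
    """Split accepted flows into east-west (both ends inside vpc_cidr) and
    north-south, and flag sources rejected on at least scan_threshold distinct ports."""
    vpc = ipaddress.ip_network(vpc_cidr)
    east_west = Counter()           # (client, server, port) -> accepted records
    north_south = Counter()
    rejected = defaultdict(set)     # source address -> set of refused ports
    for rec in records:
        if rec.action == "REJECT":
            rejected[str(rec.srcaddr)].add(rec.dstport)
            continue
        inside = rec.srcaddr in vpc and rec.dstaddr in vpc
        (east_west if inside else north_south)[service_tuple(rec)] += 1
    scan_suspects = sorted(src for src, ports in rejected.items()
                           if len(ports) >= scan_threshold)
    return {"east_west": east_west, "north_south": north_south,
            "rejected_ports": {src: sorted(p) for src, p in rejected.items()},
            "scan_suspects": scan_suspects}


if __name__ == "__main__":
    report = summarize(parse_flow_log(SAMPLE_LOG), "10.0.0.0/16")
    for key, value in report.items():
        print(f"{key}: {dict(value) if isinstance(value, Counter) else value}")
```

Two caveats carry over to real data: a single record is an aggregation window, not a packet, so the same session reappears once per window, and the lower-port heuristic misfires for peer-to-peer or high-port services, which is why the rejected-port view keys on the source address alone.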
As a final consideration, look into hybrid tools for microsegmentation and zero-trust access control models that may work both in the cloud and within your own data center. This approach focuses on application behavior and system affinity and is likely to grow in importance over time. A number of vendors offer products that can do this.