According to Gartner, through 2022, 95% of cloud security failures will be the customer’s fault. Using the cloud securely on AWS means building a cloud security strategy that faces the challenges head on, with a full understanding of the shared responsibility model and its blind spots.
Securing Containers in AWS
One of the biggest issues when using AWS is securing the container network. This is due to the lack of context that the VPC has for any overlay network running on top. Amazon Security Groups can apply security policies to each cluster, but are unable to do this with individual pods, making this technology insufficient. When your business is attempting to troubleshoot or to gain better visibility into communications, insight will stop at the traffic between the hosts in the cluster rather than the pods resulting in security blind-spots.
As a result, you need two solutions to control your cloud hosted network. One handles your VM policies, while another governs your containers. As such, creating network policies for a single application that includes both containers and VMs requires using separate solutions.Your business now has two sets of controls to manage, with all the maintenance and administration that comes with it. This adds complexity and risk, when your move to the cloud was probably meant to make your infrastructure and security easier, not more complicated.
Lack of visibility in AWS
62% of IT decision makers at large enterprises believe that their on-premises security is stronger than their cloud security. On premises, these security experts feel that they have control over their IT environment and the data and communications within, and by moving to the cloud, they lose that control and visibility.
With smart micro-segmentation, this doesn’t have to be the case. Going further than AWS security groups, Guardicore Centra provides enhanced visibility, automatically discovering all applications and flows down to process level (Layer 7). It includes an AWS API that can pull orchestration data and labels to get valuable context for application mapping, and allows you to baseline your infrastructure in an intelligent and informed way, understanding how your applications behave and communicate, which in turn enables detecting and alerting on changes. As the Centra solution works across multiple cloud vendors, businesses can use it to gain visibility and apply policy controls across a heterogeneous environment without being tied to any one cloud vendor or infrastructure.
Application-Aware Policy Creation and Control
On premises, companies are used to being able to utilize NGFWs (Next-Gen Firewalls) to protect and segment applications. In the cloud, AWS doesn’t provide the same functionality. Segmenting applications can be done using AWS security groups in a restricted manner, only supporting controlling traffic down to Layer 4, ports and IPs. With Centra, you can benefit from application-aware security policies that work with dynamic AWS applications down to process level. Rather than manage two or more sets of controls, Centra works across any infrastructure, including multi-cloud and hybrid data centers or multiple IaaS providers, physical servers on premises, containers and microservices. As the policy follows the workload, enterprises can enjoy dynamic flexibility without compromising security.
One solution across all of these environments promotes an atmosphere of simplicity in your data centers, with smart labeling and grouping that provides one ‘single pane of glass’ view into the most complex of infrastructures. Your staff have easy navigation and insight into problems when they occur, and can define segmentation policy in a matter of minutes, rather than relying on trial and error.
Navigating the Blind Spots to Securely Benefit from AWS
Using AWS securely means understanding that it is your role as the customer to stay on top of securing customer data, as well as platform, application, identity and access management, and any OS, network or firewall configuration. Cloud users need to be prepared to go above and beyond to ensure that their workloads are safe, especially when working across multi or hybrid-cloud environments.
When implemented correctly, micro-segmentation offers a simple way to secure a hybrid environment, including solving the unique challenges of containers on AWS and providing the ability to create dynamic application policies down to process level. We believe the best solutions start with foundational visibility, automatically discovering all network flows and dependencies. This allows your business to take advantage of the latest technological advancements without increasing risk or complexity for your security teams.