Public cloud environments often contain dynamic workloads, with instances created and terminated frequently. As applications move to the cloud, it's crucial that they receive the same protection they would have in an on-premises data center. In data centers, identity (as it applies to security policy) is closely tied to static elements such as hostnames, subnets, and IP addresses.
However, the elastic nature of the public cloud can make static approaches challenging, potentially leading to business delays and increased security risks. Protecting workloads in the cloud requires dynamic policy constructs for workload identification, and for this, cloud native attributes and user-defined tags are effective tools.
Provider-generated attributes, such as OS type, VPC ID, subnet ID, and security group ID, offer deterministic ways to identify workloads. User-defined tags are particularly interesting because of their customizability, mature enforcement capabilities, and widespread adoption among customers. Both tags and attributes are key–value pairs associated with each cloud resource.
As user-defined tags have developed, security teams have sought ways to incorporate them into security policies. Some security solutions can use tags in security policies, but operationalizing tags in these solutions is challenging due to:
- Limited scalability
- Challenges in cross-account deployments
- Difficulties in supporting overlapping IP address space
1. Workload Discovery service
This Zscaler-managed service discovers workloads and the tags/attributes attached to AWS resources such as EC2 instances, VPCs, subnets, and ENIs in a customer's AWS account. Customers don't need to install any additional components in their AWS account.
The service discovers tags per AWS region and can be targeted to the regions where workloads are located. Permissions are configured via the Zscaler administration portal, enabling AWS accounts to be onboarded in minutes.
Once onboarded, all tags and their associated workloads in an account are discovered and ready to be used in Zscaler security policies. The service supports both pull and push modes for tag discovery.
Figure 1 shows the Workload Discovery service operating in Zscaler's AWS account, identifying the workloads in Acme Corp’s AWS account.
Figure 1: Workload Discovery service
2. Tag metadata propagation
Once identified, user-defined tags, attributes, and associated workload information are automatically transmitted to the Cloud Connectors linked with the corresponding AWS account. Cloud Connectors are lightweight virtual machines that act as traffic-forwarding gateways in customer VPCs/accounts. They securely tunnel egress traffic from workloads to the Zero Trust Exchange, where security policies are applied.
Customers can leverage both Zscaler Internet Access™ (ZIA™) and Zscaler Private Access™ (ZPA™) policies to protect workload communications with public applications on the internet or private applications in the same or different cloud/region. Zscaler provides and maintains the OS and software for these connectors.
Figure 2 shows how the Workload Discovery service propagates the tag and associated workload information to Cloud Connectors linked to Acme Corp’s AWS account. This metadata contains the IP address, the key–value pairs for user-defined tags and attributes, and other information needed to identify the workload.
Figure 2: Tag metadata propagation
3. Rules engine
Tag- or attribute-based security policies are incorporated into the Zero Trust Exchange platform’s rules engine. A new policy object has been introduced to group one or more tags or attributes together. Customers can combine them with logical Boolean operators to define a workload group and apply policies to that group.
As shown in figure 3, a user creates a workload group for API servers in a production environment with the expression (Tag-Name=App, Tag-Value=Api) AND (Tag-Name=environment, Tag-Value=production). The user can then configure security policies for this group. Note that AWS tag keys and values are case-sensitive, so the group definition must match the tagging convention used in the account exactly.
Figure 3: Creating a group of API servers in a production environment
Figure 4 demonstrates a user creating a policy to apply URL filtering to this group of API servers in the Zero Trust Exchange rules engine.
Figure 4: Zero Trust Exchange Rules Engine Extension
The rules engine supports advanced security policies for these groups, including SSL inspection, URL classification (by domain and path), data loss prevention, and firewall policies with AppID. These capabilities enable granular and consistent application of security policies in dynamic cloud environments.
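To make the grouping and the overlapping-IP point concrete, here is an added example, not Zscaler's code, of a minimal discovery step and rules-engine lookup. It normalises constructed ENI records (in the shape of the NetworkInterfaces[] entries returned by ec2:DescribeNetworkInterfaces) into workload objects, evaluates a Boolean tag/attribute expression over them, and keys workload identity on (account, region, ENI ID) rather than on IP address. The nested-tuple expression syntax, the merging of VPC and subnet tags with ENI tags taking precedence, and all resource IDs are assumptions of this example.

```python
from dataclasses import dataclass


@dataclass
class Workload:
    account_id: str
    region: str
    eni_id: str
    vpc_id: str
    subnet_id: str
    private_ip: str
    security_groups: frozenset
    tags: dict  # merged user-defined key/value pairs

    @property
    def identity(self):
        # A private IP is not unique across accounts with overlapping CIDRs,
        # so identity is keyed on account, region and ENI instead.
        return (self.account_id, self.region, self.eni_id)


# Constructed sample data (not real accounts) shaped like the NetworkInterfaces[]
# entries of ec2:DescribeNetworkInterfaces. Two accounts reuse 10.0.1.10 on purpose.
SAMPLE_ENIS = {
    ("111111111111", "us-east-1"): [
        {"NetworkInterfaceId": "eni-0a1", "VpcId": "vpc-0a", "SubnetId": "subnet-0a1",
         "PrivateIpAddress": "10.0.1.10", "Groups": [{"GroupId": "sg-0a1"}],
         "TagSet": [{"Key": "App", "Value": "Api"},
                    {"Key": "environment", "Value": "production"}]},
        {"NetworkInterfaceId": "eni-0a2", "VpcId": "vpc-0a", "SubnetId": "subnet-0a2",
         "PrivateIpAddress": "10.0.2.20", "Groups": [{"GroupId": "sg-0a2"}],
         "TagSet": [{"Key": "App", "Value": "Db"},
                    {"Key": "environment", "Value": "production"}]},
    ],
    ("222222222222", "us-east-1"): [
        {"NetworkInterfaceId": "eni-0b1", "VpcId": "vpc-0b", "SubnetId": "subnet-0b1",
         "PrivateIpAddress": "10.0.1.10", "Groups": [{"GroupId": "sg-0b1"}],
         "TagSet": [{"Key": "App", "Value": "Api"},
                    {"Key": "environment", "Value": "staging"}]},
    ],
}
# VPC- and subnet-level tags keyed by resource ID (constructed).
SAMPLE_VPC_TAGS = {"vpc-0a": {"CostCenter": "platform"}, "vpc-0b": {"CostCenter": "sandbox"}}
SAMPLE_SUBNET_TAGS = {"subnet-0a2": {"Tier": "data"}}


def discover(eni_records, vpc_tags, subnet_tags):
    """Normalise raw ENI records into Workload objects.

    Precedence is an assumption of this example: ENI tags override subnet tags,
    which override VPC tags, when the same key appears at several levels.
    """
    workloads = []
    for (account_id, region), enis in eni_records.items():
        for eni in enis:
            merged = dict(vpc_tags.get(eni["VpcId"], {}))
            merged.update(subnet_tags.get(eni["SubnetId"], {}))
            merged.update({t["Key"]: t["Value"] for t in eni.get("TagSet", [])})
            workloads.append(Workload(
                account_id=account_id, region=region,
                eni_id=eni["NetworkInterfaceId"], vpc_id=eni["VpcId"],
                subnet_id=eni["SubnetId"], private_ip=eni["PrivateIpAddress"],
                security_groups=frozenset(g["GroupId"] for g in eni.get("Groups", [])),
                tags=merged))
    return workloads


def matches(expr, w):
    """Evaluate a workload-group expression against one workload.

    Expressions are nested tuples: ("tag", key, value), ("attr", name, value),
    ("and", e1, e2, ...), ("or", e1, e2, ...), ("not", e).
    """
    op, *args = expr
    if op == "tag":
        key, value = args
        return w.tags.get(key) == value  # exact match: AWS tags are case-sensitive
    if op == "attr":
        name, value = args
        if name == "security_group":
            return value in w.security_groups
        return getattr(w, name) == value
    if op == "and":
        return all(matches(e, w) for e in args)
    if op == "or":
        return any(matches(e, w) for e in args)
    if op == "not":
        (inner,) = args
        return not matches(inner, w)
    raise ValueError(f"unknown operator {op!r}")


def resolve_group(expr, workloads):
    """Return the identities of every workload the group expression selects."""
    return [w.identity for w in workloads if matches(expr, w)]


def ip_is_ambiguous(workloads, ip):
    """True if more than one discovered workload carries the same private IP."""
    return sum(1 for w in workloads if w.private_ip == ip) > 1


# The group from figure 3: API servers in production.
PROD_API = ("and", ("tag", "App", "Api"), ("tag", "environment", "production"))

if __name__ == "__main__":
    ws = discover(SAMPLE_ENIS, SAMPLE_VPC_TAGS, SAMPLE_SUBNET_TAGS)
    print("prod API group:", resolve_group(PROD_API, ws))
    print("10.0.1.10 ambiguous across accounts:", ip_is_ambiguous(ws, "10.0.1.10"))
```

Running it selects only eni-0a1 in account 111111111111 for the production API group, even though account 222222222222 has an API server at the same private IP; a policy keyed on 10.0.1.10 alone could not tell the two apart, which is exactly why the metadata carries account and ENI context alongside the IP. A lookup with the key "app" instead of "App" matches nothing, illustrating the case-sensitivity caveat.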
A simpler alternative for managing security in cross-account deployments with overlapping IP addresses
Gateway Load Balancer (GWLB) VPC endpoints make it possible to direct workload traffic from a workload VPC to a central security VPC. Because the endpoints are built on AWS PrivateLink, this requires neither a transit gateway (TGW) nor VPC peering, and the workload and security VPCs can reside in the same or different AWS accounts.
This arrangement simplifies cloud deployments by centralizing egress traffic in a single security VPC, eliminating the need to configure a TGW attachment for each workload VPC. It can also reduce AWS data transfer charges. Moreover, GWLB VPC endpoints allow workload VPCs with overlapping IP address space to connect to the same central VPC.
Zscaler's tagging support addresses both situations: because workloads are identified by their tags and attributes rather than by IP address, tag/attribute-based policies apply correctly in cross-account architectures and where workload VPCs have overlapping IP address space. This ensures that the right policies are applied to the intended workloads.
Enhanced protection at cloud scale, offering both granularity and flexibility
1. Cloud native scale
Zscaler supports the maximum number of tags allowed by the cloud service provider, including individual resource-level tags as well as VPC and subnet tags. In situations where SecOps/DevOps teams cannot fully enforce tags, Zscaler supports the use of provider-generated attributes. These attributes (VPC ID, Subnet ID, Security Group, etc.) can also be used in security policies.
As cloud deployments evolve, many customers utilize a mix of (a) distributed and/or centralized security, (b) single- and/or multi-account architecture, and (c) unique and/or overlapping IP addressing. Zscaler's approach is compatible with all these combinations.
3. Advanced security capabilities
Tags can be used across the Zero Trust Exchange platform’s suite of services, including advanced security features such as:
- SSL inspection and URL filtering, with URL filtering supporting both domain- and path-based matching
- Advanced firewall policies to protect web and non-web traffic using network applications, network services, and destination domains, among others
- Comprehensive inspection with DLP, supporting Exact Data Match (EDM), Indexed Document Match (IDM), and Optical Character Recognition (OCR)
Securing workloads in the public cloud requires a scalable, adaptable solution that applies consistent policies based on workload identity. This latest addition to the Zscaler Workload Communications product suite allows you to apply security policies using cloud service provider tags and attributes. Natively integrated with the Zero Trust Exchange, this capability is available to all Zscaler customers without any need to deploy additional components.