Public cloud environments often contain dynamic workloads, with instances created and deprecated frequently. As applications transition to the cloud, it's crucial that they have the same protection as they would in an on-premises data center. In data centers, identity (as it applies to security policy) is closely linked to static elements like hostnames, subnets, and IP addresses.

However, the elastic nature of the public cloud can make static approaches challenging, potentially leading to business delays and increased security risks. Protecting workloads in the cloud requires dynamic policy constructs for workload identification, and for this, cloud native attributes and user-defined tags are effective tools.

Attributes offer deterministic methods for managing workloads, such as OS type, VPC ID, subnet ID, and security group ID. However, tags are particularly interesting due to their customizability, mature enforcement capabilities, and widespread usage among customers. These tags/attributes are key–value pairs associated with each cloud resource.

As user-defined tags have developed, security teams have sought ways to incorporate them into security policies. Some security solutions can use tags in security policies, but operationalizing tags in these solutions is challenging due to:

Limited scalability
Challenges in cross-account deployments
Difficulties in supporting overlapping IP address space

Announcing zero trust security for cloud workloads using cloud native tags and attributes

Zscaler Workload Communications is the modern approach to securing your cloud applications and workloads. With secure zero trust cloud connectivity for workloads, you can eliminate your network attack surface, stop lateral threat movement, avoid workload compromise, and prevent sensitive data loss. It uses the Zscaler Zero Trust Exchange™ platform to secure cloud workloads, enabling your organization to stop malicious access with explicit trust-based security that leverages identity, risk profiles, location, and behavioral analytics.

We’re pleased to announce support for AWS user-defined tags and attributes in security policies within the Zero Trust Exchange. Customers can apply security policies to cloud workloads using the tags and attributes associated with those workloads. There are three main components to the solution

1. Workload Discovery service

This Zscaler-managed service finds workloads and corresponding tags/attributes in an AWS account associated with AWS resources like VMs, VPC, Subnets, and ENI. Customers don't need to install any additional components in their AWS account.

The service discovers tags per AWS region and can be targeted to the regions where workloads are located. Permissions are configured via the Zscaler administration portal, enabling AWS accounts to be onboarded in minutes.

Once onboarded, all tags and their associated workloads in an account are discovered and ready to be used in Zscaler security policies. The service supports both pull and push modes for tag discovery.

Figure 1 shows the Workload Discovery service operating in Zscaler's AWS account, identifying the workloads in Acme Corp’s AWS account.

Figure 1: Workload Discovery service

2. Tag metadata propagation

Once identified, user-defined tags, attributes, and associated workload information is automatically transmitted to the Cloud Connectors linked with the corresponding AWS account. Cloud Connectors are lightweight virtual machines that act as traffic forwarding gateways in customer VPCs/accounts. They securely tunnel the egress traffic from workloads to the Zero Trust Exchange, where security policies are applied.

Customers can leverage both Zscaler Internet Access™ (ZIA™) and Zscaler Private Access™ (ZPA™) policies to protect workload communications with public applications on the internet or private applications in the same or different cloud/region. Zscaler provides and maintains the OS and software for these connectors.

Figure 2 shows how the Workload Discovery service propagates the tag and associated workload information to Cloud Connectors linked to Acme Corp’s AWS account. This metadata contains the IP address, the key–value pairs for user-defined tags and attributes, and other information needed to identify the workload.

Figure 2: Tag metadata propagation

3. Rules engine

Tags- or attributes-based security policies are incorporated into the Zero Trust Exchange platform’s rules engine. A new policy object has been introduced to group one or more tags or attributes together. Customers can now utilize logical Boolean operators to create a workload group and apply policies accordingly.

As shown in figure 3, a user creates a workload group for API servers in a production environment (Tag-Name=App, Tag-Value=Api) & (Tag-Name=environment, Tag-Value=production). This user can then configure security policies for this group.

Figure 3: Creating a group of API servers in a production environment

Figure 4 demonstrates a user creating a policy to apply URL filtering to this group of API servers in the Zero Trust Exchange rules engine.

Figure 4: Zero Trust Exchange Rules Engine Extension

This includes support for advanced security policies like SSL inspection, URL classification (for Domain and Path), data loss prevention, and firewall policies with AppID. These capabilities enable granular and consistent application of security policies in dynamic cloud environments

A simpler alternative for managing security in cross-account deployments with overlapping IP addresses

The gateway load balancer (GWLB) VPC endpoints offer the ability to direct workload traffic from a workload VPC to a central security VPC. This is achieved without the need for transit gateway (TGW) or VPC peering by using the AWS PrivateLink service. The workload and security VPCs can exist in the same or different AWS accounts.

This arrangement can simplify cloud deployments by centering egress traffic in a single security VPC, eliminating the need to configure TGW attachments for each workload VPC. It can also reduce the AWS data charges. Moreover, GWLB VPC endpoints enable workload VPCs with overlapping IP addresses to connect to the same central VPC.

Zscaler's tagging support can seamlessly address both of these situations. Customers can apply tag/attributes-based policies for cross-account architectures and overlapping IP address scenarios. This ensures that the right policies are applied to the intended workloads

Enhanced protection at cloud scale, offering both granularity and flexibility

1. Cloud native scale

Zscaler supports the maximum number of tags allowed by the cloud service provider, including individual resource-level tags as well as VPC and subnet tags. In situations where SecOps/DevOps teams cannot fully enforce tags, Zscaler supports the use of provider-generated attributes. These attributes (VPC ID, Subnet ID, Security Group, etc.) can also be used in security policies.

2. Flexibility

As cloud deployments evolve, many customers utilize a mix of (a) distributed and/or centralized security, (b) single- and/or multi-account architecture, and (c) unique and/or overlapping IP addressing. Zscaler's approach is compatible with all these combinations.

3. Advanced security capabilities

Tags can be used across the Zero Trust Exchange platform’s suite of services, including advanced security features such as:

SSL inspection and URL filtering, which supports both domain and path
Advanced firewall policies to protect web and non-web traffic using network applications, network services, and destination domains, among others
Comprehensive inspection with DLP, supporting Exact Data Match (EDM), Indexed Document Match (IDM), and Optical Character Recognition (OCR)

Securing workloads in the public cloud requires a scalable, adaptable solution that can apply consistent policies based on workload identity. This latest addition to Zscaler Workload Communications product suite allows you to apply security policies using cloud service provider tags and attributes. Natively integrated with the Zero Trust Exchange, this capability is available to all Zscaler customers, without any need to deploy additional components.

To find out more, visit our product webpage and watch the webinar.