What is Cloud Enclaving?
Cloud enclaving is a way of performing segmentation in the cloud to restrict access to internal applications and to prevent over-privileged access.
Let’s start with enclaving
Sometimes referred to as a network enclave or secure enclave, cloud enclaving is a way of providing workload protection without the complexity and security weakness of network segmentation. The enclave is separated from the rest of the network, with access defined by common security policies. The purpose of a secure enclave is to restrict internal access to critical computing devices through the use of firewalls, VPNs, virtual local area networks (VLANs), and network access controls.
Segmenting a network through a secure enclave helps establish a defense-in-depth security strategy by enforcing a principle of compartmentalization and least-privileged access at the network-service level.
Taken to the cloud
As organizations began moving their apps and data to the cloud, they also adopted the practice of enclaving. A cloud enclave utilizes a software-defined perimeter (SDP) security model to create a protected IaaS instance with which organizations can deploy role-based access control, trust assessment, certificate management, and additional security functions. A cloud enclave can also protect IaaS and SaaS applications from network-based cyberattacks, including self-propagating malware.
Similar to network segmentation…
If enclaving sounds a lot like network segmentation, that’s because it is. Network segmentation divides a network into multiple zones and applies security protocols to each zone to manage security and compliance. Typically, it involves segregating traffic between the network segments using VLANs, after which security is applied via firewalls to protect applications and data.
One of the differences between enclaving and network segmentation is the degree of segmentation you impose upon the network. Enclaves are more thoroughly segmented from the general network environment and often described as “enhanced network segmentation.”
In addition, cloud enclaving uses identity to achieve segmentation that is simpler for operations while being more secure than network segmentation. Cloud enclaving looks beyond network addresses to verify the secure identity of the communicating application software and workloads, whether in public or private clouds, hybrid clouds, on-premises data centers, or container environments.
Segmentation and enclaving protect against different types of attack scenarios. Network segmentation helps prevent external cyberattacks that cross broad zones or perimeters, while enclaving also helps to prevent lateral movement of threats. It not only minimizes insider threats by providing protection that is much closer to the workload itself, it also prevents the spread of outsider threats after the perimeter has been breached and the attacker has made landfall inside the environment.
Added security can add complexity
Segmentation and enclaving practices exist to increase network and data security in the face of an ever-increasing barrage of cyberattacks. Corporate networks are under attack as never before. Cybercriminal organizations target specific organizations or people within organizations and develop sophisticated attacks to evade security protocols. Therefore, organizations must continually adapt and strengthen their security efforts.
Many organizations adopt proactive security methods to prevent cyberattacks, trying to anticipate and fix any potential risks or vulnerabilities. In addition to stacks of security hardware in the data center or the deployment of security delivered as a service, organizations employ various techniques that reduce their risk, and such methods include network segmentation and enclaving.
A downside to implementing a network enclave environment is the added implementation and maintenance costs—access lists must remain current, traffic must be monitored, and more. And in today’s world of complicated networks distributed across multiple clouds and data centers, network segmentation isn’t much better.
Cloud enclaving, however, is more robust, more reliable, and far simpler to manage. You can protect a segment with just a few identity-based policies instead of hundreds of address-based rules.
Cloud enclaving creates secure segments, simply
Cloud enclaving is a way to isolate workloads from one another and secure them individually. It’s designed to enable granular partitioning of traffic for greater protection.
IT teams can tailor security settings to different traffic types, creating policies that limit network and application flows between workloads to those that are explicitly permitted. In this zero trust model, a company could, for example, set a policy stating that a business application such as Active Directory may talk only to other Active Directory application components, preventing unauthorized software from communicating with Active Directory and compromising it. And if a workload moves—for example, new instances of Active Directory servers are stood up or migrated from one environment to another—the security policies and attributes move with it.
By applying segmentation rules down to the workload or application, organizations can reduce the risk of an attacker moving from one compromised workload or application to another. Through the use of software-identity verification and by following a zero trust model, organizations are assured of the strongest level of protection for their workloads, independent of network changes.
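The two claims above (a few identity-based policies in place of hundreds of address-based rules, and policies that follow a workload when it moves) can be made concrete with a small policy evaluator. The following is an added example, not code from the original article or from any vendor product: it models workloads with identity labels, evaluates one default-deny identity rule ("Active Directory components may talk LDAP to other Active Directory components") beside the equivalent address-based ACL, then re-addresses a domain controller to show which model still permits the legitimate flow. The workload names, IP addresses, labels and the LDAP port choice are all constructed for the illustration.

```python
"""Identity-based (label) segmentation policy vs. an address-based ACL.

Constructed example: Active Directory domain controllers plus one unrelated
web tier, a single identity rule, and the address ACL it compiles to.
All names, IPs and labels are made up for illustration.
"""
from dataclasses import dataclass
from itertools import permutations


@dataclass(frozen=True)
class Workload:
    name: str
    ip: str
    labels: frozenset  # identity attributes such as {"app=active-directory"}


@dataclass(frozen=True)
class IdentityRule:
    src_labels: frozenset  # source must carry all of these labels
    dst_labels: frozenset  # destination must carry all of these labels
    port: int


def identity_allows(rules, src, dst, port):
    """Default-deny: a flow is permitted only if some rule's label sets are
    subsets of the source's and destination's labels on the given port."""
    return any(
        r.src_labels <= src.labels and r.dst_labels <= dst.labels and r.port == port
        for r in rules
    )


def address_allows(acl, src, dst, port):
    """Default-deny ACL keyed on (src_ip, dst_ip, port)."""
    return (src.ip, dst.ip, port) in acl


def expand_to_acl(rules, workloads):
    """Compile identity rules into the address ACL that enforces the same
    intent for the fleet as it is addressed right now."""
    acl = set()
    for src, dst in permutations(workloads, 2):
        for r in rules:
            if r.src_labels <= src.labels and r.dst_labels <= dst.labels:
                acl.add((src.ip, dst.ip, r.port))
    return acl


def move(workload, new_ip):
    """Re-address a workload (migration / redeployment); its labels travel with it."""
    return Workload(workload.name, new_ip, workload.labels)


AD = frozenset({"app=active-directory"})
LDAP = 389  # assumed port for the AD-to-AD flow in this example

# One identity rule expresses the whole policy: AD may talk LDAP to AD.
RULES = [IdentityRule(src_labels=AD, dst_labels=AD, port=LDAP)]


def build_fleet(n_dcs):
    """n domain controllers on one subnet plus one unrelated web workload."""
    dcs = [Workload(f"dc{i}", f"10.0.1.{10 + i}", AD) for i in range(n_dcs)]
    web = Workload("web1", "10.0.9.5", frozenset({"app=web"}))
    return dcs, web


def demo():
    """Evaluate the same flows under both models, before and after a move."""
    dcs, web = build_fleet(2)
    dc1, dc2 = dcs
    acl = expand_to_acl(RULES, dcs + [web])
    results = {
        # Both models permit the intended AD-to-AD flow.
        "dc_to_dc_identity": identity_allows(RULES, dc1, dc2, LDAP),
        "dc_to_dc_acl": address_allows(acl, dc1, dc2, LDAP),
        # Neither model lets an unrelated workload reach AD.
        "web_to_dc_identity": identity_allows(RULES, web, dc1, LDAP),
        "web_to_dc_acl": address_allows(acl, web, dc1, LDAP),
    }
    # Migrate dc2 to another subnet: the identity rule follows it, the ACL is stale.
    dc2_moved = move(dc2, "10.0.2.11")
    results["moved_identity"] = identity_allows(RULES, dc1, dc2_moved, LDAP)
    results["moved_acl"] = address_allows(acl, dc1, dc2_moved, LDAP)
    return results


def rule_counts(n_dcs):
    """(identity rules, address rules) needed for n domain controllers."""
    dcs, web = build_fleet(n_dcs)
    return len(RULES), len(expand_to_acl(RULES, dcs + [web]))


if __name__ == "__main__":
    for flow, allowed in demo().items():
        print(f"{flow:20} {'ALLOW' if allowed else 'DENY'}")
    print("identity rules vs address rules for 20 DCs:", rule_counts(20))
```

The address ACL denies the legitimate flow after the move until someone edits it, which is the maintenance burden the article describes; the identity rule needs no change. `rule_counts` also shows the growth the article alludes to: one label rule covers a fleet of 20 domain controllers, while the compiled ACL needs an entry for every ordered pair of them.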