Cloud Enclaving Definition
Cloud enclaving is a method of segmenting workloads in a cloud environment to prevent overprivileged access to an organization’s internal resources and to secure cloud infrastructure, apps, and sensitive data against self-propagating malware, data breaches, and other cyberattacks.
Cloud enclaves use a software-defined perimeter (SDP) to create protected infrastructure as a service (IaaS) in which organizations can deploy role-based access control, trust assessment, certificate management, and other essential cloud security functions.
Cloud enclaving is also called cloud workload segmentation or cloud microsegmentation.
What Is an Enclave?
An enclave is a portion of a network that’s separated from the rest of the network and governed by granular security policies. The purpose of a secure enclave is to enforce least-privileged access to critical resources as part of a defense-in-depth security strategy.
How Does Cloud Enclaving Differ from Traditional Cybersecurity?
Cloud enclaving is built to meet the needs of modern digital business in a way legacy security solutions aren’t. Let’s put this into historical context to understand why.
Years ago, when applications and data resided in an organization’s on-premises data center—and employees largely worked from those same premises—traditional perimeter-based network security offered a reasonable level of security. Today, globalization and hybrid work have pushed cloud computing to the fore, rendering older models ineffective.
In the cloud, a single organization’s different critical workloads can sit with multiple cloud service providers (e.g., Amazon Web Services [AWS], Microsoft Azure), and users access them over the internet. In practical terms, this means there’s no longer a “network perimeter,” which opens up many more avenues for possible attacks. Cloud enclaving counters this by making room for tailored security policies that limit traffic to and from specific workloads to only what’s explicitly permitted.
Network Segmentation vs. Cloud Enclaving
Network segmentation is best used for north-south traffic (between your environment and locations outside it), while cloud enclaving adds a layer of protection for east-west traffic (server-to-server, app-to-server, web-to-server, and so on inside your environment). Let’s look at both in a little more detail.
Compared to a perimeter-based model that only secures a network from the outside, network segmentation is a more nuanced approach. Namely, it divides a network into “subnets” and applies security and compliance protocols to each. Traffic between segments is typically separated using a VLAN before passing through a firewall.
Unfortunately, because this approach is based on IP addresses, it can only identify how a request arrived (i.e., its originating IP address, port, or protocol), not the context or identity of the entity making the request. Communications deemed safe are allowed, even if IT doesn’t know exactly what they are. Then, the entity is trusted once it’s inside a segment—even if it’s a malicious actor looking to move laterally inside the environment.
Network segmentation creates a “flat” network, leaving unprotected pathways that allow attackers to move laterally and compromise workloads in cloud and data center environments. Beyond that, the cost, complexity, and time required to manage network segmentation using legacy firewalls or virtual machines (VMs) tend to outweigh the security benefits.
Cloud enclaving—that is, cloud-based microsegmentation—enables more granular traffic control while minimizing an organization’s attack surface, achieving segmentation in a way that’s operationally simpler and more secure than network segmentation. It does this by looking beyond IP addresses, ports, and protocols to authenticate requests by identity and context. Furthermore, it delivers granular protection at the level of individual workloads to more effectively control communications between them.
Cloud enclaving not only minimizes insider threats by providing protection much closer to the workloads themselves, but also prevents the spread of outside threats after the perimeter has been breached.
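The contrast above between address-based rules and identity-based policies is easiest to see in a small policy engine. The following is an added example, not code from this page or from any vendor product; the workload names, addresses, rule sets and the hash-based "fingerprint" are all constructed for illustration. It evaluates the same four connection attempts under a legacy subnet rule and under an identity-based policy, showing that the subnet rule admits lateral movement from a neighbouring host and breaks when a workload is redeployed on a new address, while the identity policy does neither and also rejects a host whose software does not match its claimed identity.

```python
"""Toy policy engine contrasting IP-based segmentation rules with
identity-based microsegmentation policies (constructed example)."""
from dataclasses import dataclass
from typing import Optional
import hashlib
import ipaddress


@dataclass(frozen=True)
class Workload:
    name: str
    ip: str
    binary: bytes           # stand-in for the executable a fingerprint is taken from
    claimed_identity: str   # the identity the workload presents to the policy engine


def fingerprint(binary: bytes) -> str:
    """Constructed stand-in for workload fingerprinting: a hash of the executable."""
    return hashlib.sha256(binary).hexdigest()


# Trusted fingerprints registered at deployment (constructed sample data).
KNOWN_IDENTITIES = {
    "payments-api": fingerprint(b"payments-api v1.4"),
    "payments-db": fingerprint(b"postgres 15"),
    "web-frontend": fingerprint(b"nginx 1.25"),
}

# Legacy rule set: (source CIDR, destination CIDR, port).
IP_RULES = [
    ("10.0.1.0/24", "10.0.2.0/24", 5432),   # "app subnet may reach db subnet"
]

# Identity-based policy: (verified source identity, verified destination identity, port).
IDENTITY_POLICY = {
    ("payments-api", "payments-db", 5432),
}


def ip_rules_allow(src: Workload, dst: Workload, port: int) -> bool:
    """Legacy check: it knows where the packet came from, not what sent it."""
    s, d = ipaddress.ip_address(src.ip), ipaddress.ip_address(dst.ip)
    return any(
        s in ipaddress.ip_network(sc) and d in ipaddress.ip_network(dc) and port == p
        for sc, dc, p in IP_RULES
    )


def verified_identity(w: Workload) -> Optional[str]:
    """Return the workload's identity only if its fingerprint matches the registered one."""
    expected = KNOWN_IDENTITIES.get(w.claimed_identity)
    return w.claimed_identity if expected == fingerprint(w.binary) else None


def identity_policy_allows(src: Workload, dst: Workload, port: int) -> bool:
    """Microsegmentation check: both ends must verify and the pair must be explicitly permitted."""
    s, d = verified_identity(src), verified_identity(dst)
    if s is None or d is None:
        return False
    return (s, d, port) in IDENTITY_POLICY


def demo() -> dict:
    """Evaluate four constructed connection attempts under both models."""
    api = Workload("payments-api", "10.0.1.10", b"payments-api v1.4", "payments-api")
    db = Workload("payments-db", "10.0.2.20", b"postgres 15", "payments-db")
    # A compromised host in the same subnet as the API, attempting to reach the database.
    web = Workload("web-frontend", "10.0.1.11", b"nginx 1.25", "web-frontend")
    # The API redeployed on a new subnet: same software, different address.
    api_moved = Workload("payments-api", "10.0.3.50", b"payments-api v1.4", "payments-api")
    # A host on the API's old address claiming its identity but running different software.
    impostor = Workload("unknown", "10.0.1.10", b"something else", "payments-api")
    return {
        "legit/ip": ip_rules_allow(api, db, 5432),
        "legit/identity": identity_policy_allows(api, db, 5432),
        "lateral/ip": ip_rules_allow(web, db, 5432),
        "lateral/identity": identity_policy_allows(web, db, 5432),
        "moved/ip": ip_rules_allow(api_moved, db, 5432),
        "moved/identity": identity_policy_allows(api_moved, db, 5432),
        "impostor/ip": ip_rules_allow(impostor, db, 5432),
        "impostor/identity": identity_policy_allows(impostor, db, 5432),
    }


if __name__ == "__main__":
    for case, allowed in demo().items():
        print(f"{case:20s} {'ALLOW' if allowed else 'DENY'}")
```

The point of the hash-based fingerprint is only to stand in for whatever a real product uses to bind a workload to an identity; the structure of the decision is what matters: the identity policy never consults an address, so redeploying the workload changes nothing, and a neighbour on the same subnet gets no implicit trust from its position.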
What Are the Benefits of Cloud Enclaving?
Like network segmentation, cloud enclaving exists to strengthen network and data security in the face of a growing, evolving cyberthreat landscape. Organizations are under threat across regions and industries as cybercriminals develop ever-more sophisticated techniques to evade security measures. To keep up, organizations and their security need to adapt.
An effective cloud-based microsegmentation approach offers:
- Proactive network and IT security: Cloud enclaving creates application-aware policies that travel with all apps and services, containing potential data breaches to affected assets, not your entire environment. Some enclave services leverage automation to identify all communications, recommend zero trust policies, and let you apply these policies with one click.
- Reduced vulnerability: Instead of static controls that rely on IP addresses, ports, and protocols, your security team can fingerprint each workload to provide consistent protection while they operate in an internal data center or the cloud. Fingerprinting decouples workload security from IP address constructs, so you can avoid issues with IP-based controls.
- Continuous risk assessment: Cloud enclaves let you automatically measure your visible attack surface to quantify risk. The most effective enclave services verify an entity’s identity each time it makes a request, which further mitigates risk, supports regulatory compliance mandates, and provides intel for visualized risk reports.
- Easier policy management: Because cloud enclave policies apply to workloads rather than IP addresses, ports, protocols, or hardware, they remain intact even if your infrastructure changes. This means your security team can extend one set of controls anywhere and protect a segment with just a few identity-based policies instead of hundreds of address-based rules.
Is Cloud Enclaving a Best Practice?
Cloud enclaving addresses numerous cloud security use cases that traditional approaches simply weren’t built to support. Where network segmentation relies on coarse, management-intensive controls, microsegmentation applies controls to individual workloads, which then follow the workloads throughout your cloud environment. In our world of global hybrid workforces, distributed data, and increasingly clever attacks, cloud enclaving is an essential means of achieving:
Visibility Across Your Environment
Cloud enclaves offer greater context around which your security team can build policies based on application, environment, compliance, and more by focusing on identity instead of only point of origin. This enables your team to create more granular policies, in turn bolstering your security posture.
Protection Across Providers and Deployments
An effective microsegmentation approach secures your workloads consistently across cloud providers, freeing you up to create hybrid and multicloud environments that best suit your budget and deployment needs. Increased flexibility lets you more easily adopt containers, serverless computing, and more.
Reduced Capex and Opex Costs
Cloud enclaving will save both labor and resources in the long run. Rolling out, managing, and maintaining cloud-based microsegmentation is far less expensive, work-intensive, and time-consuming than doing so for firewalls and other hardware.
Zscaler and Cloud Enclaving
Zscaler Workload Segmentation™ (ZWS™) is a new way to create secure enclaves in the cloud. With one click, you can enhance security by allowing ZWS to reveal risk and apply identity-based protection to your workloads—without any changes to the network.
ZWS provides gap-free protection with policies that automatically adapt to environmental changes, eliminating your network attack surface. What’s more, Zscaler Workload Segmentation is API-driven, meaning it can integrate with existing security tools and DevOps processes, enabling one-click auto-segmentation.
Built on zero trust, Zscaler allows only verified workloads to communicate in your public, private, or hybrid cloud environment, mitigating risk and offering the highest level of data breach protection.
Zscaler Workload Segmentation includes:
Software Identity-Based Protection
ZWS looks beyond network addresses to verify the secure identity of the communicating application software and workloads in public or private clouds, hybrid clouds, on-premises data centers, or container environments.
Policy Automation Engine
ZWS uses machine learning to automate the entire policy life cycle for microsegmentation and workload protection. There’s no need to build policy manually during deployment or ongoing operations, and ZWS will recommend new or updated policies when apps are added or changed.
Attack Surface Visibility and Measurement
ZWS automatically builds a real-time application topology and dependency map down to the process level. It then highlights the required application paths and compares them to the total available network paths, recommending policies to minimize the attack surface and protect what’s needed.
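The measurement described above, comparing the application paths a workload actually needs with the network paths the current rules leave open, can be reproduced on a small scale. This is an added example, not ZWS code or an account of how ZWS computes its map; the flow records, workload inventory and rule set are constructed. It parses observed workload-to-workload flows into the set of required paths, enumerates every path the subnet rules would permit, reports the excess as the reducible attack surface, and emits the required paths as an explicit allow-list policy.

```python
"""Toy attack-surface measurement: required application paths versus
network paths reachable under subnet rules (constructed example)."""
from typing import Dict, List, Set, Tuple
import ipaddress

Path = Tuple[str, str, int]   # (source workload, destination workload, port)

# Constructed sample of observed flows: "src dst port process".
OBSERVED_FLOWS = """
web-frontend payments-api 8443 nginx
web-frontend payments-api 8443 nginx
payments-api payments-db 5432 payments-api
payments-api cache 6379 payments-api
"""

# Constructed workload inventory: name -> address.
WORKLOADS: Dict[str, str] = {
    "web-frontend": "10.0.1.11",
    "payments-api": "10.0.1.10",
    "payments-db": "10.0.2.20",
    "cache": "10.0.2.30",
    "reporting": "10.0.2.40",
}

# Constructed legacy rule set: (source CIDR, destination CIDR, permitted ports).
IP_RULES: List[Tuple[str, str, List[int]]] = [
    ("10.0.1.0/24", "10.0.1.0/24", [8443]),                # app subnet, internal
    ("10.0.1.0/24", "10.0.2.0/24", [5432, 6379, 3306]),    # app subnet -> data subnet
    ("10.0.2.0/24", "10.0.2.0/24", [5432, 6379, 3306]),    # data subnet, internal
]


def required_paths(flow_log: str) -> Set[Path]:
    """Distinct workload-to-workload paths actually observed in use."""
    paths: Set[Path] = set()
    for line in flow_log.strip().splitlines():
        src, dst, port, _process = line.split()
        paths.add((src, dst, int(port)))
    return paths


def reachable_paths(workloads: Dict[str, str], rules) -> Set[Path]:
    """Every workload pair and port the address-based rules would let through."""
    paths: Set[Path] = set()
    for src, sip in workloads.items():
        for dst, dip in workloads.items():
            if src == dst:
                continue
            s, d = ipaddress.ip_address(sip), ipaddress.ip_address(dip)
            for src_net, dst_net, ports in rules:
                if s in ipaddress.ip_network(src_net) and d in ipaddress.ip_network(dst_net):
                    for port in ports:
                        paths.add((src, dst, port))
    return paths


def measure(flow_log: str, workloads: Dict[str, str], rules) -> dict:
    """Quantify the gap between what is needed and what is open, and propose an allow-list."""
    required = required_paths(flow_log)
    reachable = reachable_paths(workloads, rules)
    excess = reachable - required          # open but never used: reducible attack surface
    unreachable = required - reachable     # needed but blocked: would break the application
    return {
        "required": len(required),
        "reachable": len(reachable),
        "excess": len(excess),
        "excess_paths": sorted(excess),
        "unreachable_required": sorted(unreachable),
        "recommended_policy": sorted(required),   # explicit allow-list, everything else denied
    }


if __name__ == "__main__":
    report = measure(OBSERVED_FLOWS, WORKLOADS, IP_RULES)
    print(f"required {report['required']}, reachable {report['reachable']}, "
          f"excess {report['excess']}")
    for src, dst, port in report["recommended_policy"]:
        print(f"allow {src} -> {dst}:{port}")
```

With the constructed data, three paths are in use while the subnet rules leave thirty-eight open, so thirty-five paths exist only as potential lateral-movement routes; the recommended policy keeps the three and drops the rest, and the `unreachable_required` list is the check that a proposed allow-list does not cut off a path the application depends on.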