As more organizations move away from on-premises solutions and toward digital business models centered around cloud computing, their data and applications migrate to the cloud through cloud providers such as AWS, Microsoft Azure, and Google Cloud. This migration presents challenges for protecting data moving between applications and SaaS as they communicate with one another in different cloud environments and data centers, all connecting over the internet.
Namely, there are many vulnerabilities to close when it comes to securing cloud workloads. A cloud workload security solution enables organizations to identify, manage, and secure these workloads to decrease risk, increase compliance, ensure greater application scalability, and improve overall security posture.
Cloud workload security, also known as cloud workload protection, revolves around workload segmentation, wherein application workloads are segmented into smaller pieces to simplify and secure traffic inspection.
Cloud workload security solutions allow organizations to discover, monitor, and secure cloud accounts, compute and storage instances, and the control plane. This decreases the likelihood of misconfigurations upon deployment, making it possible to develop and release more cloud native applications at scale while reducing the risk of cybersecurity issues.
In a modern environment powered by cloud infrastructure, applications and services should be—but are often not—at the center of an overall security strategy. Most traffic in a cloud environment moves east-west (within the environment), and traditional security controls typically protect traffic that moves north-south (into or out of the environment) through a perimeter gateway, so it’s no longer sufficient to define software by its traffic route.
Security controls must be workload-centric and decoupled from the cloud platform. It’s crucial to move access controls and permissions away from the network paths that applications travel on and tie them directly to the identity of the communicating applications and services. Not doing so makes it easier for network-borne threats to get into your cloud systems.
Legacy security tools work on a trust model that’s no longer relevant in the modern threat landscape as more applications live in the cloud and communicate over the internet. Network security perimeters are disappearing, and traffic inspection is more difficult because almost all traffic is encrypted.
Outdated security controls that can’t decrypt, inspect, and re-encrypt traffic could be overlooking cyberattacks such as ransomware and other malware. To defend themselves against these attacks, organizations using private and public clouds need to focus on protecting themselves at the workload level, not just at the endpoint.
Let’s explore the necessary strategies for strong cloud workload security.
Microsegmentation is a method of creating secure, secluded zones within a data center, network, or cloud environment that allows workloads to be individually isolated and secured. It’s designed to enable granular partitioning of traffic for better protection from attacks.
With microsegmentation, IT security teams can tailor security settings to different types of traffic, creating policies that limit flows between workloads to those that are explicitly permitted. Applying segmentation rules and granular policies down to the workload or application can reduce the risk of an attacker moving undetected from one compromised workload or application to another.
This is not to be confused with network segmentation, which involves using stateful inspection firewalls or next-generation firewalls to split the network into smaller, more easily monitored chunks. This strategy has been effective in the past, but it has particular limitations for cloud and multicloud environments.
Another key strategy is zero trust network access (ZTNA), also known as a software-defined perimeter (SDP). ZTNA is achieved with a set of technologies that operate on an adaptive trust model, where trust is never implicit, users must be verified, and access is granted on a need-to-know, least-privileged basis defined by granular policies.
Gartner predicts that by 2023, 60% of enterprises will phase out their remote access virtual private networks (VPN) in favor of ZTNA. This is true for a number of reasons—not least for improved protection and security for cloud workloads.
Microsegmentation and ZTNA can both help secure an organization’s traffic and applications at runtime, but using a cloud workload protection platform will ensure full cloud workload security coverage.
Here are some of the ways cloud workload security helps you decrease risk and simplify security for your organization:
In a service-oriented architecture, tracking asset and policy inventories is difficult, and every cloud instance change affects dependencies, creating management and availability issues. Additionally, dataflow mapping in a cloud is complex because services can change location, increasing the number of data points to monitor and manage. Cloud workload security simplifies tracking and protection, and anticipates the impact of change by focusing on applications rather than their environment.
Traditional security tools that use IP addresses, ports, and protocols as the control plane are not ideal for cloud use cases. The dynamic nature of cloud services makes these static security controls unreliable because addresses, ports, and protocols can change at any time. To counter the problem of address-based controls, cloud workload security platforms provide consistent workload protection and don’t require any cumbersome architectural changes.
Continual Risk Assessment
Most security professionals know their corporate networks are vulnerable to compromise, but most can’t quantify the risk, particularly related to application exposure. Cloud workload security solutions can automatically measure your visible network attack surface to understand how many possible application communication pathways are in use, quantify risk exposure based on the criticality of communicating software, and recommend the fewest number of security policies to reduce your risk of data breach.
When selecting a cloud workload security platform, be sure it can:
Ultimately, you want to ensure your cloud workload security platform can help your security team answer these questions:
Today’s cloud workloads need security that provides comprehensive zero trust coverage while simplifying management for DevOps and SecOps. What you need is a proven platform built in the cloud, for the cloud—a platform only Zscaler can provide.
Zscaler Workload Segmentation™ (ZWS™) is a new way to segment application workloads. With one click, you can enhance security by allowing ZWS to reveal risk and apply identity-based protection to your workloads—without any changes to the network.
ZWS provides gap-free protection with policies that automatically adapt to environmental changes, therefore eliminating your network attack surface. What’s more, Zscaler Workload Segmentation is API-driven, meaning it can integrate with existing security tools and DevOps processes, enabling one-click auto-segmentation.
Built on zero trust, Zscaler allows only verified workloads to communicate in your public, private, or hybrid cloud environment, mitigating risk and offering the highest level of data breach protection.
Zscaler Workload Segmentation includes:
Software Identity-Based Protection
ZWS looks beyond network addresses to verify the secure identity of the communicating application software and workloads in public or private clouds, hybrid clouds, on-premises data centers, or container environments.
Policy Automation Engine
ZWS uses machine learning to automate the entire policy life cycle for microsegmentation and workload protection. There’s no need to build policy manually during deployment or ongoing operations. Workload segmentation recommends new or updated policies when apps change or are added.
Attack Surface Visibility and Measurement
ZWS automatically builds a real-time application topology and dependency map down to the process level. It then highlights the required application paths and compares them to the total available network paths, recommending policies to minimize attack surface and protect what’s needed.
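The two ideas above, an allowlist keyed on software identity rather than address and an attack-surface figure that compares required application paths with all available network paths, as an added illustration that is not Zscaler code. Workload names, identity strings, addresses and the dependency map are all constructed.

```python
"""Identity-based microsegmentation policy and attack-surface measurement.

Added illustration (not Zscaler code): every workload carries a software
identity (service name + binary hash, constructed here); a flow is allowed
only when an explicit identity-to-identity rule exists; the attack surface is
the share of reachable network paths that the application actually needs.
"""
from dataclasses import dataclass
from itertools import permutations


@dataclass(frozen=True)
class Workload:
    identity: str  # constructed, e.g. "billing-api:sha256:2222"
    ip: str        # current address; may change on redeploy, never used by policy


# Constructed inventory of four workloads on a flat network.
WORKLOADS = {
    "web":   Workload("web-frontend:sha256:1111", "10.0.1.10"),
    "api":   Workload("billing-api:sha256:2222", "10.0.2.20"),
    "db":    Workload("orders-db:sha256:3333", "10.0.3.30"),
    "batch": Workload("report-batch:sha256:4444", "10.0.4.40"),
}

# Constructed dependency map: the only paths the application really needs.
REQUIRED_PATHS = {("web", "api"), ("api", "db"), ("batch", "db")}


def identity_policy(required):
    """Allowlist of (source identity, destination identity) pairs."""
    return {(WORKLOADS[s].identity, WORKLOADS[d].identity) for s, d in required}


def ip_policy(required):
    """Legacy allowlist of (source IP, destination IP) pairs, for contrast."""
    return {(WORKLOADS[s].ip, WORKLOADS[d].ip) for s, d in required}


def allowed_by_identity(policy, src, dst):
    return (src.identity, dst.identity) in policy


def allowed_by_ip(policy, src, dst):
    return (src.ip, dst.ip) in policy


def attack_surface(required, names):
    """(required paths, all possible directed paths, fraction removed by policy)."""
    total = len(list(permutations(names, 2)))
    return len(required), total, round(1 - len(required) / total, 2)
```

After a redeploy moves the API to a new address, the identity policy still permits the legitimate web-to-API flow while the IP policy silently denies it; the same policy blocks the web-to-database path that no dependency requires.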