Essential Capabilities for building Defense in Depth for Public and Hybrid Cloud

Whitepaper

by Chris Zanelli

In today's environment of frequent and persistent cyber attacks by domestic and international bad actors, it is essential to ensure that security safeguards and multi-layered controls are implemented across your public cloud landing zones and the hybrid cloud perimeters within your DMZ. Cloud architectures require a significantly different approach to building Defense in Depth: they turn traditional perimeter and domain-based controls on their heads and expose fundamental gaps, showing that layered, perimeter-based security models and control assurance alone are inadequate for organizations operating part or all of their operations in Public Cloud.

So how does one effectively take control of complex cloud deployments, which are highly prone to exploits driven by misconfiguration and human error? How do we design and build Defense in Depth in Public and Hybrid Cloud environments? How can an organization 'flatten', simplify, and assure a set of controls and configurations across subscription, landing zone, management hierarchy, identity, resource, service, and object levels? And lastly, how do overlapping controls bolster the five core functions of the NIST Cybersecurity Framework: Identify, Protect, Detect, Respond, and Recover?

Over a decade ago, security perimeters for most scaled enterprises consisted of a DMZ, internal networks for Production, internal networks for lower SDLC environments, and, optionally, a tier of mainframe infrastructure. Security was largely focused at the boundaries: DMZ environments containing services for the internet, distributed branches, colocation facilities, and B2B circuits / leased lines. Internal applications enjoyed significantly relaxed controls, limited VLAN segregation, and fairly flat network topologies, relying mostly on identity authentication and a mix of fine-grained entitlement management solutions tied to corporate identities and groups. Security and Risk officers were given reasonable assurances that exposures on the edge would be remediated aggressively, whilst risk exceptions and tradeoffs were frequently made within internal networks to allow for productivity and efficiency.

In the early 2010s, as cyber security threats and exploits became more of a public occurrence and a conversation at the board level, defense in depth became the universally accepted strategy to minimize the occurrence and disruption of the inevitable: an eventual catastrophic breach. Significant focus was placed on enhanced network segregation and controls, end-user multi-factor authentication, secrets management, enhanced controls over identities (human and system) and identity providers, and locking down server and device administrative interfaces and shells. As layered security was implemented and applied, employees were given annual education on cyber security threats in an effort to raise awareness beyond the typical response of "my application isn't external-facing, so what's the risk?"

As enterprises build more of their application functions in the Public Cloud, they gain the flexibility and velocity that Public Cloud infrastructure providers offer, but they lose many of the internal capabilities built over the years: safeguards, guardrails, narrowed jump-host entry, and manual provisioning processes that have been the bulwark of enterprise security strategy for on-premise infrastructure. In contrast, Cloud resource configurations and controls, although continuously improving, still have a razor-thin margin of error: a single setting can be the difference between a resource that is publicly accessible and unencrypted and one gated by identity-based, object-level access.

Leaky cloud services are often the outcome when misconfiguration errors combine with the need to manage complex layers of configurations and cloud resource objects. Today our best source of cyber incident research is often the annual Verizon Data Breach Investigations Report (DBIR), although we expect continuing improvements over time in transparency around breaches and the affected cloud service providers. Given the persistent threats and the combination of organized crime with unaffiliated individual bad actors, there is a growing need for better information sharing and coordination with local and federal law enforcement agencies. Regardless of what industry you are in, your enterprise, supply chain and customer information is at risk in the digital age.
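The failure mode described in the previous two paragraphs, where a single setting separates a publicly reachable, unencrypted resource from one gated by identity, is concrete enough to check mechanically. The following is an added example, not code from the whitepaper or its author: a small static check over constructed S3-style bucket descriptions (the `policy`, `public_access_block` and `default_encryption` fields are an assumed schema for this illustration, and the bucket names, account and organization identifiers are made up). It flags Allow statements that grant access to a wildcard principal without a scoping condition, reports whether a public-access block masks those statements, and reports whether default encryption at rest is configured, with the weak configuration shown beside the hardened one.

```python
"""Added example: static check for the two misconfigurations the text
describes, a publicly reachable bucket and one without encryption at rest.
The bucket descriptions below are constructed for illustration only."""
from typing import Any

# A wildcard Principal scoped by one of these condition keys is not anonymous
# access: only callers matching the key can use the statement.
SCOPING_CONDITION_KEYS = {
    "aws:PrincipalArn", "aws:PrincipalAccount", "aws:PrincipalOrgID",
    "aws:SourceVpc", "aws:SourceVpce",
}


def _principal_is_wildcard(principal: Any) -> bool:
    """True for Principal "*" or {"AWS": "*"} (both mean everyone)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def _statement_is_scoped(statement: dict) -> bool:
    """True when a Condition limits the statement to identified callers."""
    for _operator, keys in statement.get("Condition", {}).items():
        if any(key in SCOPING_CONDITION_KEYS for key in keys):
            return True
    return False


def public_statements(policy: dict) -> list:
    """Sids of Allow statements that grant access to anyone on the internet."""
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be unwrapped
        statements = [statements]
    return [
        st.get("Sid", "<no Sid>")
        for st in statements
        if st.get("Effect") == "Allow"
        and _principal_is_wildcard(st.get("Principal"))
        and not _statement_is_scoped(st)
    ]


def assess_bucket(bucket: dict) -> dict:
    """Summarize the exposure of one bucket description (assumed schema)."""
    sids = public_statements(bucket.get("policy", {}))
    pab = bucket.get("public_access_block", {})
    # RestrictPublicBuckets makes S3 ignore public grants in an existing
    # policy: the statements stay in the document but are not reachable.
    masked = bool(pab.get("RestrictPublicBuckets"))
    return {
        "public_sids": sids,
        "publicly_reachable": bool(sids) and not masked,
        "unencrypted": bucket.get("default_encryption") not in ("AES256", "aws:kms"),
    }


# Constructed weak bucket: anonymous read, no public access block, no encryption.
WEAK_BUCKET = {
    "policy": {"Version": "2012-10-17", "Statement": [{
        "Sid": "AllowAnyoneRead", "Effect": "Allow", "Principal": "*",
        "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-weak/*",
    }]},
    "public_access_block": {"BlockPublicPolicy": False, "RestrictPublicBuckets": False},
    "default_encryption": None,
}

# Constructed hardened bucket: a named role, an org-scoped wildcard, TLS
# enforced by a Deny, public access block enabled, KMS encryption at rest.
HARDENED_BUCKET = {
    "policy": {"Version": "2012-10-17", "Statement": [
        {"Sid": "AppRoleRead", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:role/app-reader"},
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-hard/*"},
        {"Sid": "OrgListOnly", "Effect": "Allow", "Principal": "*",
         "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::example-hard",
         "Condition": {"StringEquals": {"aws:PrincipalOrgID": "o-exampleorgid"}}},
        {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
         "Action": "s3:*",
         "Resource": ["arn:aws:s3:::example-hard", "arn:aws:s3:::example-hard/*"],
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    ]},
    "public_access_block": {"BlockPublicPolicy": True, "RestrictPublicBuckets": True},
    "default_encryption": "aws:kms",
}

if __name__ == "__main__":
    for name, bucket in (("weak", WEAK_BUCKET), ("hardened", HARDENED_BUCKET)):
        print(name, assess_bucket(bucket))
```

The check is deliberately a heuristic: it evaluates only the bucket policy, the public-access block and default encryption, and ignores legacy ACLs, access points and the `Action` granted. In a real landing zone the same logic would run against descriptions pulled from the provider's API, and the point of the hardened example is that a wildcard `Principal` is not public on its own; the presence or absence of a scoping condition and of the account-level block decides the outcome.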

Download this whitepaper to read more.
