The 5 Pillars of Secure Cloud Transformation
by Dr. Amit Sinha - Zscaler's CTO and Executive Vice President of Engineering and Cloud Operations
Cloud adoption can change not just the way an enterprise works, but the way its IT leadership manages applications, connectivity and security. The transition to the cloud offers enterprise IT leaders an opportunity to reevaluate network architecture and optimize user experience. IT stakeholders looking to optimize network performance for a cloud environment must understand how architecture impacts cloud access. The new blueprint for enterprise IT connectivity infrastructure comprises five functional components: inline security, modern identity and access management, smart endpoint management, dynamic security information and event management (SIEM) and direct-to-cloud connectivity.
1. Don’t build castles around your network. Protect users wherever they are.
Enterprise IT stakeholders moving to a cloud model must recognize the resulting impacts on security and network performance, particularly with regard to mobile users. When doing so, it’s important to:
- Move security as close as possible to users, and ideally, inline. If users are distributed and remote, put security nearby, even if that means distributing data centers or leveraging a cloud-based security tool with local points of presence. Recognize and account for scalability costs as user traffic increases.
- Invest in tools that allow fast, secure, policy-based access between users and applications they need to connect to, regardless of the network. Security is important, but not at the cost of user experience.
- Monitor dynamically. Using identity alone is not sufficient. Policy should be conditioned on dynamic attributes such as a user’s device, location, threat posture, behavioral anomalies, etc. Both Forrester Research’s Zero Trust framework and Gartner’s CARTA approach preach the gospel of a default-deny policy with comprehensive oversight of data in transit, including secure sockets layer (SSL) encrypted traffic.
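To make the third point concrete, here is an added illustration (not code from the article or from Zscaler) of a default-deny access decision that is conditioned on device, location, threat posture and behavioral signals rather than on identity alone. The application entitlements, allowed countries and threat-score threshold are constructed assumptions.

```python
# Added illustration: default-deny access policy driven by dynamic attributes.
# Every value below (apps, groups, countries, thresholds) is constructed.
from dataclasses import dataclass


@dataclass
class AccessContext:
    """Attributes known at the moment of an access request."""
    user: str
    groups: set               # group claims asserted by the identity provider
    app: str
    device_managed: bool      # enrolled in the endpoint management system
    device_patched: bool      # at the required patch level
    country: str              # derived from the source address
    threat_score: int         # 0 (clean) .. 100 (compromised), from EDR/SOC
    anomalous_behavior: bool  # flagged by behavioral analytics


# Which groups may reach which applications (assumed entitlements).
APP_ENTITLEMENTS = {
    "payroll": {"finance"},
    "wiki": {"finance", "engineering", "partner-acme"},
}
ALLOWED_COUNTRIES = {"US", "DE", "IN"}
THREAT_SCORE_LIMIT = 70


def evaluate(ctx: AccessContext) -> tuple:
    """Return (allowed, reason). Anything not explicitly allowed is denied."""
    # Identity and entitlement: the user must hold a group mapped to the app.
    # A partner whose IdP no longer asserts the group fails here.
    if not (APP_ENTITLEMENTS.get(ctx.app, set()) & ctx.groups):
        return False, "no entitlement for application"
    # Device posture: a valid identity on an unmanaged or unpatched device is denied.
    if not ctx.device_managed:
        return False, "unmanaged device"
    if not ctx.device_patched:
        return False, "device not at required patch level"
    # Location and threat posture are checked on every request, not just at login.
    if ctx.country not in ALLOWED_COUNTRIES:
        return False, f"access from {ctx.country} not permitted"
    if ctx.threat_score >= THREAT_SCORE_LIMIT:
        return False, "device threat score too high"
    if ctx.anomalous_behavior:
        return False, "behavioral anomaly flagged; step-up required"
    return True, "all conditions satisfied"
```

Each denial carries a reason so the decision can be logged to the SIEM and correlated with endpoint and identity events later.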
2. Invest in a federated identity and access management (IAM) platform.
When doing so, it’s key to:
- Sunset legacy directories for a modern IAM that supports single sign-on (SSO) and leverages protocols like security assertion markup language (SAML) to integrate with your cloud ecosystem.
- Simplify partner access. Giving a partner access to a particular application should not mean giving them full access to your network. If an employee at your partner’s organization leaves, you should not have to worry about whether they still have access to your application.
3. Revisit your endpoint management system.
As workers move to the cloud, IT leaders must reevaluate endpoint management. Will corporate endpoint management processes adapt to a “cloud way of work”? Two practices to consider incorporating for endpoint management in a cloud environment:
- Integrate endpoint management into security operations center (SOC) workflows. Infected machines and devices must be controlled and isolated.
- Establish policy-based orchestration. Updates (such as configuration changes or patches) should be controlled, and policy should be settable at a granular level, e.g., “Push this setting out to all Macs running version X tonight.”
4. Consolidate logs in a SIEM system.
Event management, like most traditional hub-and-spoke network functions, has to evolve to function properly (read: securely) in a cloud environment. IT leaders moving to the cloud need to ensure SIEM can handle the impacts of the transition. When doing so:
- Ensure the “new SIEM” can handle the explosion of data from multiple cloud services and has the intelligence to correlate events and glean actionable insights.
- Avoid sampling. Sampling logs can lead to missed security events and issues with compliance and regulatory requirements when you have audits.
- Integrate SIEM with SOC workflows. As with endpoint management, IT leaders must ensure SIEM and SOC workflows are integrated and automated as much as possible.
5. Assess alternatives to your hub-and-spoke network with software-defined wide-area networking (SD-WAN).
SD-WAN is a more direct-to-internet connectivity model. Conceptually, SD-WAN separates network control from hardware, effectively virtualizing WAN management. When utilizing SD-WAN:
- Use local internet breakouts instead of backhauling traffic from branch offices to headquarters over multiprotocol label switching (MPLS) circuits.
- Make sure you have consistent security available everywhere. Refer to point 1 above.
If your organization is moving applications to the cloud, starting with these five pillars can help transform both your security and your network.