Architectural considerations for cloud security

There is not a “one size fits all” model for architecting cloud security.

A great first step and best practice is to insert a control point between cloud workloads and the internet. Depending on your needs, you can use a centralized, distributed, or hybrid model.

Although the idea of centralized control and enforcement sounds great in principle, it’s not always the best approach. For example, centralized control with distributed (or local) enforcement may work better in many cases because it avoids sending traffic across trust boundaries to secure it. Some applications may also require more isolation for compliance reasons. Knowing which model is right for your multicloud environment requires understanding the benefits and drawbacks of each approach.

The single solution model provides global definition and management of policies across large multicloud deployments. This model allows you to define consistent policies regardless of the application’s underlying infrastructure while providing visibility across all security events. A centralized control point also avoids single point of failure of legacy architectures by implementing centralized controls with cloud-native design patterns — including multi-availability-zone (AZ) and multi-region architecture, along with elastic cloud-native services.
The cloud provider-specific solution model utilizes cloud native security tools from each cloud provider that you must integrate to work together. This enables more granular security controls, but also lowers your visibility across multiple clouds and creates redundancies or inconsistencies. Management and support costs increase in this model.

Centralized enforcement is when you deploy the enforcement components into a network that your workloads and applications can route their traffic through. This allows you to put all security tools into a single inspection point that can autoscale based on the traffic of all applications and workloads in aggregate. Depending on your architecture, centralized enforcement may result in increased bandwidth cost.
Distributed enforcement is when you deploy the enforcement components into the same network as your applications and workloads, which can scale up as each application scales. This works well when each workload needs to be fully self-contained. Depending on your architecture, distributed enforcement may result in increased cloud compute cost.

A mixture of both distributed and centralized enforcement can provide a suitable blend that provides comprehensive security while balancing the management overhead and cloud provider cost to deploy.