Protecting cloud workloads

Cloud transformation is an opportunity for organizations to radically rethink network security.

Through the cloud, organizations can more easily implement layered defenses for comprehensive visibility into all assets, protect against application-specific threats (such as SQL injection or other software vulnerabilities) and scale traditional network security to meet their organization's needs. Next, we take a look at key considerations such as main objectives, network segments, use cases, and critical capabilities your security solutions need.

Main objectives

Simplify multicloud security

Organizations need a single solution that addresses all multicloud network security needs from a single controller and manages security across private clouds and all major public clouds—including AWS, Azure, GCP, OCI—with a single policy. This simplifies the security stack by replacing inefficient and costly point solutions with a built-in, comprehensive multicloud network security solution.

Gain multi-directional protection

It’s important to protect your cloud data by providing ingress, egress, and east-west traffic inspection across your clouds and VPCs.

Realize greater operational efficiency

Cloud-native automation built directly into your cloud network solution should reduce overhead and speed time to value. Using IaC in your strategy allows you to optimize and scale your multicloud security footprint to meet demand.

Reduce risk

Cloud architects can't protect what they can’t see, which is why consistent visibility and control across public and private environments is critical. A solution that offers a bird’s eye view through real-time asset discovery allows you to see more, enabling strategic placement of security controls to close gaps—significantly helping reduce risk and meet compliance requirements.

Traffic paths (network segments)

To stop malicious activity across your cloud infrastructure, applications, and services, you need to secure both the perimeter (ingress and egress, or north-south traffic) and lateral traffic (east-west).

Ingress covers traffic initiated by another location to your cloud workloads. Examples include general public access to a website or application, and partner access to an API gateway. The direction is inbound and client-initiated. Securing ingress traffic protects your cloud applications from internet-facing attacks and unauthorized external access.

Egress covers workloads initiating traffic to somewhere else, or what your cloud deployment needs to access to perform an operation or function. Examples of access include external payment gateways, API-based services, SaaS services, software updates, and external URLs. The direction is outbound and initiated on the application side. Securing egress protects applications from threats such as malware (by preventing command-and-control or C2 action) and data exfiltration.

East-west covers inter-VPC traffic within the cloud environment or on-premises (hybrid). Examples include communications such as inter-region, endpoint services, private links, or PaaS (Platform as a Service) constructs. These can be client or server-initiated. Securing east-west traffic prevents lateral movements of threats within your cloud infrastructure.

Typical network security controls
NETWORK SECURITY FUNCTION	INGRESS	EGRESS	EAST-WEST
Web Application Firewall (WAF)	●	–	N/A
Intrusion Detection/ Prevention (IDS/IPS)	●	●	●
Segmentation (Firewall)	–	–	●
Antivirus Detection/Blocking	●	●	N/A
URL/FQDN Filtering (includes Explicit and Category based profiles)	–	●	●
Data Loss Prevention (DLP)	–	●	●
Layer7 DoS	●	–	●
Malicious IP Blocking	●	●	–
GeoIP Blocking	●	–	N/A
Threat Packet Captures	●	●	●

Figure 1. Network security functions