Network Security Challenges: Access to the Public Cloud

Network Security for the Public Cloud

Public cloud services such as Amazon’s AWS, Google Cloud Platform, and Microsoft’s Azure are incredibly powerful tools. They allow businesses to have always available elastic compute power for applications and data. But the public cloud is also a ripe target for threat actors.

It’s critical to secure your network connections to these resources. After all, if the front door isn’t secured, why wouldn’t hackers just walk right through and have a look?

Security Threats in the Public Cloud

The list of potential attacks to public cloud resources can be pretty long, and improperly securing access expands the attack surface for your company. That’s why avoiding overly permissive access is important. If anyone in your company can login or obtain access to your public cloud instances, you could be setting yourself up for a world of pain. It’s important for CISOs and IT Managers to ask themselves who really needs access to these resources. Then they should limit public cloud access to only those individuals or groups.

After overly permissive access, the most serious threat to the public cloud is credential theft. This when a threat actor obtains employee login credentials through phishing, or other means. Once the credentials are in the hands of malicious actors, getting into and exploring public cloud resources is much easier–at least if proper precautions aren’t taken.

There are a number of serious issues that hackers can inflict on a company after gaining access to a public cloud resource. Deploying ransomware to encrypt all company data, for example, or deliberately corrupting data. Other threats include implanting worms, data exfiltration, or defacing a web-based application portal running on your public cloud. 

Tools and Technologies

Companies need a holistic network security solution to confront the unique security challenges of public cloud resources. The tools and technologies suited to this task include:

ZTNA

ZTNA is one of the most practical applications of the Zero Trust approach to cybersecurity, which says “never trust, always verify.” Everyone who attempts to connect to company resource must be authenticated based on identity, context, and granular access rules. 

ZTNA enforces granular access permissions to public cloud resources. These can be based on pre-defined groups or single users. Only select people will be allowed to access the public cloud resource.

In addition, with ZTNA you set context-based rules such as device posture requirements. This strategy will only allow managed devices to access the resource if they meet the company’s security standards. 

Unmanaged devices, meanwhile, can be restricted through logins to an Agentless ZTNA portal with context checks for time of day and location.

Secure Tunnels

ZTNA employs a secure connection using protocols such as IPSec and Wireguard between the user endpoint and the public cloud resource. This can be accomplished in two ways:

  1. Create a secure connection to a ZTNA provider gateway, and then use standard TLS/SSL encryption to go from the gateway to the public cloud.
  2. Create that same secure tunnel to the gateway, and then continue from the gateway to the public cloud using the same encrypted tunnel. 

The latter option is clearly preferable, but it does take a little more configuration than option 1. 

Malware Protection

It never hurts to be extra careful. Just in case malware is already lurking in your public cloud instance use a network-focused malware protection solution. This allows you to monitor threats before they can end up on user devices, and then attack other parts of the company from there.

Securing Public Cloud Access

Identity management is key for proper network security, which is why it’s important to implement a single sign-on (SSO) provider–preferably one that supports multi-factor authentication (MFA). 

With an SSO provider managing identity, it makes it easier to define groups for ZTNA rules, users have an easier time signing in, and MFA support makes it harder (but far from impossible) for threat actors to steal credentials.

Next, you need to set-up your ZTNA rules. Here it pays to really sit down and think about the various workflows within the company. You don’t want employees to end up locked out of a resource they need, but at the same time allowing carte blanche access to anyone with a company ID is just asking for trouble. Should hackers ever obtain a company login they would have unfettered access to everything–not ideal.

With proper ZTNA rules in place, threat actors would be severely restricted in what they could do.

In addition to ZTNA rules, you should set device posture check (DPC) rules that require managed devices to meet security standards such as a minimum operating system version or that a specific antivirus solution must be installed. For unmanaged devices, use context rules based on time and location to ensure that unwanted people aren’t accessing your resources. 

Next, you’ll want your network security solution to provide logs so that you can monitor for odd behavior, and these logs should be integrated with your SIEM solution. You’ll want to pay special attention to high-privilege users to ensure there is no odd behavior coming from those accounts. 

Finally, include as part of your cloud network security solution web filtering and malware protection. These two tools prevent malware from infecting your network by detecting and stopping threats, and web filtering reduces the chances of encountering common web threats like drive-by downloads and known phishing sites.

Protecting Your Public Cloud

Network security requires a lot of moving parts, and some pre-planning, but once implemented a ZTNA-based solution ensures a much higher level of security for your company, your users, and resources.

To sum up: 

  1. Use an SSO with MFA for easier application of ZTNA rules
  2. Deploy well-designed ZTNA rules backed by DPC and other context-based rules that use continuous verification
  3. Closely monitor logs for unusual behavior

Finally, remember that a ZTNA-based network security approach is always evolving. Set time to regularly reassess permissions, context rules, and other settings. This helps to perfect that balance between security and not impeding users from doing what they need to do on a daily basis.

Are you interested in learning more about how to secure your public cloud? Book a demo today to see how Perimeter 81’s cloud-based, converged network security solution can lock down all your resources (both on-prem and in the cloud). At the same time, we make it easy to manage your network security. Plus, we provide users with a seamless experience whether they are in the office or remote.