The benefits of cloud are real and tangible, and enterprises and even governments are now accustomed to hosting mission-critical workloads in the cloud, often with multiple cloud providers. For digital transformation to be truly successful, cloud resources must be secure, scalable, and segmented so that critical data is made available only to trusted entities. In this blog, we will detail some best practices for multi-cloud security and how Alkira’s Cloud Network as-a-Service platform can help you in the journey.
The Cloud Security Conundrum
The demand to accelerate digital innovation is driving organizations to build applications in the cloud using agile practices and cloud-native architectures such as containers and microservices. These containers are spun up and torn down dynamically within seconds, and the applications built on them have dependencies that can span multiple clouds and geographies. The leading cloud providers deliver a foundational security baseline for the core cloud infrastructure (the underlying network, the hypervisors hosting the workloads, and so on), but under the shared responsibility model, safeguarding data and securing connectivity from edge to core to cloud remains the customer's job, and it can be an enormously complex one.
To protect today's cloud and multi-cloud workloads, traditional on-premises security models fall short. They were built for static environments, and lifting and shifting those controls into the cloud adds operational and management complexity. Backhauling cloud traffic to the data center, or to a different cloud, just to apply security policy is not viable either: the detour adds latency and degrades application performance.
Applying cloud-native security constructs is not trivial either. Each cloud provider implements them differently, so learning every provider's security knobs and using them to enforce a consistent policy from several separate dashboards is time consuming and error prone. Cloud-native controls also lack the feature sets of established security vendors, so advanced threat detection and mitigation may not be possible with those controls alone.
The ideal solution is a single portal that manages the security of the multi-cloud environment using best-of-breed security vendors. Coupled with support for Infrastructure as Code, these security services can be deployed and validated through CI/CD pipelines within minutes. The Alkira solution offers exactly this and more.
Alkira Provides Security for the Cloud Era
The Alkira Cloud Network as-a-Service (CNaaS) solution consists of a unified cloud backbone with globally distributed Alkira Cloud Exchange Points (virtual points of presence) that provide optimized and secure global network connectivity between clouds, branches, and end users, all delivered as a service. With no customer gateway or agent installs, and with horizontally scaled central management, the multi-cloud fabric can be established securely in minutes.
Figure: Network Security Meets Cloud
Alkira's platform gives IT leaders complete control through a flexible set of role-based access control (RBAC) tools. Onboarding is secured against unauthorized access with source-IP restrictions on logins, along with options for SSO and two-factor authentication.
From there, several permission roles are available, from full administrative control down to read-only access. Alkira also allows custom roles, so accounts can be tailored to specific needs. All of this is backed by detailed logs and access reports, giving customers immediately auditable data with which to investigate fraudulent activity or misuse.
Network Services Marketplace
Many enterprises have already done their due diligence and have an on-premises security partner of choice, and ideally they would use the same vendor for their cloud security needs. Alkira recognizes this and offers a wide choice of third-party security providers. The chosen service is inserted into the traffic path and integrated into the cloud environment without additional routing configuration. Alkira also manages the entire lifecycle of the security instance; to preserve existing licensing investments, the instance can be brought up with the customer's existing licenses or under a pay-as-you-go model. As business volume changes, these instances scale up or down based on real-time capacity demand. Because the firewalls are stateful, both directions of a flow must reach the same instance; Alkira's traffic steering maintains that bidirectional flow symmetry, so scaling the firewall pool in or out does not cause return traffic to land on an instance with no session state and be dropped.
End-to-End Network Segmentation
Network segmentation partitions a network into multiple distinct subnetworks so that route controls and security policies can be applied to each compartment separately.
Segmentation offers the following key benefits:
- Limits the blast radius of a cyber attack: a compromise is contained within the affected segment.
- Improves operational isolation; for example, issues in the test segment have no impact on the production environment.
- Reduces the compliance burden; for example, confining payment-processing systems to one segment limits complex and costly audits to that segment alone.
- Gives better analytics around network monitoring and network access.
Cloud-native constructs offer limited support for segmentation that spans clouds, and marrying those already complex constructs with on-premises and remote-user segments quickly turns end-to-end segmentation into chaos.
With the Alkira solution, network segments are defined centrally and carved out across any hybrid cloud or multi-cloud environment without complex routing configuration. Each segment is its own routing domain, so traffic does not cross between segments by default, and controls and service policies can be applied to each segment independently, realizing the benefits listed above.
You can't secure what you can't see. To understand your cloud security posture you need complete, intuitive visibility into your network. The Alkira portal provides exhaustive network- and application-level statistics for hybrid cloud and multi-cloud environments, illuminating hot spots and blind spots alike. For example, when a previously unknown data source or application shows up, appropriate security and compliance policies can be put in place quickly to minimize risk and disruption.
Context-Rich Policy Management
As described above, Alkira extends segmentation seamlessly to hybrid cloud and multi-cloud environments, and these segments can be further micro-segmented into policy domains. This is done by grouping remote users, on-premises sites or cloud workload endpoints (connectors) into a compartment called a group. Once a group is created, context-rich policies can be applied to it to enforce the business intent.
Here are a couple of examples:
- A VPC group can reach Internet applications only over port 443, and only after traversing a firewall.
- Web group G1 has access to Application group G2, but not to Data group G3.
Any number of groups can be created, and traffic policies (allow, drop, or firewall inspect) are enforced based on 6-tuple or application-based identification.
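To make the segment and group model from the two sections above concrete, here is an added example written for this post; it is not Alkira's code, and the PolicyEngine class, the group names, the CIDRs and the rule names in it are all hypothetical. Connectors are assigned to one segment and one group, rules are written purely in terms of groups (with optional protocol, port and application qualifiers), rules are evaluated first-match with an implicit deny, and the segment boundary is enforced before any rule is consulted, so a group rule can never bridge two segments.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Hypothetical names and constructed sample data, not Alkira's policy schema.
ALLOW, DROP, INSPECT = "allow", "drop", "firewall-inspect"
INTERNET = "internet"   # pseudo-group for destinations outside every known prefix


@dataclass(frozen=True)
class Connector:
    """An endpoint (site, VPC or user pool) placed in one segment and one group."""
    name: str
    segment: str
    group: str
    prefix: str          # CIDR owned by the connector


@dataclass(frozen=True)
class Rule:
    """Group-to-group rule; an empty port or app set means 'any'."""
    name: str
    src_group: str
    dst_group: str
    action: str
    proto: Optional[str] = None
    dst_ports: frozenset = frozenset()
    apps: frozenset = frozenset()

    def matches(self, src_group, dst_group, proto, dst_port, app):
        return (self.src_group == src_group
                and self.dst_group == dst_group
                and (self.proto is None or self.proto == proto)
                and (not self.dst_ports or dst_port in self.dst_ports)
                and (not self.apps or app in self.apps))


class PolicyEngine:
    def __init__(self, connectors, rules):
        self.connectors = [(ip_network(c.prefix), c) for c in connectors]
        self.rules = list(rules)   # ordered: first match wins

    def classify(self, ip):
        """Longest-prefix match of an address to a connector, or None if unknown."""
        addr = ip_address(ip)
        hits = [(net, c) for net, c in self.connectors if addr in net]
        if not hits:
            return None
        return max(hits, key=lambda h: h[0].prefixlen)[1]

    def evaluate(self, src_ip, dst_ip, proto, dst_port, app=""):
        """Return (action, reason) for a flow given its tuple plus an app label."""
        src = self.classify(src_ip)
        if src is None:
            return DROP, "source not in any connector"
        dst = self.classify(dst_ip)
        if dst is None:
            dst_group = INTERNET            # egress to the Internet
        else:
            if dst.segment != src.segment:
                # Segments are separate routing domains: no group rule can bridge them.
                return DROP, f"cross-segment {src.segment}->{dst.segment}"
            dst_group = dst.group
        for rule in self.rules:
            if rule.matches(src.group, dst_group, proto, dst_port, app):
                return rule.action, rule.name
        return DROP, "implicit deny"


# Constructed sample environment: three tiers in a "prod" segment, plus a
# "test" segment that deliberately reuses the "web" group name.
CONNECTORS = [
    Connector("web-vpc", "prod", "web", "10.1.0.0/16"),
    Connector("app-vpc", "prod", "app", "10.2.0.0/16"),
    Connector("data-vpc", "prod", "data", "10.3.0.0/16"),
    Connector("test-web-vpc", "test", "web", "10.9.0.0/16"),
]
RULES = [
    Rule("web-egress-https", "web", INTERNET, INSPECT, proto="tcp", dst_ports=frozenset({443})),
    Rule("web-to-app", "web", "app", ALLOW),
    Rule("app-to-db", "app", "data", ALLOW, proto="tcp", dst_ports=frozenset({3306}), apps=frozenset({"mysql"})),
]
ENGINE = PolicyEngine(CONNECTORS, RULES)

SAMPLE_FLOWS = [
    ("10.1.0.5", "10.2.0.9", "tcp", 8080, "http"),       # web -> app
    ("10.1.0.5", "10.3.0.9", "tcp", 3306, "mysql"),      # web -> data (no rule)
    ("10.2.0.9", "10.3.0.9", "tcp", 3306, "mysql"),      # app -> data over mysql
    ("10.2.0.9", "10.3.0.9", "tcp", 22, "ssh"),          # app -> data over ssh
    ("10.1.0.5", "203.0.113.10", "tcp", 443, "https"),   # web -> Internet on 443
    ("10.1.0.5", "203.0.113.10", "tcp", 80, "http"),     # web -> Internet on 80
    ("10.9.0.5", "10.2.0.9", "tcp", 8080, "http"),       # test web -> prod app
]


def demo():
    """Evaluate every sample flow; returns a list of (action, reason)."""
    return [ENGINE.evaluate(*flow) for flow in SAMPLE_FLOWS]


if __name__ == "__main__":
    for flow, (action, reason) in zip(SAMPLE_FLOWS, demo()):
        print(f"{flow[0]:>12} -> {flow[1]:>14} {flow[2]}/{flow[3]:<5} {flow[4]:<6} {action:<16} {reason}")
```

The last sample flow is the one worth studying: the source sits in a group named "web" and the web-to-app rule would match it, but because it lives in the test segment and the destination in prod, the engine drops it before any rule is consulted. That ordering is what makes a segment a hard boundary rather than just another policy.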
Infrastructure as Code
Infrastructure as Code (IaC) is the management and deployment of infrastructure (VMs, networks, security components) from version-controlled code. Typically done with HashiCorp's Terraform, the desired environment is described in human-readable configuration files (HCL, or its JSON form), and Terraform reconciles the real environment with that description: a plan shows any drift between the two, including changes made by hand outside the pipeline, and an apply brings the environment back to the declared state. From a security perspective this is critical: segments, policies and service insertion become reviewed, versioned and reproducible artifacts, and an out-of-band change to a security policy is detected rather than silently persisting. Alkira is a Terraform verified provider, and the entire security posture (segments, policies, services and more) can be deployed using Alkira's Terraform provider.
Simplicity and security have rarely coexisted, but Alkira's CNaaS solution is changing that. By offering best-of-breed security with segmentation, micro-segmentation and IaC, all delivered as a service, Alkira puts your multi-cloud experience in good hands.
To learn more about Alkira’s solution https://www.alkira.com/
Take your own tour of the Alkira solution https://www.alkira.com/virtual-tour
To request your personalized demo https://www.alkira.com/demo