Aviatrix Blog

Cloud-Native Network Security (CNNS): The New Battleground for Modern Threats

Modern threats exploit cloud networks. Learn how to implement cloud-native network security with CISA practices like segmentation and traffic encryption.


The cloud has revolutionized how businesses operate, offering unprecedented agility, scalability, and cost-effectiveness. However, this transition has also created new security challenges, particularly concerning cloud network security. Recent attacks, such as the Salt Typhoon cyber espionage and the Medusa ransomware campaign, highlight the critical need for a robust and adaptive approach to securing cloud networks.

This blog will explore the current trends in cloud network security, emphasizing the inadequacy of traditional methods and the necessity of embracing a cloud-native strategy.


The Emerging Threat: Exploiting Cloud Network Weaknesses

Modern adversaries are increasingly targeting cloud environments, exploiting vulnerabilities in network configurations to gain initial access and move laterally. A common attack vector involves leveraging exposed, vulnerable endpoints or services such as:

  • Unpatched network management interfaces
  • Weak authentication mechanisms
  • Misconfigured API gateways


Attackers often capitalize on known Common Vulnerabilities and Exposures (CVEs) in publicly accessible services. This initial infiltration serves as a springboard for further exploitation.

Once inside, attackers employ sophisticated lateral movement techniques to compromise additional resources and achieve their objectives. Ransomware groups in particular are adept at traversing networks, encrypting data, and demanding exorbitant ransoms.

The Medusa ransomware group, for example, has demonstrated how attackers could exploit misconfigured resources to deploy ransomware across an organization’s infrastructure, often with devastating consequences.


Endpoint Detection and Response (EDR) Solutions are Not Enough

The reality is that traditional host-based endpoint detection and response (EDR) solutions are often insufficient to stop sophisticated attacks in the cloud.

  • EDR solutions can be disabled – Attackers are constantly developing new techniques or tools such as Stonestop, Poortry, and ABYSSWORKER to bypass or disable EDR agents.
  • EDR solutions can be fooled – For high-value targets, attackers can even adopt interactive intrusions that leverage the creativity and problem-solving skills of human adversaries. These individuals can mimic expected user and administrator behavior, making it difficult for defenders to differentiate between legitimate user activity and a cyberattack.
  • EDR solutions have limited visibility – EDR solutions primarily focus on individual endpoints, lacking the comprehensive network visibility needed to detect and prevent lateral movement.
  • EDR solutions may not be network-wide – In dynamic cloud environments, particularly those impacted by Shadow IT, there often isn’t the opportunity to install a host-based agent in the first place, leaving those resources completely unprotected by EDR.


CISA’s Call to Action: Prioritizing Network-Level Security

Recognizing the critical importance of cloud network security, the Cybersecurity and Infrastructure Security Agency (CISA) has issued recommendations for organizations to strengthen their defenses. Key recommendations include:

  • Full Traffic Encryption: Encrypt all network traffic at the network level, rather than relying solely on service provider encryption. This provides an additional layer of protection and ensures data confidentiality even if the underlying infrastructure is compromised.
  • Network Segmentation: Implement network segmentation and micro-segmentation to restrict lateral movement and limit the impact of a successful breach. Divide the network into isolated segments based on function or security level, and control traffic flow between segments using firewalls or other security controls.
  • Restricting External Communication: Prevent communication with unknown external hosts, especially for sensitive internal services. Implement egress filtering to block outbound connections to suspicious or malicious destinations, such as the Command and Control (C2) servers used by malware.
  • Reducing the Attack Surface: Minimize the attack surface by avoiding exposing internal services publicly. Do not route traffic over the public internet for internal services.


Adopting these fundamental network-level controls is no longer optional; it’s essential for building a resilient cloud security posture. These CISA recommendations form a crucial baseline defense, directly addressing the network pathways commonly exploited by sophisticated adversaries aiming to compromise cloud environments.


The Shortcomings of Traditional Network Security in the Cloud

The agility and scalability offered by cloud computing require a fundamentally different approach to network security than traditional data centers. In the cloud, developers and DevOps teams can quickly spin up new resources as needed. Attempting to funnel all traffic through a traditional next-generation firewall (NGFW), even if deployed in the cloud, creates a centralized bottleneck, limits scalability, and incurs high data transfer costs due to inspection of all traffic regardless of destination or risk profile.

Consider the scenario where all traffic is routed to a centralized cloud firewall, only to be dropped due to policy violations. This incurs unnecessary complexity and data transfer costs. Some organizations even transfer data back to on-premises firewalls for policy enforcement, adding further latency and complexity.

This centralized, choke-point approach also clashes with the horizontal scaling capabilities of cloud resources. As cloud workloads grow, the centralized firewall becomes a bottleneck, hindering performance and limiting scalability. Consequently, facing these performance limitations and operational friction, application or DevOps teams may be incentivized to bypass centralized security controls altogether, prioritizing workload accessibility and performance at the cost of network security visibility and enforcement.

Such bypassing actions not only weaken the security posture but also introduce significant compliance risks, as regulatory frameworks like ISO 27001, SOC 2, PCI DSS, and HIPAA mandate strict controls for protecting sensitive data, particularly in transit and at rest.

Ultimately, misrepresentation of the actual network security posture may result in scrutiny from regulatory entities, potentially leading to audits, consent orders, or significant financial penalties.


The Rise of Cloud-Native Network Security

The solution lies in adopting a cloud-native, distributed firewall architecture. A cloud-native firewall is built specifically for the cloud environment, embracing its elastic and horizontal scaling characteristics. The key requirements include:

  • Distributed Policy Enforcement: The ability to enforce network security policies, such as egress security, network segmentation, or micro-segmentation, as close to the workload as possible. This could be at the level of resources within a Virtual Private Cloud (VPC) or within a Kubernetes cluster. The distributed enforcement points must also horizontally scale as the workload grows, automatically adapting to changing resource needs.
  • Centralized Policy Management: Centralized policy management is crucial for scalability. Configuring individual firewalls is simply not feasible in dynamic cloud environments. A centralized management plane allows security teams to define and enforce policies consistently across the entire cloud infrastructure.
  • Cloud-Native Attribute Recognition: The ability to recognize cloud-native attributes, such as cloud service provider (CSP) tags or Kubernetes labels, as part of policy definition and enforcement allows for dynamic and context-aware security policies that automatically adapt to changes in the cloud environment.
  • Multicloud Consistency: The ability to enforce centralized, consistent policies across multiple clouds. For example, a resource in a staging environment on Azure should only be able to communicate with resources in the staging environments of AWS and GCP. This ensures consistent security posture across the entire multicloud infrastructure.
  • Infrastructure as Code (IaC) Support: Deep integration with IaC tools like Terraform is crucial. Cloud-native firewalls must be manageable and configurable through IaC, enabling App or DevOps teams to define and deploy network security policies as code, alongside their application infrastructure. This allows for consistent, automated, and repeatable deployments, aligning security with the speed and agility of modern cloud development practices.
  • Granular Network Insights and Visibility: Cloud-native firewalls should provide comprehensive, granular insights into network traffic, enabling data-driven security decisions. This includes visibility into traffic patterns, anomaly detection, and cost analysis, allowing security teams to quickly identify and respond to potential threats or inefficiencies. While network traffic generates a wealth of valuable data, resource constraints often prevent teams from collecting and processing all events. Cloud-native firewalls should offer intelligent filtering and prioritization to ensure that critical information is always available, facilitating effective response and resolution during outages or security incidents.
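The following policy evaluator is an added illustration, not Aviatrix product code or code from this post. It shows how the segmentation and egress-filtering baseline from the CISA list above combines with the attribute recognition and multicloud consistency requirements: workloads are matched by their env tag rather than by address, the Azure-staging-to-AWS-staging flow from the text is allowed, and cross-environment or unknown-external flows fall through to default deny. The workload names, addresses and the allowlisted CIDR are constructed sample values.

```python
"""Tag-aware segmentation and egress policy evaluator (illustrative example)."""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Workload:
    name: str
    cloud: str                                   # "aws", "azure" or "gcp"
    ip: str
    tags: dict = field(default_factory=dict)     # CSP tags / Kubernetes labels


# Constructed inventory: the Azure staging resource from the text plus two peers.
WORKLOADS = {
    "web-stg-azure": Workload("web-stg-azure", "azure", "10.1.0.10", {"env": "staging"}),
    "db-stg-aws":    Workload("db-stg-aws", "aws", "10.2.0.20", {"env": "staging"}),
    "db-prod-gcp":   Workload("db-prod-gcp", "gcp", "10.3.0.30", {"env": "prod"}),
}

# Rules are evaluated top-down, first match wins, and anything unmatched is denied.
POLICY = [
    # Segmentation: staging may only talk to staging, whichever cloud hosts it.
    {"src": {"env": "staging"}, "dst": {"env": "staging"}, "port": 5432, "action": "allow"},
    # Egress allowlist: staging may reach one constructed package-mirror range on 443.
    {"src": {"env": "staging"}, "dst_cidr": "203.0.113.0/24", "port": 443, "action": "allow"},
]


def _tags_match(selector: dict, tags: dict) -> bool:
    return all(tags.get(k) == v for k, v in selector.items())


def evaluate(src: Workload, dst_ip: str, port: int) -> str:
    """Return 'allow' or 'deny' for a flow from src to dst_ip:port."""
    dst = next((w for w in WORKLOADS.values() if w.ip == dst_ip), None)
    for rule in POLICY:
        if not _tags_match(rule["src"], src.tags) or rule.get("port") not in (None, port):
            continue
        if "dst" in rule and dst is not None and _tags_match(rule["dst"], dst.tags):
            return rule["action"]
        if "dst_cidr" in rule and ipaddress.ip_address(dst_ip) in ipaddress.ip_network(rule["dst_cidr"]):
            return rule["action"]
    return "deny"   # default deny: cross-environment and unknown external hosts are blocked


def denied_flows(flows: list) -> list:
    """Evaluate constructed flow records and return the ones the policy blocks,
    the events a security team would want surfaced first."""
    return [(f["src"], f["dst"], f["port"]) for f in flows
            if evaluate(WORKLOADS[f["src"]], f["dst"], f["port"]) == "deny"]
```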


By implementing cloud-native network security with these six key requirements, organizations can achieve the protection they need without sacrificing the agility and scalability that drove their cloud adoption in the first place.


CNNS and CNAPP: A Complementary Approach

Cloud-Native Network Security (CNNS) is complementary to Cloud-Native Application Protection Platforms (CNAPP) technologies. CNAPP solutions aim to secure cloud-native applications across their entire lifecycle, encompassing capabilities such as Cloud Security Posture Management (CSPM), Cloud Workload Protection (CWP), vulnerability management, and runtime threat detection.

While CNAPP solutions incorporate some network security controls, their primary focus is on the application layer. Conversely, cloud network security controls also offer application-layer capabilities (such as IPS or application-specific policies), but their core function remains at Layers 3 and 4 (network and transport layers).

These two approaches are complementary, not mutually exclusive. A robust cloud security strategy requires both. In short, CNAPP protects what resides in the cloud, while CNNS protects how data moves within and between clouds.

Furthermore, CNNS can enable CNAPP solutions to take action at the network level to mitigate identified threats, such as quarantining an infected cloud workload or blocking communication with a known malicious domain or IP address.


The Time to Act is Now

Procrastination is your cloud security’s worst enemy. The longer you postpone implementing robust cloud network security, the steeper the climb becomes.

With each new workload and expanding cloud footprint, securing your environment grows exponentially more intricate, increasing the risk of breaches and significant compliance violations. Therefore, early and deliberate planning, coupled with the execution of cloud network security measures, is essential.

As cloud environments mature and workloads proliferate, several critical challenges emerge:

  • Reducing the attack surface becomes increasingly difficult, as discerning necessary public services from inadvertently exposed ones grows complex, especially with Shadow IT.
  • Establishing proper egress controls turns into a laborious undertaking without proactive planning, leading to reactive analysis and inefficient allowlisting of external services.
  • Segmentation complexities escalate as diverse workloads intermingle, requiring significant effort to retrofit existing environments.


Compounding these issues, multicloud deployments, edge-to-cloud integrations, and VPN gateways necessitate robust, unified network security policies to prevent vulnerabilities and inconsistencies across the entire infrastructure.


Secure Your Cloud: Essential Steps for Network Protection

The shift to cloud computing has fundamentally changed the security landscape. Traditional network security approaches are no longer adequate to protect against modern threats. Cloud-native network security is essential for organizations to effectively secure their cloud environments.

By embracing a distributed, cloud-aware architecture, organizations can improve their security posture, reduce their attack surface, and enable secure innovation in the cloud. Investing in cloud-native network security is no longer an option; it is a necessity for organizations that want to thrive in the cloud era.

Don’t wait for a breach to prove the point—your cloud security is only as strong as its network foundation.


Explore how the Aviatrix Cloud Firewall can protect your network.