Since organizations began moving their networks to the cloud, security risks have multiplied – and network security is slow to catch up. In a recent webinar, Aviatrix CEO Doug Merritt and ESG Principal Analyst John Grady discussed where cloud security is falling behind cyberthreats and how it can recover ground.
What You’ll Learn:
Why the transition to the cloud requires a new security framework
The necessity and difficulty of a true zero trust approach
The greatest challenges for CISOs, CTOs, COOs, and other tech leaders
How Cloud Native Security Fabric (CNSF) as a category closes security gaps with pervasive, multicloud protection and policy enforcement
The Philosophical Shift Needed for Cloud Network Security
According to Doug Merritt, the rise of cloud, agentic AI, serverless, and ephemeral functions makes a more aggressive, philosophical shift necessary.
“Going back through millennia of human thought around security, physical security for homes and businesses has been protection-oriented,” he said. “It uses a castle-moat framework and a series of layered defenses that prevent bad people from accessing things you care about.”
The cloud has shifted a number of things. The old world of physical data centers with thick and well-built walls, biometric scanning, and background checks that kept the interior safe worked well until we connected the internet to the data center.
North-south traffic, or traffic entering and leaving the network, became an area of concern. East-west traffic within the network became a blind spot. The old model could reasonably assume that east-west traffic within the castle was safe; in the cloud, a lack of visibility for that internal traffic allows attackers to move laterally without detection.
The “castle” is no longer safe – it's not even a castle anymore:
The perimeter has multiplied – The firm perimeter that once existed has vaporized into tens of thousands of perimeters around every workload you put into the cloud: VPCs, serverless functions, Kubernetes containers, each of which needs to be watched and protected.
Threats come from within – Many breaches originate inside the environment: an employee mistake or misconfiguration opens a door, and a malicious actor capitalizes on it.
The cloud is ephemeral – Static workloads have become ephemeral with technology like Kubernetes clusters, and basing security and identity on a static IP address no longer works; the address a workload holds today may belong to a different workload tomorrow.
“Cloud networking demands a shift in philosophical orientation,” Doug said.
Why Zero Trust is Still Gaining Ground
John Grady explained how the zero trust framework was designed to help organizations redesign their network security for the cloud with an “assume breach” mindset. When you shift to a distributed infrastructure and cloud, you can no longer assume that an entity should be trusted just because of where it is.
Zero trust involves enforcing authentication and least-privilege authorization for every request. The problem is that most implementations have focused on the user and remote access. Given the COVID pandemic five years ago that forced everyone to be remote, that’s understandable, but now networks need to extend the same treatment to applications and workloads.
He explained another reason why zero trust hasn’t been adopted more widely: a lack of proper tools. Zero trust requires a toolset that can keep pace with cloud environments that are constantly changing and scaling. As those tools come to market, enterprises become more likely to adopt the model.
What is a Cloud Native Security Fabric (CNSF)? The Third Leg of the Zero Trust Stool
Doug explained that Aviatrix’s new category of cloud network security, a Cloud Native Security Fabric, answers the challenges of modern networking with pervasive security embedded in the fabric of your network.
He used an analogy: think of zero trust as a three-legged stool. The legs are identity, endpoint, and network. While many organizations have security that covers the first two legs, many are missing the network component.
Every PaaS service, endpoint, and VPC needs to be observed for communication into and between workloads. Beyond that, organizations need security that can take action and enforce policy on that communication. With the many critical vulnerabilities in cloud environments, it’s not difficult for bad actors to get in and find a foothold; what you can do is be prepared to stop them from moving further, in real time.
“CNSF is about a zero trust cloud workload stance to complement the endpoint and identity elements and close that loop and create the third leg of the stool,” Doug explained.
Rising Cyberattacks Require a New Approach
Every week, almost every day, heralds a new cyberattack – many of them huge breaches. “The volume of attacks is getting almost deafening,” Doug said.
The attackers are getting more organized; AI is helping them become much more persistent; many tech leaders are forced to step back and ask why all the expensive technology they’ve deployed isn’t protecting them.
The consistency of data breaches points back to the need for CNSF: a pervasive network security fabric that thoroughly blankets all workloads within any cloud and across clouds.
The “lift and shift” approach of building a cloud environment that still looks like your old on-premises one doesn’t work, even if you take the “defend the perimeter at all costs” approach using cloud service provider (CSP) tools and next-generation firewalls. These workloads are difficult to protect with traditional means because cloud workloads no longer sit on stable IP addresses. Many workloads are ephemeral and can’t be labeled with one static attribute. CNSF deploys natively in the cloud fabric and takes a different approach to observing and enforcing.
Greatest Challenges in Cloud Network Security
John Grady addressed the greatest challenges of cloud network security today: lateral movement and visibility.
For organizations that lack visibility into east-west traffic and still use the perimeter model, once an attacker gains a foothold inside the network, security teams don’t have the control to act quickly. The microsegmentation capabilities of CNSF are intended to give teams that control: a default-deny policy between workloads so that a compromised workload cannot reach anything it was never meant to talk to.
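To make the two points above concrete (identity derived from workload labels rather than from ephemeral addresses, and default-deny evaluation of east-west traffic to surface lateral movement), here is an added Python example. It is not Aviatrix code and does not represent how CNSF is implemented; the inventory, labels, policy rules and flow records are all constructed for the illustration.

```python
"""Label-based east-west policy check over constructed flow records.

Added example, not vendor code. Shows:
  * workload identity taken from labels (what the orchestrator or cloud API
    says an address is right now), not from the address itself;
  * default-deny evaluation of internal (east-west) flows, so a flow that
    matches no allow rule is reported as possible lateral movement.
Every name, label, address and flow below is constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed inventory: address -> labels at the time of the flow.
# Addresses are ephemeral; the labels are the stable identity.
INVENTORY = {
    "10.0.1.10": {"app": "web", "env": "prod"},
    "10.0.1.11": {"app": "web", "env": "prod"},   # same service after a reschedule, new IP
    "10.0.2.20": {"app": "api", "env": "prod"},
    "10.0.3.30": {"app": "db", "env": "prod"},
    "10.0.4.40": {"app": "ci-runner", "env": "dev"},
}
INTERNAL = [ip_network("10.0.0.0/8")]   # assumed private address space


@dataclass
class Rule:
    src: dict        # label selector; every key must match
    dst: dict
    ports: frozenset


# Default-deny east-west policy: only these label pairs may talk, on these ports.
POLICY = [
    Rule({"app": "web", "env": "prod"}, {"app": "api", "env": "prod"}, frozenset({8443})),
    Rule({"app": "api", "env": "prod"}, {"app": "db", "env": "prod"}, frozenset({5432})),
]


def matches(selector, labels):
    return all(labels.get(k) == v for k, v in selector.items())


def is_internal(ip):
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL)


def classify(flow):
    """Return 'north-south', 'allowed', 'denied' or 'unknown-workload'."""
    src, dst, port = flow["src"], flow["dst"], flow["dport"]
    if not (is_internal(src) and is_internal(dst)):
        return "north-south"           # perimeter traffic; handled elsewhere
    s, d = INVENTORY.get(src), INVENTORY.get(dst)
    if s is None or d is None:
        return "unknown-workload"      # an internal address nobody claims is itself a finding
    for rule in POLICY:
        if matches(rule.src, s) and matches(rule.dst, d) and port in rule.ports:
            return "allowed"
    return "denied"                    # default deny for everything east-west


def find_lateral_movement(flows):
    """Return the flows that violate east-west policy, annotated with labels."""
    findings = []
    for flow in flows:
        verdict = classify(flow)
        if verdict in ("denied", "unknown-workload"):
            findings.append({**flow, "verdict": verdict,
                             "src_labels": INVENTORY.get(flow["src"]),
                             "dst_labels": INVENTORY.get(flow["dst"])})
    return findings


# Constructed flow records (simplified VPC-flow-log style).
FLOWS = [
    {"src": "203.0.113.5", "dst": "10.0.1.10", "dport": 443},   # ingress: north-south
    {"src": "10.0.1.10", "dst": "10.0.2.20", "dport": 8443},    # web -> api: allowed
    {"src": "10.0.1.11", "dst": "10.0.2.20", "dport": 8443},    # same service, new IP: still allowed
    {"src": "10.0.1.10", "dst": "10.0.3.30", "dport": 5432},    # web -> db directly: lateral movement
    {"src": "10.0.4.40", "dst": "10.0.3.30", "dport": 22},      # dev runner -> prod db over SSH
    {"src": "10.0.9.99", "dst": "10.0.2.20", "dport": 8443},    # address absent from inventory
]

if __name__ == "__main__":
    for finding in find_lateral_movement(FLOWS):
        print(finding)
```

The third flow is the point of the label approach: the web service was rescheduled onto a new address, and an IP-based rule would either break the application or require a rule update, while the label-based rule still allows it. The fourth and fifth flows would have passed a perimeter-only firewall entirely, since neither crosses the perimeter; they are only caught because east-west traffic is evaluated against an explicit allow list.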
John also highlighted visibility as a challenge. Between security teams, networking teams, and application owners, there is a lot of complexity in understanding who’s doing what and keeping pace with it. Attackers move much faster than they did in the past.
Greatest Challenges for CISOs
Doug addressed the greatest challenges for CISOs today. “I have such a deep empathy for the CISO job,” he said. “It’s one of the hardest jobs of any function in any industry. The speed that CEOs are demanding for their teams, especially with AI raising its head, puts so much pressure on the CEO.”
Every CEO pushes their tech teams to go faster, deploy more products, determine a GenAI strategy, and go as thoroughly and quickly as possible. CISOs struggle to keep up with the pace of change in their organizations and worry about compliance, regulatory structures, and maintaining a thorough view of rapidly evolving environments. They can’t just tell the board room that they need to “slow down.”
The number one question for CISOs now is, “How do I keep pace with Dev teams and still do my job? If I don’t, I’ll still get blamed.”
Tool fatigue is a related issue. There are many specialty tools for different areas of network security, creating an overwhelming environment for CISOs who are simultaneously trying to keep up with compliance and regulatory changes.
CISOs need a strategy for security and presenting security to the boardroom as an accelerant for the business, something that enhances enterprise value instead of slowing down innovation.
John added that ransomware, more sophisticated nation-state attacks, and supply chain attacks are also a rising issue for CISOs. Many believe that AI will give the attackers an advantage more than the defenders.
What is at Stake with Cloud Network Security?
Doug described the grim reality of cybersecurity: attackers are much more organized. They are well-funded collectives who use the latest agentic capabilities, are tech-first, and often have nation-state backing. Many people fixate on exactly how a data breach happened, but the underlying reason is that initial access is easy to get and attackers are patient.
“Attackers think in graphs, and we organize in silos,” he said. “They're looking for connections and patterns, understanding the entire landscape of an organization, and taking their time. If you just do 'egress security’ without a pervasive fabric that monitors and can enforce communication, with those two you can really stop the movement and have bad folks execute their attack.”
So what is at stake if we can’t defend our organizations from patient, persistent attacks? “There isn't a major service I can think of in our economy today that wouldn't be dramatically impacted if the entity that provides that service goes down,” Doug said. He listed a few: prescription services, drug scripts, airlines, Uber deliveries.
“There is no corner of our society where the thing I'm trying to get done is not dependent on an online capability,” he said. “That online capability is going to the cloud now. If we can't take a more pervasive ZT approach, our way of life is deeply threatened.”
Considering the seriousness of cyberthreats, there are two reasons why Aviatrix chose the term “fabric” for Cloud Native Security Fabric:
To do network security effectively inside a cloud or between clouds, it has to be pervasive (think of a blanket that completely covers you, leaving no workload exposed).
Fabric is a weave that incorporates different elements into one end result. CNSF can “weave” in, or integrate with, preexisting structures and tools instead of requiring an expensive rip-and-replace.
“Like Riding a Motorcycle”: Preparing for the Worst in Cloud Network Security
Doug compared running a business in today’s cyberworld to riding a motorcycle. Road accidents are a matter of when, not if. Are you prepared to detect a bad entity in your estate and contain that movement? Board members and CEOs need to gravitate toward that way of thinking and find ways to empower their CISO without slowing down the speed of the business.
Aviatrix Cloud Native Security Fabric, as the third leg of the zero trust stool, allows CISOs to operate at the speed of development, keeping up with both innovation and potential threats.
Watch the full webinar here.
Download our whitepaper to learn more about CNSF.
Register for a webinar on August 5 to gain insights from Aviatrix’s State of Cloud Network Security: 2025 report.