
The Future of Cloud Network Security: Insights from Aviatrix on AWS Security LIVE!

AWS Security LIVE! is a Twitch show focused on AWS and AWS Partners solving security challenges for customers. In a recent episode, Chris McHenry, VP of Product Management at Aviatrix, joined hosts Margo Cronin, Principal Solution Architect, Security & Compliance at AWS, and Rob Hale, Principal Security Segment Leader, EMEA at AWS. Together, they explored Aviatrix’s unique approach to cloud network security, zero trust, and the prioritization of different traffic patterns.  

 

Zero Trust and Network Segmentation 

 

Rob and Margo began the discussion by asking Chris what zero trust means to him. Although Chris expressed concern that the term implies perfection (and IT projects are not executed to perfection), he believes zero trust is still an important shift in the way that customers approach cloud security posture.  

 

He noted how Aviatrix approaches zero trust with a focus on network segmentation and restricting service-to-service traffic to help customers solve problems.  

 

Breaking Network Security Down to Enable Prioritization  

 

As the discussion transitioned to the common challenges customers face in cloud security, Chris shared that many customers are not breaking cloud network security down into different traffic patterns. He noted that customers should break network security down into ingress, egress, and east-west traffic because “breaking it down helps customers prioritize.”   

 

Although all three traffic patterns are important, Chris sees ingress as the biggest risk and highest priority, since internet-facing applications that interact with users must be protected from inbound attacks.

 

Your next highest priority, according to Chris, should be egress, which is “oftentimes super underappreciated because it’s been challenging to implement, but it’s the second most important. It’s the other internet perimeter.”  

 

On east-west traffic, Chris shared how people make the mistake of focusing too much on internal policies before securing the internet perimeter: “I see a lot of people trying to solve it [east-west], but it feels like you’re almost jumping the priorities a little bit because you’re saying, ‘I’m going to reduce the blast radius internal to my network, but I have a giant gaping hole on my internet perimeter.’”  

 

Breaking network security down in this way simplifies it for businesses, helping them understand where to focus first to improve their cloud security posture.

 

Leveraging Identity Controls to Improve Security Posture 

 

Breaking network security down into these three different traffic patterns also helps with identity controls. Chris emphasized the need to move away from using IP addresses when defining network security policies and instead use dynamic identity attributes or tags, so policies can be more flexible, precise, and cloud-oriented.  

 

Chris explained, “As long as you’re thinking about the individual traffic patterns and how [you] can use things that are dynamic, then we can really reduce the friction associated with managing zero trust policy.”  

 

Rob added, “Everything in the cloud starts with an identity…Make sure you have a strong foundation with identity.” Margo also expanded on this by explaining that we need identity controls and policy languages that are “expressive, performant, and provable” to meet business needs.  

 

On policy semantics, Aviatrix intentionally built Distributed Cloud Firewall with a familiar policy language so that policies are easily auditable and provable. This ensures that the teams managing these policies also understand them, which is one way businesses can rapidly improve security posture.
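As an added illustration, not part of the original post and not the policy language of Aviatrix's Distributed Cloud Firewall, the Python sketch below puts the two ideas from this section and the previous one together: each flow is first classified as ingress, egress or east-west, and rules are then matched on workload tags (role, environment) rather than on IP addresses. The addresses, tags, inventory and rule names are constructed for the example; the "legacy" IP allow-list stands in for the address-based approach the text argues against, and the inventory change models a workload being redeployed on a new address with its old address reused.

```python
"""Tag-based network policy evaluation (constructed example).

Flows are classified as ingress / egress / east-west by address scope, then
matched against rules written in terms of workload tags, deny by default.
Every address, tag and rule name here is made up for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, FrozenSet, List, Set, Tuple

# Assumption: these ranges are "inside"; anything else is the internet.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
                 ip_network("192.168.0.0/16")]


def is_internal(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def classify(src_ip: str, dst_ip: str) -> str:
    """Return the traffic pattern the flow belongs to (the text's breakdown)."""
    src_in, dst_in = is_internal(src_ip), is_internal(dst_ip)
    if src_in and dst_in:
        return "east-west"
    if dst_in:
        return "ingress"      # internet -> internal
    if src_in:
        return "egress"       # internal -> internet
    return "transit"          # neither side is ours


@dataclass(frozen=True)
class Rule:
    name: str
    direction: str            # ingress | egress | east-west
    src_tags: FrozenSet[str]  # all must be present on the source; empty = any
    dst_tags: FrozenSet[str]  # all must be present on the destination
    ports: FrozenSet[int]     # empty = any port
    action: str               # allow | deny


Inventory = Dict[str, FrozenSet[str]]   # ip -> tags, maintained by the platform


def tags_for(ip: str, inventory: Inventory) -> FrozenSet[str]:
    """Unknown internet peers get a synthetic zone tag; unknown internal
    workloads get no tags at all, so no tag-based allow rule can match them."""
    if ip in inventory:
        return inventory[ip]
    return frozenset({"zone:internet"}) if not is_internal(ip) else frozenset()


def evaluate(src_ip: str, dst_ip: str, dport: int,
             rules: List[Rule], inventory: Inventory) -> Tuple[str, str]:
    """First matching rule wins; the rule name is returned for audit trails."""
    direction = classify(src_ip, dst_ip)
    src_tags, dst_tags = tags_for(src_ip, inventory), tags_for(dst_ip, inventory)
    for r in rules:
        if r.direction != direction:
            continue
        if not (r.src_tags <= src_tags and r.dst_tags <= dst_tags):
            continue
        if r.ports and dport not in r.ports:
            continue
        return r.action, r.name
    return "deny", "default-deny"


def legacy_allowed(src_ip: str, dst_ip: str, dport: int,
                   allowlist: Set[Tuple[str, str, int]]) -> bool:
    """The address-based approach: a static (src, dst, port) allow-list."""
    return (src_ip, dst_ip, dport) in allowlist


# Constructed policy, ordered by the priorities in the text.
RULES = [
    Rule("ingress-web", "ingress", frozenset({"zone:internet"}),
         frozenset({"role:web"}), frozenset({443}), "allow"),
    Rule("app-egress-https", "egress", frozenset({"role:app"}),
         frozenset({"zone:internet"}), frozenset({443}), "allow"),
    Rule("web-to-app", "east-west", frozenset({"role:web", "env:prod"}),
         frozenset({"role:app", "env:prod"}), frozenset({8080}), "allow"),
]

# Constructed inventory before and after the app tier is redeployed: the app
# moves to .21 and its old address is handed to a dev batch job.
INVENTORY_V1: Inventory = {
    "10.0.1.10": frozenset({"role:web", "env:prod"}),
    "10.0.2.20": frozenset({"role:app", "env:prod"}),
}
INVENTORY_V2: Inventory = {
    "10.0.1.10": frozenset({"role:web", "env:prod"}),
    "10.0.2.21": frozenset({"role:app", "env:prod"}),
    "10.0.2.20": frozenset({"role:batch", "env:dev"}),
}
LEGACY_ALLOWLIST = {("10.0.1.10", "10.0.2.20", 8080)}   # written against V1


if __name__ == "__main__":
    for inv in (INVENTORY_V1, INVENTORY_V2):
        print(evaluate("10.0.1.10", "10.0.2.20", 8080, RULES, inv),
              evaluate("10.0.1.10", "10.0.2.21", 8080, RULES, inv))
```

After the redeploy the tag-based rule keeps allowing web to app on the new address and stops allowing traffic to the reused old address, because the batch job carries neither `role:app` nor `env:prod`. The static allow-list does the opposite on both counts: it still permits the stale address (now a dev workload) and silently breaks the real app path, which is the operational friction the discussion attributes to IP-based policy.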

 

Adjusting Our Approach to Security as We Move to the Cloud 

 

Because the cloud provides many new capabilities, businesses need to rethink their approach to security rather than lifting and shifting their on-prem security architectures into the cloud. Rob, Margo, and Chris discussed the problems with this lift-and-shift approach and the need for businesses to adapt their traditional security controls to native cloud services while still applying the core security principles of visibility, identity, and control.

 

We are working towards similar outcomes with perimeter security and microsegmentation, but it is important to approach cloud security in a way that is oriented around cloud-native principles. That is how you gain maximum value from your cloud investment.

  

Industry Trends: Security in Retail, Financial Services, and B2B Connections 

 

As PCI compliance requirements expand in scope beyond just credit card data to other sensitive areas of the business, retail companies are prioritizing efforts to lock down internet egress.  

 

Additionally, Chris shared that the financial services industry has microsegmentation top of mind and is looking into identity-based network segmentation in the cloud. There is also demand for securing B2B connections: interacting with another organization's domain brings unique security requirements, and businesses need to make that connection resilient while granting explicitly specified, auditable access to their environment.

 

This engaging conversation on AWS Security LIVE! with Aviatrix showcased that a successful future in cloud network security hinges on prioritizing traffic patterns, shifting to identity-based security policy, and adapting to cloud-native principles. The journey in cloud security can be complex, but with leaders like Aviatrix and AWS illuminating the path, the future of cloud network security is bright with promise.

 

Watch the full discussion on-demand here.

 

Interested in enhancing native AWS network capabilities with security, visibility, and seamless integration? Learn about the combined power of Aviatrix on AWS here.

 

Join us at our next Aviatrix and AWS Immersion Day for hands-on labs and insights into enterprise-class cloud networking, security, and operational visibility. Register here. 