
Aviatrix Blog

Enterprise Multicloud Networking



Zero Trust at the Cloud Edge is Solved – But We Can’t Stop There

Photo by Philipp Katzenberger on Unsplash

Secure access service edge (SASE) has been one of the most important innovations for security over the last three years. By granting businesses deep insight into their users and devices, zero trust network access (ZTNA) can now be informed by multiple levels of context, which makes it much harder for traditional attacks to evade the access controls that safeguard private data.  


Many SASE vendors emphasize the need for ZTNA at the network edge, where the boundary of a private trusted network touches an untrusted one, such as the Internet. This is necessary because many bad actors originate from, or use, the Internet as their primary vector of attack.


While ZTNA at the edge is critical, it cannot stop there. Effective zero trust architectures must assume that edge defense systems will eventually suffer a breach and that sophisticated breaches are almost impossible to detect. The inside of your private network, where all your business-critical applications are running, must also be protected by a ZTNA approach tailored for this environment. This “east/west” axis, between private applications, is where SASE platforms can hit their limits, and other approaches must be used. 


Challenges with Adapting ZTNA Controls in the Cloud  


Awareness of application context allows ZTNA policy to be based on attributes that align directly with business, governance, and compliance outcomes. In the cloud, however, gaining access to this context is more difficult than it initially seems.  


First, IP addresses are a poor source of application context because they change, overlap, get re-used, and are opaque. They also yield no metadata about the application and are thus one-dimensional.


To compensate for this, application context is learned by special network devices called proxies that sit between a server and client and can read the application data without disturbing the natural flow of the conversation. For this reason, they are referred to as “man-in-the-middle” or MITM devices; they are configured to not be detected by the application or the end user. Because most application data is encrypted, they also use special cryptographic libraries to open the encrypted data stream, read the application data, then re-encrypt it.   


However, most virtual machines in the cloud lack the specialized hardware needed to run these cryptographic libraries at peak performance, a key differentiator with traditional datacenters. To make matters worse, typical MITM functions like application-centric firewalling, load balancing, and threat detection must be split into separate tiers in the cloud, as converging these roles into a single set of VMs is simply untenable. The result here for east/west traffic is at best a zero-sum game – you can gain application awareness and context by inserting proxies into your design, but now critical internal traffic suffers from latency, cost, and complexity. Many cloud architects are not willing to make this tradeoff or choose only to use MITM designs for a precious subset of business-critical applications.  


Finally, due to automation, cloud applications are deployed and scaled at a rapid pace, which makes it difficult to apply net-new zero trust policy to applications without slowing them down or blocking (and breaking) them completely. Cloud security teams find themselves in an endless cat-and-mouse game when trying to discover new applications and apply the access control policies needed to enforce zero trust, and this becomes more complicated still whenever cloud applications work together with public PaaS and SaaS services. Hackers and malicious actors are aware of this challenge and use it to their advantage with a kind of attack called “privilege escalation”, which preys upon east/west traffic that has missing or weakened access control policies.


While challenges abound for both businesses and cloud security teams regarding zero trust within cloud networks, all is not lost. There are several powerful new tools and platforms that are designed to directly address these challenges, and make it far more simple, effective, and cost efficient to build out robust zero trust architectures that can move at the speed of business.   


The Aviatrix Zero Trust Advantage: SmartGroups 


Unlike traditional firewalls, the Aviatrix Distributed Cloud Firewall (DCF) enforces policy based on SmartGroups, which track grouped cloud-native objects, such as VPCs/VNets, subnets, and VMs, by their tagged definitions. SmartGroups are highly customizable yet present a uniform, consistent way of building zero trust policy based on application context that is both cloud-aware and cloud-agnostic.


SmartGroups solve many of the challenges with building and maintaining a robust cloud security architecture based on core ZTNA principles. First, SmartGroups continuously adjust the scope of enforcement based on live awareness of your tagged data. This allows SmartGroups to dynamically adjust to meet the precise demands that cloud applications require, saving precious time and resources for both DevOps and cloud security teams alike.  In fact, cloud asset tags are a powerful tool to help enable DevSecOps scenarios. On the security side, tags can be used to describe a blessed and tested access policy. On the DevOps side, tags can be incorporated into CI/CD pipelines such that applications are literally built with the required security policy straight out of the gate.  


Second, SmartGroups provide an ingenious and powerful way to understand application context without having to insert MITM devices in between all your application traffic. Instead, SmartGroups cleverly use “out of band” application metadata for this purpose: cloud native asset tags. Cloud asset tags are ubiquitous, flexible, and can be used to assign multi-dimensional data to an application, such as its location, purpose, platform, user-type, and so forth. SmartGroups support nesting, such that one object can be a member of multiple contexts at once.  


Third, SmartGroups form the basis of a unified, simple policy model for zero trust across one or more clouds. Regardless of the underlying cloud platform, all tagged objects are treated equally, and enforcement is carried out in a consistent manner for all objects within a SmartGroup. For example, the end user simply needs to declare that SmartGroup “Web1” can talk to SmartGroup “App1” over “Port 443”, and every object that is part of those two SmartGroups, regardless of the underlying platform, will fall under that policy. Additionally, the Aviatrix DCF only applies the access policies in the parts of the network where they need to be enforced. This makes for one very lean, mean machine that can hit massive scale, yet can be built on small or micro VM SKUs for big cost benefits.
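To make the tag-based policy model concrete, here is a small added example (illustrative code, not Aviatrix's implementation or API): groups select assets by cloud tags, a group can nest other groups, policy is declared group-to-group as in the Web1/App1/443 example above, and evaluation is default-deny and never consults an IP address. All asset names, tags and addresses are constructed for the example.

```python
# Added example, not Aviatrix code: tag-based east/west zero-trust policy.
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Asset:
    name: str
    cloud: str   # "aws", "azure", ...: irrelevant to policy
    ip: str      # deliberately ignored: IPs overlap and get reused
    tags: dict

@dataclass
class SmartGroup:
    name: str
    selector: dict                                # all tag pairs must match
    members: list = field(default_factory=list)   # nested groups

    def contains(self, asset: Asset) -> bool:
        direct = bool(self.selector) and all(
            asset.tags.get(k) == v for k, v in self.selector.items())
        return direct or any(g.contains(asset) for g in self.members)

def evaluate(groups, rules, src: Asset, dst: Asset, port: int) -> str:
    """Default deny: allow only a flow matching a (src_group, dst_group, port) rule."""
    for src_group, dst_group, rule_port in rules:
        if (rule_port == port and groups[src_group].contains(src)
                and groups[dst_group].contains(dst)):
            return "allow"
    return "deny"

# Constructed sample inventory; note the overlapping IP across two clouds.
WEB1 = SmartGroup("Web1", {"app": "shop", "tier": "web"})
APP1 = SmartGroup("App1", {"app": "shop", "tier": "app"})
LOGS = SmartGroup("Logs", {"role": "logging"})
SHOP = SmartGroup("Shop", {}, members=[WEB1, APP1])   # nested: Web1 + App1
GROUPS = {g.name: g for g in (WEB1, APP1, LOGS, SHOP)}
RULES = [("Web1", "App1", 443), ("Shop", "Logs", 514)]
ASSETS = {a.name: a for a in (
    Asset("web-a", "aws", "10.0.1.5", {"app": "shop", "tier": "web"}),
    Asset("app-b", "azure", "10.0.1.5", {"app": "shop", "tier": "app"}),
    Asset("db-c", "aws", "10.0.2.9", {"app": "shop", "tier": "db"}),
    Asset("log-d", "aws", "10.9.0.2", {"role": "logging"}),
)}

def check(src: str, dst: str, port: int) -> str:
    return evaluate(GROUPS, RULES, ASSETS[src], ASSETS[dst], port)

def deploy(asset: Asset) -> None:
    """A newly tagged asset inherits policy with no rule change (CI/CD case)."""
    ASSETS[asset.name] = asset
```

Note that web-a and app-b share an address in different clouds yet are still told apart, and that a new app-tier asset deployed with the right tags is covered by the existing rules without anyone touching the policy.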


Finally, to enable a wider set of use cases including hybrid, SmartGroups support policy enforcement based on conventional IP addresses, and the Aviatrix DCF supports traditional MITM security capabilities such as TLS encryption/decryption, threat detection, URL filtering, and log data export to a huge variety of SIEM systems – both traditional and cloud native.   



Aviatrix and SASE: The Complete Picture 


Aviatrix DCF and SmartGroups provide intelligent, distributed security across your entire cloud network, and also support integration with all major SASE and edge security vendors for a complete ZTNA architecture, both at the edge and in between all of your cloud applications.


The integration of Aviatrix with SASE solutions offers businesses a compelling “better together” perspective. It’s a combination that blends the edge-centric approach of SASE with the cloud-native depth of Aviatrix, safeguarding not just the perimeter of your network but extending deep into the cloud environment where your applications and data reside. Aviatrix makes it simple to integrate any SASE platform that supports IPsec without requiring any changes to the existing cloud architecture.


As your cloud footprint grows, so does the complexity of operating and managing thousands of trusted relationships among and between applications. Using traditional approaches to solving these challenges can lead to rising costs, decreased performance, and increased risk. By combining the advantages of SASE at your network edge with the power and agility of Aviatrix DCF and SmartGroups, you will gain a fully mature, built-for-cloud ZTNA architecture that will help you simplify and accelerate your business.


Ready to enhance your zero trust cloud architecture? Check out Aviatrix DCF, or get in touch to learn more.