Keeping Them Out of Your Vault: Network Segmentation in the Cloud

When does a breach become lethal?

Is it the initial compromise, possibly due to unpatched vulnerabilities? Or, is it the exfiltration of valuable data – when a compromise becomes a breach and potentially a headline in the news cycle?

Semantics aside, there’s another, often ignored aspect in the evolution from compromise to breach, one with the potential to determine the magnitude of a cyberattack; lateral movement. For the purposes of this article, lateral movement refers to unauthorized movement between connected systems within a cloud environment. If unchecked, it can spell the difference between annoyance and outright panic for an organization.

Preventing Lateral Movement in the Cloud

Active monitoring of your environment helps, especially if you can catch threat actors as close to the initial compromise as possible. There’s even a useful metric for how long a compromise goes undetected, called dwell time. That’s all well and good, but it doesn’t address the core facilitator of lateral movement: improperly configured – or non-existent – network segmentation of a cloud environment.

Think of it this way: A bank branch can set up robust security processes to monitor customer access and movement. However, if they leave the vault unlocked and easily accessible from the lobby, it only takes one slip up before someone strolls out of the branch with cartoonishly large bags of money.

I can only imagine that post-incident, the first question from the police would be along the lines of “why didn’t you close the vault?” The same line of questioning applies to businesses operating in the cloud: “why isn’t your ‘vault,’ the area holding your most valuable data, protected from unauthorized access?”

The Importance of Network Segmentation

Another, and more direct, way to frame this question is, “why isn’t your cloud environment segmented?”

Understandably, there is a multitude of reasons for why an organization might not adhere to network segmentation best practices – many of which are tied to the challenges and frustrations of cloud migration. It’s easy for network segmentation to slip on the priority list when you’re still wrapping your head around the shift from on-premises to cloud resources. However, as we’ve hopefully made painfully clear, it can’t be ignored when orienting the security and control of a cloud environment.

Understanding how cloud segmentation differs from, and resembles, traditional segmentation is the first step toward implementing it; we cover both below.

How Network Segmentation is Different in the Cloud

When implementing network segmentation for traditional networks, firewalls are the essential technology. Most segmented networks utilize redundant external firewalls that strictly regulate traffic via firewall rules. Within the network, there are internal segmented firewalls (ISFWs) and ACLs (Access Control Lists) that control which users can gain access to particular network segments. Physical appliances such as external firewalls, internal routers, and switches are also critical.

Network segmentation in the cloud operates on similar principles but necessitates a different method of implementation. Many cloud infrastructures rely on software-defined networking (SDN). With the SDN approach, network access is controlled in software, using protocols such as OpenFlow, which work in conjunction with virtualized firewalls.

In a traditional structure, physical routers and switches would carry out these same functions.

But despite the different infrastructure, the basics of network segmentation remain the same. Within the cloud—and all virtual appliances that are part of the network—users should implement ISFWs between different network segments. Experts recommend installing ISFWs between different trust zones within the network. So if a network segment (such as a particular application) requires a different trust level than another segment, an ISFW should be implemented between the two. This allows organizations to grant access to users as needed without the risks of a fully open network.

Best Practices for Network Segmentation

There are many best practices to keep in mind when implementing network segmentation in the cloud, including:

  • Understand the SDN methods utilized by your cloud provider, as well as the method utilized by any outside cloud-based applications. Their methods will determine your segmentation requirements.
  • Familiarize yourself with the network segmentation tools offered by your cloud provider. AWS, Azure, and other reputable cloud providers offer users a range of segmentation features. AWS, for example, allows users to create subnets, which are sub-networks within the larger virtual cloud. Subnets may be set to public, private, or protected.
  • While we talk of “the cloud,” that term is somewhat misleading. In some cases, it may be beneficial to host particular data and applications on separate Virtual Private Clouds (VPCs). AWS allows users to create multiple VPCs from the same account.
  • Make use of tools that allow you to control network traffic. Most virtualization platforms provide specialized tools that allow management and production traffic to be segmented.
  • You can also utilize switch-based network segmentation in the cloud. There are different ways to deploy VLAN tags in order to segment your network. Private VLANs (PVLANs) can also be deployed in certain circumstances.
  • Don’t overlook higher-level segmentation: segmentation that regulates which IP addresses can access network segments. There are many tools available to do this, including firewall rule sets and load balancers.
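As an added illustration of the last two points (this is not code from the original article), here is a small Python audit that checks AWS security-group ingress rules against a tier-to-tier allow-list, flagging any rule that lets a source reach a segment the policy does not permit. The POLICY, the Tier tags and the security groups are constructed for the example; the input shape mirrors boto3's describe_security_groups output so the same function could be pointed at real data.

```python
# Audit AWS security-group ingress rules against a tier-to-tier allow-list.
# Input has the shape of boto3's ec2.describe_security_groups()["SecurityGroups"],
# but the groups below are constructed samples so the script runs offline.

# Policy (assumed for this example): destination tier -> {source: allowed TCP ports}.
# A source is another tier (the Tier tag on its security group) or a CIDR; anything
# not listed is a segmentation violation.
POLICY = {
    "public": {"0.0.0.0/0": {443}},
    "app": {"public": {8080}},
    "data": {"app": {5432}},        # the "vault": only the app tier, only Postgres
}

SECURITY_GROUPS = [  # constructed sample data, not real AWS output
    {"GroupId": "sg-public", "Tags": [{"Key": "Tier", "Value": "public"}], "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []}]},
    {"GroupId": "sg-app", "Tags": [{"Key": "Tier", "Value": "app"}], "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080,
         "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-public"}]}]},
    {"GroupId": "sg-data", "Tags": [{"Key": "Tier", "Value": "data"}], "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
         "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-app"}]},
        # The unlocked vault: the database also answers to the public tier and the whole internet
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": [{"GroupId": "sg-public"}]}]},
]

def tier_of(group):
    return next((t["Value"] for t in group.get("Tags", []) if t["Key"] == "Tier"), None)

def rule_ports(perm):
    # IpProtocol "-1" means every protocol and port; such rules carry no port fields
    if perm["IpProtocol"] == "-1" or "FromPort" not in perm:
        return None
    return set(range(perm["FromPort"], perm["ToPort"] + 1))

def audit(groups, policy):
    """Return (group id, source, ports) for every ingress rule the policy does not allow."""
    tiers = {g["GroupId"]: tier_of(g) for g in groups}
    findings = []
    for g in groups:
        allowed = policy.get(tiers[g["GroupId"]], {})
        for perm in g.get("IpPermissions", []):
            ports = rule_ports(perm)
            sources = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            sources += [tiers.get(p["GroupId"], p["GroupId"]) for p in perm.get("UserIdGroupPairs", [])]
            for src in sources:
                if ports is None or not ports <= allowed.get(src, set()):
                    findings.append((g["GroupId"], src, "all" if ports is None else sorted(ports)))
    return findings
```

Running `audit(SECURITY_GROUPS, POLICY)` reports only the two rules on sg-data that let the public tier and 0.0.0.0/0 reach port 5432; the properly tiered rules pass.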

Taking Network Segmentation Seriously

These best practices, together with a firm understanding of network segmentation in the cloud, are the best way to avoid an uncomfortable situation where a post-breach auditor asks why you didn’t prevent lateral movement by at least “locking the vault.”
