How to Improve Security Posture After AWS Migration?

Asked By CyberNinja299 On

I recently finished migrating our production workloads to AWS and was initially relieved thinking the toughest part was over. However, I've realized that our on-premises security measures didn't carry over with the migration. Back when we were on-prem, we had robust network-layer controls in place such as traffic inspection, data loss prevention (DLP), and strict access policies. Now that we're in the cloud, many of those protections seem to be absent. Internal traffic within the VPC doesn't get inspected, and remote employees can access cloud-hosted applications directly without any of our controls in place. I'm currently using some cloud-native security tools, but they don't align well with our existing on-prem policies and I lack a comprehensive view across both environments. Is this a common challenge in hybrid cloud security, and are there strategies or architectures that can help bridge this gap instead of just managing it?

6 Answers

Answered By CloudSavvy101 On

What you’re experiencing is a pretty common realization after a lift-and-shift migration. A more effective long-term strategy could involve re-platforming your workloads to leverage cloud-native security features that better align with your requirements and risks.

NimbleDevTech -

Great point! But the issue is that many of us can't afford to completely redesign our production systems overnight. Any quicker strategies for current setups?

Answered By Secur3Privacy On

It sounds like you've shifted from a network-based security model to one that relies more on identity. The new paradigm often requires rethinking how to enforce policies, especially for service-to-service communication within the VPC. You might need to look into tools or strategies that provide visibility and enforcement for that traffic.

DataGuard82 -

That's true, but once you're in a cloud environment, what are the options for enforcing policies on that internal traffic? You still need a solid approach for service communication.
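One concrete way to move east-west policy from IP addresses to workload identity, as an added example rather than anything posted in this thread: AWS security groups can reference other security groups, so a rule says "whatever carries the app-tier group may reach the database port" and follows the instance wherever it is scheduled. The VPC id, group names and port are assumptions; the Terraform resource types are the AWS provider's own.

```hcl
# Added example, not from the thread. Identity-based service-to-service
# policy: rules reference security groups (the workload's role), not CIDRs.
# vpc_id and the tier names are placeholders; replace with your own.
variable "vpc_id" { default = "vpc-EXAMPLE" }

resource "aws_security_group" "app" {
  name   = "app-tier"
  vpc_id = var.vpc_id
}

resource "aws_security_group" "db" {
  name   = "db-tier"
  vpc_id = var.vpc_id
}

# Security groups are deny-by-default for ingress. This single rule admits
# PostgreSQL only from instances that carry the app-tier group, so a new app
# node inherits the policy at launch and a compromised host in another tier
# gets nothing, no CIDR bookkeeping required.
resource "aws_vpc_security_group_ingress_rule" "db_from_app" {
  security_group_id            = aws_security_group.db.id
  referenced_security_group_id = aws_security_group.app.id
  ip_protocol                  = "tcp"
  from_port                    = 5432
  to_port                      = 5432
  description                  = "app tier -> postgres"
}

# Terraform drops AWS's implicit allow-all egress when a group declares no
# egress, so the app tier's outbound reach is stated explicitly: only the
# database tier on 5432 and HTTPS to the internet (e.g. AWS APIs).
resource "aws_vpc_security_group_egress_rule" "app_to_db" {
  security_group_id            = aws_security_group.app.id
  referenced_security_group_id = aws_security_group.db.id
  ip_protocol                  = "tcp"
  from_port                    = 5432
  to_port                      = 5432
}

resource "aws_vpc_security_group_egress_rule" "app_https_out" {
  security_group_id = aws_security_group.app.id
  cidr_ipv4         = "0.0.0.0/0"
  ip_protocol       = "tcp"
  from_port         = 443
  to_port           = 443
}
```

Security groups are stateful and enforce at the ENI, so this gives policy enforcement for intra-VPC traffic without routing it through an appliance; what it does not give is payload inspection or a log of every accepted flow, which is where VPC Flow Logs or a firewall endpoint come in.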

Answered By AuditAdventurer On

You've hit the nail on the head. The fundamental issue is that traditional security relies heavily on physical perimeters, which simply don't apply in the cloud. Instead, you need to consider a software-defined security model that operates without these boundaries.

CloudNerd17 -

Exactly! So, what’s the architectural solution to replace this reliance on physical perimeters? It can’t just be superficial fixes.

Answered By NetworkGuru88 On

This is a classic scenario of leaving behind the '90s security mindset. Just because your on-prem systems felt secure doesn’t mean they were actually effective at safeguarding your assets in the cloud. Keep this in mind as you adjust your security approach in the new environment.

Answered By ThreatDefense On

The core issue is that your security setup was based on location rather than identity and policy consistency. Solutions like Cato's unified policy engine can help enforce the same rules regardless of where the traffic originates, which helps address this inconsistency across different environments.

SecureZone99 -

It’s interesting to think about. But how do we ensure it integrates well with existing systems instead of becoming another layer of complexity?

Answered By TrafficWatcher On

A solution to consider is using AWS Network Firewall along with VPC Traffic Mirroring. This approach can help inspect the internal traffic without needing to reroute everything externally. It won’t solve all your issues but will help improve visibility for service-to-service communication within your VPC.

SecOpsSam -

Good suggestion! But does that ensure that the same policies apply across both AWS and on-prem, or are we still dealing with separate enforcement?
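To make the suggestion above concrete, here is an added example (my own sketch, not TrafficWatcher's configuration) of the two pieces it names: an AWS Network Firewall endpoint with a stateful rule group that allows the app tier to reach the database port, drops other internal sources and alerts on SSH between workloads, plus a VPC Traffic Mirroring session that copies database-bound packets to a sensor ENI. Every id, CIDR and name below is an assumption; the Suricata-style rule text and the resource types are real AWS constructs.

```hcl
# Added example, not from the thread. IDs, CIDRs and names are placeholders.
variable "vpc_id"             { default = "vpc-EXAMPLE" }
variable "firewall_subnet_id" { default = "subnet-FIREWALL-EXAMPLE" }
variable "db_eni_id"          { default = "eni-DB-NODE-EXAMPLE" }
variable "sensor_eni_id"      { default = "eni-SENSOR-EXAMPLE" }
variable "vpc_cidr"           { default = "10.0.0.0/16" }
variable "app_cidr"           { default = "10.0.1.0/24" }
variable "db_cidr"            { default = "10.0.2.0/24" }

# Stateful rule group in Suricata-compatible syntax. $HOME_NET defaults to
# the VPC CIDR; APP_NET and DB_NET are defined as rule variables below.
resource "aws_networkfirewall_rule_group" "east_west" {
  name     = "east-west-policy"
  type     = "STATEFUL"
  capacity = 100

  rule_group {
    rule_variables {
      ip_sets {
        key = "APP_NET"
        ip_set { definition = [var.app_cidr] }
      }
      ip_sets {
        key = "DB_NET"
        ip_set { definition = [var.db_cidr] }
      }
    }
    rules_source {
      rules_string = <<-EOT
        pass tcp $APP_NET any -> $DB_NET 5432 (msg:"app tier to database"; sid:1000001; rev:1;)
        drop tcp any any -> $DB_NET 5432 (msg:"database access from outside app tier"; sid:1000002; rev:1;)
        alert tcp any any -> $HOME_NET 22 (msg:"internal SSH, review for lateral movement"; sid:1000003; rev:1;)
      EOT
    }
  }
}

resource "aws_networkfirewall_firewall_policy" "east_west" {
  name = "east-west-policy"
  firewall_policy {
    # Hand all non-fragment and fragment traffic to the stateful engine.
    stateless_default_actions          = ["aws:forward_to_sfe"]
    stateless_fragment_default_actions = ["aws:forward_to_sfe"]
    stateful_rule_group_reference {
      resource_arn = aws_networkfirewall_rule_group.east_west.arn
    }
  }
}

resource "aws_networkfirewall_firewall" "east_west" {
  name                = "east-west-firewall"
  firewall_policy_arn = aws_networkfirewall_firewall_policy.east_west.arn
  vpc_id              = var.vpc_id
  subnet_mapping { subnet_id = var.firewall_subnet_id }
}

# Ship ALERT logs (the drop and alert rules above) to CloudWatch so the SOC
# can build detections on them.
resource "aws_cloudwatch_log_group" "nfw" {
  name              = "/nfw/east-west-alerts"
  retention_in_days = 90
}

resource "aws_networkfirewall_logging_configuration" "east_west" {
  firewall_arn = aws_networkfirewall_firewall.east_west.arn
  logging_configuration {
    log_destination_config {
      log_destination_type = "CloudWatchLogs"
      log_type             = "ALERT"
      log_destination      = { logGroup = aws_cloudwatch_log_group.nfw.name }
    }
  }
}

# Traffic Mirroring: copy only database-bound TCP/5432 packets from one
# database node's ENI to a sensor ENI (e.g. an IDS), leaving the original
# path untouched.
resource "aws_ec2_traffic_mirror_filter" "db_tier" {
  description = "database-bound traffic only"
}

resource "aws_ec2_traffic_mirror_filter_rule" "db_ingress" {
  traffic_mirror_filter_id = aws_ec2_traffic_mirror_filter.db_tier.id
  rule_number              = 1
  rule_action              = "accept"
  traffic_direction        = "ingress"
  protocol                 = 6 # TCP
  source_cidr_block        = var.vpc_cidr
  destination_cidr_block   = var.db_cidr
  destination_port_range {
    from_port = 5432
    to_port   = 5432
  }
}

resource "aws_ec2_traffic_mirror_target" "sensor" {
  network_interface_id = var.sensor_eni_id
}

resource "aws_ec2_traffic_mirror_session" "db_node" {
  network_interface_id     = var.db_eni_id
  traffic_mirror_filter_id = aws_ec2_traffic_mirror_filter.db_tier.id
  traffic_mirror_target_id = aws_ec2_traffic_mirror_target.sensor.id
  session_number           = 1
}
```

Two caveats a practitioner will hit: the firewall only sees traffic whose subnet route tables send it through the firewall endpoint, so the app and database subnets need routes via that endpoint (not shown here), and Traffic Mirroring requires Nitro-based instance types on the source ENI. Neither piece, as SecOpsSam points out, makes on-prem and AWS share one policy; it gives the AWS side the inspection and alerting the original on-prem controls provided.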
