Segmenting Hybrid Clouds: What to Look for in a Solution
As organizations continue to migrate operations to the cloud, the need for comprehensive cloud security is more critical than ever. In particular, Zero Trust is gaining traction across industries as organizations prioritize "never trust, always verify" security models to protect their on-premises and cloud environments.
A primary goal of Zero Trust is to minimize the attack surface, and microsegmentation is key to achieving this. By dividing the network into segments as small as an individual application or process, organizations limit lateral movement: an attacker who compromises one workload can reach only what that workload's policy explicitly allows, not the rest of the network segment.
But what happens if you’re using multiple clouds? Or a single cloud alongside on-premises hardware? Seamless security across diverse environments is essential.
In this blog post, I’ll briefly outline some of the key considerations to keep in mind when you’re evaluating microsegmentation solutions to protect your assets across multiple public clouds.
Comprehensive visibility
The visibility provided by the hyperscalers is based on flow logs (for example, AWS VPC Flow Logs and Azure NSG flow logs) that record which workloads talked to which, over which ports and protocols, and whether the traffic was accepted or rejected. Each cloud produces these logs in its own format and for its own resources only, so you usually end up needing a third-party solution to collate the records before you can understand application dependencies and how the components are actually communicating.
Without that unified visibility, it is very difficult to build and apply policy that protects those components without breaking something critical. The problem compounds when you are using multiple public clouds, because you need to maintain the same level of visibility into each environment and correlate the two views of any flow that crosses between them.
A single unified interface
Our customers use Akamai Guardicore Segmentation, the core component of the Akamai Guardicore Platform, to support Zero Trust security across their cloud environments — and comprehensive visibility is key to both microsegmentation and Zero Trust.
Akamai provides complete, context-rich visibility into your traffic across all hybrid cloud environments through a single unified interface. Customers typically engage with us during their cloud migration journey to map and protect their digital crown jewels (i.e., their most critical assets and applications), allowing them to accelerate their move to their preferred cloud without sacrificing security.
Consistent policy
Creating consistent policies across hybrid cloud environments using native cloud security tools is extremely complex, as each cloud’s native controls do not extend beyond the boundaries of that environment.
Policies created using network security groups (NSGs) in Microsoft Azure will not automatically extend to assets residing in AWS. Conversely, policies created using security groups in AWS will not automatically extend to assets residing in Azure. Each cloud's controls can reference workloads by identity (a security group or application security group) only within that cloud; a peer in the other cloud or in the data center can be named only by IP address. And both sets of policies are disconnected from the policies created to secure on-premises assets.
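The two problems above, collating per-cloud flow logs into one dependency map (the "Comprehensive visibility" section) and the fact that native security groups cannot name a workload that lives in another environment (this section), can be seen in a few dozen lines of tooling. The following is an added example written for this article; it is not Akamai code and does not model how the Guardicore policy engine works. The inventory, workload names, IP addresses and flow log lines are constructed for the example; the AWS lines follow the default VPC Flow Logs version 2 field order and the Azure tuples follow the NSG flow log version 2 layout.

```python
"""Merge AWS VPC flow logs and Azure NSG flow logs into one dependency map,
then show which dependencies cross environments and how a native rule for
them degrades from an identity reference to a static /32.

Added example for this article (not Akamai or Guardicore code).  Inventory,
asset names and log lines are constructed; no real accounts are involved.
"""
from __future__ import annotations
import json
from collections import defaultdict
from dataclasses import dataclass

# Constructed inventory: IP -> (workload name, environment).
INVENTORY = {
    "10.0.1.10": ("web-frontend", "aws"),
    "10.0.2.20": ("orders-api", "aws"),
    "10.10.0.4": ("orders-db", "azure"),
    "10.10.0.9": ("reporting", "azure"),
    "192.168.5.7": ("ldap", "onprem"),
}

# Constructed AWS VPC flow log lines, default version 2 field order:
# version account eni src dst srcport dstport proto packets bytes start end action status
AWS_FLOW_LOG = """\
2 123456789012 eni-0a1b2c3d 10.0.1.10 10.0.2.20 49152 8443 6 10 840 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.2.20 10.10.0.4 51000 5432 6 24 4096 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.2.20 192.168.5.7 51001 636 6 3 512 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 203.0.113.5 10.0.1.10 40000 22 6 1 60 1700000000 1700000060 REJECT OK
"""

# Constructed Azure NSG flow log (version 2 tuples), trimmed to the fields used:
# time,src,dst,srcport,dstport,proto(T/U),direction(I/O),decision(A/D),state,...
AZURE_FLOW_LOG = json.dumps({"records": [{"properties": {"flows": [{
    "rule": "UserRule_allow-db",
    "flows": [{"flowTuples": [
        "1700000000,10.0.2.20,10.10.0.4,51000,5432,T,I,A,B,24,4096,20,2048",
        "1700000010,10.10.0.9,10.10.0.4,52000,5432,T,I,A,B,5,800,4,600",
        "1700000020,10.10.0.9,192.168.5.7,52001,636,T,O,A,B,2,300,2,200",
        "1700000030,198.51.100.7,10.10.0.4,40000,5432,T,I,D,B,,,,",
    ]}]}]}}]})


@dataclass(frozen=True)
class Dependency:
    src: str    # workload name (or raw IP if not in the inventory)
    dst: str
    proto: str
    dport: int


def _name(ip: str) -> str:
    return INVENTORY.get(ip, (ip, "external"))[0]


def parse_aws(text: str) -> set[Dependency]:
    """Accepted flows only; rejected probes are noise for dependency mapping."""
    deps = set()
    for line in text.splitlines():
        f = line.split()
        if len(f) < 13 or f[12] != "ACCEPT":
            continue
        proto = {"6": "tcp", "17": "udp"}.get(f[7], f[7])
        deps.add(Dependency(_name(f[3]), _name(f[4]), proto, int(f[6])))
    return deps


def parse_azure(text: str) -> set[Dependency]:
    deps = set()
    for rec in json.loads(text)["records"]:
        for rule in rec["properties"]["flows"]:
            for flow in rule["flows"]:
                for tup in flow["flowTuples"]:
                    _, src, dst, _, dport, proto, _, decision = tup.split(",")[:8]
                    if decision != "A":
                        continue
                    deps.add(Dependency(_name(src), _name(dst),
                                        {"T": "tcp", "U": "udp"}[proto], int(dport)))
    return deps


def dependency_map(*sources: set[Dependency]) -> dict[str, set[Dependency]]:
    """One map keyed by destination; a cross-cloud flow logged on both sides
    collapses into a single dependency because both parsers normalize to names."""
    by_dst: dict[str, set[Dependency]] = defaultdict(set)
    for d in set().union(*sources):
        by_dst[d.dst].add(d)
    return by_dst


def cross_environment(deps: set[Dependency]) -> list[Dependency]:
    """Dependencies whose two ends live in different environments."""
    env = dict(INVENTORY.values())
    return sorted((d for d in deps if env.get(d.src) != env.get(d.dst)),
                  key=lambda d: (d.src, d.dst, d.proto, d.dport))


def native_rule(d: Dependency) -> dict:
    """Render a dependency as the destination side's inbound rule.  Inside one
    cloud the source is an identity reference (AWS security group, Azure
    application security group); across environments it falls back to the
    static /32 the flow log happened to show, which is exactly what drifts."""
    env, ip_of = dict(INVENTORY.values()), {n: ip for ip, (n, _) in INVENTORY.items()}
    same_env = env.get(d.src) == env.get(d.dst)
    ref = "sg" if env.get(d.dst) == "aws" else "asg"
    source = f"{ref}:{d.src}" if same_env else f"{ip_of.get(d.src, d.src)}/32"
    return {"cloud": env.get(d.dst, "external"), "target": d.dst,
            "source": source, "proto": d.proto, "port": d.dport}


if __name__ == "__main__":
    deps = set().union(parse_aws(AWS_FLOW_LOG), parse_azure(AZURE_FLOW_LOG))
    for dst, ds in dependency_map(deps).items():
        print(dst, sorted(f"{d.src}:{d.proto}/{d.dport}" for d in ds))
    for d in cross_environment(deps):
        print("cross-environment:", native_rule(d))
```

Running the block prints five dependencies (the orders-api to orders-db flow appears in both logs but is counted once) and flags three of them as cross-environment; for those, the rendered rule can only name the peer by IP, which is the gap a cloud-agnostic policy layer has to close.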
Agentless policy enforcement
What happens if your application functionality relies on assets located across all these different environments? Policy creation and management become extremely difficult, and every hand-maintained rule is another chance for a misconfiguration that could lead to a breach. Also, as organizations increasingly leverage platform as a service (PaaS) resources in public cloud environments, where there is no host on which to install anything, you need a solution that can enforce policy for those resources as well, without requiring an agent.
Akamai Guardicore Segmentation provides a single solution to manage your cloud security policy across hybrid cloud environments. Leveraging the comprehensive visibility provided by our solution, our enforcement engine can enact a policy that covers assets residing in both on-premises and cloud environments.
Our solution is primarily agent-based, and our customers have used the agent to secure virtual machines and other assets residing in cloud environments. In February 2024, we announced support for agentless policy enforcement for PaaS resources in Azure.
Enforcing policy with or without agents
As of November 2024, we can support agentless policy enforcement for PaaS resources in both Azure and AWS.
To accomplish this, we’re using a hybrid enforcement engine that leverages multiple enforcement points. This allows an organization to simply define the intent of a network policy and have the Akamai Guardicore Segmentation policy engine take care of the rest by dynamically deciding which agent-based and agentless enforcement points should be used.
Providing a cloud microsegmentation solution that can enforce policy with or without agents and across multiple cloud environments makes policy management much easier and reduces the chances of a misconfiguration that can lead to a breach. Look for solutions that have this capability to better reduce your attack surface and more efficiently manage policy in dynamic, hybrid cloud environments.
Additional security value
The best microsegmentation solutions provide security value above and beyond their core functionality. As organizations move toward a single vendor for several cybersecurity solutions (rather than combining best-in-breed products from different vendors), it is important to invest in solutions from a trusted provider with a track record in security, so that you benefit from its long-standing expertise and from the additional security capabilities that come with the platform.
Look for microsegmentation solutions that:
Do not require external connectivity to access security groups and flows
Have policy templates and suggestions crafted specifically for the cloud
Can leverage built-in reputation analysis and threat intelligence to rapidly identify suspicious communications and known threats
Are part of a larger, holistic platform that supports Zero Trust security in hybrid cloud environments — and beyond
Microsegmentation: A core functionality of Zero Trust
The future of cloud security lies in adaptive solutions that can meet the demands of dynamic hybrid cloud and multicloud environments. By embracing microsegmentation as a core functionality of Zero Trust, and by selecting a microsegmentation solution that has all the capabilities described above, organizations can fortify their cloud security strategies, stay compliant, and protect their valuable data against evolving threats.
Learn more
To learn more about Akamai Guardicore Segmentation’s unique cloud capabilities, talk to an expert.