
Why Zero Trust for Public Cloud Apps Is Different Than Zero Trust for Users

Securing Apps Requires a Different Approach

In the cloud era, much of the security attention has focused on securing user access. That made sense early on: securing user access is important, and all of the critical users were regularly beyond the four walls of a traditional office location prior to COVID, and only more so since. For many organizations, the security focus on apps lagged behind the focus on users. But as more and more critical apps move into the public cloud, organizations are shifting their focus to securing those apps and the other workloads that support them.

Apps Are Different
From a security perspective, how are apps different from users? Briefly, in three ways: access patterns, the nature of attacks, and what’s at stake.

For a typical user, the access pattern is relatively well understood: the user accesses a variety of apps, and the user typically initiates the connection to the app in question. Apps, or more broadly workloads, have a variety of communication patterns:

  • User initiates connection to app. Trusted or untrusted user, mostly accessing the app over the Internet.
  • Workload-to-workload (e.g., app accessing a database, broadly east-west communication, sometimes crossing trust boundaries within that cloud or across clouds).
  • Workload to external 3rd party service (app pulling info, updating itself).

The variety of app architectures in use within a given organization (containers, VMs, PaaS, serverless, etc.) further complicates the variety of app/workload access patterns.

The nature of attacks is also typically different. Highly targeted attacks against users (e.g., spear phishing) are the exception. Most attacks against end users or end user devices are broad-based, seeking theft of resources or information by casting a wide net. Apps, by contrast, are often central repositories of resources or information, which merits much narrower, targeted, and potentially customized attack methods. This highlights what’s at stake as well: user attacks are typically all about escalation, a stepping stone to greater access to resources, while attacks against apps ARE targeting those more desirable resources that are housed in apps/workloads.

From a Security Perspective, So What?
Protecting users is pretty well understood. Protecting apps, in the public cloud, is less well understood. For starters, access patterns, coupled with public cloud’s universal connectivity, require defenses in more places – and given the nature of attacks and what’s at stake, multiple security functions are typically required. And speaking of what’s at stake, defenses need to be close to the workload – most enterprises don’t want to ship production data somewhere else for security (so security needs to be enforced in the customer cloud). 

But the details matter – encryption is de rigueur for apps, and most security functions beyond basic port/protocol need to scan in the clear. With lots of apps connecting to lots of workloads and users, this can get complicated. And encryption management is just the tip of the iceberg (albeit a very pointy one) from an ops perspective. Managing distributed defenses in a highly integrated and automated environment uniquely requires:

  • Encryption management (as mentioned above)
  • Cloud scale (across accounts/subscriptions/clouds)
  • Cloud operations and automation – which provides agility

And, of course, all of the security functions required to defend workloads. So the solution has to be built for the cloud environment. In other words, strong, layered security for apps can’t slow down the business. As it turns out, this is exactly what Valtix offers!

Valtix is 100% Focused on Securing Apps
From the architecture to integration to ops, Valtix is cloud-native. It starts with a SaaS-based control plane, which automatically deploys defenses close to apps and workloads in whichever cloud they reside, and protects communication in whichever direction they communicate (inbound, outbound, east-west). It incorporates cloud-integrated encryption management and operations, and a single policy that includes the multiple security functions organizations require to protect applications from inbound threats, data exfiltration, and lateral movement of attacks. Interested in learning more? Check out our product tour.
