skip to Main Content

Article

What Is Egress Security & Filtering For Public Cloud? (Ultimate Guide & Architecture)

Have Questions? Want to see Valtix in action?

In the Market Guide for Cloud Workload Protection Platforms (CWPP), Gartner1 states: “Protection requirements for cloud-native applications are evolving and span virtual machines, containers and serverless workloads in public and private clouds. Security and risk management leaders must address the unique and dynamic security requirements of hybrid cloud workloads.” In addition, Enterprises are challenged with business requirements surrounding compliance, risk management and best practices while managing rising costs and the pressure to do more with less in today’s complex economy.

The Valtix Multi-Cloud Security Platform (AWS, Azure, GCP, and OCI) embraces this dynamic, unique and evolving environment of public cloud, and is delivering an architectural approach to cloud security that matches and enhances its very nature – our philosophy is security should match the agility of the applications it protects and provide value through simplicity. The solution utilizes the native cloud constructs offered by Cloud Service Providers (CSP’s) without additional overlay and vendor lock-in, and is delivered through a Managed Service platform based on the following model:

Discover: Maintains an “evergreen” model of running cloud applications, auto-detecting changes, and providing the needed insights into security requirements. This allows for dynamic security policies that automatically protect dynamic and agile workloads.

Deploy: The deployment architecture is driven by the “discovery”. Auto-scaled, provisioned and network-plumbed security (agent-less) with single-click deployment objectives. Support for AWS, Azure and GCP cloud deployments and network pathing with IaC automation – Terraform and API – without the need to build and manage a complex control plane.

Defend: Write custom security policies to protect your applications as you determine their need, and that may include some, or all, of the following defense functions: •

  • URL + FQDN Filtering: Custom + Domain Categories
  • TLS decryption/re-encryption with single pass Deep Packet Inspection (DPI)
  • Advanced Web Application Firewall (WAF)
  • Network Protection (IDS/IPS) + Malicious Sources

Egress Security in Public Cloud

Egress security in the public cloud comprises a significant portion of the total security posture toward protecting public cloud workloads handling or using:

  • PII** data that can be used to identify a specific individual. Technology has expanded the scope of PII considerably to include IP addresses, login IDs, social media posts, or digital images, in addition to traditional SSN’s, credit card numbers, emails and phone numbers.
  • Access to public internet resources for software updates, patches, public repositories, API calls, 3rd party interconnects and sensitive data logging to external sources.

Questions arise as to what is adequate, good, better, and best when protecting the applications requiring egress to public internet and limiting the “blast radius” in the event of a security breach.

  • Where am I vulnerable?
  • Is FQDN, or URL, filtering better?
  • Should I care about Data Loss Prevention (DLP)?
  • Should I deploy a proxy?
  • Maybe I need Malware detection also?
  • How can I determine if my data is compromised?
  • What are my workloads really accessing and why?

The answer is you should care about all of the above and more. The Cloud Security Alliance (cloudsecurityalliance.org) and other bodies address “best practices” with specific types of sensitive data e.g. PCI, PCI, HIPPA, however, the Enterprise must determine their own security posture – what to deploy and where to acquire it. Valtix believes the decision should be made to understand both the Security Capabilities and the Automation/Management functions of a comprehensive Solution Architecture. Capabilities that we believe are required in any Public Cloud Egress Security solution are:

Functions NAT Gateway Squid Proxy1 Aviatrix FQDN Valtix Egress
Security Capabilities        
URL Filtering* No No No Yes
FQDN Filtering** No Yes Yes Yes
Forward/Reverse Proxy (as needed) No No No Yes
Custom Lists for Domain Category No No No Yes
Auto-Scaling Yes No No Yes
Auto Discovery (App-Tag-based) No No No Yes
Auto Malware Detection No No No Yes
Data Loss Prevention (DLP) No No No Yes
Application Tagging No No No Yes
Flow Log Visibility No No No Yes
Multi AZ High Availability Yes No Yes Yes
Allowed/Denied Session Logs No No Yes Yes
         
Automation and Management        
Terraform Support Yes No Yes Yes
API Support Yes No Yes Yes
Managed Service (SaaS) No No No Yes
Enterprise Support Yes No Yes Yes

 

Valtix can assist you, and your cloud teams, understand the complexities of each capability. For example – what is the real difference between URL vs FQDN filtering when limiting access to a specific GitHub repository? e.g. “stevevaltix/app” should be permitted.

* URL filtering is more prescriptive in filtering entire URL and path permitted for access: https://github.com/stevevaltix/app Allow **

FQDN filtering operates on tLD and sub-domains only and would handle this with an FQDN rule: *.github.com Allow FQDN filtering alone is inadequate since it allows access to all public GitHub repositories, some of which are known to contain malware and data loss mechanisms.

In addition, URL filtering combined with tags, Valtix’s attribute-based access control, and the use of custom lists for Domain categories (80+), make this highly manageable at scale.

Egress Security Architecture

Valtix is architected using software defined principles of a decoupled Control and Data Plane, offering a SaaS-delivered Control Plane and a PaaS-delivered Data Plane residing in the Enterprise’s cloud accounts. This includes all Certificate, Key, and Data stores – your data and security constructs never leave your boundaries. Deployment models include both Centralized, Distributed or both, and based on your specific architecture security posture.

egress filtering cloud network security

Automation and Integrations Valtix provides native support in the three (3) major Cloud Service Providers (CSP’s) – AWS4, Azure5, and GCP6, while abstracting the complexities and nuances involved with deploying and configuring network and security constructs for each individual CSP. The solution is fully supported via Terraform7, RESTful API, and the Valtix Portal GUI.

Additionally, Valtix is integrated into popular SIEM’s and Alerting solutions, while PCAP’s can be optionally pushed to your CSP data store.

valtix cloud network security architect solution aws azure gcp

See how Valtix can enable egress security in the cloud (AWS, Azure, GCP) in minutes. Request a Quick Demo

Back To Top