What Is Egress Security For Public Cloud? (Ultimate Guide & Architecture)

Have Questions? Want to see Valtix in action?

Egress Security Ultimate Guide

In the Market Guide for Cloud Workload Protection Platforms (CWPP), Gartner1 states: “Protection requirements for cloud-native applications are evolving and span virtual machines, containers and serverless workloads in public and private clouds. Security and risk management leaders must address the unique and dynamic security requirements of hybrid cloud workloads.” In addition, Enterprises are challenged with business requirements surrounding compliance, risk management, and best practices while managing rising costs and the pressure to do more with less in today’s complex economy.

The Valtix Cloud Security Platform (AWS, Azure, GCP, and OCI) embraces this dynamic, unique, and evolving environment of public cloud, and is delivering an architectural approach to cloud security that matches and enhances its very nature – our philosophy is security should match the agility of the applications it protects and provide value through simplicity. The solution utilizes the native cloud constructs offered by Cloud Service Providers (CSP’s) without additional overlay and vendor lock-in, and is delivered through a Managed Service platform based on the following model:

Discover: Maintains an “evergreen” model of running cloud applications, auto-detecting changes, and providing the needed insights into security requirements. This allows for dynamic security policies that automatically protect dynamic and agile workloads.

Deploy: The deployment architecture is driven by the “discovery”. Auto-scaled, provisioned and network-plumbed security (agent-less) with single-click deployment objectives. Support for AWS, Azure, and GCP cloud deployments and network pathing with IaC automation – Terraform and API – without the need to build and manage a complex control plane.

Defend: Write custom security policies to protect your applications as you determine their need, and that may include some, or all, of the following defense functions: •

• URL + FQDN Filtering: Custom + Domain Categories
• TLS decryption/re-encryption with single pass Deep Packet Inspection (DPI)
• Advanced Web Application Firewall (WAF)
• Network Protection (IDS/IPS) + Malicious Sources

Egress Security in Public Cloud

Egress security in the public cloud comprises a significant portion of the total security posture toward protecting public cloud workloads handling or using:

• PII** data that can be used to identify a specific individual. Technology has expanded the scope of PII considerably to include IP addresses, login IDs, social media posts, or digital images, in addition to traditional SSN’s, credit card numbers, emails and phone numbers.
• Access to public internet resources for software updates, patches, public repositories, API calls, 3rd party interconnects, and sensitive data logging to external sources.

Questions arise as to what is adequate, good, better, and best when protecting the applications requiring egress to public internet and limiting the “blast radius” in the event of a security breach.

• Where am I vulnerable?
• Is FQDN, or URL filtering better?
• Should I care about Data Loss Prevention (DLP)?
• Should I deploy a proxy?
• Maybe I need Malware detection also?
• How can I determine if my data is compromised?
• What are my workloads really accessing and why?

The answer is you should care about all of the above and more. The Cloud Security Alliance (cloudsecurityalliance.org) and other bodies address “best practices” with specific types of sensitive data e.g. PCI, PCI, HIPPA. However, the Enterprise must determine their own security posture – what to deploy and where to acquire it. Valtix believes the decision should be made to understand both the Security Capabilities and the Automation/Management functions of a comprehensive Solution Architecture. Capabilities that we believe are required in any Public Cloud Egress Security solution are: