Egress Security Ultimate Guide
In the Market Guide for Cloud Workload Protection Platforms (CWPP), Gartner states: “Protection requirements for cloud-native applications are evolving and span virtual machines, containers and serverless workloads in public and private clouds. Security and risk management leaders must address the unique and dynamic security requirements of hybrid cloud workloads.” In addition, enterprises are challenged with business requirements surrounding compliance, risk management, and best practices while managing rising costs and the pressure to do more with less in today’s complex economy.
The Valtix Cloud Security Platform (AWS, Azure, GCP, and OCI) embraces this dynamic, unique, and evolving public cloud environment and delivers an architectural approach to cloud security that matches and enhances its very nature. Our philosophy is that security should match the agility of the applications it protects and provide value through simplicity. The solution utilizes the native cloud constructs offered by Cloud Service Providers (CSPs) without additional overlay or vendor lock-in, and is delivered through a Managed Service platform based on the following model:
Discover: Maintains an “evergreen” model of running cloud applications, auto-detecting changes, and providing the needed insights into security requirements. This allows for dynamic security policies that automatically protect dynamic and agile workloads.
Deploy: The deployment architecture is driven by the “discovery”. Auto-scaled, provisioned and network-plumbed security (agent-less) with single-click deployment objectives. Support for AWS, Azure, and GCP cloud deployments and network pathing with IaC automation – Terraform and API – without the need to build and manage a complex control plane.
Defend: Write custom security policies to protect your applications as you determine their needs. These policies may include some or all of the following defense functions:
- URL + FQDN Filtering: Custom + Domain Categories
- TLS decryption/re-encryption with single pass Deep Packet Inspection (DPI)
- Advanced Web Application Firewall (WAF)
- Network Protection (IDS/IPS) + Malicious Sources
Egress Security in Public Cloud
Egress security in the public cloud comprises a significant portion of the total security posture toward protecting public cloud workloads handling or using:
- PII: data that can be used to identify a specific individual. Technology has expanded the scope of PII considerably to include IP addresses, login IDs, social media posts, and digital images, in addition to traditional SSNs, credit card numbers, email addresses, and phone numbers.
- Access to public internet resources for software updates, patches, public repositories, API calls, 3rd party interconnects, and sensitive data logging to external sources.
Questions arise as to what is adequate, good, better, and best when protecting the applications requiring egress to public internet and limiting the “blast radius” in the event of a security breach.
- Where am I vulnerable?
- Is FQDN, or URL filtering better?
- Should I care about Data Loss Prevention (DLP)?
- Should I deploy a proxy?
- Maybe I need Malware detection also?
- How can I determine if my data is compromised?
- What are my workloads really accessing and why?
The answer is that you should care about all of the above and more. The Cloud Security Alliance (cloudsecurityalliance.org) and other bodies address “best practices” for specific types of sensitive data, e.g. PCI and HIPAA. However, the enterprise must determine its own security posture: what to deploy and where to acquire it. Valtix believes this decision should be made with an understanding of both the security capabilities and the automation/management functions of a comprehensive solution architecture. Capabilities that we believe are required in any public cloud egress security solution are:
Functions compared across NAT Gateway, Squid Proxy, Aviatrix FQDN, and Valtix Egress:
- Forward/Reverse Proxy (as needed)
- Custom Lists for Domain Category
- Auto Discovery (App-Tag-based)
- Auto Malware Detection
- Data Loss Prevention (DLP)
- Flow Log Visibility
- Multi AZ High Availability
- Allowed/Denied Session Logs
- Automation and Management
- Managed Service (SaaS)
Valtix can assist you and your cloud teams in understanding the complexities of each capability. For example, what is the real difference between URL and FQDN filtering when limiting access to a specific GitHub repository, e.g. permitting only “stevevaltix/app”?
- URL filtering is more prescriptive: it filters on the entire URL, including the path permitted for access: https://github.com/stevevaltix/app Allow
- FQDN filtering operates on the TLD and sub-domains only, and would handle this with an FQDN rule: *.github.com Allow. FQDN filtering alone is inadequate here, since it allows access to all public GitHub repositories, some of which are known to contain malware and data loss mechanisms.
In addition, URL filtering combined with tags (Valtix’s attribute-based access control) and custom lists for the 80+ domain categories makes this highly manageable at scale.
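The following toy policy evaluator illustrates the difference described above. It is an added example, not Valtix code; the rule syntax, the wildcard semantics (a `*.github.com` rule is assumed to match the apex as well as sub-domains) and the `decrypted` flag, which models whether TLS decryption has exposed the HTTP path to the filter, are all assumptions.

```python
"""Toy comparison of FQDN filtering versus URL filtering (illustration only)."""
from fnmatch import fnmatch
from urllib.parse import urlsplit

# Constructed allow-lists: only the "stevevaltix/app" repository is wanted.
URL_RULES = ["https://github.com/stevevaltix/app"]   # URL filtering rule
FQDN_RULES = ["*.github.com"]                         # FQDN filtering rule


def fqdn_allowed(url: str) -> bool:
    """FQDN filtering sees only the host (DNS name / TLS SNI), never the path."""
    host = urlsplit(url).hostname or ""
    for pattern in FQDN_RULES:
        # Assumption: a wildcard rule also covers the apex domain itself.
        if fnmatch(host, pattern) or host == pattern.lstrip("*."):
            return True
    return False


def url_allowed(url: str, decrypted: bool = True) -> bool:
    """URL filtering matches host AND path.

    For HTTPS the path is only visible after TLS decryption (single-pass DPI
    in the text); without it the filter can only see the host and degrades
    to the same decision an FQDN filter would make.
    """
    parts = urlsplit(url)
    host, path = parts.hostname or "", parts.path.rstrip("/")
    for rule in URL_RULES:
        r = urlsplit(rule)
        if host != r.hostname:
            continue
        if not decrypted:
            return True  # host matched, path invisible: repository unknown
        r_path = r.path.rstrip("/")
        # Exact path or a sub-path; avoids the "/app" vs "/app-evil" prefix trap.
        if path == r_path or path.startswith(r_path + "/"):
            return True
    return False


def compare(urls):
    """Return both filters' decisions for each URL, for side-by-side review."""
    return {u: {"fqdn": fqdn_allowed(u), "url": url_allowed(u)} for u in urls}
```

Running `compare` over the permitted repository and any other repository on the same host shows the FQDN rule allowing both while the URL rule allows only the first; passing `decrypted=False` to `url_allowed` collapses that distinction.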
Egress Security Architecture
Valtix is architected using software-defined principles of a decoupled Control and Data Plane, offering a SaaS-delivered Control Plane and a PaaS-delivered Data Plane residing in the enterprise’s cloud accounts. This includes all Certificate, Key, and Data stores: your data and security constructs never leave your boundaries. Deployment models include Centralized, Distributed, or a combination of both, based on your specific architecture and security posture.
Automation and Integrations
Valtix provides native support in the three (3) major Cloud Service Providers (CSPs), AWS, Azure, and GCP, while abstracting the complexities and nuances involved in deploying and configuring network and security constructs for each individual CSP. The solution is fully supported via Terraform, RESTful API, and the Valtix Portal GUI.
Additionally, Valtix is integrated with popular SIEMs and alerting solutions, while PCAPs can optionally be pushed to your CSP data store.