Today’s business environments require that security and networking teams adapt to the realities of cloud computing and Infrastructure- or Platform-as-a-Service (IaaS/PaaS). Organizations whose data resides in a third-party cloud can’t necessarily trust or secure those environments, but the security team is still tasked with securing workloads and applications wherever they are running. Long gone are the days of gaining assurance by implementing firewalls and endpoint protection around the company-specific network perimeter.
While legacy tools might be effective in traditional, networked data centers, most organizations today operate in large part with elastic, cloud-based systems. These new approaches make the perimeter ephemeral and render yesterday’s tools ineffective against current-day threats.
Unfortunately, many security teams have not shifted tactics from the approaches of the traditional data center, leaving both apps and workloads unprotected. They continue to add new tools and controls, tightening the perimeter and reducing the network attack surface incrementally, but still allowing uninspected software to communicate. Technologies like role-based access controls and microsegmentation can help, but they don’t solve the problem of workload-centric security.
The second layer
When it comes to securing workloads in the cloud, an organization’s capacity to affect all layers of the OSI model is limited. The lack of layer 2 controls in IaaS environments prevents companies from using traditional tactics, such as locking down ports and controlling or scrutinizing the IP addresses that enter the environment, with the same degree of control that traditional tools provide on premises. Without layer 2 access, traditional tools have to, by design, introduce additional complexity in order to provide any functionality at all. They weren’t intended for workloads in the first place: they were meant for a discrete network.
Further, even if these tools are successfully implemented, most group policy controls are too coarse for cloud environments. For example, policies written for cloud environments often rely on subnets to define the boundaries of communication. Subnets in the cloud tend to be larger than those in on-premises environments, in an attempt to accommodate elastic workloads, which leaves the workloads more exposed than necessary. These issues pose a challenge when companies are trying to securely migrate a workload off premises. Migrating applications is a complex task for any team, so alleviating the complexity of changing network policies is a great efficiency gain. The best way to ensure that workloads are securely portable is to ensure that whatever policies are applied to them on-premises can migrate with them to the insecure and untrusted environment of the public cloud.
Portable policies also benefit software developers. They can develop software and applications in any environment that is favorable to their workflow, while at the same time defining policies to protect their work. Once ready, they can securely port the finished product to the production environment—even if it is hosted by a third party—and have the workload immediately secured.
An alternative approach
Edgewise wanted to create something that allows the business to migrate quickly and efficiently and to pivot when appropriate. We developed an application-centric technology that uses attributes of the application itself to create a cryptographically unique identity, allowing the same policies to be applied regardless of where the application resides. The cryptographic identities (application fingerprints, really) are then passed to the Edgewise machine learning platform, where application flows are analyzed in real time to produce a policy set.
By adding machine learning, Edgewise can define the smallest number of policies possible to cover the entire environment, irrespective of the application’s location. Wrapping protection at the application layer, so that it follows the application wherever it goes, means companies no longer have to retrofit traditional network-based perimeter controls to their cloud workloads; such controls already struggle to detect malicious activity initiated from within the network. This reduces the attack surface available to adversaries and mitigates the operational risk of migrating critical applications to the cloud.
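To make the contrast between subnet-based and application-identity-based policy concrete, here is an added illustration. It is not Edgewise’s code and does not describe how its platform derives identities or learns policies; the fingerprint attributes (binary hash, command line, owner), the hosts, the addresses and the allowed-flow set are all constructed for the example. The same web workload is evaluated before and after a move from an on-premises address to a cloud subnet, alongside an unrelated process that happens to share that cloud subnet and a copy of the web workload whose binary has changed.

```python
import hashlib
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Workload:
    """A running process: application attributes plus wherever it currently happens to live."""
    name: str
    ip: str                 # current network location (changes on migration)
    binary_sha256: str      # hash of the executable image
    cmdline: str            # how the process was launched
    owner: str              # service account it runs as


def app_fingerprint(w: Workload) -> str:
    """Identity derived only from attributes of the application, never from its address.
    Attribute set is a constructed choice for this example."""
    material = "\x1f".join((w.binary_sha256, w.cmdline, w.owner)).encode()
    return hashlib.sha256(material).hexdigest()


def subnet_policy_allows(src_ip: str, dst_port: int,
                         allowed_net: str = "10.0.0.0/16", allowed_port: int = 5432) -> bool:
    """Network-centric rule: any source inside the cloud subnet may reach the database port."""
    return (ipaddress.ip_address(src_ip) in ipaddress.ip_network(allowed_net)
            and dst_port == allowed_port)


def identity_policy_allows(src: Workload, dst: Workload, allowed: set) -> bool:
    """Application-centric rule: the (source, destination) fingerprint pair must be allowed."""
    return (app_fingerprint(src), app_fingerprint(dst)) in allowed


# Constructed sample environment (hashes are of placeholder strings, not real binaries)
WEB_BIN = hashlib.sha256(b"constructed: web frontend binary").hexdigest()
DB_BIN = hashlib.sha256(b"constructed: database binary").hexdigest()
UNKNOWN_BIN = hashlib.sha256(b"constructed: unrelated binary on a cloud host").hexdigest()
MODIFIED_WEB_BIN = hashlib.sha256(b"constructed: modified web frontend binary").hexdigest()

db = Workload("db", "10.0.1.5", DB_BIN, "/usr/bin/postgres -D /var/lib/pg", "postgres")
web_onprem = Workload("web", "192.168.1.10", WEB_BIN, "/opt/web/server --port 8080", "webapp")
web_cloud = Workload("web", "10.0.5.20", WEB_BIN, "/opt/web/server --port 8080", "webapp")
stranger = Workload("stranger", "10.0.7.8", UNKNOWN_BIN, "/tmp/x", "nobody")
tampered = Workload("web", "10.0.5.20", MODIFIED_WEB_BIN, "/opt/web/server --port 8080", "webapp")

# One allowed flow, web -> db, written once against identities rather than addresses.
ALLOWED_FLOWS = {(app_fingerprint(web_onprem), app_fingerprint(db))}


def evaluate() -> dict:
    """Decisions from both policy models for the same set of connection attempts to db:5432."""
    return {
        "subnet": {
            "web_onprem": subnet_policy_allows(web_onprem.ip, 5432),  # denied: wrong subnet
            "web_cloud": subnet_policy_allows(web_cloud.ip, 5432),    # allowed after rewrite
            "stranger": subnet_policy_allows(stranger.ip, 5432),      # allowed: same /16
        },
        "identity": {
            "web_onprem": identity_policy_allows(web_onprem, db, ALLOWED_FLOWS),
            "web_cloud": identity_policy_allows(web_cloud, db, ALLOWED_FLOWS),
            "stranger": identity_policy_allows(stranger, db, ALLOWED_FLOWS),
            "tampered": identity_policy_allows(tampered, db, ALLOWED_FLOWS),
        },
    }


if __name__ == "__main__":
    for model, results in evaluate().items():
        for who, ok in results.items():
            print(f"{model:8s} {who:11s} {'ALLOW' if ok else 'DENY'}")
```

The subnet rule has to be rewritten when the web tier moves (192.168.1.10 is outside 10.0.0.0/16) and, once rewritten, admits every other host in the /16. The identity rule is unchanged by the move, because the fingerprint depends on nothing that migration alters, and it denies both the unrelated process and the altered binary.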