For organizations building a long-term zero trust network segmentation model in the cloud, smaller virtual private clouds (VPCs) are likely the best approach. This piece explains some of the issues to consider and suggests using infrastructure-as-code (IaC) templates and third-party network security appliances to centralize deployment and ongoing management and to improve security capabilities overall.
Mature enterprise organizations should consider the following configuration recommendations when designing large cloud network environments:
Allocate a large (/16) IP address range to every VPC if possible. A VPC's primary range cannot be changed after creation (AWS lets you associate additional CIDR blocks, but resizing the original range means recreating the VPC and everything in it), and peered VPCs cannot have overlapping address ranges, which becomes a real constraint for very large enterprises. It is not uncommon for such organizations to default to /18 or smaller ranges per VPC to reduce overlap and leave room for more VPCs.
If possible, isolate assets per VPC, not solely by subnet. A VPC is an isolation boundary enforced by the cloud provider's network virtualization layer, whereas subnets within a VPC are separated only by the route tables, network ACLs and security groups you configure. For most enterprises, VPC categorization should follow distinct business units or groups, assets handling the same class of sensitive data, or some combination of both.
Use subnets to isolate assets when it is not possible to isolate wholly within VPCs, and use virtual firewalls, security groups and network access control lists (ACLs) to control traffic. Note that every subnet in a VPC can reach every other through the VPC's local route, which cannot be deleted, so limiting inter-subnet access means writing explicit security group and network ACL rules (or steering traffic through a firewall appliance with more specific routes) rather than relying on the default route tables.
Define a network access control strategy that is sustainable for a longer-term deployment model across all business units, if possible. Examples include:
A set of small VPCs holding like systems and assets, connected through VPC peering connections or a transit gateway. Benefits include better isolation and more granular segmentation; drawbacks include operational friction around communication paths and latency, and a more "sprawled" environment with more VPCs and accounts to manage.
Larger VPCs broken into subnets containing like systems and sensitive data categories, still peered together. This is a more flexible architecture for business units, but it requires more oversight and central management using tools like AWS Firewall Manager or third-party consoles like Palo Alto Networks Panorama.
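The two constraints above (a VPC's primary range is fixed at creation, and peered VPCs cannot overlap) are easiest to respect if the address plan is generated rather than hand-picked. The following is an added example, not code from IANS or from the original post: it hands out non-overlapping /16s from an assumed corporate supernet (10.0.0.0/8, with two constructed reserved ranges), carves each VPC into per-tier, per-AZ /20s, and flags any pair of VPCs that could not be peered. The resulting values are what you would feed into a CloudFormation or Terraform template.

```python
"""Plan non-overlapping VPC ranges and carve subnets with the standard library.

Added example for this post, not IANS code. The supernet, reserved ranges and
business-unit names are constructed; substitute your own address plan.
"""
import ipaddress
from typing import Dict, List, Tuple, Union

Net = ipaddress.IPv4Network
SUPERNET = ipaddress.ip_network("10.0.0.0/8")  # assumed corporate range set aside for cloud
VPC_PREFIX = 16      # the post recommends a /16 per VPC where possible
SUBNET_PREFIX = 20   # each /16 yields sixteen /20s (4,091 usable hosts each on AWS)

# Ranges already used on-premises or by VPCs that cannot be recreated (constructed).
RESERVED = [ipaddress.ip_network("10.0.0.0/16"), ipaddress.ip_network("10.1.0.0/16")]


def _as_net(value: Union[str, Net]) -> Net:
    return value if isinstance(value, Net) else ipaddress.ip_network(value)


def allocate_vpcs(names: List[str], supernet: Net = SUPERNET, reserved: List[Net] = RESERVED,
                  prefix: int = VPC_PREFIX) -> Dict[str, Net]:
    """Give each VPC the next free /<prefix>, skipping anything that overlaps a reserved range."""
    plan: Dict[str, Net] = {}
    candidates = supernet.subnets(new_prefix=prefix)   # consumed in order, never rewound
    for name in names:
        for cand in candidates:
            if any(cand.overlaps(r) for r in reserved):
                continue
            plan[name] = cand
            break
        else:
            raise RuntimeError(f"{supernet} exhausted before allocating {name}")
    return plan


def carve_subnets(vpc: Union[str, Net], tiers: List[str], azs: List[str],
                  prefix: int = SUBNET_PREFIX) -> Dict[str, Net]:
    """One subnet per (tier, availability zone) pair, e.g. 'app-b' -> 10.2.48.0/20."""
    gen = _as_net(vpc).subnets(new_prefix=prefix)
    return {f"{tier}-{az}": next(gen) for tier in tiers for az in azs}


def peering_conflicts(plan: Dict[str, Union[str, Net]]) -> List[Tuple[str, str]]:
    """Pairs of VPCs whose ranges overlap. AWS rejects a peering connection between them,
    and overlapping ranges make transit gateway routing ambiguous as well."""
    nets = {name: _as_net(cidr) for name, cidr in plan.items()}
    names = list(nets)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if nets[a].overlaps(nets[b])]


if __name__ == "__main__":
    plan = allocate_vpcs(["payments", "hr", "shared-services"])
    for name, cidr in plan.items():
        print(f"{name:16} {cidr}")
    print("conflicts:", peering_conflicts(plan) or "none")
    for subnet, cidr in carve_subnets(plan["payments"], ["web", "app", "data"], ["a", "b"]).items():
        print(f"  {subnet:8} {cidr}")
```

Running it with the constructed inputs skips the two reserved /16s and assigns 10.2.0.0/16, 10.3.0.0/16 and 10.4.0.0/16; `peering_conflicts` is the check worth running against every existing VPC and on-premises range before a new VPC is created, since a collision found after resources exist means recreating the VPC.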
Any organization building a cloud network segmentation and security strategy should focus on a least-privilege or zero-trust approach. For most cloud deployments, the quick wins come from a sound strategy definition that all senior stakeholders agree on. For example:
Decide on a VPC and subnet model that is both flexible and secure. Larger VPCs and subnets are more flexible but harder to build and maintain access controls for. Smaller VPCs (and possibly subnets) are easier to lock down effectively but may prove less efficient for business use cases.
Leverage third-party network security platforms. For larger enterprises, cloud-native access controls (security groups and network ACLs) are not sufficient on their own. Deeper inspection such as IPS, TLS inspection and application-layer policy has traditionally required third-party firewalls deployed as gateways, although managed services like AWS Network Firewall and Azure Firewall Premium now close part of that gap.
Use IaC for deployments. All network security access controls, both cloud-native and third-party, may be best implemented in IaC templates like CloudFormation and Terraform. This will aid with deployment efficiency and ongoing maintenance of security
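Whether the model is many small VPCs or a few large ones, the access controls that are "harder to build and maintain" are the security groups and network ACLs separating subnets inside a VPC, and the error-prone part is their differing semantics: security groups are stateful allow-lists, network ACLs are stateless, numbered and first-match-wins. The following added example (not IANS code) models those semantics over a constructed web/app/data layout in 10.2.0.0/16 and reports, for a given connection, the first control point that blocks it. The layout, hosts and rules are constructed for illustration; the return-path check also reproduces a common mistake, a reply rule that only covers 32768-65535 instead of the full 1024-65535 range.

```python
"""Which flows between subnets in one VPC actually get through? Added example for this
post, not IANS code; the three-tier layout, hosts and rules below are constructed.
Every subnet in a VPC reaches every other via the local route, so only the
security groups and network ACLs decide the answer."""
import functools
import ipaddress
from collections import namedtuple
from typing import Dict, List, Tuple

EPHEMERAL = (1024, 65535)  # reply ports a stateless NACL has to allow explicitly

# number: NACL rule number (lowest evaluated first; unused for security groups)
# action: "allow" or "deny" (security groups are allow-only)
# proto:  "tcp", "udp" or "-1" for all; ports: inclusive (low, high)
# cidr:   peer network, i.e. source for inbound rules and destination for outbound
Rule = namedtuple("Rule", "number action proto ports cidr")
Subnet = namedtuple("Subnet", "cidr nacl_in nacl_out")
Host = namedtuple("Host", "ip subnet sg_in sg_out")


@functools.lru_cache(maxsize=None)
def _net(cidr: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network(cidr)


def _matches(rule: Rule, proto: str, port: int, peer: ipaddress.IPv4Address) -> bool:
    return (rule.proto in ("-1", proto) and rule.ports[0] <= port <= rule.ports[1]
            and peer in _net(rule.cidr))


def nacl_allows(rules: List[Rule], proto: str, port: int, peer) -> bool:
    """NACL semantics: ascending rule number, first match wins, implicit deny ('*') last."""
    for rule in sorted(rules, key=lambda r: r.number):
        if _matches(rule, proto, port, peer):
            return rule.action == "allow"
    return False


def sg_allows(rules: List[Rule], proto: str, port: int, peer) -> bool:
    """Security-group semantics: stateful allow-list; any matching rule permits."""
    return any(_matches(r, proto, port, peer) for r in rules)


def flow_allowed(src: Host, dst: Host, proto: str, port: int) -> Tuple[bool, str]:
    """Walk each control point a new connection crosses, in order; name the first that blocks."""
    sip, dip = ipaddress.ip_address(src.ip), ipaddress.ip_address(dst.ip)
    checks = [
        ("source SG outbound", lambda: sg_allows(src.sg_out, proto, port, dip)),
        ("source subnet NACL outbound", lambda: nacl_allows(src.subnet.nacl_out, proto, port, dip)),
        ("destination subnet NACL inbound", lambda: nacl_allows(dst.subnet.nacl_in, proto, port, sip)),
        ("destination SG inbound", lambda: sg_allows(dst.sg_in, proto, port, sip)),
        # Security groups track state, NACLs do not: the reply must be allowed out of dst's
        # subnet and into src's subnet on every ephemeral port the client might pick.
        ("NACL return path", lambda: all(nacl_allows(dst.subnet.nacl_out, proto, p, sip)
                                         and nacl_allows(src.subnet.nacl_in, proto, p, dip)
                                         for p in range(EPHEMERAL[0], EPHEMERAL[1] + 1))),
    ]
    for name, passes in checks:
        if not passes():
            return False, f"blocked at {name}"
    return True, "allowed"


def example_vpc(narrow_reply_range: bool = False) -> Dict[str, Host]:
    """Constructed web/app/data tiers in 10.2.0.0/16. narrow_reply_range reproduces a
    common mistake: the data subnet only allows replies on 32768-65535."""
    reply_lo = 32768 if narrow_reply_range else EPHEMERAL[0]
    web = Subnet("10.2.0.0/20",
                 [Rule(100, "allow", "tcp", (443, 443), "0.0.0.0/0"),
                  Rule(110, "allow", "tcp", EPHEMERAL, "0.0.0.0/0")],
                 [Rule(100, "allow", "tcp", (8080, 8080), "10.2.16.0/20"),
                  Rule(110, "allow", "tcp", EPHEMERAL, "0.0.0.0/0")])
    app = Subnet("10.2.16.0/20",
                 [Rule(100, "allow", "tcp", (8080, 8080), "10.2.0.0/20"),
                  Rule(110, "allow", "tcp", EPHEMERAL, "10.2.0.0/16")],
                 [Rule(100, "allow", "tcp", (5432, 5432), "10.2.32.0/20"),
                  Rule(110, "allow", "tcp", EPHEMERAL, "10.2.0.0/16")])
    # Rule 50 sorts before rule 100, so the web tier is denied although 100 alone would allow it.
    data = Subnet("10.2.32.0/20",
                  [Rule(50, "deny", "tcp", (5432, 5432), "10.2.0.0/20"),
                   Rule(100, "allow", "tcp", (5432, 5432), "10.2.0.0/16")],
                  [Rule(100, "allow", "tcp", (reply_lo, 65535), "10.2.0.0/16")])
    return {
        # web's SG egress is deliberately loose so the NACL deny is what stops web -> db
        "web": Host("10.2.0.10", web, [Rule(0, "allow", "tcp", (443, 443), "0.0.0.0/0")],
                    [Rule(0, "allow", "tcp", (1024, 65535), "10.2.0.0/16")]),
        "app": Host("10.2.16.10", app, [Rule(0, "allow", "tcp", (8080, 8080), "10.2.0.0/20")],
                    [Rule(0, "allow", "tcp", (5432, 5432), "10.2.32.0/20")]),
        "db": Host("10.2.32.10", data, [Rule(0, "allow", "tcp", (5432, 5432), "10.2.16.0/20")], []),
    }
```

With the constructed layout, `flow_allowed(hosts["web"], hosts["app"], "tcp", 8080)` and app to db on 5432 are allowed, web to db on 5432 is stopped by the data subnet's rule 50 even though its security group egress would permit it, db to web on 443 is stopped by the database host's empty egress security group, and with `narrow_reply_range=True` the otherwise valid app to db connection fails at the return path because the data subnet's NACL does not allow replies on ports 1024-32767. Note that the web subnet's outbound "ephemeral" rule (1024-65535 to anywhere) also lets egress to 5432 through, which is exactly the kind of overly broad rule a per-VPC model avoids having to write.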
October 19, 2021
By IANS Faculty