Build a Zero Trust Cloud Network Architecture with Aviatrix
What is Zero Trust network architecture?
The concept of Zero Trust architecture came from the realization that perimeter security solutions such as edge firewalls are not sufficient to prevent data breaches. Lately, the most common attack approach has been lateral movement inside a network to scan for and obtain target data. The idea of Zero Trust is to build walls inside the datacenter via network segmentation to prevent lateral movement, and to always authenticate and authorize users for all data access.
How to build a Zero Trust cloud network
Classify data by network segmentation
- The first step in ensuring isolation is to separate data by placing it in different cloud accounts, for example keeping production data apart from dev and test data.
- Different business groups should have separate cloud accounts.
- The more fine-grained the accounts, the closer you get to the micro-segmentation goal.
- There should be zero connections among these networks by default.
In public clouds such as AWS, using the above principles to build your cloud network results in isolated islands of VPCs. If one VPC is breached, it is impossible to gain access to other VPCs, thus significantly reducing the attack surface.
Aviatrix is a multi-account platform that enables you to manage all cloud accounts from a single pane of glass.
Policy driven connectivity with stateful firewall rules
The connectivity between VPCs and on-prem networks should be policy driven. A network solution such as the AWS Global Transit Network with CSR is the polar opposite of the Zero Trust architecture point of view, as all VPCs and on-prem networks are built into a full mesh.
In contrast, AWS Global Transit Network with Aviatrix meets Zero Trust architecture requirements: secure connections are established only according to organization policy.
In addition to policy driven network connections, there must be firewall rules that govern data flow and reduce the connection scope. For example, you should consider placing applications and databases in separate VPCs and setting up a stateful firewall rule that only allows traffic initiated from the application to reach the database, not the other way around.
Within a VPC, you can use AWS native security groups associated with instances to enforce policies for communications.
User access with authentication and authorization
- User access to cloud resources must be authenticated. Certificate-only authentication is a weak solution, as a certificate can be stolen. Another insecure access method is the jump host or bastion host. Multi-factor authentication, such as integrating with LDAP/DUO/OKTA and client SAML "Single Sign On", significantly improves authentication strength. However, authentication alone is not sufficient.
- A user's access to cloud resources must be authorized. The finer-grained the control you apply, the less lateral movement a user can make even if access to the network is attained. With Zero Trust, you should only grant access to the required resources.
- User access activities must be fully audited. Every user-initiated TCP session in the cloud network must be logged for audit and inspection.
The Aviatrix Enterprise OpenVPN® Solution is the strongest secure client solution in the marketplace built for the public cloud.
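To make the application-to-database rule and the per-session audit requirement above concrete, here is a small added model (example code, not Aviatrix's or AWS's) of a stateful firewall: new TCP sessions are permitted only by explicit policy and always logged, while reply packets are permitted only if they belong to a session already in the state table. The segment CIDRs, addresses and port are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed example: two isolated VPCs, one per segment (hypothetical CIDRs).
SEGMENTS = {
    "app": ipaddress.ip_network("10.1.0.0/16"),
    "db": ipaddress.ip_network("10.2.0.0/16"),
}
# Policy: only "app" may initiate TCP sessions to "db" on the database port.
# There is deliberately no rule permitting db -> app.
POLICY = {("app", "db", 5432)}

def segment_of(ip):
    """Map an address to its segment name, or None if it is in no known segment."""
    addr = ipaddress.ip_address(ip)
    return next((name for name, net in SEGMENTS.items() if addr in net), None)

@dataclass
class StatefulFirewall:
    sessions: set = field(default_factory=set)     # connection state table
    audit_log: list = field(default_factory=list)  # every initiated session

    def evaluate(self, src, sport, dst, dport, syn):
        """Return True if the packet is permitted. syn=True marks a new session."""
        key = (src, sport, dst, dport)
        if syn:
            # New session: allowed only by explicit policy, and always audited.
            allowed = (segment_of(src), segment_of(dst), dport) in POLICY
            self.audit_log.append({"src": src, "dst": dst, "port": dport,
                                   "allowed": allowed})
            if allowed:
                self.sessions.add(key)
            return allowed
        # Non-SYN packet: permitted only if it belongs to a tracked session, in
        # either direction. This lets the database answer the application without
        # any rule that would let the database initiate connections to it.
        return key in self.sessions or (dst, dport, src, sport) in self.sessions

def demo():
    """Run the four flows a practitioner would want to check against the rule."""
    fw = StatefulFirewall()
    app, db = "10.1.0.10", "10.2.0.20"
    results = {
        "app_to_db_new": fw.evaluate(app, 40000, db, 5432, syn=True),
        "db_reply": fw.evaluate(db, 5432, app, 40000, syn=False),
        "db_to_app_new": fw.evaluate(db, 50000, app, 22, syn=True),
        "db_to_app_unsolicited_ack": fw.evaluate(db, 50001, app, 8080, syn=False),
    }
    return results, fw.audit_log

if __name__ == "__main__":
    print(demo())
```

The audit log records both the permitted and the denied session attempts, which is the record a Zero Trust deployment needs for inspection.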