{"id":111835,"date":"2020-05-27T06:00:24","date_gmt":"2020-05-27T13:00:24","guid":{"rendered":"https:\/\/www.paloaltonetworks.com\/blog\/?p=111835"},"modified":"2020-08-07T15:19:56","modified_gmt":"2020-08-07T22:19:56","slug":"network-cloud-native-applications","status":"publish","type":"post","link":"https:\/\/www2.paloaltonetworks.com\/blog\/2020\/05\/network-cloud-native-applications\/","title":{"rendered":"Need to Secure Cloud Native Applications? Take a Look at Airport Security"},"content":{"rendered":"

Securing an airport and securing your cloud-native applications have more in common than you may realize \u2013 and two essentials of airport threat prevention nicely illustrate why virtual and container NGFWs are vital for security in the cloud. As digital transformation drives you to move crown jewel applications to public clouds and containers, you need to use the same layered security approach airports typically provide.\u00a0<\/span><\/p>\n

 <\/p>\n

Cloud Native Apps Need to Travel to More Than One Environment<\/b><\/h2>\n

Before we head off to our airport analogy, it\u2019s important to understand that most enterprises today use data centers and multiple public clouds. On top of that, they run workloads, some of which now may be <\/span>containerized<\/span><\/a> or <\/span>serverless<\/span><\/a>, but most organizations still have plenty of bare-metal servers, virtual machines and even mainframes.\u00a0<\/span><\/p>\n

But regardless of where workloads run, what companies really care about are the enterprise applications running on top of their hybrid infrastructures. These enterprise applications tend to be highly interconnected. Most apps connect to core services \u2013 services such as Active Directory, administration, monitoring and logging infrastructure. Many of these apps also connect to critical databases running on legacy systems such as Solaris or mainframes. Because it's <\/span>the network<\/span><\/i> that connects these apps, network security needs to span the entire infrastructure. That\u2019s why network protection for cloud native applications needs to be approached holistically. Cloud native applications don\u2019t live on isolated islands or an annex tucked away from the rest of an airport.<\/span><\/p>\n

Complete network protection requires next-generation firewalls (NFGWs) and identity-based microsegmentation. And because our cloud journey is an ongoing journey, it\u2019s important to gain complete visibility into all the connections made over the network. This includes internet to the workloads, workloads to the internet, and workloads to workloads.\u00a0<\/span><\/p>\n

 <\/p>\n

Scanning and Detection are Vital for Airports \u2013 And Your Public Cloud Journey<\/b><\/h2>\n

Visibility into the overall environment is a first step, but only a first step to ward off threats \u2013 we\u2019d all worry if airport security was limited to CCTV cameras. Fortunately, airports have two additional and deeper layers of security, which are instructive when it comes to securing cloud native applications:\u00a0<\/span><\/p>\n

1. Full body and luggage scanners:<\/b> The goal of this layer is to ensure that people heading toward departing airplanes are not carrying anything dangerous. Security agents (such as the TSA in the United States) perform this task with scanning equipment that examines people, luggage and myriad small items. Airport authorities deploy this process at strategic locations. Some airports have only one security and scanning station at the entrance, while bigger airports tend to have one or more at the boundary of each terminal.<\/span><\/p>\n

And this is where NGFWs come in, because they map to these<\/span> security scans. Just as security is deployed at strategically chosen perimeters at the airport, NGFWs need to be deployed at carefully chosen perimeters or trust boundaries.\u00a0\u00a0<\/span><\/p>\n

2. Boarding pass scanners: <\/b>The goal of this layer of inspection is to reduce the attack surface by minimizing the movement of people into places where they are not supposed to go. Boarding pass scanners are deployed at every gate \u2013 typically as close as possible to the boarding entrance of the appropriate airplane.\u00a0<\/span><\/p>\n

Similarly, <\/span>microsegmentation<\/span><\/a> is another form of access control that reduces the attack surface by minimizing allowed connections between workloads. If you only allow connections absolutely required for applications to function and then block everything else, damage can be significantly minimized because a breach can be effectively contained to the location where it occurs. In cloud-native environments \u2013 where workloads are very dynamic and IP addresses are meaningless \u2013 microsegmentation policies need to be enforced by using the identity of the workloads. The Palo Alto Networks Prisma Cloud platform delivers <\/span>scalable<\/span><\/a>, identity-based microsegmentation that complements the capabilities of the NGFW.<\/span><\/p>\n

Just as boarding pass scanners are deployed at every airport gate, microsegmentation needs to be enforced at every workload, and agent-based solutions are best suited for enforcing microsegmentation policies right at the workload level.\u00a0<\/span><\/p>\n

\"\"<\/span><\/div>
Microsegmentation on workloads with NGFWs at trust boundaries.<\/figcaption><\/figure>\n

Understand What Goes into Cloud Native Scanning and Detection<\/b><\/h2>\n

Now, let\u2019s discuss what kinds of protection the NGFWs provide in these cloud-native environments:\u00a0<\/span><\/p>\n