How to Build a Zero Trust Cloud Network Architecture with Aviatrix
What is Zero Trust network architecture?
Zero Trust architecture came from the realization that perimeter security solutions such as edge firewalls are not sufficient to prevent data breaches. Lateral movement inside a network to scan and obtain target data has been the approach in the recent serious attacks. The idea of Zero Trust is to build walls inside the datacenter by network segmentation to prevent lateral movement and always authenticate and authorize users for all data access.
How to build a Zero Trust cloud network
1. Classify data by network segmentation
- Separating production data from dev and test is the first step. Giving them separate cloud accounts is the best practice to ensure isolation.
- Different business groups should have separate cloud accounts.
- The more fine grained the accounts, the closer you get to the goal of micro segmentation.
- There should be zero connections among these networks by default.
In a public cloud such as AWS, building your cloud network on the above principles results in isolated islands of VPCs. If one VPC is breached, it is impossible to gain access to other VPCs, which significantly reduces the attack surface.
Aviatrix is a multi-account platform that enables you to manage all cloud accounts from a single pane of glass.
2. Policy driven connectivity with stateful firewall rules
- The connectivity between VPCs and the on-prem network should be policy driven. A network solution such as the AWS Global Transit Network with CSR is the opposite of the Zero Trust architecture point of view, as all VPCs and the on-prem network are built into a full mesh.
- In contrast, AWS Global Transit Network with Aviatrix meets Zero Trust architecture requirements: a secure connection is established only where organization policy calls for it.
- In addition to policy driven network connections, there must be firewall rules that govern data flow and reduce the connection scope. For example, you should consider placing the application and the database in separate VPCs and setting up a stateful firewall rule that only allows traffic initiated from the application to reach the database, not the other way around. The Aviatrix gateway stateful firewall enforces and logs all network events.
- Within a VPC, you can use AWS native security groups associated with instances to enforce policies for communications.
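A minimal model of the stateful rule described above, added here as an illustration (it is not Aviatrix code): the application VPC range, database VPC range and database port are constructed placeholders. Sessions opened from the application side are tracked, so the database's replies are admitted, while any session the database tries to open is denied, and every decision is logged.

```python
import ipaddress
from dataclasses import dataclass, field

APP_VPC = ipaddress.ip_network("10.1.0.0/16")  # constructed application VPC range
DB_VPC = ipaddress.ip_network("10.2.0.0/16")   # constructed database VPC range
DB_PORT = 5432                                 # constructed database listener port


@dataclass
class StatefulFirewall:
    """Default deny with one allow rule: the app VPC may open TCP sessions
    to the DB port. Packets in the reverse direction are admitted only when
    they belong to a session the application opened (connection tracking)."""
    sessions: set = field(default_factory=set)
    log: list = field(default_factory=list)

    def _may_initiate(self, src, dst, dport):
        return src in APP_VPC and dst in DB_VPC and dport == DB_PORT

    def check(self, src, sport, dst, dport, syn=False):
        """Return 'ALLOW' or 'DENY' for one packet and record the event."""
        src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        flow = (src, sport, dst, dport)
        reverse = (dst, dport, src, sport)
        if flow in self.sessions or reverse in self.sessions:
            verdict = "ALLOW"            # part of an established, app-initiated session
        elif syn and self._may_initiate(src_ip, dst_ip, dport):
            self.sessions.add(flow)      # new session opened by the application
            verdict = "ALLOW"
        else:
            verdict = "DENY"             # DB-initiated, wrong port, or unsolicited reply
        self.log.append(f"{verdict} {src}:{sport} -> {dst}:{dport} syn={syn}")
        return verdict


def demo():
    """Walk five constructed packets through the firewall; returns (firewall, verdicts)."""
    fw = StatefulFirewall()
    verdicts = [
        fw.check("10.1.0.10", 40000, "10.2.0.20", 5432, syn=True),  # app opens DB session
        fw.check("10.2.0.20", 5432, "10.1.0.10", 40000),            # DB reply, tracked
        fw.check("10.2.0.20", 50000, "10.1.0.10", 22, syn=True),    # DB initiates to app
        fw.check("10.1.0.10", 40001, "10.2.0.20", 22, syn=True),    # app to DB on SSH port
        fw.check("10.2.0.20", 5432, "10.1.0.10", 40001),            # reply with no session
    ]
    return fw, verdicts


if __name__ == "__main__":
    print("\n".join(demo()[0].log))
```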
3. User access with authentication and authorization
- Users accessing cloud resources must first be authenticated. Certificate-only authentication is a weak solution, as a certificate can be stolen. Another insecure access method is the Jump Host or Bastion station. Multi-factor authentication, such as integrating with LDAP/DUO/OKTA and client SAML "Single Sign On", significantly improves authentication strength. However, authentication alone is not sufficient.
- Users accessing cloud resources must also be authorized. The finer grained the control you apply, the less lateral movement a user can make even if access to the network is obtained. With Zero Trust, you should only grant access to the required resources.
- User access activities must be fully audited. Every user-initiated TCP session in the cloud network must be logged for audit and inspection.
Aviatrix Enterprise OpenVPN® Solution is the strongest secure client solution in the marketplace built for the public cloud.
Zero Trust architecture is "Never trust, always verify", a critical component to enterprise cloud adoption success. Aviatrix provides a rich set of capabilities that enables you to build a Zero Trust network for the public cloud.
OpenVPN is a registered trademark of OpenVPN Inc.