What is egress security for public cloud?

Cisco Multicloud Defense can enable egress security in the cloud for AWS, Azure, Google Cloud Platform (GCP), and Oracle Cloud Infrastructure (OCI) in minutes.

Deploying egress security with Multicloud Defense can be achieved in these three steps:

Initiate discovery: The discovery capability empowers an evergreen model of running cloud applications, auto-detecting changes, and providing the needed insights into security requirements. Coupling discovery with tag-based policy capabilities inside Multicloud Defense simplifies policy management, providing near real-time policy updates in constantly changing environments.

Deploy security: The deployment architecture is driven by the discovery. Security is auto-scaled, provisioned, and network-plumbed (agent-less) with single-click deployment. AWS, Azure, and GCP cloud deployments and network pathing are supported through infrastructure as code (IaC) automation (Terraform and API), without the need to build and manage a complex control plane.

Defend your networks: Write custom security policies to protect your applications as you determine their need, and that may include some, or all, of the following defense functions:

  • URL plus fully qualified domain name (FQDN) filtering: Custom plus domain categories
  • TLS decryption/re-encryption with single pass deep packet inspection (DPI)
  • Advanced web application firewall (WAF)
  • Network protection (IDS/IPS) plus malicious sources
  • Egress security in public cloud

Solution

Cisco Multicloud Defense

Simplify security and gain multidirectional protection across public or private clouds to block inbound attacks, lateral movement, and data exfiltration.

Egress security in the public cloud

Egress security in the public cloud comprises a significant portion of the total security posture toward protecting public cloud workloads handling or using:

  • Personally identifiable information (PII): data that can be used to identify a specific individual. Technology has expanded the scope of PII considerably to include IP addresses, login IDs, social media posts, or digital images, in addition to traditional social security numbers (SSNs), credit card numbers, email addresses, and phone numbers.
  • Access to public Internet resources for software updates, patches, public repositories, API calls, third-party interconnects, and sensitive data logging to external sources.

Questions arise as to what is adequate, good, better, and best when protecting the applications requiring egress traffic flow to the public Internet and limiting the blast radius in the event of a security breach. These questions include:

  • Where am I vulnerable?
  • Which is better, FQDN or URL filtering?
  • Should I care about data-loss prevention (DLP)?
  • Should I deploy a proxy?
  • Do I also need malware detection?
  • How can I determine if my data is compromised?
  • What are my workloads really accessing and why? 

The answer is you should care about all the above and more. The Cloud Security Alliance (cloudsecurityalliance.org) and other bodies address best practices with specific types of sensitive data, such as the Payment Card Industry Security Standards Council (PCI SSC) and Health Insurance Portability and Accountability Act of 1996 (HIPAA). However, the organization must determine its own security posture: what to deploy and where to acquire it. Additionally, it should understand both the security capabilities and the automation/management functions of a comprehensive solution architecture and the benefits it provides. Capabilities that we believe are required in any public cloud egress security solution are:

Figure 1: Multicloud Defense egress security coverage comparison table

Cisco can assist you, and your cloud teams, in understanding the complexities of each capability. For example, what is the real difference between URL versus FQDN filtering when limiting access to a specific GitHub repository?

For example, suppose only the repository stevemulticlouddefense/app should be permitted.

URL filtering is more prescriptive, matching the entire URL, including the path, that is permitted for access:

https://github.com/stevemulticlouddefense/app Allow

FQDN filtering operates on top-level domains (TLDs) and subdomains only, never on the URL path, so it can only express this as an FQDN rule:

*.github.com Allow

FQDN filtering alone is inadequate here, since it allows access to all public GitHub repositories, some of which are known to contain malware and data loss mechanisms.

In addition, URL filtering combined with tags (Multicloud Defense's attribute-based access control) and custom lists for domain categories (80) makes this highly manageable at scale.
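To make the URL-versus-FQDN distinction concrete, here is an added Python model (not Multicloud Defense code; the rule syntax, host list and sample flows are constructed for illustration) that evaluates the two rule types from the text against three outbound flows, including an undecrypted one where only the TLS SNI is visible.

```python
from dataclasses import dataclass
from fnmatch import fnmatch
from typing import List, Optional
from urllib.parse import urlsplit

@dataclass
class EgressRequest:
    """One outbound HTTPS flow as an egress gateway sees it (constructed model)."""
    sni: str                   # host from the TLS ClientHello; visible without decryption
    url: Optional[str] = None  # full URL; known only if the gateway decrypts TLS

# Constructed allow lists mirroring the GitHub example in the text (not product syntax).
# The apex host is listed explicitly: fnmatch("github.com", "*.github.com") is False.
FQDN_RULES = ["github.com", "*.github.com"]
URL_RULES = ["https://github.com/stevemulticlouddefense/app"]

def fqdn_allowed(req: EgressRequest, rules: List[str] = FQDN_RULES) -> bool:
    """FQDN filtering: only the host name is compared; the path is never examined."""
    return any(fnmatch(req.sni.lower(), p.lower()) for p in rules)

def url_allowed(req: EgressRequest, rules: List[str] = URL_RULES) -> bool:
    """URL filtering: scheme, host and path prefix must all match.
    Undecrypted flows expose no path, so a path-scoped rule fails closed."""
    if req.url is None:
        return False
    want = urlsplit(req.url)
    for rule in rules:
        ok = urlsplit(rule)
        same_site = want.scheme == ok.scheme and want.netloc.lower() == ok.netloc.lower()
        base = ok.path.rstrip("/")
        in_path = want.path == base or want.path.startswith(base + "/")
        if same_site and in_path:
            return True
    return False

def compare(req: EgressRequest) -> dict:
    """Both verdicts side by side for one flow."""
    return {"fqdn": fqdn_allowed(req), "url": url_allowed(req)}

if __name__ == "__main__":
    flows = [  # constructed sample traffic
        EgressRequest("github.com", "https://github.com/stevemulticlouddefense/app/archive/main.zip"),
        EgressRequest("github.com", "https://github.com/another-org/unvetted-repo"),
        EgressRequest("github.com"),  # opaque TLS: only SNI known
    ]
    for f in flows:
        print(f.url or f"(undecrypted TLS to {f.sni})", compare(f))
```

The third flow shows why the TLS decryption function listed earlier matters: without it a URL rule cannot see the repository path and degrades to host-level filtering unless the policy fails closed.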

Egress security architecture

Cisco Multicloud Defense is architected using software-defined principles of a decoupled control plane and data plane, offering a software-as-a-service (SaaS)-delivered control plane (the Multicloud Defense Controller) and a platform-as-a-service (PaaS)-delivered data plane (Multicloud Defense Gateway) residing in the organization's cloud accounts. This means your data and security constructs such as certificates, keys, and data stores never leave your cloud account boundaries. Deployment models can include centralized, distributed, or a mix of both based on your specific security architecture requirements.

Figure 2: Overview of Multicloud Defense use cases

Automation and integrations

Cisco Multicloud Defense offers a multitude of support for automation and integrations. It provides native support in the four (4) major cloud service providers (CSPs)—AWS, Azure, GCP, and OCI—while abstracting the complexities and nuances involved with deploying and configuring network and security constructs for each individual CSP. The solution is fully supported through Terraform, RESTful API, and the Multicloud Defense portal GUI.

Additionally, Multicloud Defense is integrated into popular security information and event management (SIEMs) and alerting solutions, while packet captures (PCAPs) can be optionally pushed to your CSP data store.

Figure 3. Multicloud Defense cloud network and firewall security architecture

Cisco Multicloud Defense can enable egress security in the cloud for AWS, Azure, GCP, and OCI in minutes. To learn more about how Cisco Multicloud Defense can simplify your multicloud network security, visit our website at www.cisco.com/go/multicloud-defense, request a demo, or view our product tour.

See Multicloud Defense in action with a free trial.
