How Does Cloud Enclaving Differ from Traditional Cybersecurity?
Cloud enclaving is built to meet the needs of modern digital business in a way legacy security solutions aren’t. Let’s put this into historical context to understand why.
Years ago, when applications and data resided in an organization’s on-premises data center—and employees largely worked from those same premises—traditional perimeter-based network security offered a reasonable level of security. Today, globalization and hybrid work have pushed cloud computing to the fore, rendering older models ineffective.
In the cloud, a single organization’s different critical workloads can sit with multiple cloud service providers (e.g., Amazon Web Service [AWS], Microsoft Azure), and users access them over the internet. In practical terms, this means there’s no longer a “network perimeter,” which opens up many more avenues for possible attacks. Cloud enclaving counters this by making room for tailored security policies that limit traffic to and from specific workloads to only what’s explicitly permitted.
What Is an Enclave?
An enclave is a portion of a network that’s separated from the rest of the network and governed by granular security policies. The purpose of a secure enclave is to enforce least-privileged access to critical resources as part of a defense-in-depth security strategy.
Network Segmentation vs. Cloud Enclaving
Network segmentation is best used for north-south traffic (between your environment and locations outside it), while cloud enclaving adds a layer of protection for east-west traffic (server-to-server, app-to-server, web-to-server, and so on inside your environment). Let’s look at both in a little more detail.
Compared to a perimeter-based model that only secures a network from the outside, network segmentation is a more nuanced approach. Namely, it divides a network into “subnets” and applies security and compliance protocols to each. Traffic between segments is typically separated using a VLAN before passing through a firewall.
Unfortunately, because this approach is based on IP addresses, it can only identify how a request arrived (i.e., its originating IP address, port, or protocol), not the context or identity of the entity making the request. Communications deemed safe are allowed, even if IT doesn’t know exactly what they are. Then, the entity is trusted once it’s inside a segment—even if they’re a malicious actor looking to move laterally inside the environment.
Network segmentation creates a “flat” network, leaving unprotected pathways that allow attackers to move laterally and compromise workloads in cloud and data center environments. Beyond that, the cost, complexity, and time required to manage network segmentation using legacy firewalls or virtual machines (VMs) tend to outweigh the security benefits.
Cloud enclaving—that is, cloud-based microsegmentation—enables more granular traffic control while minimizing an organization’s attack surface, achieving segmentation in a way that’s operationally simpler and more secure than network segmentation. It does this by looking beyond IP addresses, ports, and protocols to authenticate requests by identity and context. Furthermore, it delivers granular protection at the level of individual workloads to more effectively control communications between them.
Cloud enclaving not only minimizes insider threats by providing protection much closer to the workloads themselves, but also prevents the spread of outside threats after the perimeter has been breached.