The present invention relates to the field of information technology, including, more particularly, to systems and techniques for securing communications in a cloud computing environment.
Many enterprises have turned to cloud computing for their information technology (IT) needs. Cloud-based applications can be much easier to deploy than traditional on-premises software installations. Not having to maintain a physical infrastructure can save an enterprise hundreds of thousands or even many millions of dollars per year.
As more and more companies and organizations shift production workloads outside of their corporate firewall to the cloud, corporate risk has risen significantly, given that cyberattacks have grown in frequency. These attacks range from lone individuals to organized groups and even to state-sponsored actors. Such attacks can have disastrous consequences.
An organization faces both external and internal threats. Traditional solutions for protecting local area networks have generally focused on the lower layers of the network stack. This is problematic for enterprises wishing to deploy into a cloud environment because typically an enterprise does not have control of the underlying network infrastructure of a cloud datacenter provider. For example, while the cloud provider may offer flexibility with regard to the upper-level application layer and its configuration, reconfiguring the lower-layer hardware infrastructure is generally not permitted since it is owned by the cloud datacenter provider and not the enterprise customer. Further, even if the enterprise did have the option, the method for configuration and integration can be different, extremely costly, and labor-intensive.
Most solutions have focused on securing the edge of a network using a firewall. As a result, communications among endpoints in a local area network (LAN) are often not secured. This lack of security is especially concerning in a multi-tenant, remote cloud environment where not all endpoints in the environment are controlled by the specific enterprise. A man-in-the-middle attack can be staged in such an environment, and it is not clear who owns the responsibility to prevent such an attack. A man-in-the-middle attack is a type of cyberattack in which a malicious actor is inserted into a conversation between two parties, impersonates one or both parties, and gains access to information that the two parties were trying to send to each other. A man-in-the-middle attack can allow a malicious actor to intercept, send, and receive data meant for someone else, or not meant to be sent at all, without either party knowing until it is too late. There are security gaps with respect to protecting enterprise production workloads in the cloud. Cloud providers cannot necessarily guarantee that only the customer-owned endpoints will communicate among themselves and that they will be isolated from others.
Another security issue is cross-contamination even among the applications of the specific enterprise. When an enterprise deploys applications in the cloud, it tends to mix many applications together in the cloud environment. Different applications have different attack surfaces, and there can be different vulnerabilities with different security risks. When an application is compromised, it is extremely desirable to be able to isolate the compromised workloads away from other applications. For example, it is extremely desirable to be able to implement a service isolation strategy that segregates a human resources (HR) system from enterprise resource planning (ERP) and from engineering development and quality assurance (QA). When a LAN communication is established among endpoints, it is highly desirable to be able to authenticate the endpoints and ensure that they are isolated and do not communicate across applications. An enterprise wishing to implement tighter security for endpoints for service isolation within a cloud deployment is often thwarted by the inability to gain access to the underlying network infrastructure.
Another challenge is the process of moving a datacenter into a cloud environment. Many companies do not have the option of starting a cloud deployment from scratch because they may have many hundreds of existing applications to support and to migrate to a cloud datacenter. These applications may have been configured and locked into the network layer of the particular machines of the enterprise's datacenter. It can be extremely difficult, time-consuming, and expensive to reconfigure the applications along with their IP networks for a cloud migration. Reconfiguring networks can be extremely time-consuming and may open up new security risks and vulnerabilities, increase the exposure of existing security risks and vulnerabilities, or both.
There is a continuing need for better cloud computing security, including improved systems and techniques to secure communications among endpoints and facilitate cloud migrations.