How to Build a Zero Trust Cloud Network Architecture with Aviatrix
What is Zero Trust network architecture?
Zero Trust architecture came from the realization that perimeter security solutions such as edge firewalls are not sufficient to prevent data breaches. In the recent serious attacks, the pattern has been lateral movement inside the network to scan for and obtain the target data. The idea of Zero Trust is to build walls inside the datacenter through network segmentation to prevent lateral movement, and to always authenticate and authorize users for all data access.
How to build a Zero Trust cloud network
1. Classify data by network segmentation
- Separating production data from dev and test is the first step. Giving each its own cloud account is the best practice to ensure isolation.
- Different business groups should have separate cloud accounts.
- The more fine-grained the accounts, the closer you get to the micro-segmentation goal.
- There should be zero connections among these networks by default.
In a public cloud such as AWS, building your cloud network on the above principles results in isolated islands of VPCs. If one VPC is breached, it is impossible to gain access to the other VPCs, which significantly reduces the attack surface.
Aviatrix is a multi-account platform that lets you manage all cloud accounts from a single pane of glass.
2. Policy driven connectivity with stateful firewall rules
- The connectivity between VPCs and the on-prem network should be policy driven. A network solution such as the AWS Global Transit Network with CSR is the opposite of Zero Trust from an architecture point of view, as all VPCs and on-prem are built into a full mesh network.
- In contrast, AWS Global Transit Network with Aviatrix meets Zero Trust architecture requirements: a secure connection is established only where organization policy calls for it.
- In addition to policy driven network connections, there must be firewall rules that govern data flow and narrow the connection scope. For example, consider placing the application and the database in separate VPCs and setting up a stateful firewall rule that only allows traffic initiated from the application to reach the database, not the other way around. The Aviatrix gateway stateful firewall enforces and logs all network events.
- Within a VPC, you can use AWS native security groups associated with instances to enforce policies for communications.
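The two steps above combine a default-deny posture between segments (step 1) with stateful rules that permit only policy-approved connections (step 2). The following is an added illustration of that evaluation logic, not Aviatrix code or the behaviour of any real gateway; the segment names, IP addresses, ports and the single allow rule are constructed for the example. It shows why "stateful" matters: the database may answer an application-initiated connection even though no rule allows the database to open connections toward the application.

```python
"""Toy stateful firewall evaluator (added example, not Aviatrix code).

Model: every segment (VPC) is isolated by default. A packet is allowed only if
an explicit rule permits the *new* connection it opens, or if it belongs to a
connection that was already permitted and is tracked in the state table.
"""
from dataclasses import dataclass
from typing import List, Set, Tuple


@dataclass(frozen=True)
class Packet:
    src_seg: str    # segment (e.g. VPC) the packet originates in
    dst_seg: str    # segment it is destined for
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    syn: bool       # True only for the packet that opens a new TCP connection


@dataclass(frozen=True)
class Rule:
    """Allow rule: new connections from src_seg to dst_seg on dst_port."""
    src_seg: str
    dst_seg: str
    dst_port: int


# (initiator_ip, initiator_port, responder_ip, responder_port)
FlowKey = Tuple[str, int, str, int]


class StatefulFirewall:
    def __init__(self, rules: List[Rule]):
        self.rules: Set[Rule] = set(rules)
        self.flows: Set[FlowKey] = set()   # connections explicitly permitted so far
        self.log: List[str] = []           # every decision is logged, allow or deny

    def evaluate(self, pkt: Packet) -> bool:
        forward: FlowKey = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        reverse: FlowKey = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)

        if pkt.syn:
            # New connection: only an explicit policy rule can allow it.
            if Rule(pkt.src_seg, pkt.dst_seg, pkt.dst_port) in self.rules:
                self.flows.add(forward)
                return self._record(pkt, True, "new connection permitted by rule")
            return self._record(pkt, False, "no rule permits this connection (default deny)")

        # Not a connection opener: allow only if it belongs to a tracked flow,
        # in either direction. This is what lets the database *reply* to the
        # application without any rule allowing db -> app connections.
        if forward in self.flows or reverse in self.flows:
            return self._record(pkt, True, "part of an established flow")
        return self._record(pkt, False, "no matching state (default deny)")

    def _record(self, pkt: Packet, allowed: bool, why: str) -> bool:
        verdict = "ALLOW" if allowed else "DENY"
        self.log.append(f"{verdict} {pkt.src_seg}:{pkt.src_ip}:{pkt.src_port} -> "
                        f"{pkt.dst_seg}:{pkt.dst_ip}:{pkt.dst_port} ({why})")
        return allowed


def demo() -> Tuple[List[bool], List[str]]:
    """Run constructed traffic through a one-rule policy; returns (verdicts, log)."""
    # Constructed policy: only the app tier may open connections to the DB tier on 5432.
    fw = StatefulFirewall([Rule("app-vpc", "db-vpc", 5432)])

    app_open    = Packet("app-vpc", "db-vpc", "10.1.0.10", 40001, "10.2.0.20", 5432, syn=True)
    db_reply    = Packet("db-vpc", "app-vpc", "10.2.0.20", 5432, "10.1.0.10", 40001, syn=False)
    db_open     = Packet("db-vpc", "app-vpc", "10.2.0.20", 50001, "10.1.0.10", 22, syn=True)
    dev_to_prod = Packet("dev-vpc", "db-vpc", "10.9.0.5", 40002, "10.2.0.20", 5432, syn=True)
    stray       = Packet("db-vpc", "app-vpc", "10.2.0.20", 5432, "10.1.0.10", 40999, syn=False)

    verdicts = [fw.evaluate(p) for p in (app_open, db_reply, db_open, dev_to_prod, stray)]
    return verdicts, fw.log


if __name__ == "__main__":
    for line in demo()[1]:
        print(line)
```

Running the script prints five decisions: the application's connection and the database's reply are allowed; the database trying to open SSH toward the application, a dev segment reaching for the production database with no rule, and a mid-connection packet with no matching state are all denied. The log captures deny events as well as allows, which is what you want to feed into detection.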
Zero Trust architecture, “never trust, always verify”, is a critical component of enterprise cloud adoption success. Aviatrix provides a rich set of capabilities that enable you to build a Zero Trust network in the public cloud.