
São Paulo/SP – August 04, 2023 – Why is account segmentation, in addition to traditional network segmentation, essential for cloud environments?

*By Leandro Lima

Network segmentation, fundamental to raising the maturity of information security in corporate environments, gains an additional dimension in cloud environments. Why, in addition to network segmentation, do cloud environments also have account segmentation? Is this a superior concept? Does it represent the future? What are the associated advantages and disadvantages? Are there viable alternatives? And if segmentation is not adopted, is there cause for concern?

Before answering these questions, it is essential to clarify the underlying fundamentals. What exactly is network segmentation and why is it so relevant to information security? According to NIST special publication 800-215 of November 2022, network segmentation involves dividing and isolating communication traffic entering and leaving a network (inbound and outbound traffic). Its main purpose is to prevent a cyber-attack directed at a segmented network from affecting other networks.

Each cloud service provider uses different naming for these resources. AWS refers to them as “Accounts”, meaning multiple AWS Consoles belonging to a single organization; managing multiple accounts requires adopting AWS Organizations. Microsoft Azure calls them “Subscriptions”, and administration of an organization's multiple Subscriptions is performed through the “Azure landing zone”. Google GCP, in turn, calls them “Folders” or “Sub Organizations”. In this article, we use the term “Account” to refer to an organizational entity in the cloud.

It is important to emphasize that the use of multiple accounts does not simply mean joining multiple VPCs, Organizations (AWS), Domains (Google) or Tenants (Microsoft) and managing them under a single structure. The concept we are exploring here is the segmentation of networks and dynamic groups within the same organizational context.

From this context, it becomes pertinent to question why cloud providers recommend account segmentation in addition to network segmentation, instead of just following the NIST guideline of dividing networks.

Let's take a look at what three cloud computing giants have to say on the subject:

– AWS: “While you can start your AWS journey with a single account, AWS recommends setting up multiple accounts as your workloads grow in size and complexity. Using a multi-account environment is an AWS best practice with numerous benefits.”
(Source: https://aws.amazon.com/pt/organizations/getting-started/best-practices/)

– Google: “In many organizations, different policies and access controls are defined for different application environments such as development, production and test. The existence of separate policies, however standardized for each environment, facilitates management and configuration.”
(Source: https://cloud.google.com/architecture/landing-zones/decide-resource-hierarchy?hl=pt-br)

– Microsoft Azure: “Organizations often utilize multiple Azure subscriptions to avoid per-subscription resource limitations and for more effective management and control of Azure resources.”
(Source: https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/azure-best-practices/scale-subscriptions)

These three companies take a similar approach, highlighting the need for account segmentation as corporations grow or diversify their activities. According to them, the more segmented the environment, the more effective its administration. These advantages go beyond cybersecurity, covering aspects such as visibility into the financial resources consumed by each account, divisions according to different regulations and policies, compliance, and specific market sectors.

The main benefit for information security lies in reserving spaces with least privilege and a high potential for monitoring. To illustrate the gains mentioned above, consider two scenarios, both focused on the development of an application.

In the first scenario, using only traditional network segmentation in a corporate environment, a group of users receives a set of IP addresses and virtual machines. The teams involved in development, such as infrastructure analysts, developers, managers and information security professionals, as well as third parties, need fine-grained, restricted permissions that grant access only to that specific environment.

Developers face restrictions on building machines, while managers struggle with tight deadlines and poor visibility into operations. Contractors move in and out of the project, which makes completing it a challenging task.

If significant changes occur during the project, permissions and access may require a complete review. The scalability of management and monitoring becomes a challenge when we multiply this scenario by 10 applications. Granting excessive permissions beyond what is necessary is not uncommon in these contexts.

In the second scenario, with the complete segmentation suggested by the main cloud providers, distinct groups from different sectors continue to receive their permissions. In contrast to the previous approach, however, developers have the freedom to create and decommission machines as needed, providing dynamism and scalability. Managers monitor progress through online information separated by working group. The information security team grants restricted permissions and audits activities through logs in the cloud console. Third-party access is managed through group permissions and multi-factor authentication (MFA). All of this takes place in a segregated space with appropriate permissions.
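One way to express the guardrails of this second scenario in AWS Organizations, as an added Terraform example that is not part of the original article: a "Development" Organizational Unit receives a Service Control Policy that keeps accounts from leaving the organization, protects the CloudTrail logs the security team audits, and requires MFA on third-party roles. The OU name, the `var.root_id` variable and the `ThirdParty-*` role-naming convention are assumptions made for the illustration.

```hcl
# Added example, not the article's own code. Assumed: the organization
# root id is passed in as var.root_id, and third-party roles follow the
# naming pattern "ThirdParty-*".
variable "root_id" { type = string }

resource "aws_organizations_organizational_unit" "development" {
  name      = "Development"
  parent_id = var.root_id
}

resource "aws_organizations_policy" "dev_guardrails" {
  name        = "dev-guardrails"
  description = "Guardrails for every account under the Development OU"
  type        = "SERVICE_CONTROL_POLICY"
  content = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        # No account can detach itself from central management.
        Sid      = "DenyLeavingOrganization"
        Effect   = "Deny"
        Action   = "organizations:LeaveOrganization"
        Resource = "*"
      },
      {
        # Keep the audit trail the security team relies on intact.
        Sid      = "ProtectCloudTrail"
        Effect   = "Deny"
        Action   = ["cloudtrail:StopLogging", "cloudtrail:DeleteTrail", "cloudtrail:UpdateTrail"]
        Resource = "*"
      },
      {
        # Third-party roles (assumed naming pattern) are usable only when
        # the session was established with MFA.
        Sid      = "ThirdPartyRolesRequireMFA"
        Effect   = "Deny"
        Action   = "*"
        Resource = "*"
        Condition = {
          ArnLike      = { "aws:PrincipalArn" = "arn:aws:iam::*:role/ThirdParty-*" }
          BoolIfExists = { "aws:MultiFactorAuthPresent" = "false" }
        }
      }
    ]
  })
}

resource "aws_organizations_policy_attachment" "dev_guardrails" {
  policy_id = aws_organizations_policy.dev_guardrails.id
  target_id = aws_organizations_organizational_unit.development.id
}
```

An SCP never grants permissions and does not apply to the management account, so developers' freedom to create and terminate machines still comes from IAM inside each development account; the account boundary, not the OU, is what keeps those permissions from reaching production.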

In view of this, we can now answer the questions that were formulated at the beginning:

– Why, in addition to network segmentation, do cloud environments adopt account segmentation?
The cloud offers dynamism and a range of control and monitoring tools that make account segmentation more efficient.

– Is account segmentation a superior concept?
It should be considered complementary, representing an evolution of mere network segmentation.

– Is it the future?
It is a current approach in which account segmentation streamlines administration.

– What are the advantages?
The advantages include scalability, dynamism, monitoring, resource management, permission management, and even savings in time and financial resources.

– Are there any downsides?
Segmentation by accounts implies adopting additional services, such as AWS Organizations and the Azure landing zone.

– What are the alternatives?
The alternative is to keep segmentation by networks only. It is important to keep in mind, however, that a single account can become insufficient when the environment grows excessively.

– Should I be concerned if I don't implement account segmentation?
No need to worry. As mentioned earlier, conventional network segmentation can still be effective. If properly implemented, it can ensure the sustainability of an environment.

In addition to bolstering cybersecurity, account segmentation has broad advantages in other areas. This is why companies around the world are embracing the concept to raise their information security maturity. Ignoring it, or neglecting to plan for its implementation, means underutilizing the benefits offered by the flexibility of cloud environments.

**SOURCES**:
https://www.nist.gov/publications/guide-secure-enterprise-network-landscape
https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-215.pdf
https://aws.amazon.com/pt/organizations/getting-started/best-practices/
https://cloud.google.com/architecture/landing-zones/decide-resource-hierarchy?hl=pt-br
https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/azure-best-practices/scale-subscriptions

*Leandro Lima is Cyber Security Manager at Safeway

How can we help? 

SAFEWAY is an Information Security consulting company recognized by its clients for offering high added value solutions through projects that fully meet the needs of the business. In 15 years of experience, we have accumulated several successful projects that have earned us credibility and prominence among our clients, largely drawn from the 100 largest companies in Brazil.

Today, through 25 strategic partnerships with global manufacturers and our SOC, SAFEWAY is considered a one-stop shop with the best technology, process and people solutions. SAFEWAY can help your organization implement an AI solution in a secure way. If you want more information, contact our experts!