I often end up getting into long conversations with customers on how best to secure their resources running in the cloud. As you can imagine, there are multiple ways to achieve this, and everyone has a preferred way of doing it.
The most common approach breaks key cloud principles: it tries to secure cloud resources using traditional controls, such as network segmentation. Don't get me wrong, this pattern (I have a post en route) is needed for traditional applications. However, building for the future should be done right.
How do you do this then? Move up the stack! Rather than building in rules at the network layer which allow server A to talk to server B on TCP port 443, use a user's identity.
Using a user's identity gives immense flexibility and security improvements. Here we can validate:
- Who is the user, and are they actually who they say they are?
- What is their security posture at time of login?
- Validate their access from wherever they are... users aren't in the office that much!
So my tip for the day? Look at how you can use tools such as AzureAD and Okta to validate a user's identity and their security posture. Applications using SAML and OIDC are a perfect choice for this.
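To make the three checks above concrete, here is an added example (my own, not code from the original post or from AzureAD/Okta) of what an application does with the OIDC ID token it receives after login: verify the signature, pin the issuer and audience, reject expired tokens, and treat the `amr` (authentication methods reference) claim as the posture signal by requiring `mfa`. To run offline with only the standard library it signs with HS256 and a constructed shared secret; real identity providers sign ID tokens with RS256 and you would verify against their published JWKS instead. The issuer URL, client ID and the "require mfa" policy are assumptions for the demo.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed values for this demo only. A real IdP signs with RS256 and
# you verify against its JWKS; the issuer and client ID come from your app's registration.
DEMO_SECRET = b"demo-shared-secret-not-for-production"
EXPECTED_ISSUER = "https://idp.example.com"   # assumed issuer URL
EXPECTED_AUDIENCE = "my-client-id"            # assumed client_id of the app


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_demo_token(claims: dict) -> str:
    """Mint an HS256 JWT so the example can stand in for the IdP offline."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (
        _b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    )
    sig = hmac.new(DEMO_SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def validate_id_token(token: str, now: Optional[int] = None) -> dict:
    """Return the claims if the token passes every check, else raise ValueError.

    Checks, in order: structure, pinned algorithm, signature, issuer (who says
    this user is who they say they are), audience (token meant for this app),
    expiry, and posture (MFA performed at login, read from the amr claim).
    """
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts

    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm: never let the token choose how it is verified.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")

    expected_sig = hmac.new(
        DEMO_SECRET, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256
    ).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")

    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != EXPECTED_ISSUER:
        raise ValueError("wrong issuer")

    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if EXPECTED_AUDIENCE not in audiences:
        raise ValueError("token not issued for this application")

    if int(claims.get("exp", 0)) <= now:
        raise ValueError("token expired")

    # Posture check (assumed policy): the IdP must have performed MFA at login.
    if "mfa" not in claims.get("amr", []):
        raise ValueError("MFA not satisfied at login")

    return claims


def token_is_valid(token: str, now: Optional[int] = None) -> bool:
    """Boolean wrapper around validate_id_token for callers that only need a verdict."""
    try:
        validate_id_token(token, now)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    issued_at = int(time.time())
    # Constructed claims for a user who logged in with password + MFA.
    demo_claims = {
        "iss": EXPECTED_ISSUER,
        "aud": EXPECTED_AUDIENCE,
        "sub": "alice",
        "iat": issued_at,
        "exp": issued_at + 300,
        "amr": ["pwd", "mfa"],
    }
    print(validate_id_token(make_demo_token(demo_claims)))
```

The order of checks matters: the signature is verified before any claim is read, so an attacker-controlled payload never influences the decision, and the algorithm is pinned rather than taken from the token header. Location-based checks (the third bullet) are normally enforced in the IdP's conditional-access policy before the token is ever issued, which is why they do not appear here.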