Chapter 3–14 From Chaos to Confidence: 5 Cloud Security Architecture Diagrams

Internet traffic control (inbound and outbound), identity management, application access, and defense against Distributed Denial of Service (DDoS) attacks

Whether your company operates on a local, national, or global scale, it is crucial to manage and restrict inbound and outbound traffic. Implementing a hub-and-spoke architecture can greatly reduce the risk of cyberattacks and optimize security investments by enforcing a uniform global Internet policy.

The diagram below demonstrates how cloud services can be used to protect all inbound and outbound traffic, as well as provide DNS hosting and email protection.

With over 90% of attacks originating from phishing emails, insecure user browsing, and direct DMZ attacks, a robust perimeter defense layer located in the cloud, preferably closer to potential attack points or regions, can safeguard your company’s assets before they are breached.

Figure 24. Control Inbound/Outbound Traffic with a Global Cloud Protection Shield.

Defense Against Distributed Denial of Service (DDoS) Attacks

DDoS attacks have become a popular and cheap way to disrupt production and cause reputation damage, making them the top attacks to look out for.

With new technologies from companies like Cloudflare, Akamai and others, their software as a service (SaaS) can now block attacks at globally distributed entry points, allowing only trusted or cleaned traffic to reach company assets, such as homepages and DMZ services.

The future implementation of Web3 and IPFS (InterPlanetary File System) will eliminate the risk of centralized servers being attacked. These decentralized technologies will provide a more secure network environment, reducing the likelihood of attackers exploiting single points for their attacks.

Figure 25. Evolution of Internet-Facing Cybersecurity Protection.

Outbound Web Traffic Protection

As previously mentioned, the majority of attacks result from phishing emails and unsecured user Internet browsing.

Remote browser isolation (RBI) technology offers improved protection for inbound traffic as well as outbound data.

This technology is capable of distinguishing manual input from copy and paste actions and can block uploads.

Traditional proxies cannot provide such precise outbound control.

For example, many companies have blocked the use of public OpenAI sites like ChatGPT, mainly due to data protection concerns. However, with remote browser isolation technology, users can be allowed to manually type queries while copy-paste and upload actions are blocked.

Figure 26. Remote Browser Isolation.

Zero Trust Multi-Cloud Identity Management

Having an effective zero trust, phishing-resistant cloud identity management solution is crucial. Traditional two-factor authentication, with a user password and a second-factor code sent to a cell phone or email, is not phishing-resistant: a phishing site can bypass this control with a “man in the middle” attack by relaying the code. Therefore, a phishing-resistant multifactor authentication that provides conditional access, mainly physical authentication of the access device, is necessary.
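To show why a relayed one-time code is phishable while a device-bound credential is not, here is an added illustration (not from the original article). It mimics the WebAuthn idea of signing over the browser-reported origin; the shared HMAC secret, the relying-party origin and the lookalike origin are all constructed stand-ins, and a real authenticator would use an asymmetric key pair.

```python
import hashlib
import hmac
import json

# Constructed demo values: a shared secret stands in for the authenticator's
# private key, and RP_ORIGIN is the assumed legitimate login origin.
SECRET = b"demo-authenticator-key"
RP_ORIGIN = "https://login.example.com"


def sign_assertion(origin, challenge):
    """Authenticator side: the signature covers the origin the browser saw."""
    client_data = json.dumps({"origin": origin, "challenge": challenge}, sort_keys=True)
    digest = hashlib.sha256(client_data.encode()).digest()
    return {"clientData": client_data,
            "signature": hmac.new(SECRET, digest, "sha256").hexdigest()}


def verify_assertion(assertion, expected_challenge):
    """Relying-party side: accept only assertions signed for our own origin."""
    data = json.loads(assertion["clientData"])
    if data.get("origin") != RP_ORIGIN:
        return False  # signed on a lookalike site: origin binding rejects it
    if not hmac.compare_digest(data.get("challenge", ""), expected_challenge):
        return False  # stale or replayed challenge
    digest = hashlib.sha256(assertion["clientData"].encode()).digest()
    expected = hmac.new(SECRET, digest, "sha256").hexdigest()
    return hmac.compare_digest(expected, assertion["signature"])


def verify_one_time_code(code, expected_code):
    """A classic SMS/email code carries no origin, so it verifies wherever it is relayed."""
    return hmac.compare_digest(code, expected_code)


def demo():
    challenge = "server-issued-nonce-42"  # constructed; a real RP uses a random nonce
    legit = sign_assertion(RP_ORIGIN, challenge)
    # Same user, same challenge, but the browser was on a lookalike origin.
    relayed = sign_assertion("https://login-example.com.lookalike.test", challenge)
    return {
        "device_bound_legit": verify_assertion(legit, challenge),        # True
        "device_bound_relayed": verify_assertion(relayed, challenge),    # False
        "one_time_code_relayed": verify_one_time_code("123456", "123456"),  # True
    }
```

The last result is the weakness the paragraph describes: a code typed into a phishing page still verifies at the real site, whereas the origin-bound assertion does not.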

In addition, having one single cloud identity platform, such as Okta, Azure, or Google Platform, is essential for companies with many SaaS Cloud Applications.

The platform uses SAML or other standards to provide Single Sign-On (SSO) authentication. This approach simplifies data protection, as when employees leave the company, they can no longer access SaaS applications from home, eliminating the need to manage each SaaS account termination individually.

Figure 27. Four Steps of Single Sign-On (SSO) Authentication in Multi-Cloud Environments

Next-Generation Application Access

ZTNA stands for Zero Trust Network Access. It is a security model that provides secure access to applications and data by dynamically creating a secure connection between a user’s device and the application they need to access, regardless of their location.

The ZTNA architecture, which is similar to SD-WAN in terms of traffic flow, connects both user endpoints and applications hosted inside the firewall-controlled datacenter to the ZTNA Policy Cloud or a ZTNA Exchange Appliance. Once user authentication is achieved, a virtual dynamic path is opened, eliminating the need to open any firewall ports for inbound traffic to applications. What a lifesaver for our overworked firewall administrators!

With ZTNA, user access is policy-based, meaning that only authorized users can access specific applications, and only the necessary resources are made available to them. This approach reduces the attack surface, both inside and outside the company network, and provides more granular control over application access.

With ZTNA, it’s highly likely that employees sitting next to each other may not have the same view of available applications.

However, in most companies today, all employees within the corporate network can view all internal applications, including some for which they do not have access privileges.
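The difference between "everyone on the LAN sees every app" and ZTNA's policy-driven, default-deny view, as an added example that is not part of the original article. The policies, groups and application names are constructed for illustration.

```python
# Constructed demo policies: an application is visible and reachable only when
# a policy explicitly grants it; anything unlisted is denied by default.
POLICIES = [
    {"app": "hr-portal",  "groups": {"hr"},                 "compliant_device": True},
    {"app": "git-server", "groups": {"engineering"},        "compliant_device": True},
    {"app": "wiki",       "groups": {"hr", "engineering"},  "compliant_device": False},
]

ALL_INTERNAL_APPS = sorted(p["app"] for p in POLICIES)


def legacy_visible_apps(on_corporate_network):
    """Flat network: once inside, every internal app is at least discoverable."""
    return ALL_INTERNAL_APPS if on_corporate_network else []


def ztna_visible_apps(user_groups, device_compliant):
    """ZTNA broker view: only apps whose policy matches identity and device posture."""
    allowed = []
    for p in POLICIES:
        if not (user_groups & p["groups"]):
            continue  # identity not in an authorized group
        if p["compliant_device"] and not device_compliant:
            continue  # conditional access: posture check failed
        allowed.append(p["app"])
    return sorted(allowed)


def broker_allows(user_groups, device_compliant, app):
    """Per-connection decision made before the dynamic path to the app is opened."""
    return app in ztna_visible_apps(user_groups, device_compliant)


def demo():
    # Two constructed employees sitting next to each other on the same network.
    alice = ({"hr"}, True)            # HR, managed and compliant laptop
    bob = ({"engineering"}, False)    # engineer, device failed posture check
    return {
        "legacy_alice": legacy_visible_apps(True),
        "legacy_bob": legacy_visible_apps(True),
        "ztna_alice": ztna_visible_apps(*alice),
        "ztna_bob": ztna_visible_apps(*bob),
        "bob_git_allowed": broker_allows(*bob, "git-server"),
    }
```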

Figure 28. Zero Trust Architecture for Datacenter Application Access.

It’s important to note that combining ZTNA with SD-WAN offers a significant advantage in improving access performance. With each office in possession of its own Internet connection, a user in a leaf office can use the nearest ZTNA entry point to access the ZTNA provider network, and then leverage the high-speed backbone to reach the closest SaaS applications.


Written by Dr. Tu - Applied Cybersecurity Management

Passionate about cybersecurity, data protection, and lifelong learning. Security Executive at a top 10 global company.
