How Cloud-Native Companies Can Secure Network Infrastructure

Surveys say 99% of organizations use one or more software-as-a-service (SaaS) applications. The COVID-19 pandemic’s social distancing and lockdown mandates pushed more and more companies into adopting cloud services for all their business operations. However, this forced migration impacted network infrastructure and network security.

In this article, you’ll find out what network infrastructure is, what it includes, and how it has evolved with the widespread use of cloud services and SaaS applications.

What Is Network Infrastructure?

Network infrastructure refers to all the hardware, software, and services that enable an organization to connect different systems for internet connectivity, business operations, peer-to-peer communications, and user communications.

What Does Network Infrastructure Include?

All these hardware and software components constitute an organization’s network infrastructure:

Hardware

• Routers
• Network switches
• Wireless routers
• Network cards
• Ethernet cables

Software

• Operating systems
• Network management system
• Router firmware
• Firewall
• Intrusion detection system
• Cloud security systems

Network services

• Physical and virtual networks
• Routing and switching services
• Wireless networks and wireless access points
• DNS
• Email
• Voice over IP (VOIP)

Network Infrastructure vs. IT Infrastructure

Information technology (IT) infrastructure is a superset of network infrastructure. In addition to all the networking infrastructure listed above, IT infrastructure includes:

• All computers, servers, and other related hardware
• All software and applications deployed in the organization
• All the data stored anywhere in the organization
• All IT services to manage the infrastructure

How Network Infrastructure Security Has Changed in the Cloud and SaaS Age

Before cloud and SaaS became widespread, just about everything in a corporate network was on-premises — data centers, web servers, workstations, routers, other network devices, databases, laptops, and the like. 

Everything was like a big local area network. Network connectivity across geographically separated sites was through a well-defined set of wide-area network (WAN) gateways. Desktop applications ran on workstations and talked to each other easily over the local area network.

Security teams had full control over every level of the network stack, from the cables to the applications. All software and hardware purchases were centrally managed, enabling security teams to control the security posture at all times.

But the advent of cloud computing and SaaS changed many aspects:

• All cloud and SaaS services now resided on the public internet.
• Desktop applications were replaced by web applications running in browsers.
• Employees started using mobile devices to connect to their corporate networks.
• Purchasing of cloud services and SaaS applications became decentralized.
• The shared responsibility model shifted many security responsibilities to the providers.

Security teams no longer have full control over every level of the network. The typical attack surface now is far bigger and more dynamic.

In the coming sections, we explore some of these changes in network infrastructure and their impacts on cybersecurity.

Cloud Security Technologies

The most significant infrastructure security change is the use of systems specializing in cloud security, like:

• Cloud access security broker (CASB): CASB mediates all network access to any cloud or SaaS service from any user or application in your organization. Its position in the network allows it to enforce a common set of security policies consistently across all cloud and SaaS services.
• Cloud security posture management (CSPM): CSPM helps you maintain your organization’s overall cloud security posture through capabilities like multi-cloud asset discovery, continuous monitoring, CASB-like access control, misconfiguration detection, threat detection, incident response, compliance monitoring, and automation.
• Secure access service edge (SASE): While CASB and CSPM become part of your existing network, SASE goes far beyond them by providing an entire networking fabric — consisting of software-defined wide area networks, content delivery networks, multi-cloud spanning networks, and more — with network security functions like firewalls, CASB, secure web gateways, and zero-trust network access.

Virtual Networks for Security

We normally think of networks as interconnected physical objects like wires and routers. But using special software, they can create virtual networks that work the same way.

Virtual networks are software-defined networks that behave like independent networks in every way. They communicate over the existing physical networking infrastructure of an organization.

Virtual networks improve network security by behaving as if they are completely isolated from each other. This limits the “blast radius” of any cyberattack. Such network segmentation is recommended by popular security guidelines like the Cybersecurity Framework, the Center for Internet Security’s Critical Security Controls, and the Cloud Security Alliance’s Cloud Controls Matrix.

Next, we’ll explore some examples of virtual networks.

Virtual Private Networks (VPN)

VPNs are probably the most well-known virtual networks. They let employees and other end-users securely connect to a corporate network from anywhere by using VPN client apps.

VPNs are not new, but the networking environment has changed. In the past, a corporate network was completely private, hidden from the public internet. To run any application there, employees needed a VPN. But now, SaaS applications are available to everybody, including employees, over the public internet.

Although the SaaS may be available over the public internet, the question is: Should the data an organization stores there also be available over the internet? When possible, we recommend making the data available only when accessed via a VPN. This is achieved using multi-factor authentication where one factor is only available over the corporate VPN, or attribute-based access control (ABAC) to verify that the connection is a VPN.

Cloud Virtual Networks

All the popular cloud service providers support virtual networks:

• Amazon Web Services (AWS) provides virtual private clouds.
• Microsoft Azure calls them VNets.
• Google Cloud also calls them virtual private clouds.

They let you create logically isolated virtual networks and limit access only to specific users, roles, or applications.

Virtual networks are also secure by default — they close all network ports, allow incoming traffic only through configured open ports, and let incoming and outgoing traffic only over permitted virtual networks.

Virtual Local Area Networks (VLANs)

VLANs are virtual internal networks configured on your routers that share the physical network’s infrastructure. Because routers treat them as isolated networks, they improve network security.

Network Security for Mobile Devices

Most SaaS applications are available on mobile devices. While great for productivity and convenience, smartphones also introduce new security threats.

In the course of a day, an employee’s mobile device that can access their organization’s data may connect to multiple networks like:

• A residential wireless network
• The corporate wireless network
• Multiple public Wi-Fi networks while traveling
• One or more 4G or 5G mobile data networks

Each of these has different vulnerabilities and threats. Plus, the variety in device brands, operating systems, and software versions creates a dynamic attack surface that can’t be easily monitored or controlled.

Example Mobile Threats

Let’s see some examples of the threats involving mobile devices:

• A threat actor can take over an employee’s phone number by exploiting telecom network weaknesses. It poses a threat to any corporate resource associated with the number, like company bank accounts or SMS-based two-factor authentication.
• Careless family members who install every app or game may inadvertently introduce data-stealing malware on the employee’s device or a network the device connects to.

Mobile Threat Mitigation

To reduce mobile threats, security teams should follow these best practices:

• Use endpoint security tools that specialize in monitoring apps on endpoint devices like smartphones and tablets.
• Implement ABAC for dynamic fine-grained control over cloud resources based on the connected network, device location, time, and other factors. For example, ABAC can allow an app to access SaaS data from the corporate network during work hours but not from any other network outside work hours.

Domain Name System (DNS) Security

The DNS translates human-friendly URLs like “threatkey.com” to the IP addresses that machines need to communicate over the internet. It also plays a key role in resolving email addresses to deliver email correctly.

Since most SaaS and cloud requests go over the public internet, the DNS is far more critical nowadays compared to the on-premises era. Many SaaS functionalities like Google Workspace services, Okta access gateway, Salesforce apps, and OAuth redirect URLs ask for your domain.

DNS Vulnerabilities

The DNS involves configuring a DNS server to map domain names to IP addresses. By using stolen credentials or grabbing an expired domain, a malicious party can take control of the DNS configuration, redirect an organization’s URLs and email addresses to their malicious servers, and access associated SaaS data.

Aside from configuration, the DNS also allows applications to send queries for IP addresses over a network. By default, such queries are sent unencrypted. This means a malicious server can intercept them, reply with malicious IP addresses, and fool employees into sending sensitive information to the wrong server. This attack is called DNS poisoning.

DNS Mitigations

To improve DNS security, follow best practices like:

• Schedule and automate the renewal of all your domains. Even Google once forgot to renew their domain. Set up multiple verification checks. 
• Use strong multi-factor authentication for domain administrator logins.
• Set up DNSSEC to prevent malicious parties from changing your DNS configuration.
• Secure DNS queries using encrypted protocols like DNS-over-TLS or DNS-over-HTTPS.

Centralized Authentication, Authorization, and Monitoring

The National Security Agency’s Network Infrastructure Security Guidance (PDF) recommends centralizing the network authentication, authorization, and monitoring servers for the entire organization. Centralization’s benefits include:

• Consistent access control policies throughout the organization
• Efficient monitoring of the entire network
• Integration with HR systems to revoke permissions of employees on exiting a role or the organization

With centralization, you’ll still distribute responsibilities across the organization. However, you’ll have a central, common set of authentication, authorization, and monitoring policies. Without them, different centers may make conflicting decisions and allow threat actors to access restricted data.

Firewalls and Intrusion Detection Systems (IDS)

The good old firewalls and IDSs are still relevant in the age of SaaS. But due to the increasing sophistication of threat actors, simple rule-based policies no longer suffice.

Modern firewalls and IDSs combine sophisticated techniques like anomaly detection, machine learning, and deep packet inspection to sniff out malicious behavior in terabytes of network traffic.

They also support automated workflows to automate threat detection and resulting configuration changes.

ThreatKey’s Role in Network Infrastructure Security

In this article, you saw how network infrastructure services and network security have evolved with the advent of cloud and SaaS at the enterprise level.

ThreatKey is a SaaS security service that detects, corrects, and optimizes misconfigurations — including network-related ones — and other vulnerabilities in popular SaaS applications like Google Cloud, Amazon Web Services, Google Workspace, Microsoft 365, GitHub, Box, Slack, Okta, and others.

ThreatKey continuously monitors their configurations and logs, generates actionable findings for security teams, and can even automatically remediate issues. All security issues are reported in real-time over popular communication channels like Slack and Teams. Try ThreatKey for free today.