Cloud Native Security Controls

⚠️ WARNING: THIS FEATURE WILL BE AVAILABLE FROM THE 25.3.2 RELEASE

The Cloud Connector implements micro-segmentation by leveraging existing cloud native security constructs rather than introducing additional infrastructure or bypassing cloud provider controls. This approach ensures seamless integration with cloud environments while maintaining the security posture and operational practices that organizations have already established.

Core Concept

Instead of deploying proprietary security mechanisms that operate independently of cloud provider services, the Cloud Connector works through and enhances the native security controls provided by cloud platforms. This philosophy ensures:

  • Native Integration: Policies are enforced using the same security constructs that cloud administrators are familiar with
  • Operational Consistency: Existing cloud management workflows and tools continue to function normally
  • Provider Alignment: Security implementations align with cloud provider best practices and recommendations
  • Transparency: All security changes are visible through standard cloud management interfaces

Implementation in Azure

In Azure environments, this concept is realized through intelligent Network Security Group (NSG) management:

Scope of NSG Management

The Cloud Connector manages resource-level NSGs and leaves subnet-level NSGs untouched, except for the resource types listed below:

  • Standard Approach: For most Azure resources, the Cloud Connector works with NSGs attached directly to network interfaces and virtual machines
  • VM Scale Sets: Subnet-level NSGs are managed when working with Virtual Machine Scale Sets due to their architectural requirements
  • Azure Managed Databases: Subnet-level NSGs are handled for Azure Managed Database services (such as Azure Database for MySQL and Azure SQL Managed Instance) as these services rely on subnet-level security controls

This selective approach ensures that the Cloud Connector operates at the most appropriate security boundary for each resource type while maintaining the principle of leveraging native cloud constructs.

Template-Based Approach

When assets are discovered, their existing NSGs are imported and converted into "templates" within the XShield platform. This allows the system to understand and preserve the original security intent while enabling policy-driven enhancements.

Policy-Driven NSG Creation

Rather than modifying existing NSGs directly, the Cloud Connector creates new NSGs that implement the desired micro-segmentation policies. These new NSGs are:

  • Clearly Tagged: Marked with identifiers that distinguish them as ColorTokens-managed
  • Policy-Derived: Built specifically to reflect the security policies defined in XShield
  • Replacement-Based: Designed to replace original NSGs during enforcement without destructive modifications

Non-Destructive Operations

The original NSGs remain completely intact and available for recovery. This approach ensures that:

  • Original Configurations Persist: No loss of existing security configurations
  • Rollback Capability: Complete ability to return to pre-ColorTokens state
  • Audit Trail: Clear visibility into what changes were made and when
  • Administrative Control: Cloud administrators retain full control over security group management
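The following is an added example, not ColorTokens code and not XShield's own implementation. It is a Python audit script that reads NSG resources in the shape that `az network nsg list -o json` returns (a constructed sample is embedded so it runs offline) and checks the two properties described under Policy-Driven NSG Creation and Non-Destructive Operations above: that each tagged replacement NSG still has its original available for rollback, and which rules the replacement added or removed relative to its template (the audit trail). The tag keys and values `managed-by`, `colortokens` and `original-nsg` are assumptions; the page says replacement NSGs are clearly tagged but does not document the exact tags.

```python
import json

# Assumed tag conventions for this example only; the page does not document
# the real tag names used by the Cloud Connector.
MANAGED_TAG_KEY = "managed-by"
MANAGED_TAG_VALUE = "colortokens"
ORIGINAL_REF_TAG = "original-nsg"   # links a replacement NSG back to its template


def nic_id(name):
    """Constructed ARM resource id for a NIC in a placeholder subscription/resource group."""
    return ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-sample"
            "/providers/Microsoft.Network/networkInterfaces/" + name)


def make_rule(name, priority, direction, access, protocol, src, dst, port):
    """Build one properties.securityRules entry in the ARM NSG resource shape."""
    return {"name": name, "properties": {
        "priority": priority, "direction": direction, "access": access,
        "protocol": protocol, "sourceAddressPrefix": src,
        "destinationAddressPrefix": dst, "destinationPortRange": port}}


# Constructed sample, roughly the shape of `az network nsg list -o json`; not a real export.
SAMPLE_NSGS = [
    # Original NSG imported as the template: detached after enforcement, kept for rollback.
    {"name": "web-nic-nsg", "tags": {},
     "properties": {"networkInterfaces": [], "securityRules": [
         make_rule("allow-ssh-any", 100, "Inbound", "Allow", "Tcp", "*", "*", "22"),
         make_rule("allow-http", 110, "Inbound", "Allow", "Tcp", "*", "*", "80")]}},
    # Policy-derived replacement: SSH narrowed to a management subnet, HTTP unchanged.
    {"name": "ct-web-nic-nsg",
     "tags": {MANAGED_TAG_KEY: MANAGED_TAG_VALUE, ORIGINAL_REF_TAG: "web-nic-nsg"},
     "properties": {"networkInterfaces": [{"id": nic_id("web-nic")}], "securityRules": [
         make_rule("allow-ssh-mgmt", 100, "Inbound", "Allow", "Tcp", "10.0.250.0/24", "*", "22"),
         make_rule("allow-http", 110, "Inbound", "Allow", "Tcp", "*", "*", "80")]}},
    # Replacement whose original has been deleted: the rollback guarantee is broken here.
    {"name": "ct-db-nic-nsg",
     "tags": {MANAGED_TAG_KEY: MANAGED_TAG_VALUE, ORIGINAL_REF_TAG: "db-nic-nsg"},
     "properties": {"networkInterfaces": [{"id": nic_id("db-nic")}], "securityRules": [
         make_rule("allow-mysql-web", 100, "Inbound", "Allow", "Tcp", "10.0.1.0/24", "*", "3306")]}},
]


def is_managed(nsg):
    """True when the NSG carries the (assumed) ColorTokens-managed tag."""
    return nsg.get("tags", {}).get(MANAGED_TAG_KEY) == MANAGED_TAG_VALUE


def rule_key(rule):
    """The fields that define a rule's effect; rule names may differ between template and replacement."""
    p = rule["properties"]
    return (p["priority"], p["direction"], p["access"], p["protocol"],
            p["sourceAddressPrefix"], p["destinationAddressPrefix"], p["destinationPortRange"])


def rule_diff(original, replacement):
    """Rule names the replacement adds and removes relative to its template (the audit trail)."""
    before = {rule_key(r): r["name"] for r in original["properties"]["securityRules"]}
    after = {rule_key(r): r["name"] for r in replacement["properties"]["securityRules"]}
    added = sorted(after[k] for k in after.keys() - before.keys())
    removed = sorted(before[k] for k in before.keys() - after.keys())
    return added, removed


def audit(nsgs):
    """For every managed NSG: is its original still present, and what did the policy change?"""
    by_name = {n["name"]: n for n in nsgs}
    report = []
    for nsg in nsgs:
        if not is_managed(nsg):
            continue
        original_name = nsg["tags"].get(ORIGINAL_REF_TAG)
        original = by_name.get(original_name)
        added, removed = rule_diff(original, nsg) if original else ([], [])
        report.append({"managed": nsg["name"], "original": original_name,
                       "rollback_ready": original is not None,
                       "added": added, "removed": removed})
    return report


def rollback_plan(nsgs):
    """NIC id -> original NSG name for every NIC that can be returned to its pre-enforcement NSG."""
    by_name = {n["name"]: n for n in nsgs}
    plan = {}
    for nsg in nsgs:
        original_name = nsg.get("tags", {}).get(ORIGINAL_REF_TAG)
        if is_managed(nsg) and original_name in by_name:
            for nic in nsg["properties"].get("networkInterfaces", []):
                plan[nic["id"]] = original_name
    return plan


if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE_NSGS), indent=2))
    print(json.dumps(rollback_plan(SAMPLE_NSGS), indent=2))
```

To run it against a real tenant, replace `SAMPLE_NSGS` with `json.load()` of the CLI output and adjust the three tag constants to whatever tags the Cloud Connector actually applies in your environment. Any entry with `rollback_ready: false` is a managed NSG whose original template is gone, which is exactly the condition the non-destructive model is meant to prevent.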

Benefits of Cloud Native Approach

This methodology provides several key advantages:

  • Familiar Operations: Cloud administrators work with the same tools and interfaces they already know
  • Compliance Alignment: Maintains alignment with cloud provider compliance frameworks
  • Vendor Independence: Reduces lock-in by working through standard cloud interfaces
  • Operational Simplicity: No additional infrastructure or agents to manage at the network level
  • Risk Reduction: Minimizes the risk of security misconfigurations by working within established cloud patterns

By leveraging cloud native security controls, organizations can implement sophisticated micro-segmentation policies while preserving their existing operational models and maintaining full control over their cloud security infrastructure.