Architectures for Protecting Cloud Data Planes

Grant Dasher
Ines Envid
Brad Calder
Google (2022)

Abstract

This paper explores three approaches for protecting cloud application data planes to prevent unauthorized access to the application and its data and to prevent unwanted data exfiltration. Through an exploration of various concrete security architectures, we focus on (1) Cloud Security Perimeters to provide a boundary around data and infrastructure in the cloud that provides a line of defense both to improper access to sensitive information and the exfiltration of that information, (2) Cloud Landing Points to provide a safe integration point between parts of your cloud applications and on-premises applications to communicate through, and (3) Zero Trust security architectures that are built on the principles of defense in depth and least-privilege access. Using these approaches together provides critical protection for services and applications as they transition from traditional on-premises network security to the Cloud security architectures, and then to potentially Zero Trust security architectures.