Automated Moving Target Defense

Proxies in the Cloud: Managing Traffic and Securing A Digital World

Tom McNamara

February 26, 2025

Workload Security Proxies are like guards that manage, control, and protect the flow of message traffic in the cloud.

Imagine a city's traffic control system. It directs cars, manages congestion, and ensures smooth flow. In the cloud, "proxies" act similarly, managing and optimizing the flow of digital information, while also providing crucial security. According to recent reports, an estimated 71% to 83% of internet traffic is attributed to API calls, meaning that the vast majority of internet traffic is currently driven by Application Programming Interfaces (APIs).

What is a Proxy?

At its core, a proxy is an intermediary. It sits between your computer or application and another network, like the internet or a cloud environment. Instead of your application directly communicating with a website or cloud service, it communicates with the proxy, which then forwards the request. The advantage of this is that developers can focus on their application and not have to repeatedly deal with the complexities of communication networking. Proxies can streamline development, like on- and off-ramps for highway traffic.

Why are Proxies Used in the Cloud?

One type of proxy often used in the cloud is a networking proxy that manages the messaging traffic between cloud machines. Networking proxies can act as traffic directors, receiving and routing requests efficiently. And when the traffic gets too heavy at one point, they provide load balancing and distribute traffic across multiple servers, preventing any single server from being overwhelmed. In some cases, they can act as gateways for API traffic, controlling access and enforcing policies.

For service mesh architectures that use microservices, networking proxies are particularly popular as managers of communication between microservices, performing routing, load balancing, and observability among microservices that operate in a common cluster environment.

Another type of proxy is caching. These proxies can store frequently accessed data, speeding up access for everyone, and are used in Content Delivery Networks (CDNs) to cache content closer to users, reducing latency and improving performance.

Yet another type of proxy is a security proxy, which acts as a security guard, filtering out harmful traffic and protecting sensitive information. Security proxies are interesting because they can take several forms. Web Proxies protect you while browsing the internet; Reverse Proxies protect websites and cloud services from attacks; Secure Web Gateways (SWGs) operate like comprehensive security checkpoints; and some, like Cloud Access Security Broker (CASB) Proxies, focus on securing the use of cloud-based applications.

But there’s a new kind of proxy that combines the attributes of a networking proxy with the attributes of a security proxy. What makes this new proxy special is its novel security innovations, which level up the protections for cloud applications and data, and the simplicity with which it can be configured and deployed.

Hopr.co's WoSP: A Next-Generation Traffic and Security Proxy

Hopr.co's Workload Security Proxy (WoSP) is a highly capable traffic management proxy with advanced security capabilities. It's designed to protect the "workloads" (both the applications and the data) running in the cloud, while also optimizing and securing their communication. The WoSP is deployed with an application workload (a host workload) and operates as a ‘sidecar’ managing all of the host workload’s communications with the outside environments.

Here's what makes it special:

Traffic Management with Security:

The WoSP acts as a proxy for workload-to-workload communication, enabling granular control over traffic flow, and simplifying communication across cloud boundaries. It is a traffic management proxy that adds a strong security layer.

Constantly Hopping Credentials:

Imagine a security guard opening, closing, and moving the doorways and locks to buildings in the city every few minutes. Legitimate residents or office workers, however, know the correct open door and key at the time they need to enter, without any confusion or delay. This makes it incredibly difficult for an intruder to get into the building. Hopr.co's WoSP does this with the digital credentials that are needed to access and communicate with workloads, changing credentials frequently and automatically.

Verifying Identity Every Time:

Every time a workload tries to communicate with another workload, the WoSP reveals the hopping identity credential to an outside third party (a trust verifier) and its identity credential is verified (or it fails verification and is blocked). This prevents unauthorized access, even if an attacker is presenting a stolen API key!
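The article does not say how a WoSP derives or checks its credentials, so the following added example (not Hopr's code or protocol) assumes a time-windowed HMAC scheme to show why a replayed or static credential fails per-request verification. `TrustVerifier`, `hop_credential`, the 300-second interval, the enrolled per-workload secret and all sample values are hypothetical.

```python
import hashlib
import hmac

HOP_SECONDS = 300  # assumed hop interval; the article says only "every few minutes"

def hop_credential(secret: bytes, workload_id: str, now: float, offset: int = 0) -> str:
    """Credential for the hop window containing `now`, shifted by `offset` windows."""
    window = int(now // HOP_SECONDS) + offset
    msg = f"{workload_id}|{window}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()

class TrustVerifier:
    """Hypothetical stand-in for the outside party that checks each credential."""

    def __init__(self, skew_windows: int = 0):
        self._secrets = {}
        self.skew_windows = skew_windows  # tolerated clock drift; widens replay window

    def enroll(self, workload_id: str, secret: bytes) -> None:
        self._secrets[workload_id] = secret

    def verify(self, workload_id: str, presented: str, now: float) -> bool:
        secret = self._secrets.get(workload_id)
        if secret is None:
            return False  # unknown workloads are blocked
        ok = False
        for off in range(-self.skew_windows, self.skew_windows + 1):
            expected = hop_credential(secret, workload_id, now, off)
            # constant-time compare; no early exit so timing does not leak the window
            ok |= hmac.compare_digest(expected.encode(), presented.encode())
        return ok

def demo() -> dict:
    secret = b"constructed-demo-secret"   # constructed sample value
    t0 = 1_700_000_000.0                   # constructed timestamp
    strict, lenient = TrustVerifier(), TrustVerifier(skew_windows=1)
    for v in (strict, lenient):
        v.enroll("billing-api", secret)
    cred = hop_credential(secret, "billing-api", t0)
    return {
        "fresh": strict.verify("billing-api", cred, t0 + 10),
        "replayed_after_hop": strict.verify("billing-api", cred, t0 + HOP_SECONDS),
        "replayed_with_skew": lenient.verify("billing-api", cred, t0 + HOP_SECONDS),
        "replayed_two_hops": lenient.verify("billing-api", cred, t0 + 2 * HOP_SECONDS),
        "static_api_key": strict.verify("billing-api", "static-api-key-123", t0),
        "unenrolled": strict.verify("rogue-pod", cred, t0),
    }

if __name__ == "__main__":
    print(demo())
```

The `replayed_with_skew` case shows the trade-off a defender tunes: each tolerated window of clock drift extends the time a captured credential stays usable by one hop interval.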

Automated Moving Target Defense (AMTD):

This is the core capability produced by the hopping credentials. By constantly changing the two access credentials, a WoSP creates a moving target that's extremely hard for attackers to find and disrupts their plans to abuse credentials.

Decentralized Credential Management:

Unlike conventional security proxies that rely on centralized cloud services, the WoSP manages credentials in a decentralized manner. Each WoSP manages the access credentials for its host workload. This enhances security by eliminating single points of failure. And it also removes the reliance on multiple centralized services such as certificate authorities, key management systems, and secrets vaults, which can be complex and vulnerable.

Reduced Architectural Overhead:

The WoSP simplifies cloud networking by providing a seamless and secure way for applications to communicate across any cloud environment. This reduces the complexity and overhead associated with traditional networking configurations, making it easier to deploy and manage applications.

Important Use Cases for WoSPs and AMTD

1. High-Value Data Protection (Financial Services, Healthcare, Government):

Nation-states competing for geopolitical superiority are actively growing their cyber capabilities to challenge other nations. Sophisticated and advanced persistent threats (APTs) are prevalent in financial services, healthcare, and government sectors. Data breaches in these sectors lead to massive financial losses, regulatory fines, reputational damage, and potential harm to individuals (e.g., medical identity theft). Threats seek to disrupt and deny data such as patient health records (PHR) in healthcare, financial transactions and customer data in banking, and classified information in government agencies.

Cloud Native AMTD, achieved through the WoSP's dynamic credential rotation and identity verification, makes it exceptionally difficult for attackers to maintain access, even if they breach initial defenses. The constant flux of the security landscape frustrates these types of attackers.

2. Critical Infrastructure Protection (Energy, Utilities, Transportation):

Sophisticated attacks on critical infrastructure can have cascading effects, disrupting essential services, causing widespread damage, and eroding public confidence in civil governments. Attacks on critical infrastructure can lead to power outages, water shortages, transportation disruptions, and even environmental disasters. For example, industrial control systems (ICS) in manufacturing and power plants can be disrupted, as well as water treatment facilities and air traffic control systems.

The proactive nature of Cloud Native AMTD helps prevent attackers from establishing a foothold in critical systems, reducing the risk of sabotage or disruption.

3. Medical IoT and Edge Computing: A Critical Use Case for WoSP

The proliferation of medical IoT devices (e.g., wearable monitors, connected infusion pumps, remote patient monitoring systems) and edge computing in healthcare presents unique security challenges. Many medical IoT devices have limited processing power and security capabilities, making them vulnerable to attacks. The devices often collect and transmit highly sensitive patient data, which should have robust privacy protection, yet they often cannot be patched to keep up with security vulnerabilities. The devices operate at the cloud edge and are distributed and dynamic, making them difficult to secure with traditional methods. And medical devices often require real-time data processing and communication, making latency a critical factor.

Cloud Native AMTD achieved by WoSPs protects medical devices from cyberattacks and helps ensure the safety and reliability of patient care by protecting the confidentiality of sensitive patient data against unauthorized access and by maintaining patient privacy and trust. It also makes it much more difficult for attackers to tamper with medical devices or manipulate data.

4. Software Supply Chain Security:

Software supply chain attacks are increasingly common, with attackers targeting vulnerabilities in software components to gain access to downstream systems. Supply chain attacks can lead to widespread data breaches, malware distribution, and disruption of critical services. Specific risks include communications between service mesh clusters in cloud-native applications, unauthorized access to CI/CD pipelines, and API communications between software components.

The capabilities of AMTD can help mitigate supply chain risks by securing communication between microservices, third party applications, and other software components from outside vendors, limiting the potential impact of a compromised component.

5. Cloud-Native and Service Meshes:

Multi-cloud environments and service meshes (multi-cluster environments) are complex and dynamic, making them challenging to secure. Malicious containers and lateral movement by bad actors are a large threat. These environments are vulnerable to data breaches and service disruptions because threats target the ‘seams’ between environments, such as communication between Kubernetes clusters, unauthorized access to serverless functions, and API communications that are heavily used in modern cloud native applications.

Cloud Native AMTD uses WoSPs for highly granular control over workload communication. And its dynamic security posture is well-suited to the complexities of cloud-native environments.

Why Hopr WoSPs Excel in These Use Cases:

  • Proactive Defense: AMTD disrupts attacker tactics before they can cause significant damage.
  • Lateral Movement Prevention: The constant verification of workload identities stops the spread of attacks within the network.
  • Reduced Attack Surface: Dynamic credential rotation and identity verification minimize the window of opportunity for attackers.
  • Increased Resilience: Even if an attacker gains initial access, the dynamic nature of AMTD makes it difficult for them to maintain persistence.

Advantages for Financial Services and Healthcare Industries

The advantages for financial services and healthcare industries are compelling because the innovations allow those industries to gain a strategic defensive cyber advantage over Zero Days and emerging threat sophistication without a wholesale rebuild of their security posture. The Cloud Native AMTD achieved by WoSPs is a simple layer of security that is easily added to the conventional security architecture. Yet it achieves significant advantages such as:

  • Enhanced Data Protection: All data in transit between trusted workloads is secured by quantum-proof encryption.
  • Regulatory Compliance: WoSPs improve regulatory compliance by adding an additional layer of data protection at API endpoints and for data in transit.
  • Reduced Risk of Breaches: Credential theft and stolen API keys are immediately discovered when threats attempt to access a trusted workload or API endpoint.
  • Increased Trust: Frequent verification of a hopping identity credential builds a chain of trust in a workload.
  • Mitigation of Insider Threats: Insider threats cannot find and abuse credentials needed to move laterally within a network. They are isolated from accessing trusted workloads.
  • Simplified Cloud Networking: The WoSP makes it easier to connect applications across different cloud environments, which is crucial for organizations with hybrid or multi-cloud strategies.
  • Improved Performance: By optimizing traffic flow and caching data, WoSP can improve the performance of cloud applications.
  • Increased Scalability: The decentralized architecture of WoSP allows organizations to scale their applications more easily.

In essence, Hopr.co's WoSP is a unique blend of traffic management and advanced security, providing a more proactive and dynamic approach to cloud security and networking.