Zero trust is everywhere, and it will change the way we undertake security. Just as zero trust concepts are shaping the data center and our networks, they will shape cloud environments, as well. Many of the challenges of cloud security arose because we moved workloads to the cloud with no clear idea of how to secure them. Zero trust provides exactly those ideas.
Let’s give a closer examination to zero trust, and explore how it can turn cloud environments from fragile, porous landscapes rife with threat surfaces, into a set of well-defined, isolated micro-perimeters.
What Is Zero Trust Security?
Zero trust security is a conceptual framework that demands strict identification and authentication for each device and individual attempting to access the resources of a private network. This model applies irrespective of whether an individual is located outside or within the network perimeter. Zero trust network access (ZTNA) is the primary concept associated with the zero trust model.
Zero trust is a comprehensive network security approach that uses various distinct technologies and principles. In essence, conventional IT network security puts trust in everyone and everything within the network. A zero trust approach doesn’t trust anything or anyone.
Zero trust security demands that no one is trusted by default from outside or inside the network and that authentication is needed from any individual attempting to access network resources. This additional security layer has been proven to stop data breaches. A recent report indicated that, on average, the cost of a single data breach is more than $3 million. With this in mind, it is not surprising that a lot of organizations today are adopting zero trust architecture.
The US federal government is also waking up to the need for zero trust. In Tripwire’s recent survey, over 25% of security professionals working at federal agencies said their agency has implemented a zero trust architecture, while 57% said their organization is working towards a full zero trust implementation.
Why Companies Need Zero Trust in a Cloud Environment
Establishing a zero trust policy in an enterprise network requires that the organization itself manages the network. The organization decides where to place the boundaries, and it establishes access measures to safeguard sensitive applications, including those hosted in on-premises data centers, from lateral movement and unwarranted access.
Nowadays, it tends to be more cost-efficient to host an application via the cloud rather than in a data center. Such cloud environments, managed by SaaS vendors and cloud service providers, are not a component of an organization’s network, so there is not the same level of control over the network.
Given this, many organizations have data and data stores housed in various locations, which means they have lost insight into:
- How information is being shared and used.
- Who is using their data and applications, or even which devices (tablets, laptops, smartphones) people are using to access them, because many assets are now retained on third-party infrastructure.
- Detailed forensic data that can assist in incident investigations and that is often needed for compliance purposes.
To address these concerns, organizations tend to employ a few access technologies according to where their assets are retained. Many organizations combine several of the following:
- On-premises data center – Remote access enabled by VPN.
- Proprietary applications – These include hybrid cloud and data center apps with a software-defined security perimeter.
- Software-as-a-service (SaaS) applications – Access via cloud access security broker (CASB) proxy.
- Public cloud – Access managed by inbound proxy or virtualized firewall.
This amalgamation of technology leads to a fragmented security approach, which makes it hard to be certain which policies exist to safeguard any given information in the cloud. Cloud environments are, at their core, distinct from conventional networks, and they continually develop. Given this, an organization’s security approach has to be both adaptable and holistic.
To be successful, organizations must implement a unified security architecture that:
- Provides users with safe access to an organization's data and applications across SaaS applications, the public cloud, and private clouds or data centers.
- Limits and controls who can access certain assets and how those assets are to be utilized.
- Examines traffic and ensures security policies are in place on a continuous basis.
As organizations move to the cloud, it’s imperative to incorporate zero trust into the format of today’s cloud infrastructure.
Technologies Behind a Zero Trust Architecture
A zero trust security approach addresses the process of controlling user access in two parts:
- User authentication – A zero trust architecture is based on the idea of stricter user identity authentication. Role-based access measures are connected to user identity, so strictly checking the identity of a user is of great value.
- Access management – Once a user’s identity has been authenticated, the permissions to use the requested resource must be verified. This involves ensuring that access controls cannot be side-stepped, which would enable unapproved access to a resource.
Executing a zero trust system demands several technologies:
- Zero Trust Network Access (ZTNA) – Remote work is common today, so it is a must to put zero trust in place as a component of safe remote access. ZTNA technologies allow for ongoing monitoring and enforcement of zero trust principles for remote access.
- Identity and Access Management (IAM) – IAM solutions manage and define the permissions connected with user accounts within an organization’s network. IAM solutions decide whether to deny or permit an access request in a zero trust approach.
- Multi-Factor Authentication (MFA) – Authentication based on passwords alone is insecure because of the prevalence of reused or weak passwords and the high likelihood of credential compromise. Secure user authentication in a zero trust process demands the inclusion of MFA to significantly raise user identity assurance.
- Endpoint protection – A compromised endpoint could let a cybercriminal use a permitted user’s session to access safeguarded resources. Effective endpoint security is a must for safeguarding against compromised accounts.
- Microsegmentation – Perimeter-based firewalls are not sufficient for implementing zero trust measures. Internal network segmentation is essential for securing an organization’s network.
- Visibility and analytics – A zero trust architecture features elements that monitor user behavior on an ongoing basis, analyze login activity, and correlate logs for signs of compromise such as stolen credentials and phishing exploits.
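The two-part model above (authenticate the identity, then verify the permission for the specific resource) combined with the MFA, endpoint and microsegmentation checks can be expressed as a single default-deny policy decision. The following is an added illustration, not code from the article or from any product it mentions; the user directory, device inventory, role permissions and segment rules are constructed sample data standing in for the IAM, endpoint-protection and segmentation systems.

```python
from dataclasses import dataclass, field

# Constructed sample data: identity directory, device inventory, role
# permissions and microsegmentation rules (stand-ins for IAM/EDR/policy stores).
USERS = {"alice": {"roles": {"finance"}, "mfa_enrolled": True},
         "bob":   {"roles": {"dev"},     "mfa_enrolled": False}}
DEVICES = {"lt-001": {"owner": "alice", "healthy": True},
           "lt-002": {"owner": "bob",   "healthy": False}}
PERMISSIONS = {"finance": {"erp-db"}, "dev": {"ci-server"}}   # role -> resources
SEGMENT_RULES = {("corp-vpn", "erp-db"), ("corp-vpn", "ci-server")}  # segment -> workload

@dataclass
class Request:
    user: str        # identity asserted by the session
    mfa_passed: bool # did the user complete a second factor this session?
    device_id: str   # endpoint the request originates from
    segment: str     # network segment the request arrives from
    resource: str    # workload being requested

@dataclass
class Decision:
    allow: bool
    reasons: list = field(default_factory=list)  # every failed check, for the audit log

def evaluate(req: Request) -> Decision:
    """Default deny: the request is allowed only if every check passes."""
    d = Decision(allow=False)
    user = USERS.get(req.user)
    if user is None:                       # step 1: user authentication
        d.reasons.append("unknown identity")
        return d
    if not (user["mfa_enrolled"] and req.mfa_passed):
        d.reasons.append("MFA not satisfied")
    dev = DEVICES.get(req.device_id)        # endpoint protection: owner and health
    if dev is None or dev["owner"] != req.user or not dev["healthy"]:
        d.reasons.append("device not trusted")
    # step 2: access management, bound to the role rather than the session
    if not any(req.resource in PERMISSIONS.get(r, set()) for r in user["roles"]):
        d.reasons.append("role lacks permission")
    if (req.segment, req.resource) not in SEGMENT_RULES:   # microsegmentation
        d.reasons.append("segment-to-resource path not allowed")
    d.allow = not d.reasons
    return d
```

Because every failed check is recorded rather than short-circuited, the same decision object feeds both the enforcement point and the visibility-and-analytics layer.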
Zero Trust in the Cloud: 3 Keys to Success
The following three points are crucial for organizations to succeed in their zero trust implementation for cloud environments:
- Begin with passive application observation, typically applied via network traffic monitoring. Allow a few weeks of monitoring to discover the current relationships between applications and to coordinate with stakeholders who know how typical inter-system communications and traffic patterns should look. Put enforcement rules in place only afterwards, once you have confirmed which relationships should exist and what normal application activity looks like.
- Create the zero trust architecture according to the way data travels over the network and how applications and users access sensitive data. This will help in deciding how the network should be divided up. It can also assist security teams, helping them to decide where access controls and protections must be placed using physical devices or VMs between the borders of distinct parts of the network.
- More sophisticated zero trust systems integrate with asset identities. By mapping a system to the group, business unit, or individual that owns it, these identities can become part of the application framework. Set aside time to categorize applications and systems. This will assist with building application traffic baselines.
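The three steps above (observe flows, confirm relationships with owners, then enforce) can be modelled end to end. The following is an added example, not code from the article: the asset inventory and the flow records are constructed, and the "confirm with stakeholders" step is approximated by a minimum flow count plus a same-business-unit check, with everything else routed to a review list.

```python
from collections import defaultdict

# Constructed asset inventory: host -> (application, business unit). This is the
# categorization the text recommends doing before building baselines.
ASSETS = {
    "10.0.1.10": ("web-frontend", "retail"),
    "10.0.2.20": ("order-api", "retail"),
    "10.0.3.30": ("orders-db", "retail"),
    "10.0.9.90": ("build-agent", "engineering"),
}
APP_UNIT = {app: unit for app, unit in ASSETS.values()}

# Constructed flow records from the passive observation phase: (src, dst, port).
OBSERVED = [
    ("10.0.1.10", "10.0.2.20", 443),
    ("10.0.1.10", "10.0.2.20", 443),
    ("10.0.2.20", "10.0.3.30", 5432),
    ("10.0.9.90", "10.0.2.20", 443),   # cross-unit, seen once: needs an owner's sign-off
]

def app_of(ip):
    """Resolve a host to its application name; unknown hosts stay 'unknown'."""
    return ASSETS.get(ip, ("unknown", "unknown"))[0]

def build_baseline(flows):
    """Phase 1: count observed flows per (src_app, dst_app, port) relationship."""
    counts = defaultdict(int)
    for src, dst, port in flows:
        counts[(app_of(src), app_of(dst), port)] += 1
    return dict(counts)

def propose_rules(baseline, min_count=2):
    """Phase 2: relationships seen repeatedly inside one business unit become
    allow rules; sparse or cross-unit ones go to stakeholders for review."""
    allow, review = set(), set()
    for key, n in baseline.items():
        src_app, dst_app, _ = key
        if n >= min_count and APP_UNIT.get(src_app) == APP_UNIT.get(dst_app):
            allow.add(key)
        else:
            review.add(key)
    return allow, review

def enforce(flow, allow):
    """Phase 3: once enforcement is on, anything outside the allow set is denied."""
    src, dst, port = flow
    return "allow" if (app_of(src), app_of(dst), port) in allow else "deny"
```

In practice the review set is what you take to the application owners during the observation window; only relationships they confirm are promoted into the allow set before switching to enforcement.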
The cloud has always been dynamic and somewhat unpredictable, with new resources popping up everywhere and no central control over configurations and access.
Most organizations are implementing tools such as Cloud Security Posture Management (CSPM), Cloud Workload Protection Platforms (CWPP), and similar technologies. These are good at scanning everything in the cloud and issuing alerts when something is wrong, but it’s much better to have control over those resources and prevent violations in the first place.
Implementing zero trust technologies with careful planning will make the cloud a more manageable place for any organization. The use of ZTNA, IAM, and MFA can prevent unwanted events from occurring. New compute instances or storage buckets cannot just “pop up” like weeds in unpredictable locations. Zero trust will cultivate them into domesticated plants confined to well-defined flowerpots.
These flowerpots are your micro-perimeters, which you can isolate using microsegmentation. They will enable easier monitoring and tighter access control. Sounds like everything needed for an over-stretched, sleep-deprived security team to defend the new frontier that is the cloud.
LinkedIn: Gilad David Maayan
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.