Security professionals are beginning to rethink how they can strengthen access control and user activity monitoring. One approach: zero trust in the cloud.
Many of today’s traditional static network segmentation and access controls can’t keep up with the many ways remote workers reach cloud services. Zero trust, an increasingly popular security model, uses identity, device posture and observed application behavior to decide whether a user or workload should be granted access, isolated or segmented. Every asset in the IT operating environment is treated as untrusted by default until its traffic and behavior have been validated and approved.
Zero trust initially focused on segmenting and protecting the network across all hosting and location models. Today, however, to succeed, zero trust must also integrate with cloud brokering and end-user systems.
How Zero Trust Helps Cloud Security
Zero trust is important to help combat threats today for a variety of reasons, including:
- Various endpoints and users. The addition of more contractors and third parties, as well as BYOD endpoints, has made systems and users more diverse. As a result, access control and monitoring have become more challenging.
- Cloud and new layers of services. The vast majority of organizations use multiple cloud services, ranging from business collaboration tools and applications to storage. There has also been an explosion of software-defined data centers built on PaaS and IaaS clouds. In these environments, unlike traditional data centers, employees work primarily with cloud services and cloud-hosted assets and applications. Controlling access to those services, especially in a decentralized work scenario, has proven to be a major challenge for many organizations.
- Remote access. Many organizations began to question the traditional hub-and-spoke VPN model as employees accessed an increasing number of external services. Yet most security checks were still performed on premises, which requires a change in monitoring and access control strategies.
Zero trust in the cloud vs. through the cloud
Security and operations teams focus on two key concepts when implementing a zero trust model. First, security controls are increasingly built into the endpoints themselves. Organizations create a policy enforcement layer that travels with these systems wherever they go, which gives them a far better chance of protecting data regardless of where the system runs. Second, a central brokering model must be in place to control where and how access is granted.
To this end, when it comes to cloud security, two distinct zero-trust cloud security models have emerged: zero-trust in the cloud and zero-trust through the cloud.
Zero trust in the cloud
Zero trust in the cloud is usually implemented inside a cloud service provider’s environment using micro-segmentation techniques and tools. If you have a significant presence in AWS, Microsoft Azure or Google Cloud Platform (GCP), for example, you probably already use the basic micro-segmentation primitives:
- In AWS, this is implemented with security groups (stateful, attached to instances and other network interfaces) and network access control lists (stateless, applied at the subnet boundary).
- In Azure, this is implemented with network security groups.
- On GCP, this is implemented with VPC (Compute Engine) firewall rules.
Within the cloud, micro-segmentation must be extended to individual workloads so that application components, binaries and the behavior of the communicating systems in the application architecture are inspected. The zero trust approach does not remove the perimeter. Instead, it relies on network micro-segmentation, identity policy and monitoring to move the perimeter as close as possible to privileged applications and the protected surface of each workload, governed by a central policy engine that assigns policies and supervises their enforcement. For example, should an Amazon Elastic Compute Cloud (EC2) instance communicate with a specific storage node or AWS service? That depends on the application’s context, and today’s zero trust tools can help discover and distinguish normal from abnormal behavior patterns and thus prevent or detect unusual or malicious activity.
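The "should this instance talk to that node?" question above is answerable only when the policy engine has both an application-context allowlist and the traffic actually observed. The following added example (not code from the article or any vendor tool) shows the check in Python: a hypothetical three-tier policy (web to app on 8443/tcp, app to db on 5432/tcp, nothing else) is compared with constructed VPC flow log records in the AWS default field order. It reports flows that were ACCEPTed although policy forbids them (a micro-segmentation gap) and flows policy permits but the security groups REJECTed (enforcement drift). The tier subnets, account ID and log lines are all assumptions.

```python
"""Audit VPC flow-log records against a micro-segmentation policy.

Added example, not code from the article. It assumes a three-tier
workload (web -> app on 8443/tcp, app -> db on 5432/tcp, nothing else)
and tier subnets chosen for illustration. The log lines are constructed
to follow the AWS VPC flow log default field order; they are not real
captures.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Hypothetical tier subnets (assumption).
TIERS = {
    "web": ip_network("10.0.1.0/24"),
    "app": ip_network("10.0.2.0/24"),
    "db": ip_network("10.0.3.0/24"),
}

# Flows the application context permits: (src tier, dst tier, dst port, IP protocol).
POLICY = {
    ("web", "app", 8443, 6),
    ("app", "db", 5432, 6),
}

# Constructed sample in the default flow log format:
# version account-id interface-id srcaddr dstaddr srcport dstport protocol
# packets bytes start end action log-status
SAMPLE_FLOW_LOG = [
    "2 123456789012 eni-0a1b2c3d 10.0.1.10 10.0.2.20 51234 8443 6 10 1200 1600000000 1600000060 ACCEPT OK",
    "2 123456789012 eni-0a1b2c3d 10.0.2.20 10.0.3.30 51235 5432 6 10 1200 1600000000 1600000060 ACCEPT OK",
    "2 123456789012 eni-0a1b2c3d 10.0.1.10 10.0.3.30 51236 5432 6 5 400 1600000000 1600000060 ACCEPT OK",
    "2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.1.10 40000 22 6 3 180 1600000000 1600000060 REJECT OK",
    "2 123456789012 eni-0a1b2c3d 203.0.113.5 10.0.1.10 40001 22 6 3 180 1600000000 1600000060 ACCEPT OK",
    "2 123456789012 eni-0a1b2c3d 10.0.2.20 10.0.3.30 51237 5432 6 1 60 1600000000 1600000060 REJECT OK",
    "2 123456789012 eni-0a1b2c3d - - - - - - - 1600000000 1600000060 - NODATA",
]


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dst_port: int
    proto: int
    action: str


def tier_of(addr):
    """Map an address to a tier; anything outside the VPC is 'external'."""
    ip = ip_address(addr)
    for name, net in TIERS.items():
        if ip in net:
            return name
    return "external"


def parse_flow(line):
    """Parse one default-format record; NODATA/SKIPDATA records carry no flow."""
    f = line.split()
    if len(f) < 14 or f[0] != "2" or f[13] != "OK":
        return None
    return Flow(src=f[3], dst=f[4], dst_port=int(f[6]), proto=int(f[7]), action=f[12])


def evaluate(flow):
    """Compare the observed action with what the policy says should happen."""
    permitted = (tier_of(flow.src), tier_of(flow.dst), flow.dst_port, flow.proto) in POLICY
    if permitted == (flow.action == "ACCEPT"):
        return "ok"  # enforcement agrees with policy
    if flow.action == "ACCEPT":
        return "VIOLATION"  # traffic policy forbids reached the workload
    return "OVERBLOCK"  # policy allows it but the security group rejected it: drift


def audit(lines):
    """Return (verdict, flow) for every record that disagrees with policy."""
    findings = []
    for line in lines:
        flow = parse_flow(line)
        if flow is not None:
            verdict = evaluate(flow)
            if verdict != "ok":
                findings.append((verdict, flow))
    return findings


if __name__ == "__main__":
    for verdict, flow in audit(SAMPLE_FLOW_LOG):
        print(f"{verdict}: {flow.src} -> {flow.dst}:{flow.dst_port} proto {flow.proto} ({flow.action})")
```

Run against the sample, the audit flags the web-tier host reaching the database directly and an external address reaching SSH on the web tier (both VIOLATION), plus a permitted app-to-db flow that was rejected (OVERBLOCK). The last finding matters as much as the first two: a security group that silently diverges from the application's intended policy is exactly the drift a central policy engine is supposed to catch.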
Zero trust through the cloud
The second zero trust model is zero trust through the cloud, usually delivered by intermediary services that offer zero-trust network access (ZTNA) and cloud access security broker (CASB) capabilities. This type of zero-trust cloud security model focuses on end-user access to cloud applications and services. It typically involves the following types of capabilities:
- strong authentication and authorization of both endpoint systems and user accounts;
- adaptive access policies that assess group membership and privileges, access behaviors, and known malicious or suspicious indicators;
- browser isolation and sandboxing to prevent malware infections and other browser-based threats; and
- content filtering and data loss prevention controls to monitor exposure of sensitive data or access to suspected or known malicious sites.
Some cloud brokers also support SaaS-specific monitoring capabilities, as well as controlled access to on-premises applications and services.
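To make the capabilities listed above concrete, here is an added example (not code from the article or from any broker product) of the decision a brokering service makes per request: hard denies (threat-intelligence indicators, missing entitlement, privileged apps from unmanaged devices) are evaluated before anything else, weaker endpoints are contained with browser isolation and DLP controls rather than refused outright, and authentication or behavioral anomalies trigger step-up. The app names, group names, indicator tags and request fields are assumptions chosen for illustration.

```python
"""Adaptive access decision for a request brokered through a ZTNA/CASB-style service.

Added example, not code from the article or from any vendor product.
The request fields, app and group names, and the indicator list are
assumptions chosen to illustrate the signals the article lists.
"""
from dataclasses import dataclass, field


@dataclass
class AccessRequest:
    user: str
    groups: set
    app: str
    mfa_verified: bool
    device_managed: bool
    device_compliant: bool
    country: str
    usual_countries: set  # countries seen in the user's recent sign-in history
    risk_indicators: set = field(default_factory=set)


@dataclass
class Decision:
    decision: str  # "allow", "step-up" or "deny"
    controls: set  # session controls the broker applies on allow/step-up
    reasons: list  # why, so the decision is auditable by the SOC


# Hypothetical entitlement model (assumption).
PRIVILEGED_APPS = {"finance-erp", "prod-admin-console"}
PRIVILEGED_GROUPS = {"finance-admins", "cloud-admins"}
# Hypothetical indicator tags a broker might receive from threat intelligence.
BLOCKING_INDICATORS = {"tor-exit", "known-c2", "credential-stuffing-source"}


def decide(req):
    """Evaluate hard denies first so a later allow can never mask them."""
    controls, reasons = set(), []
    if req.risk_indicators & BLOCKING_INDICATORS:
        return Decision("deny", controls, ["source matches a blocking indicator"])
    privileged = req.app in PRIVILEGED_APPS
    if privileged and not (req.groups & PRIVILEGED_GROUPS):
        return Decision("deny", controls, ["user lacks entitlement to privileged app"])
    if privileged and not (req.device_managed and req.device_compliant):
        return Decision("deny", controls, ["privileged app requires a managed, compliant device"])

    # Non-privileged apps: contain, rather than refuse, weaker endpoints.
    if not req.device_managed:
        controls |= {"browser-isolation", "dlp-block-download"}
        reasons.append("unmanaged (BYOD) device")
    elif not req.device_compliant:
        controls.add("dlp-block-download")
        reasons.append("managed device out of compliance")

    # Authentication and behavioral signals that call for step-up.
    if not req.mfa_verified:
        reasons.append("MFA not verified")
    if req.country not in req.usual_countries:
        reasons.append("sign-in from unusual country")
    if not req.mfa_verified or req.country not in req.usual_countries:
        return Decision("step-up", controls, reasons)
    return Decision("allow", controls, reasons or ["all signals within policy"])


if __name__ == "__main__":
    byod = AccessRequest("contractor1", {"contractors"}, "wiki", True, False, False, "DE", {"DE"})
    print(decide(byod))
```

The ordering is the security-relevant part: a contractor on a BYOD laptop is allowed into a standard SaaS app but only inside an isolated browser session with downloads blocked, while the same device is refused for a privileged app regardless of group membership or MFA. Returning the reasons alongside the verdict is what makes the broker's log useful to detection and incident response later.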
The concept of zero trust will continue to evolve, but it will always comprise more than one model. For data center assets, especially in a software-defined environment such as the cloud, zero trust will rest on micro-segmentation and identity policy. Zero trust for end users will focus on authentication, authorization and behavioral controls governing access to cloud services and assets.