Zero trust initially focused on segmenting and securing the network across location and hosting models. Today, however, to be successful, zero trust must also integrate with end-user and cloud brokering systems.
How zero trust helps cloud security
Zero trust is important to help combat threats today for a variety of reasons, among them:
- Diverse endpoints and users. The addition of more contractors and third parties, as well as BYOD endpoints, has made systems and users more diverse. As a result, access control and monitoring have become more challenging.
- Cloud and new service layers. The vast majority of organizations use multiple cloud services, ranging from business collaboration tools and applications to storage. There has also been an explosion in software-defined data centres in PaaS and IaaS clouds. In these cases — as opposed to traditional data centres — employees primarily use cloud services and cloud-based assets and applications. Controlling access to cloud services, especially in a decentralized working scenario, has proven highly challenging for many organizations.
- Remote access. Many organizations began to question the traditional hub-and-spoke VPN model as employees accessed a growing number of external services. Most security controls have been predominantly on premises, however, necessitating a change in access control and monitoring strategies.
Zero trust in the cloud vs. via the cloud
Security and operations teams focus on two key concepts when implementing a zero-trust model. First, security controls are usually integrated into the endpoints themselves. Organizations create a layer of policy enforcement that travels with these systems wherever they go, thus giving them a much stronger chance to protect data, regardless of where the system runs. Second, a central brokering model must exist to help control where and how access is granted.
To this end, as it relates to cloud security, two distinct zero-trust cloud security models have emerged: zero trust in the cloud and zero trust via the cloud.
Zero trust in the cloud
Zero trust in the cloud is often implemented within a cloud service provider environment through the use of micro-segmentation techniques and tooling. If you have a strong presence in AWS, Microsoft Azure or Google Cloud Platform (GCP), for example, you likely already use basic micro-segmentation technologies. In AWS, this is implemented via IAM, RBAC modelling, security groups and network access control lists.
Within the cloud, micro-segmentation must extend into individual workloads to inspect application components, binaries and the behaviour of systems communicating in application architecture. The zero-trust approach does not involve eliminating the perimeter. Instead, it relies on network micro-segmentation, identity policy and monitoring to move the perimeter as close as possible to privileged apps and protected surface areas for workloads, governed by a central policy engine that assigns and monitors policy application.
For example, should an Amazon Elastic Compute Cloud instance be communicating with a specific storage node or AWS service? This depends on the context of the application, and today’s zero-trust tooling can help discover and identify normal versus abnormal patterns of behaviour and thus prevent or detect unusual or malicious activities.
Zero trust via the cloud
The second model of zero trust today is zero trust via the cloud, usually through brokering services offering zero-trust network access and cloud access security brokering capabilities. This type of zero-trust cloud security model is centred around end-user access to cloud applications and services. It usually involves the following types of capabilities:
- Strong authentication and authorization of both endpoint systems and user accounts;
- Adaptive access policies that evaluate group membership and privileges, access behaviours and known malicious or suspicious indicators;
- browser isolation and sandboxing to prevent malware infection and other browser-based threats; and
- content filtering and data loss prevention controls to monitor for sensitive data exposure or access to suspicious or known malicious sites.
Some cloud brokers also support SaaS-specific monitoring capabilities, as well as controlled access to on-premises applications and services.
The concept of zero trust will continue to mature, but it will always represent more than one modality. For data centre assets, especially in a software-based environment like the cloud, zero trust will be predicated on micro-segmentation and identity policy. Zero trust for end users will focus on authentication, authorization and behavioural monitoring for access to cloud services and assets.