Security professionals are starting to rethink how they can fortify access control and monitoring for user activity. One approach: zero trust in the cloud.
Many traditional static network segmentation and access controls today can't keep pace with the various ways remote workers access cloud services. Zero trust, a popular security tactic, relies on data and application behavior to determine if a user should be isolated or segmented. All assets in an IT operating environment are considered potentially untrusted by default until network traffic and behavior is validated and approved.
Zero trust initially focused on segmenting and securing the network across location and hosting models. Today, however, in order to be successful, zero trust must also integrate with end-user and cloud brokering systems.
How zero trust helps cloud security
Zero trust is important to help combat threats today for a variety of reasons, among them:
- Diverse endpoints and users. The addition of more contractors and third parties, as well as BYOD endpoints, has made systems and users more diverse. As a result, access control and monitoring have become more challenging.
- Cloud and new service layers. The vast majority of organizations use multiple cloud services, ranging from business collaboration tools and applications to storage. There has also been an explosion in software-defined data centers in PaaS and IaaS clouds. In these cases -- as opposed to traditional data centers -- employees primarily use cloud services and cloud-based assets and applications. Controlling access to cloud services, especially in a decentralized working scenario, has proven highly challenging for many organizations.
- Remote access. Many organizations began to question the traditional hub-and-spoke VPN model as employees accessed a growing number of external services. Most security controls have been predominantly on premises, however, necessitating a change in access control and monitoring strategies.
Zero trust in the cloud vs. via the cloud
Security and operations teams focus on two key concepts when implementing a zero-trust model. First, security controls are usually integrated into the endpoints themselves. Organizations create a layer of policy enforcement that travels with these systems wherever they go, thus giving them a much stronger chance to protect data, regardless of where the system runs. Second, a central brokering model must exist to help control where and how access is granted.
To this end, as it relates to cloud security, two distinct zero-trust cloud security models have emerged: zero trust in the cloud and zero trust via the cloud.
Zero trust in the cloud
Zero trust in the cloud is often implemented within a cloud service provider environment through the use of microsegmentation techniques and tooling. If you have a strong presence in AWS, Microsoft Azure or Google Cloud Platform (GCP), for example, you likely already use basic microsegmentation technologies:
- In AWS, this is implemented via security groups and network access control lists.
- In Azure, this is implemented with network security groups.
- In GCP, this is implemented with Compute Engine firewall rules.
Within the cloud, microsegmentation must extend into individual workloads to inspect application components, binaries and the behavior of systems communicating in application architecture. The zero-trust approach does not involve eliminating the perimeter. Instead, it relies on network microsegmentation, identity policy and monitoring to move the perimeter as close as possible to privileged apps and protected surface areas for workloads, governed by a central policy engine that assigns and monitors policy application. For example, should an Amazon Elastic Compute Cloud instance be communicating with a specific storage node or AWS service? This depends on the context of the application, and today's zero-trust tooling can help discover and identify normal versus abnormal patterns of behavior and thus prevent or detect unusual or malicious activities.
Zero trust via the cloud
The second model of zero trust today is zero trust via the cloud, usually through brokering services offering zero-trust network access and cloud access security brokering capabilities. This type of zero-trust cloud security model is centered around end-user access to cloud applications and services. It usually involves the following types of capabilities:
- strong authentication and authorization of both endpoint systems and user accounts;
- adaptive access policies that evaluate group membership and privileges, access behaviors and known malicious or suspicious indicators;
- browser isolation and sandboxing to prevent malware infection and other browser-based threats; and
- content filtering and data loss prevention controls to monitor for sensitive data exposure or access to suspicious or known malicious sites.
Some cloud brokers also support SaaS-specific monitoring capabilities, as well as controlled access to on-premises applications and services.
The concept of zero trust will continue to evolve, but it will always represent more than one modality. For data center assets, especially in a software-based environment like the cloud, zero trust will be predicated on microsegmentation and identity policy. Zero trust for end users will focus on authentication, authorization and behavioral monitoring for access to cloud services and assets.