Security professionals must rethink their approaches to network security and access control for applications and other workloads, especially when it comes to the cloud. Many have begun to adopt zero-trust principles into their security programs since zero trust's inception in 2010 by an analyst at Forrester Research. A zero-trust approach aims to change network security methods by introducing the following:
- Looking at the entire environment as potentially untrusted or compromised, as opposed to thinking in terms of outside-in attack vectors. Increasingly, the most damaging attack scenarios are almost entirely internal, due to advanced malware and phishing exercises that compromise end users.
- Better understanding application behavior at the endpoint. This requires an understanding of what types of network communications approved applications should be transmitting.
- Focusing on trust relationships and system-to-system relationships in general within all parts of the environment. Most of the communications security teams see in enterprise networks today are either wholly unnecessary or not relevant to the systems or applications needed for business.
New obstacles to maintaining cloud security
The above are all worthwhile goals. However, many traditional controls are not capable of accomplishing them. Compounding this is the advent of highly virtualized and converged workloads, as well as public cloud workloads that are dynamic in nature. Cloud workloads will often move between on-premises and external cloud service environments or between various segments within a cloud service provider environment.
The nature of workloads is changing, too. For instance, it is rare that a workload will be uploaded to AWS or Azure and sit there without being touched or updated. Some have advocated the new zero-trust philosophy of access control to better adapt to dynamic cloud deployment models.
How a zero-trust security model can help
What is zero trust, exactly? Zero trust is a model where all assets in an IT operating environment are considered untrusted by default -- until network traffic and application or service behavior is validated and approved. The concept began in its early iteration with segmenting and securing the network across locations and hosting models. It has evolved to include more integration into individual servers and workloads to inspect application components, binaries and the behavior of systems communicating in application architecture. The zero-trust approach does not involve eliminating the perimeter. Instead, for cloud scenarios and deployments, this model uses network and application layer microsegmentation to move the perimeter in as close as possible to privileged apps and protected surface areas.
How policy and microsegmentation enable zero-trust adoption
In order to implement zero-trust cloud security, infosec and operations teams need to focus on two key concepts. First, security will likely need to be integrated into the workloads themselves, both to be present upon instantiation and to maintain access control as fluid cloud environments are updated. By creating a layer of policy enforcement that travels with workloads wherever they go, organizations are in a better position to protect data regardless of where the instance runs. In some ways, this shifts security policy and access control back to the individual instances, as opposed to within the network itself. However, public and hybrid cloud architecture designs do not easily accommodate traditional networking models of segmentation.
Second, the actual behavior of the applications and services running on each system need to be much better understood. The relationships between systems and applications require more intense scrutiny than ever to facilitate a highly restricted, zero-trust operations model that will not adversely impact network connectivity. Dynamic assets, like virtual instances and containers, are difficult to position behind fixed network enforcement points. Organizations can adopt a zero-trust microsegmentation strategy that allows traffic to flow between approved systems and connections, regardless of the environment they are in. This will almost invariably require a combined approach of both network and identity policy to define allowed communications and behaviors.
Zero-trust microsegmentation prevents attackers from using unapproved connections to move laterally from a compromised application or system, regardless of environment. Essentially, zero trust facilitates the creation of affinity policies, where systems have relationships, permitted applications and traffic. Any attempted communications are evaluated and compared against these policies to determine whether the actions should be permitted. This happens continuously. Effective zero-trust control technology will also include some machine learning capabilities to perform analytics processing of attempted behaviors. The technology adapts dynamically over time to changes in the workloads and application environments.
Best practices for implementing zero trust cloud security
Organizations should keep in mind the following best practices for implanting zero-trust tools and controls:
- Start with passive application discovery, usually implemented with network traffic monitoring. Allow for several weeks of discovery to find the relationships in place, and coordinate with stakeholders who understand what normal traffic patterns and intersystem communications look like. Enforcement policies should be enacted later after confirming the appropriate relationships that should be in place -- along with application behavior.
- Design zero-trust architecture based on how data moves across the network and how users and apps access sensitive information. This will assist in determining how the network should be segmented. It can also help security teams identify where protection and access controls should be positioned using virtual mechanisms or physical devices between the borders of different network segments.
- More advanced zero-trust tools integrate with asset identities -- which may be part of an application architecture -- aligned with a business unit, group or representative of a specific system type. Take the time to categorize systems and applications, which will help build application traffic baselines and behaviors.
Infosec professionals have a number of cloud-native tools at their disposal, including Microsoft Azure Active Directory Conditional Access, Microsoft Intune and Microsoft Cloud App Security. In addition, several third-party vendors now offer products and services that can isolate workloads and cloud applications -- including Okta, Cisco, Symantec and Illumio -- through network, agent-based or identity controls.