BACKGROUND IMAGE: jijomathai/stock.adobe.com
The term zero trust is used in a number of contexts today. The first is network-oriented and focuses on ports, network traffic and application behavior. In order to implement a network-focused zero-trust model that emphasizes behaviors and policy, security and operations teams need to focus on two key concepts:
- First, security will need to be integrated into the workloads themselves, and it needs to move with the instances and data as they migrate between internal and public cloud environments.
- Second, the actual behavior of the applications and services running on each system will need to be much better understood, and the relationships between systems and applications will need more intense scrutiny than ever to facilitate a highly restricted, zero-trust operations model.
A critical element of any cloud security strategy -- and one that needs to be implemented prior to others in many ways -- is inventory discovery and management. As cloud workloads move, they need to be automatically catalogued and tracked within the particular cloud environment they are running in. A bigger challenge is defining what applications and services are running in a hybrid cloud, determining what communications should be allowed, and then maintaining continuous vigilance within all environments as workloads and applications shift and change over time. Most security teams don't have the visibility into their application environments to facilitate this, and many lack the time needed to learn what good behaviors are, as well.
Policies for zero trust in the cloud
For a zero-trust model to work effectively in the cloud, security and operations teams will need to integrate security policies directly into workload instances both in their data centers and cloud environments. By creating a layer of policy enforcement that travels with workloads wherever they go, organizations have a much stronger chance of protecting data regardless of where the instance runs.
In some ways, this shifts security policy and access control back to the individual instances rather than within the network itself, but hybrid cloud architecture designs don't easily accommodate traditional networking models of segmentation. Dynamic assets like virtual instances -- running on technology like VMware internally or in AWS or Azure -- and containers are difficult to position behind fixed network enforcement points. So, organizations can adopt a zero-trust microsegmentation strategy that only allows traffic to flow between approved systems and connections, regardless of the environment they are in.
An entirely new aspect of strategy for zero trust in the cloud complements the network focus: identity management and permissions. As all assets in a cloud environment are essentially software-defined objects communicating across a uniform provider backplane, a control plane enforcing identity attributes like privilege allocation and policy works in conjunction with network behaviors and definitions to isolate and control workload interactions. Using tools like instance images and container grouping, along with orchestration tools like Kubernetes or those available from major IaaS and PaaS providers, teams can create affinity policies of trust based on identity and privilege definitions evaluated and enforced by the provider hypervisor and software-defined infrastructure.
How this layer of identity control gets created and enforced is unfortunately specific to the individual provider environment and rarely translates from one environment to another. Where network-based controls can be enforced through a unified approach to access control rules that allow or restrict ports, protocols and services -- and may be enabled with a central firewall appliance or other platform -- identity definitions and policies are usually tailored to the provider since its permissions are specifically tailored to the cloud environment itself.
To achieve a true zero-trust in the cloud model, a combination of network and identity permission policies should be in place, preferably with application behavior profiling enabled. No cloud provider options enable this completely, which may lead some organizations to third-party tools that are usually agent-based and include a separate policy controller that evaluates network, identity and application behaviors and settings when making access control decisions. In the future, this capability will likely get more integrated into individual cloud provider environments, but enabling this for multi-cloud deployments will probably take some time.