While “zero-trust architecture” has become a buzz phrase, there’s plenty of confusion as to what it actually is. Is it a concept? A standard? A framework? An actual set of technology platforms? According to security experts, it’s best described as a fresh mindset for approaching cybersecurity defense, and companies of all sizes should start implementing it – especially for cloud security.
By way of definition, zero trust is essentially a security paradigm for making sure that people and entities attempting to connect to company resources are who they say they are. It requires explicit permission for every action and continuous monitoring to look for signs of trouble. This goes beyond basic authentication and access management in that the approach assumes that users are a threat, regardless of their identity, location or how they connect to a network (be it “inside” a company network perimeter or remotely).
As such, implementing a zero-trust architecture makes particular sense for the distributed nature of cloud security, according to Jim Fulton, senior director of SASE/zero-trust solutions at Forcepoint. After all, cloud can be accessed in many ways, and its infrastructure doesn’t inherently come with security. It’s only as secure as a company makes it, which is why misconfigurations are so common.
[Editor’s Note: This article was originally published in the free Threatpost eBook “Cloud Security: The Forecast for 2022.” In it we explore organizations’ top risks and challenges, best practices for defense, and advice for security success in such a dynamic computing environment, including handy checklists. Please download the FREE eBook for the full story]
“Zero-trust principles are crucial for cloud security, especially for cloud applications that can be potentially accessed from anywhere on the internet,” he explained. “Zero trust begins with strong authentication to make sure people who are attempting to get to or use important resources are reliably identified. Next, a zero-trust approach checks to see if that person who has been identified has explicit permission every time they go to access or use a resource. This makes it far more difficult for hackers to break into cloud apps and move freely across the network.”
The approach is effective: Consider that Microsoft’s latest Zero Trust Adoption report revealed that 31 percent of organizations that were ahead with their zero-trust system implementation were affected by the SolarWinds hackers, as compared with the 75 percent who hadn’t yet fully implemented it.
What Zero-Trust in the Cloud Looks Like
Digging down further, a zero-trust defense for the cloud could have several different elements, Fulton noted. This could mean hiding resources from general access so that people can only get to them through specific controls, requiring strong authentication to establish that people are who they say they are, only allowing people to perform specific actions that they have explicit permission to perform, continuous validation of those permissions, and continuous monitoring to spot break-ins and attempts to mimic legitimate users.
To achieve this, “sensitive applications are increasingly requiring specific ways of accessing them, such as going through a Cloud Access Security Broker (CASB) rather than coming in directly from anywhere on the internet,” Fulton explained. “Then, only specific people who can log in with appropriate credentials (usernames, passwords and more) are allowed to even begin accessing the company’s cloud. To make this step stronger, many systems are now requiring multifactor authentication methods that use additional information beyond passwords, such as a code sent to a trusted, pre-registered phone or challenge questions that only a trusted user would likely know.”
In addition, if the organization’s cloud security includes continuous monitoring of people’s actions, odd behavior within the cloud would likely raise red flags and cause the person or entity to be dynamically cut off and blocked from doing anything damaging.
It’s important to note that zero-trust is an evolution, not a revolution. “The core ideas for zero trust have been around for a while – the Jericho Forum argued against relying on the perimeter over 20 years ago; network access control (NAC) required that devices attaching to a network had to pass scrutiny before getting access, privileged access management required individuals have positive identity validation before accessing sensitive processes or information,” explained William Malik, vice president of infrastructure strategies at Trend Micro. “Zero trust brings these concepts together in a comprehensive, architectural frame rather than a set of point products that each address one specific vulnerability.”
Beyond the Broad Strokes: Real-World Scenarios
In general, zero-trust initiatives have two goals in mind: reduce the attack surface and increase visibility. To demonstrate this, consider the (common) scenario of a ransomware gang buying initial access to a company’s cloud through an underground initial-access broker and then attempting to mount an attack.
In terms of visibility, “zero trust should stop that attack, or make it so difficult that it will be spotted much earlier,” said Greg Young, vice president of cybersecurity at Trend Micro. “If companies know the postures of their identities, applications, cloud workloads, data sources and containers involved in the cloud, it should make it exceedingly hard for attackers. Knowing what is unpatched, what is an untrusted lateral movement, and continuously monitoring the posture of identities really limits the attack surface available to them.”
And on the attack-surface front, Malik noted that if the gang used a zero-day or unpatched vulnerability to gain access, zero trust will box the attackers in.
“First, at some point the attackers will cause a trusted user or process to begin misbehaving,” he explained. “That anomalous behavior would trigger an alert and lead to blocking the individual or processes’ actions. Second, at some point the attack will require data to be either encrypted (altered) or exfiltrated (stolen). That requires elevated permissions.”
That attempt to punch above the expected permissions weight would either cause the attackers to be denied access, or it would force a request for heightened permissions through an approval process – which would flag and quarantine the anomalous behavior.
Another common real-world scenario for how zero-trust aims for visibility and reduction of attack surface involves remote workers using “shadow IT” tools, such as visiting unsanctioned cloud software-as-a-service applications from their home networks. This is an all too common circumstance that can introduce risk or vulnerability to corporate environments (via insecure video players, for instance, or exploitable file-sharing services).
“If I have an agent on the endpoint I can then know the posture of the laptop being used,” Young explained. “Via API access and/or a CASB I can see the cloud app and get information on whether the app is sanctioned or not – and whether the identity and the posture of the identity and laptop is allowed to access it.”
From there, “I can build a Zero Trust Network Access (ZTNA) connection that is as close to end-to-end as possible, and I can continuously assess the trust and postures so that if at any time the risk goes into a state beyond what I trust, the connection can be severed and access blocked. All the while, I’m assessing threat information and the posture of all of my company assets, including identities and things.”
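The continuous assessment Young describes can be sketched as a small policy check that runs on every request. This is an added example, not code from the article or from any vendor; the grant table, app names, risk scale and threshold are constructed assumptions, as is the choice to sever the session on a trust failure but only deny on a missing permission.

```python
from dataclasses import dataclass

# Constructed sample policy; every name and value here is an assumption.
GRANTS = {("finance", "payroll", "read"), ("finance", "payroll", "export")}
SANCTIONED_APPS = {"payroll", "wiki"}
RISK_LIMIT = 50  # assumed 0-100 risk scale fed by continuous monitoring

@dataclass
class Context:
    role: str
    mfa_passed: bool
    device_patched: bool
    risk_score: int

def trust_failure(ctx, app):
    """Return why identity, device or app is not trusted right now, else None."""
    if not ctx.mfa_passed:
        return "identity not strongly authenticated"
    if not ctx.device_patched:
        return "device posture below baseline"
    if app not in SANCTIONED_APPS:
        return "unsanctioned app"
    if ctx.risk_score > RISK_LIMIT:
        return "risk beyond trusted level"
    return None

class Session:
    """ZTNA-style connection: trust and permission are re-checked per request."""
    def __init__(self, ctx, app):
        self.ctx, self.app, self.open, self.log = ctx, app, True, []

    def request(self, action):
        if not self.open:
            return False
        reason = trust_failure(self.ctx, self.app)
        if reason:                       # trust lost: sever, do not just deny
            self.open = False
        elif (self.ctx.role, self.app, action) not in GRANTS:
            reason = "no explicit permission"   # default deny, session stays up
        self.log.append((action, reason or "allowed"))
        return reason is None

def demo():
    ctx = Context("finance", True, True, 10)
    s = Session(ctx, "payroll")
    results = [s.request("read"), s.request("delete")]
    ctx.device_patched = False           # endpoint agent reports a posture change
    results.append(s.request("read"))    # fails trust check, session is severed
    ctx.device_patched = True
    results.append(s.request("read"))    # a severed session needs a new login
    return results, s.open, s.log
```

The session log records the reason for each decision, which is the visibility half of the two goals named earlier.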
The Do’s of Implementation
Beyond understanding the mindset and the goals, achieving a zero-trust architecture from a practical standpoint requires many different moving pieces and many different layers, which is why its implementation should be seen as a long-term project.
That can be daunting, especially for mid-sized organizations and smaller companies with fewer resources. In reality, experts stress, there are plentiful options for wading into the zero-trust fray no matter the company size. “The mid-sized market has the most to gain with zero trust, yet they can run off the ZT road to success quickly if they try and take an enterprise approach,” warned Young. Instead, companies should start with a small zero-trust component and build from there, he advised – such as implementing multifactor authentication, replacing VPNs with ZTNAs or putting in advanced identity management.
“Pick the one that either is easiest to implement, or is ripe for replacement and will get the most benefit,” he said. “Don’t try and buy your way to zero-trust – set small goals, make sure it is rooted to removing un-earned trust, and always ensure that you have visibility improvements.”
To the latter point, Forcepoint’s Fulton noted that the first step companies should make is understanding what resources are important to protect, which specific actions should be allowed on those resources, and which categories of people should be allowed to perform each action. This makes it easier to apply the right technology at each step.
Another good option for the non-enterprise set to get started is Secure Access Service Edge (SASE) technologies, which combine several zero-trust cornerstones into one platform, the researchers noted. SASE can bring the CASB, ZTNA and secure web gateway functions that small and mid-sized companies need into a single control panel with a single set of policies.
Regardless of how companies get started, it’s time to start down the zero-trust path if they haven’t already, according to Deepen Desai, CISO and vice president of security research and operations at Zscaler.
“The industry has been talking about zero trust for a decade now, but companies who have taken half-measures will need to get serious about what zero trust really means,” he said. “Likewise, U.S. federal agencies are being mandated to embrace and execute true zero trust from the highest levels. With attacks escalating and employees, applications and devices located in every corner of the world, [it’s] really no longer optional.”