Zero trust initially focused on segmenting and securing the network across location and hosting models. Today, however, to be successful, zero trust must also integrate with end-user and cloud brokering systems.
Zero trust is important to help combat threats today for a variety of reasons, among them:
Security and operations teams focus on two key concepts when implementing a zero-trust model. First, security controls are usually integrated into the endpoints themselves. Organizations create a layer of policy enforcement that travels with these systems wherever they go, thus giving them a much stronger chance to protect data, regardless of where the system runs. Second, a central brokering model must exist to help control where and how access is granted.
To this end, as it relates to cloud security, two distinct zero-trust cloud security models have emerged: zero trust in the cloud and zero trust via the cloud.
Zero trust in the cloud is often implemented within a cloud service provider environment through the use of micro-segmentation techniques and tooling. If you have a strong presence in AWS, Microsoft Azure or Google Cloud Platform (GCP), for example, you likely already use basic micro-segmentation technologies. In AWS, this is implemented via IAM, RBAC modelling, security groups and network access control lists.
Within the cloud, micro-segmentation must extend into individual workloads to inspect application components, binaries and the behaviour of systems communicating in application architecture. The zero-trust approach does not involve eliminating the perimeter. Instead, it relies on network micro-segmentation, identity policy and monitoring to move the perimeter as close as possible to privileged apps and protected surface areas for workloads, governed by a central policy engine that assigns and monitors policy application.
For example, should an Amazon Elastic Compute Cloud instance be communicating with a specific storage node or AWS service? This depends on the context of the application, and today’s zero-trust tooling can help discover and identify normal versus abnormal patterns of behaviour and thus prevent or detect unusual or malicious activities.
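The discovery-then-enforce cycle described above, as an added example that is not code from the original article or from any cloud provider or micro-segmentation product. The instance ids, addresses, role tags and flow records are constructed; the point is that policy keys are built from workload identity (role tag and service name) rather than IP addresses, a discovery window learns the application's normal communication pattern, and enforcement then defaults to deny for everything the learned allow-list does not name, including flows from workloads the inventory has never seen.

```python
"""Workload micro-segmentation: discovery phase, then default-deny enforcement.

Added example. Instance ids, IP addresses, endpoints and role tags are
constructed for illustration and do not describe any real environment.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List, Optional, Tuple

PolicyKey = Tuple[str, str, int]  # (source role, destination service, port)

# Hypothetical inventory: instance id -> role tag assigned at deployment.
INVENTORY: Dict[str, str] = {
    "i-0aaa111": "web",
    "i-0bbb222": "app",
    "i-0ccc333": "db",
}

# Hypothetical map from destination address or endpoint to a service name.
SERVICES: Dict[str, str] = {
    "10.0.2.10": "app",
    "10.0.3.10": "db",
    "s3.amazonaws.com": "s3",
}


@dataclass(frozen=True)
class Flow:
    src_instance: str
    dst: str
    dst_port: int
    accepted: bool = True  # what the data plane did with it (ACCEPT/REJECT)


def to_key(flow: Flow) -> Optional[PolicyKey]:
    """Translate an address-based flow into an identity-based policy key."""
    role = INVENTORY.get(flow.src_instance)
    service = SERVICES.get(flow.dst)
    if role is None or service is None:
        return None  # unknown workload or unregistered destination
    return (role, service, flow.dst_port)


def learn_policy(discovery_flows: Iterable[Flow]) -> FrozenSet[PolicyKey]:
    """Discovery mode: accepted flows with known identities become the allow-list.

    Rejected flows are deliberately not learned, so a probe that was blocked
    during the discovery window does not become permitted behaviour.
    """
    keys = set()
    for flow in discovery_flows:
        key = to_key(flow)
        if key is not None and flow.accepted:
            keys.add(key)
    return frozenset(keys)


def evaluate(flow: Flow, policy: FrozenSet[PolicyKey]) -> str:
    """Enforcement mode: default deny, allow only what the policy names."""
    key = to_key(flow)
    if key is None:
        return "deny-unknown-identity"
    return "allow" if key in policy else "deny"


def audit(flows: Iterable[Flow], policy: FrozenSet[PolicyKey]) -> List[str]:
    """One alert line per non-allowed flow, for the monitoring side of the engine."""
    alerts = []
    for flow in flows:
        verdict = evaluate(flow, policy)
        if verdict != "allow":
            alerts.append(f"{verdict}: {flow.src_instance} -> {flow.dst}:{flow.dst_port}")
    return alerts


# Constructed discovery window: the application's normal behaviour, plus one
# rejected connection that must not be learned.
DISCOVERY = [
    Flow("i-0aaa111", "10.0.2.10", 8443),                   # web -> app
    Flow("i-0bbb222", "10.0.3.10", 5432),                   # app -> db
    Flow("i-0bbb222", "s3.amazonaws.com", 443),             # app -> S3
    Flow("i-0aaa111", "10.0.3.10", 5432, accepted=False),   # web -> db, blocked
]

# Constructed enforcement-phase flows, including two that should be denied.
ENFORCEMENT = [
    Flow("i-0aaa111", "10.0.2.10", 8443),   # web -> app: allowed
    Flow("i-0bbb222", "10.0.3.10", 5432),   # app -> db: allowed
    Flow("i-0aaa111", "10.0.3.10", 5432),   # web -> db: not in policy
    Flow("i-0zzz999", "10.0.3.10", 5432),   # unknown instance -> db
]

if __name__ == "__main__":
    learned = learn_policy(DISCOVERY)
    for line in audit(ENFORCEMENT, learned):
        print(line)
```

Running the script prints two alerts: the web tier reaching the database directly, and a connection from an instance that is not in the inventory. In a real deployment the inventory and service map would come from the provider's tags and service endpoints, and the learned allow-list would be reviewed by the application owners before the engine is switched from discovery to enforcement.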
The second model of zero trust today is zero trust via the cloud, usually through brokering services offering zero-trust network access and cloud access security brokering capabilities. This type of zero-trust cloud security model is centred around end-user access to cloud applications and services. It usually involves the following types of capabilities:
Some cloud brokers also support SaaS-specific monitoring capabilities, as well as controlled access to on-premises applications and services.
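The broker-side decision for end-user access, as an added example that is not code from the original article or from any ZTNA or CASB product. The application tiers, device posture fields, user history and request records are constructed. It shows the three inputs a brokering service combines in front of a cloud application: authentication strength (was a second factor used), device posture (managed, encrypted, patched) and a behavioural signal (a country the user has not recently connected from), and how they map to allow, deny or a step-up requirement depending on the sensitivity of the application being requested.

```python
"""End-user access brokering (zero trust via the cloud).

Added example. Application names, posture checks, user history and the
decision thresholds are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Device:
    managed: bool        # enrolled in the organisation's device management
    disk_encrypted: bool
    os_patched: bool


@dataclass(frozen=True)
class Request:
    user: str
    app: str
    mfa: bool            # session authenticated with a second factor
    device: Device
    country: str         # source country of the connection


# Hypothetical application catalogue: sensitivity tier per cloud application.
APP_TIER: Dict[str, str] = {
    "wiki": "low",
    "crm": "medium",
    "payroll": "high",
}

# Hypothetical recent-connection history per user, used as a behavioural baseline.
RECENT_COUNTRIES: Dict[str, List[str]] = {
    "alice": ["DE", "DE", "DE"],
    "bob": ["US"],
}


def device_posture_ok(device: Device, tier: str) -> bool:
    """Low tier: any managed device. Higher tiers also need encryption and patches."""
    if not device.managed:
        return False
    if tier == "low":
        return True
    return device.disk_encrypted and device.os_patched


def unusual_location(user: str, country: str) -> bool:
    """True when the user has history and this country is not in it."""
    history = RECENT_COUNTRIES.get(user, [])
    return bool(history) and country not in history


def decide(req: Request) -> str:
    """Return 'allow', 'step-up:<reason>' or 'deny:<reason>' for one request."""
    tier = APP_TIER.get(req.app)
    if tier is None:
        return "deny:unknown-app"          # only brokered applications are reachable
    if not device_posture_ok(req.device, tier):
        return "deny:device-posture"
    unusual = unusual_location(req.user, req.country)
    # Anything above the low tier requires a second factor; so does an unusual location.
    if (tier != "low" or unusual) and not req.mfa:
        return "step-up:mfa"
    # For the most sensitive tier an unusual location is denied even with MFA,
    # so the anomaly can be reviewed before access is granted.
    if tier == "high" and unusual:
        return "deny:unusual-location"
    return "allow"


def broker(requests: List[Request]) -> List[str]:
    """Evaluate a batch of requests; the broker logs each decision with its context."""
    return [f"{r.user} -> {r.app} from {r.country}: {decide(r)}" for r in requests]


GOOD_LAPTOP = Device(managed=True, disk_encrypted=True, os_patched=True)
OLD_LAPTOP = Device(managed=True, disk_encrypted=False, os_patched=False)
PERSONAL = Device(managed=False, disk_encrypted=False, os_patched=False)

# Constructed requests covering the main decision paths.
SAMPLE_REQUESTS = [
    Request("alice", "wiki", False, OLD_LAPTOP, "DE"),    # allow
    Request("alice", "crm", False, GOOD_LAPTOP, "DE"),    # step-up:mfa
    Request("alice", "crm", True, GOOD_LAPTOP, "DE"),     # allow
    Request("alice", "payroll", True, GOOD_LAPTOP, "BR"), # deny:unusual-location
    Request("bob", "payroll", True, PERSONAL, "US"),      # deny:device-posture
    Request("alice", "wiki", False, OLD_LAPTOP, "BR"),    # step-up:mfa
]

if __name__ == "__main__":
    for line in broker(SAMPLE_REQUESTS):
        print(line)
```

The ordering matters: posture is checked before authentication strength so that an unmanaged device is refused outright rather than being prompted for a second factor it would still fail on. A user with no history at all (for example a new account) produces no location anomaly, which is the conservative choice for a behavioural signal that has nothing to compare against.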
The concept of zero trust will continue to mature, but it will always represent more than one modality. For data centre assets, especially in a software-based environment like the cloud, zero trust will be predicated on micro-segmentation and identity policy. Zero trust for end users will focus on authentication, authorization and behavioural monitoring for access to cloud services and assets.