What Is Zero Trust for the Cloud?

4 min. read

Zero Trust is an IT security model that eliminates the notion of trust to protect networks, applications and data. This is in stark contrast to the traditional perimeter security model, which presumes that bad actors are always on the untrusted side of the network, and trustworthy users are always on the trusted side. With Zero Trust, these assumptions are nullified and all users are presumed to be untrustworthy.

According to Forrester Research, a leading research and advisory firm, a Zero Trust solution must:

  • Ensure only known, allowed traffic or legitimate application communication is allowed by segmenting and enabling Layer 7 policy.

  • Leverage a least-privileged access strategy and strictly enforce access control.

  • Inspect and log all traffic. Otherwise, it can be fairly simple for an attacker to gain access to a company’s network.

These principles may be straightforward to implement in an enterprise network, but how do they apply to the cloud? You can apply the same concepts to the cloud by driving access through a security gateway for secure least-privileged access. However, it has become clear that implementing a gateway is not enough for Zero Trust in the cloud. Your implementation must inspect all traffic for all applications, or it is not truly delivering Zero Trust.

Why Companies Need Zero Trust in a Cloud Environment

Implementing Zero Trust in an enterprise network is predicated on the organization itself controlling the network. It establishes where boundaries can be placed and enforces access controls to shield sensitive applications, such as those within on-premises data centers, from unauthorized access and lateral movement.

Today, it’s often more cost effective to host an application in the cloud instead of a data center. In fact, according to IDG, a leading technology media company, more than 73% of companies now have applications or infrastructure in the cloud.1 These cloud environments, operated by cloud service providers and SaaS vendors, are not a part of an organization’s network, so the same type of network controls do not apply.

As a result, most companies:

  • Have applications and data spread out across multiple locations. 

  • Are losing insight into:

    • Who is accessing their applications and data, or even what devices are being used to access them (e.g., smartphones, tablets, laptop, etc.), since most of their assets are on third-party infrastructure.

    • How data is being used and shared.

To address these issues, companies often use a variety of access technologies, depending on where their assets are. Most companies use a mix of:

 

Location 

Technology Used for Access

On-premises data centers

Remote access VPN

Private applications (data center, hybrid cloud) 

Software-defined perimeter

Public cloud

Inbound proxy or virtualized firewall

SaaS applications 

CASB proxy

This mix of technology creates a fragmented security architecture in which it’s difficult to be sure what policies are in place to protect any given data in the cloud. Cloud environments are fundamentally different from traditional networks and continually change, which means a company’s approach to security must be both comprehensive and adaptable.

This is why 9 out of 10 cybersecurity professionals are currently concerned about cloud security. They say their top three challenges are: protecting against data loss and leakage (67%), threats to data privacy (61%) and breaches of confidentiality (53%). They also struggle with security control issues, such as gaining visibility into infrastructure security (43%), compliance (38%) and establishing consistent security policies across cloud and on-premise environments (35%).2

Thus, to succeed, companies must put a single, unified security architecture in place that:

  • Gives users secure access to a company’s applications and data across the public cloud, SaaS applications, and private cloud/data centers.

  • Controls and limits who has access to those assets, and how they can be used.

  • Inspects traffic and enforces security policies on an ongoing basis.

As organizations move to the cloud, it’s important to incorporate Zero Trust into the design of the new cloud infrastructure. The following are a few ideas on how to get started.

How to Implement Zero Trust for the Cloud Using a 5-Step Methodology

Before getting started, it’s important to define your company’s goals for implementing Zero Trust in the cloud, as well as your desired business outcomes.

  • Step 1: Identify what type of applications (e.g., public, private, SaaS, etc.) and data (e.g., confidential, sensitive, unimportant) your company has, where they are, and who is accessing and using them. Then, define your protect surface: the data, applications, assets, and services most critical to your business.

  • Step 2: Map the transaction flows (i.e., how your applications actually work).

  • Step 3: Architect the new cloud infrastructure and create boundaries between users and applications.

  • Step 4: Develop your company’s Zero Trust policies based on who should have access to what and enforce contextual access controls based on least-privilege principles. Educate users on your company’s security policies and what’s expected of them when they are accessing and using your company’s applications and data in the cloud.

  • Step 5: Monitor and maintain your Zero Trust environment. This means continuously inspecting and logging all traffic to identify unusual activity and decide how to make policies more secure. With active monitoring, your protect surface can grow, allowing you to make changes to the architecture to further enhance your security.

Tips for Applying Zero Trust in a Cloud Environment

To make maintaining Zero Trust in the cloud easier:

  • Use cloud-delivered security measures to implement Zero Trust in the cloud.

  • Provide users with a secure, consistent, and seamless experience wherever they’re physically located, how they want to connect or which applications they want to use. Otherwise, if the user experience is too complicated or requires too much change whenever they work from a new location or use a different application, they will not accept it.

  • Reduce the attack surface area by limiting user access based on context.

Benefits

Some of the benefits of deploying Zero Trust for the cloud include:

  • Better visibility into data, assets and risks.

  • Consistent and comprehensive security.

  • Speed and agility to stay ahead of evolving technologies.

  • Reduced operational cost and complexity.

Learn more about Applying Zero Trust to Cloud Environments in our whitepaper.

Sources

  1. 2018 IDG Cloud Computing Survey

  2. Cybersecurity Insiders 2018 Cloud Security Report

More Zero Trust Articles: