Zero Trust is a security model for IT that removes implicit trust from the protection of applications, data, and networks. It differs sharply from the traditional perimeter model, which assumes that bad actors are always on the untrusted side of the network and that users on the trusted side are trustworthy. Zero Trust discards that assumption: no user, device or network location is trusted by default, and every request must be verified before access is granted.
According to Forrester Research, a leading research and consultancy firm, a Zero Trust solution must:
- Ensure that only known, legitimate application traffic is allowed, by segmenting the network and enforcing Layer 7 (application-aware) policy.
- Implement a least-privilege access strategy and strictly enforce access control.
- Inspect and log all traffic, not just the login exchange. Otherwise, an attacker who clears the initial authentication can use the company's network with little scrutiny.
In an enterprise network these principles may be straightforward to implement, but how do they apply to the cloud? By routing access through a security gateway, you can apply the same concepts to the cloud for secure, least-privileged access. However, it has become clear that simply deploying a gateway in the cloud is not enough. The implementation has to inspect all traffic for all applications, or it is not truly delivering Zero Trust.
Why Zero Trust in the cloud is a must for organizations
Implementing Zero Trust in an enterprise network is predicated on the firm itself controlling the network. That control determines where boundaries can be set and where access control can be enforced to protect sensitive applications, such as those in on-premises data centers, from unauthorized access and lateral movement.
Today, hosting an application in the cloud instead of a data center is also more cost-effective. More than 73 percent of companies now have applications or infrastructure in the cloud, according to IDG, a leading technology media company. These cloud environments, operated by cloud service providers and SaaS vendors, are not part of an organization's network, so the same kind of network controls do not apply.
As a result, most companies:
- Have applications and data spread across multiple locations.
- Are losing insight into:
  - Who has access to their applications and data, and what devices are used to access them (laptops, smartphones, tablets, etc.), since many of their assets now sit on third-party infrastructure.
  - How their data is used and shared.
Organizations often use a variety of access technologies to address these problems, depending on where their assets are located. Most companies use a mix of:
| Location | Technology used for access |
|---|---|
| On-premises data centers | Remote access VPN |
| Private applications (data center, hybrid cloud) | Software-defined perimeter |
| Public cloud | Inbound proxy or virtualized firewall |
| SaaS applications | CASB proxy |
This technology mix creates a fragmented security architecture in which it is hard to be sure what policies are in place to protect any particular piece of data in the cloud. Cloud environments are radically different from traditional networks and continuously evolving, so a company's approach to security needs to be both comprehensive and adaptable.
That is why 9 out of 10 IT professionals are concerned about cloud security. Their top three challenges are protection against data loss and leakage (67%), threats to data privacy (61%), and breaches of data confidentiality (53%). They also struggle with security control issues such as gaining visibility into the security of their infrastructure (43%), compliance (38%), and establishing consistent security policies across cloud and on-premises environments (35%).
So, to succeed, businesses need to put in place a single, unified security architecture that:
- Provides users secure access to the company's applications and data across the public cloud, SaaS applications, and private cloud/data centers.
- Controls and limits access to those assets and the ways they can be used.
- Inspects traffic and consistently enforces security policies.
Recommendations for applying Zero Trust in cloud infrastructure
To make Zero Trust easier to maintain in the cloud:
- Use cloud-delivered security controls, so that policy is enforced where the users and cloud applications are rather than only inside the corporate network.
- Give users a secure, consistent, and seamless experience regardless of where they are physically located, how they connect, or which applications they use. Users will not accept a solution whose experience is too complicated or that requires change every time they work from a new location or open another application.
- Reduce the attack surface by granting access per request, based on context (the user's identity, the device in use, the location, and the application requested), rather than on network position.
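The principles above (an explicit allow-list in place of implicit network trust, least privilege, context-based access per request, and inspection and logging of every decision) can be seen together in a minimal policy decision point. The following Python is an added example written for this page, not code from the original article, from Forrester, or from any vendor product; the users, roles, applications and device attributes are constructed sample data, and the four checks are a hypothetical policy chosen to illustrate the principles rather than a recommended rule set:

```python
"""Per-request Zero Trust policy decision point (illustrative, added example).

Every request is evaluated on its own: the network the request came from grants
no trust, the default answer is deny, least privilege is an explicit allow-list
of (role, application, action), device posture and MFA are context conditions,
and every decision, allow or deny, is written to an audit log.
All identities, applications and device attributes are constructed sample data.
"""
from dataclasses import dataclass, field
from typing import List, Tuple

# Explicit allow-list of (role, application, Layer 7 action). Anything absent is denied.
ALLOW_LIST = {
    ("finance", "erp", "read"),
    ("finance", "erp", "write"),
    ("engineer", "git", "read"),
    ("engineer", "git", "write"),
    ("engineer", "erp", "read"),
}

# Hypothetical context rule: writes to these applications require a managed device.
MANAGED_DEVICE_REQUIRED_FOR_WRITE = {"erp", "git"}


@dataclass
class Request:
    user: str
    roles: List[str]
    app: str
    action: str
    device_managed: bool
    device_patched: bool
    mfa_verified: bool
    source: str  # "corp-lan", "vpn", "internet": recorded, deliberately never trusted


@dataclass
class Decision:
    allowed: bool
    reasons: List[str] = field(default_factory=list)


AUDIT_LOG: List[str] = []


def evaluate(req: Request) -> Decision:
    """Decide one request. Default deny; every failing check is collected."""
    reasons: List[str] = []

    # 1. Identity is verified on every request, regardless of req.source.
    if not req.mfa_verified:
        reasons.append("mfa-not-verified")

    # 2. Device posture is part of the context, not only who the user is.
    if not req.device_patched:
        reasons.append("device-unpatched")

    # 3. Least privilege: some role of the user must hold an explicit allow-list entry.
    if not any((role, req.app, req.action) in ALLOW_LIST for role in req.roles):
        reasons.append("no-allow-list-entry")

    # 4. Layer 7 condition: writes to sensitive applications need a managed device.
    if (req.action == "write"
            and req.app in MANAGED_DEVICE_REQUIRED_FOR_WRITE
            and not req.device_managed):
        reasons.append("write-requires-managed-device")

    decision = Decision(allowed=not reasons, reasons=reasons)
    # 5. Inspect and log all traffic: allows are recorded as well as denies.
    AUDIT_LOG.append(
        f"user={req.user} app={req.app} action={req.action} source={req.source} "
        f"decision={'ALLOW' if decision.allowed else 'DENY'} "
        f"reasons={','.join(reasons) or '-'}"
    )
    return decision


def sample_requests() -> List[Tuple[str, Request]]:
    """Constructed sample traffic covering the main allow and deny paths."""
    return [
        ("engineer on a managed laptop pushing to git from the internet",
         Request("alice", ["engineer"], "git", "write", True, True, True, "internet")),
        ("same engineer on an unmanaged tablet on the corporate LAN",
         Request("alice", ["engineer"], "git", "write", False, True, True, "corp-lan")),
        ("finance user without MFA on the corporate LAN",
         Request("bob", ["finance"], "erp", "read", True, True, False, "corp-lan")),
        ("contractor with no role that covers the application",
         Request("carol", ["contractor"], "erp", "read", True, True, True, "vpn")),
    ]


if __name__ == "__main__":
    for label, req in sample_requests():
        d = evaluate(req)
        print(f"{label}: {'ALLOW' if d.allowed else 'DENY'} {d.reasons}")
    print("\n".join(AUDIT_LOG))
```

Note that the two requests from the corporate LAN are denied while the one from the internet is allowed: location is logged for forensics but never used as a trust signal, which is the point of the model. A real deployment would source the device and MFA attributes from an identity provider and endpoint management system rather than from the request itself.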
Some of the advantages of deploying Zero Trust for the cloud:
- Better visibility into data, assets, risks, and threats.
- Consistent and comprehensive security.
- Greater speed and agility to stay ahead of evolving technologies.
- Reduced operational cost and complexity.