The following article originally appeared in Dark Reading.
Applying Zero Trust in Cloud
Zero trust came about as an evolution of a concept called de-perimeterization, or security beyond the firewall, which the Jericho Forum pioneered.
John Kindervag, an analyst at Forrester Research, developed the concept further. Kindervag understood that security extended beyond the edge of an enterprise’s defenses made sense given where security trends were leaning.
He devised a term to describe the primary issue: removing trusted relationships within computer systems. When you remove inherent, default, installed trust, you gain a better security paradigm. Zero trust was born.
Today, zero trust is a dominant security strategy; it’s being adopted globally. In most cases, zero trust moves the control pane closer to the defended asset and attempts to tightly direct access and privileges, which are the objective arbiters of trust within most systems.
To put it another way, zero trust is nearly always an inversion of the old security paradigm that relied on high-security walls and granted overly permissive access. Instead, zero trust views, validates, and enables every request and move within the system on an as-needed basis.
Why Is Access So Critically Important?
Think for a moment like an adversary or a hacker. Successful hackers know that the biggest bang for the buck comes when they gain access as a user on a compromised system. The golden ticket here is acquiring credentials, access, passwords, user accounts, and privileges. In fact, one of the most used hacking tools is called the “Golden Ticket.” Ever heard of Mimikatz? Look it up if you haven’t.
Non-validated or compromised access is what an adversary wants – it gives them the keys to the kingdom. A good username and password give you precisely what you need. From a strategic standpoint, it makes sense to eliminate what the bad guys most want to use.
Managing Access Control Using Zero-Trust Strategic Principles
A long-held tenet of zero trust is that everything is compromised until proven otherwise. At some point, for some reason, an asset or entity will get popped – period.
Therefore, we must limit their ability to move laterally in a compromised system. If we can keep hackers “stuck” on the hacker machine or tied to a user account with limited privileges, we can mitigate the attack by isolating the hacked machine or user from the rest of the network.
Applying Zero-Trust Access in Cloud Systems
Data and trends tell us that cloud is the future of the enterprise and business. The cloud infrastructure approach has massive benefits; it has enormous potential avenues of compromise as well. As cloud data storage and repositories grow, more data becomes available for an attacker to target and compromise.
Vendors and third parties often access corporate cloud systems with little (if any) visibility and control, and bring their own security vulnerabilities with them. It’s the equivalent of someone walking into your house with dirty shoes on – they might not have meant to track mud all over your nice clean floors, but by the time they have taken their shoes off, it’s far too late, and you’re left cleaning up the mess.
Using Access Management to Evolve Zero-Trust Infrastructure
Think big. Start small. And move fast. This should be the mantra for enabling zero trust for your systems.
Think big. Think about the problem you face and the totality of what is required to solve it from the grand strategic level. If you’re solving access management and cloud security, keep those issues top of mind as you strategically enable zero trust.
Start small. Be hyper-focused on what to do first. Don’t start an access management project with 500 users; start with 25. Or just five. Do the small stuff right and as close to perfect as possible, and then progress.
And scale fast. Here is where the beauty of technology shines. Numerous vendors can provide the technology you need to operate at speed and scale in cloud. Use their solutions to scale your efforts, optimize your budget, and operationalize resources as you scale. Remember: Do the small stuff right. Then you can scale fast and leverage vendor solutions to push your zero trust strategy forward at the pace your business demands.
Enterprises typically solve isolation and segmentation at a micro-level once they handle access management. Small and midsize businesses usually try to address device posture management and software-defined perimeter problems first because they directly affect users and are simpler to resolve.
The final stage in most zero-trust evolution involves data security. Data is the most transitory and ethereal asset that businesses create. Trying to lock such a dynamic asset before solving access management problems that define how data is accessed and by whom is akin to putting the cart in front of the horse.
Last, be sure to remember the adversary, hackers. Hackers want you to be oblivious to what is occurring in your systems. They are chasing the golden ticket. If you don’t control your access and privileges, you are essentially handing it to them.