How Zero Trust Architecture Helps Secure the Cloud

Cloud technology has revolutionized the way businesses operate all across the world. Cloud servers enable any company to leverage others’ computing capabilities to mobilize their own workforces, enabling greater flexibility in all business operations. Whether it’s enabling the storage of sensitive data or work from home, the cloud is key to all businesses’ future.

But with all that mobility comes additional vulnerability.

Cybercriminals are always looking for new ways to infiltrate your systems. And you open up many different points of entry by stretching your systems outside of your office’s perimeter-based cybersecurity system.

Your cloud is everywhere. Why shouldn’t your cybersecurity follow suit?

 

How Zero Trust Architecture Helps Secure the Cloud

Enter Zero Trust Architecture (ZTA). ZTA protects the cloud by taking it seriously, shifting the focus away from the perimeter of your enterprise and onto cloud infrastructure instead.

Unlike increasingly outdated modes of cybersecurity that depend upon the geographical location of your business, ZTA prioritizes protection irrespective of location. The outside disappears, but its threats don’t go anywhere. As boundaries fade away your security should stay put.

The only safe approach in our new landscape? Trust no one, no matter where they are.

A ZTA protects your cloud by embedding that principle in every facet of your cybersecurity system. The following sections break down what zero trust is, how ZTA works to secure your cloud infrastructure, and why you should consider implementing it as soon as possible.

Let’s discuss.

 

Assess your cybersecurity

 

The What: Zero Trust Philosophy

The main philosophy of zero trust is explicit in its name: trust no one.

In practice, that means not granting trust to anyone, even if they’re an “insider” who’s on your company network. Perimeter-based security systems have been the standard in cyberdefense for a long time, and their basic premise is that those inside the perimeter can be trusted.

But in a cloud environment, what counts as inside?

Zero trust is a philosophy that’s been developing under different names over the last 25 years. The Jericho Forum’s Commandments have advocated for a focus on “deperimeterization” since 1994, and the US Department of Defense has integrated zero trust principles into its global security planning since 2006.

It’s now ubiquitous in the public and private sectors.

The current form of ZTA is detailed in the Draft Special Publication (SP) 800-207, published by the National Institute for Standards and Technology (NIST).

The key to understanding how ZTA protects the cloud is in the philosophy of zero trust.

Core Assumptions of Zero Trust

As with any cybersecurity ideology, ZTA is guided by a set of basic principles. These principles outline and govern the implementation and functions of a ZTA. In practice they are the fundamental, underlying reasons that ZTA protects your cloud.

Zero trust philosophy is powered by the following assumptions:

• Assumptions for owned network infrastructure – These assumptions apply to networks owned and operated by your enterprise:
  • Your business’s own networks do not imply trust for owned devices; an attacker may be present at any and all times, and resources should be guarded as such.
  • Devices on your network may not be owned, controllable, or even trackable by your enterprise; cyberdefenses must be configured accordingly.
  • No resource is automatically or inherently trusted. Regardless of the ownership or other characteristics of an entity, none receive implicit trust.
• Assumptions for network infrastructure not owned – These assumptions apply to networks that your enterprise uses or is connected to, but does not own:
  • Not all of your business’s resources operate on networks owned, operated, or monitored by your business; build that awareness into cybersecurity design.
  • Connections to networks not owned and operated by your business cannot be trusted; all non owned networks must be considered hostile, regardless of perceived threats or lack thereof.

ZTA ultimately protects your cloud and entire business by fleshing out these assumptions across its logical infrastructure.

 

The How: Zero Trust Architecture’s Functionality

Turning these assumptions into practical rules that govern its implementation, a ZTA protects your cloud infrastructure by collapsing the perimeter inward. That way, it maximizes the security of each individual asset hosted on the cloud. The tenets are actualized in components.

Any ZTA is made up of two kinds of components that form the architecture:

• Core components
• Input components

The ways in which these components are configured and deployed govern the specific ways in which a ZTA protects its cloud.

 

Logical Components of ZTA

The main function of a ZTA is to grant or refuse access to given resources within your cloud infrastructure. Thus, the main part of a ZTA, its engine, comprises the core components of its algorithm for making and executing decisions regarding access requests:

• Policy engine (PE) – This component is the ultimate decision-making authority; it processes information from the input components (see below) to ultimately decide whether to grant or refuse access. It also logs the decision. It doesn’t execute the decision, though.
• Policy administrator (PA) – This is the component that executes the PE’s decision. The PA ultimately manifests what the PE decides. While they are separate functions, the PE and PA are often paired together and work in concert.
• Policy enforcement point (PEP) – This is the exact point of enforcement, where the PA enacts the decision made by the PE. The location and logistics of the PEP depend upon deployment and overall approach to an overarching ZTA (see below).

These core components make and deliver the decisions that grant or refuse access to resources across your cloud. These decisions are powered, in part, by data from the following input components:

• Identification management system – Responsible for creating and monitoring all information relevant to identification, profiles, credentials, etc.
• Enterprise public key infrastructure (PKI) – Responsible for generating and monitoring certificates issued, often in relation to Federal KPI.
• Data access policies – Responsible for monitoring all regulations governing access to a resource, according to manually entered data or generated intelligence.
• Industry compliance system – Responsible for processing requirements of regulatory codes your organization must comply with (HIPAA, PCI DSS, etc.).
• Threat intelligence feed(s) – Responsible for providing up-to-date insights into all threats, existing and potential, internal and external.
• Network and system activity logs – Responsible for logging all data generated by all access requests, whether granted and declined, and activity pre- and post-request.
• Security information and event management (SIEM) system – Responsible for storing security-related information for later analysis and corrective measures.
• Continuous diagnostics and mitigation system (CDM) – Responsible for ongoing aggregation of relevant information across all other components listed above.

All of this information is processed by the PE and culminates in a decision that is executed by the PA at the PEP. In a nutshell: by processing the inputs from all of these systems, your core components make the access decisions that keep your cloud safe.

The way that the components are deployed can impact what those decisions look like.

 

Varied Deployment Strategies

It’s important to note that the logical components detailed above are abstractions. The components are distinct from each other as concepts; in reality they may not be separate at all.

Your particular cloud systems might be best served by combining two or more components in one particular resource. Or the best or most efficient solution might be to deploy one component across numerous resources.

Here are some examples of deployment strategies outlined in NIST SP 800-207:

• Device agent or gateway deployment – In this strategy, you deploy the PEP across two separate components, each of which resides either directly on or in front of the resource protected. The agent gateway provides access to each individual resource.
• Enclave Based Deployment – This variation works similarly to the agent/gateway model. There is still a gateway, but it grants access to an “enclave” of resources instead of just one. This deployment creates a perimeter-like environment beyond the gateway.
• Deployment via Resource Portal – This deployment works similarly to the previous two models. Combining the PE and PA into a unified PEP component, the resource portal functions as a temporary perimeter contingent upon ZTA-level authentication.
• Device Application Sandbox Deployment – This is a slightly different take from the prior deployments. In this strategy an application becomes the site of the PEP. After vetting an application it becomes the gateway to another resource or group thereof.

The method in which you deploy your components impacts the specific ways that your ZTA protects your cloud—and your entire company.

No matter what deployment configuration you choose, you know that a ZTA is providing optimized protection against all internal and external threats.

In addition to these various methods for deploying the abstract architecture, there are also other ways to conceptualize and actualize the entire ZTA scheme.

Alternative Implementation Methods

Varied deployment isn’t the only way to configure ZTA to best meet your needs.

There are also several different implementation methods that determine which components and resources are prioritized.

Depending on the specifics of your cloud infrastructure and its integration throughout your physical and remote networks, you may consider focusing your ZTA on one particular area.

Alternative approaches outlined by the NIST include:

• Identity governance ZTA – This approach focuses primarily on user and asset identity, running all cybersecurity through profile management and login logistics. It’s widely applicable across any kind of cloud infrastructure.
• Micro segmentation ZTA – In this approach, you implement ZTA on a smaller subset of resources segmented away from the rest of your system. If you operate on numerous cloud servers, this is a good way to start phasing in one at a time.
• Network infrastructure ZTA – This approach utilizes existing network infrastructure, or “software defined parameters,” to determine access to select resources. In this approach the cloud is secured through a channel created via the PEP. It’s common in agent deployment variations like those detailed above.

Across all these strategies one constant remains: the specific area focused on becomes the engine for cybersecurity across your whole cloud infrastructure.

 

The Why: Zero Trust Cybersecurity Benefits

What’s the payoff of going through the work of implementing a ZTA? Unbeatable cybersecurity.

As noted above, ZTA is uniquely apt for securing your cloud infrastructure and all business functions that depend upon it. That’s because, no matter what the implementation of your ZTA looks like, you can count on the following cybersecurity maxims:

• All owned and associated devices must maintain maximum possible security
• All services and data sources are resources worth protecting
• All relevant data is collected to continually improve security
• All communication is secured, regardless of location
• All access is contingent upon prior authentication
• All access is granted on a per-session basis
• All access determination is dynamic

These core tenets of zero trust are what make it the best possible cybersecurity scheme to protect your cloud. But while these maxims optimize the security you can expect from your cloud environment, they can’t guarantee immunity to attack.

Even the best system is open to vulnerabilities.

 

Sustainable Security in a Shifting Landscape

Zero trust principles offer you tools to safeguard against almost all threats that arise in your cloud infrastructure. That means increased sustainability in the face of an unstable environment.

But a ZTA isn’t perfect; it isn’t a miracle solution that makes all threats vanish.

Even the best-configured ZTA is prone to weaknesses, including:

• Subverted access request algorithm
• Data visibility and storage issues
• Network connectivity problems
• Stolen authentication factors
• Complications with NPEs

Although implementing a ZTA is one of the best ways to optimize your cyberdefenses, no single measure is completely, 100% secure. Every cybersecurity system contains a number of vulnerabilities, and zero trust is no different. Understanding them is key to addressing them.

And professional help is the best way to maximize the efficacy of your ZTA.

 

Professionalize Your Cyberdefense

At RSI Security, our mission is helping companies like yours safeguard themselves against every threat the digital landscape harbors. As cloud services take over more and more of that environment, ZTA implementation is one of the only ways to keep your business secure.

Our robust NIST advisory services include tailor-made solutions implementing the guidelines of NIST special publication 800-207, whether you’re installing a ZTA from scratch or migrating from the perimeter.

We’ll also ensure your compliance with NIST and other regulatory protocols.

But that’s not all.

We’re a one-stop-shop for every cyberdefense measure you need to stay safe, well into the future. Contact RSI Security today to see what a difference professional cybersecurity makes.