Cloud Data Security: Adopt a Zero Trust Approach 

Cloud Data Security_ Adopting a Zero Trust Approach for a Safe Environment (March 01, 2021)

Securing the data across multiple environments by ensuring data visibility in a structured manner and defining the policies, and identifying the potential risks through tracking suspicious user behaviour. 

Zero trust security is the IT security model, which requires strict identity verification for every person and the devices trying to access resources on a private network, regardless of whether they are sitting within or outside the network’s perimeter. No single specific technology is associated with zero trust architecture. It is a holistic approach to network security that incorporates several different principles and technologies.

Traditional IT network security was based on the castle-and-moat concept. Because it is intrusion centric, the castle-and-moat model’s weakness lies in its misplaced intense focus on external threats. As high-profile attacks have taught us in recent years, external treats are usually the least of everyone’s issue. Insider threats are frequently overlooked, even if they render all secure attack surfaces irrelevant. 

The vulnerability in castle-and-moat security systems is exacerbated by the fact that companies no longer have their data in just one place. Today, the information is often spread across cloud vendors, making it more challenging to have a single security control for an entire network.  

What is Zero Trust Security?

Zero Trust security – means no one is trusted by default from inside or outside the network, and verification is required from everyone trying to access resources on the web. The added layer of security has been shown to prevent data breaches. A recent IBM-sponsored study showed that the average cost of a single data breach is over USD 3 million. Considering the facts – it should come as no surprise that many organisations are now eager to adopt a “Zero-Trust Security” policy.

Why is it the right time to invest in Zero Trust Security?

Corporate executives are feeling the pressure to protect their enterprise systems and data. Even the investors and customers insist on better data security. Security issues get even more complicated when some portion of the data and applications are on-premise and some on the cloud.

Everyone from employees to contractors and partners is accessing those applications using various devices from multiple locations. Also, at the same time, government and industry regulations are ramping up the requirements to secure essential data. At that time, Zero Trust security will be a help to demonstrate compliance with such rules.

What are the main principles and technologies behind it?

The technology supporting Zero Trust is advancing rapidly – making the approach more practical to deploy. There is no single approach for implementing a Zero Trust cybersecurity framework, and neither is there a single technology.

Pieces fit together to ensure that only securely authenticated users and devices can access target applications and data. For instance, if the access is granted based on the principle of “least privilege” – providing users or employees with only the data they need to do their job when they are doing it.

This includes implementing expiring privileges and using credentials revokes automatically after access is not required. Also, traffic is inspected and logged continuously, and access is confined to perimeters to help prevent the unauthorised lateral movement of data across systems and networks.

A Zero Trust framework uses several security technologies to increase the granularity of access to sensitive data and systems. Like, identity and access management (IAM), role-based access control (RBAC), network access control (NAC), multi-factor authentication (MFA), encryption, policy enforcement engines, policy orchestration, logging, analytics and scoring and file system permissions. 

Also, technology standards and protocols are available to support the Zero Trust approach. The CSA – Cloud Security Alliance has developed a security framework called a software-defined perimeter (SDP) used in some Zero Trust implementations.

In addition to all this, the Internet Engineering Task Force (IETF) made its contribution to zero trust security models by sanctioning the Host Identity Protocol (HIP) – which represents new security networking layer within the OSI stack.

It’s Time to Adopt to Zero Trust in IT: Five steps for building a secured environment with Zero Trust.

The Five-step approach to building a Zero Trust-IT environment will eventually help you adopt the Zero Trust methodology and implement better security practices within the organisation.

1. Define the Protected Surface

With the Zero Trust, you do not focus on your attack surface but only on protecting the surface – like the critical data, applications, assets and services (DAAS). For instance, a protected surface includes credit card information, protected health information (PHI), personally identifiable information (PII), intellectual property (IP), applications (off-the-shelf), assets like SCADA controls, POS terminals, medical equipment, manufacturing assets and other IoT devices. 

Once the protected surface is defined – you can move your controls as close as possible to it. It will enable you to create a micro perimeter with policy statements that are limited, precise and understandable.  

2. Map Transaction Flows

In a way, the traffic moving across the network will determine how it should be protected. You will need to gain contextual information around your DAAS’s interdependencies (data, applications, assets and services). Documenting how specific resources interact will allow you to properly enforce controls and provide valuable context to ensure optimal cybersecurity with minimal disruption to the users and business operations.

3. Architect your Zero Trust IT network

Zero Trust networks are fully customisable as they are not derived from a single universal design. Instead, the architecture is constructed around the protected surface. After defining the protected surface and transaction flows are mapped relative to your business or an enterprise’s needs, you can design a Zero Trust architecture – starting with a next-gen firewall. 

The next-gen firewall will act as a segmentation gateway, creating a micro perimeter around the protected surface. You can also enforce the additional inspection and access control layers with a segmented gateway – like a seven-layer security wall. 

4. Create your Zero Trust Security Policies

Once the Zero Trust network is designed – you will need to define the Zero Trust policies determining access. You will need to figure out who your users are – what applications they need to access, why they need access to particular applications, how they connect to those applications and what all controls can be used to secure the ticket. 

And, with such a level of granular policy enforcement, you can rest assured that the only allowed traffic would be known and legitimate. 

5. Monitor and Maintain the Networks

So after defining the protected surface, mapping the flows, and defining security policy, the last step left is to review the logs, internal and external aspects focusing on Zero Trust’s operations. As we all know, Zero Trust is an iterative process; inspecting and logging all traffic will give you valuable information on improving the network over a while.

This and many more exciting topics will be discussed at the Enterprise Cloud and Data Centre Forum 2021, Middle East’s biggest cloud and data centre summit on March 10, 2021 (UAE edition), and March 16, 2021 (KSA edition). For registration, please visit https://ecdc.datatechvibe.com/