Executing Zero Trust in the Cloud Takes Strategy

COMMENTARY

Zero trust is a high-level strategy that assumes that individuals, devices, and services attempting to access company resources, both externally and internally, can't automatically be trusted. The approach has become popular because it addresses the risk associated with the modern attack surface. However, tying together various data sources and creating context to reduce risk is not a simple proposition.

Enterprises starting down this path often struggle with a few key areas, including lack of visibility of the overall infrastructure and services the organization uses. There is no such thing as a simple infrastructure anymore. Digital transformation, embracement of software-as-a-service (SaaS), remote work, operational technology, third-party services, and data exchange have all led to a far more complex attack surface.

Organizations often focus their zero-trust program on authentication, but entitlement and environment are also critical. Deploying two-factor authentication (2FA) is just scratching the surface. What about a DevOps engineer being authenticated via 2FA on an unknown device in an untrusted environment with privileges on applications and platforms far more than they require?

Overentitlement is especially problematic in the cloud due to the complexity of provisioning engineers for the correct level of access and continuously validating their permissions on a constantly changing environment. The core concept of "never trust, always verify" holds true not just for the user, but for the assets they use and the access they have once authenticated.

Putting Zero Trust to Work

When implemented properly, multifactor authentication and other zero-trust authentication capabilities should enhance, not hinder, security. The user experience should streamline the verification process and then guide a user on which services are available to them.

From an asset perspective, it's important that organizations have an understanding of both leading and trailing indicators of attack — for example, knowing how secure the system is and whether there is any indication that that level of security has been compromised. Knowing how exposed an asset is, especially when it's being used to access services, should always be part of the verification process.

Within an increasingly complex and broad security infrastructure, there is no single solution that delivers on zero trust. However, a few techniques can help overcome the challenges that arise with a zero-trust approach.

1. Pair Up Data Lakes and APIs

Tools are available that help manage the chaos brought on by the cloud. Data-lake solutions have simplified the process of distilling disparate data sources into a unified view. But waiting on the shores of data lakes is the workhorse of the data-gathering world — the ubiquitous and useful API. APIs are making it far easier for platform architects to gather critical insights and dump them into the data lake for automated analysis.

Data lakes can centralize and streamline the analysis of vast amounts of logs, alerts, and other security data, enabling the use of machine learning to efficiently detect and respond to threats. Meanwhile, application programming interfaces (APIs) can facilitate real-time data sharing between security platforms, enhancing the speed and accuracy of threat detection and response. Both technologies require responsible use with adherence to stringent data governance and security measures.

2. Block Attack Paths

By implementing zero trust, a compromised asset or user is a lot less likely to lead to a domainwide breach due to the ability to isolate affected systems. Zero trust can prevent lateral movement and privilege escalation that lead to ransomware attacks.

To stop breaches, security teams should focus on breaking the attack paths favored by threat actors. To do this, teams need to address the underlying exposures on the assets, as well as employ the segmentation and verification inherent in zero-trust implementations. An easily exploited browser vulnerability or local privilege-escalation issue on a client system should affect only that single asset rather than lead to a broader issue.

Proactively focusing on the tactics adversaries favor on the one hand and automating the detection and isolation of affected systems on the other should make each step the attacker takes more difficult and costly.

3. Monitor the Right KPIs

Picking the right metrics can drive adoption and make the foundational controls associated with zero-trust operational. Metrics are the cornerstone to any good security program, ensuring the appropriate levels of coverage and controls and identifying gaps and areas for improvement. For example, in the case of cloud infrastructure entitlement management (CIEM), an organization might measure the percentage of cloud accounts that are known and assessed for compliance against the defined policies, or the response time for a compliance failure.

Metrics are generally control-specific, so it's best to leverage existing best practices from organizations like the Center for Internet Security. When measuring the effectiveness of the security program with metrics, though, it's important that the metrics are SMART (specific, measurable, achievable, relevant, and timely) and focused on desired outcomes. It's also far more effective to have a few metrics that have broad buy-in from the team than numerous and onerous metrics that everybody dreads measuring.

Zero-trust architecture is a pivotal enabler in the landscape of cloud cybersecurity, but its implementation is far from straightforward. The strategic integration of data lakes and APIs, coupled with automation of attack detection and isolation of compromised systems, is key to enhancing security in the cloud. And employing precise metrics helps security teams navigate the complexities associated with zero-trust adoption to unlock its full potential.