The migration towards cloud infrastructure has changed the way companies protect their data. Traditionally, companies used the “trust but verify” philosophy, but now they have to follow a “never trust, always verify” approach. Statista estimates that spending on cloud infrastructures will reach 133.7 billion USD by 2026.
The zero trust architecture requires all users, devices, and applications attached to an organization’s infrastructure to be continuously authenticated. It also authorizes and monitors the authenticated devices to ensure the usage of appropriate configurations.
Basic Principles of Zero Trust
All Zero Trust architectures abide by the National Institute of Standards and Technology Special Publication 800-207, and the NordLayer Zero Trust solution is based on its basic principles:
- Assume breach.
- Assume the environment is no different than any other public environment.
- Continuous analysis to evaluate risk.
- Continuous implementation of risk mitigation protection protocols.
- Minimize access to resources.
- Continuous authentication and authorization of identity through security policies.
Occasionally, organizations rely on more than one cloud service provider and host multiple applications to meet their business requirements. Therefore, adopting a Zero Trust approach will give you the necessary security by requiring users to access cloud resources through a portal that follows NIST SP 800-207.
Steps to better understand the Zero Trust Architecture
Many organizations find it challenging to implement a Zero Trust architecture to enhance their cloud security. These steps can help you move forward:
Identifying users who require network access
First, you need to build an understanding of who needs access to your organization’s digital resources. Bear in mind that not every user is a person; you also need to consider the following when identifying users:
- Bots or RPAs
- Serverless functions
Next, you need to identify users that require privileged access, such as developers and system administrators.
Identifying devices that require access to your network
Since a Zero Trust architecture tracks all devices connected to your network, you need to create an asset catalog. The increased usage of the Internet of Things has made it time-consuming to identify and create one. Here are some things you need to include:
- Employee workstations
- Other IoT devices, such as printers or cameras
The Zero Trust architecture requires organizations to maintain security configurations of all devices that are a part of their ecosystem.
Identifying digital artifacts in need of network access
Numerous applications and other non-tangible digital artifacts require access to the organization’s network. While building your list, you need to consider user accounts, applications, and digital certificates.
However, Shadow IT is another challenge here as some departments within the organization might be using different technologies without the knowledge of the IT team. To ensure a smooth migration to a Zero Trust model, you must conduct a thorough network scan to identify all access points.
Identifying key processes
After identifying the applications in use within your organization, you need to define those crucial for operations, as these key business processes assist in setting resource access policies. For the first round of migration, low-risk processes are the best candidates, as they will not cause downtime.
Additionally, you can move the organization’s cloud-based critical resources that protect sensitive data and services. If your organization puts controls around these processes, you can save costs by analyzing performance, user experience, and impact on your daily workflows.
Moving forward, your IT department needs to establish policies for all users, technologies, and key business processes that were identified by your team. For every asset or workflow, your IT department needs to identify the following:
- Upstream resources: items that flow into your organization’s current cloud asset; for example, the ID management console, employee databases, and critical systems.
- Downstream resources: items that flow out of your organization’s current cloud asset; event logs, for example.
- Entities: items connecting to your cloud asset, which include user and service accounts.
Using all of the previous steps, you will choose a Zero Trust solution that works with the different tools used within your organization, since those tools support the business goals that drive revenue. NIST recommends that you ask the following questions before making a decision:
- Does the proposed solution require any components that need to be installed on the client’s assets?
- Will the solution work where business process resources are stored on-site?
- Does the proposed solution allow the team to conduct analysis by logging interactions?
- Does your proposed solution need changes to address user behavior?
Deploying the solution
Once you have obtained the answers to your questions, it’s time to deploy your solution. However, it must be deployed in stages to avoid unexpected business interruptions. For the first stage, you should:
- Initially operate in observation and monitoring mode
- Ensure all privileged user accounts are getting access to your resources
- Ensure privileged user accounts’ access to resources is appropriately limited
- Review the access details to ensure all user accounts are accessing the resources as intended
If everything is working as intended in the first round, you need to engage in periodic monitoring of the controls set in place. However, you need to set certain baselines for activities like user behavior, communication patterns, or asset and resource access requests.
Additionally, you should also monitor the basic policy functionality of your Zero Trust Architecture and see if it:
- Denies any requests that fail Multi-Factor Authentication
- Denies requests from IP addresses associated with known attackers
- Grants access to other requests
- Ensures the generation of all necessary logs
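The following is an added example (not NordLayer code or a NIST artifact) that models both the staged rollout described above, where the first stage runs in observation mode, and the four basic policy checks just listed: a minimal policy decision point that denies failed MFA, denies known-attacker source addresses, grants everything else, and writes a log entry for every decision. The attacker network range, the request fields and the `monitor`/`enforce` mode names are constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

# Constructed deny list using an RFC 5737 documentation range; not a real indicator.
KNOWN_ATTACKER_NETWORKS = [ip_network("203.0.113.0/24")]


@dataclass
class AccessRequest:
    user: str
    source_ip: str
    mfa_passed: bool
    resource: str


@dataclass
class Decision:
    allowed: bool
    reason: str
    log_entry: str


class ZeroTrustPolicy:
    """Tiny policy decision point. 'monitor' logs would-be denials but still
    grants access (first rollout stage); 'enforce' actually denies them."""

    def __init__(self, mode: str = "monitor"):
        if mode not in ("monitor", "enforce"):
            raise ValueError("mode must be 'monitor' or 'enforce'")
        self.mode = mode
        self.log: List[str] = []  # every decision is appended here

    def _violation(self, req: AccessRequest) -> Optional[str]:
        if not req.mfa_passed:
            return "mfa_failed"
        if any(ip_address(req.source_ip) in net for net in KNOWN_ATTACKER_NETWORKS):
            return "known_attacker_ip"
        return None

    def evaluate(self, req: AccessRequest) -> Decision:
        violation = self._violation(req)
        if violation is None:
            allowed, reason = True, "policy_ok"
        elif self.mode == "monitor":
            allowed, reason = True, "would_deny:" + violation
        else:
            allowed, reason = False, violation
        entry = (f"user={req.user} ip={req.source_ip} resource={req.resource} "
                 f"mode={self.mode} allowed={allowed} reason={reason}")
        self.log.append(entry)
        return Decision(allowed, reason, entry)

    def pending_denials(self) -> int:
        """Count of requests monitor mode would have blocked; review before enforcing."""
        return sum(1 for e in self.log if "reason=would_deny:" in e)
```

Running a batch of recorded requests through a `monitor` instance and reviewing `pending_denials()` gives the baseline the text asks for before switching the same policy to `enforce`.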
Expanding your Zero Trust Architecture
After successful completion of the first phase, you will have obtained the required baselines and perfected logging. This will give your IT team confidence while monitoring workflows. You will now be able to expand and scale your Zero Trust model to initiate more phases of the rollout for your entire organization.
Ensuring the security of your cloud assets and remote employees has indeed become a challenge for organizations. However, a Zero Trust Architecture can give you a fighting chance against cyber attacks. It also gives you visibility of all activities taking place on numerous access points like your cloud, employee laptops, or other IoT devices.