Hybrid cloud is becoming the environment-of-choice for enterprises looking to modernise and stay adaptable. William Malik, Trend Micro’s VP of infrastructure strategies, discusses how to leverage the zero trust security model to enhance security and address common challenges across your hybrid cloud.
Ah, the cloud. No longer just a fluffy, white blob in the sky, it’s widely considered the backbone to any business—especially those with remote workforces.
While cloud services can increase cost savings, the main value is the ability to support fast-moving business needs spurred on by robust digital transformation. The hybrid cloud does just that. By combining public clouds, private clouds, and on-premises resources, your enterprise can adapt and change direction quickly.
However, securing disperse resources and infrastructure can seem complex. While you do have the benefit of keeping your critical data on-premises, if you have a hybrid cloud infrastructure, you still have data going in and out or permanently residing in the cloud that needs to be secured.
In this article, I’ll outline how to use zero trust security to reduce risks of a breach.
Zero trust security basics
Zero trust is, as the name suggests, an approach where you trust nothing before verifying it. Just like you shouldn’t leave your bags with a stranger at the airport, you shouldn’t let devices, users, and apps waltz into your network without thorough authentication.
Furthermore, after access is granted, user, device, and app behaviour should be carefully monitored for suspicious behaviour. If anything unusual is observed, access should be immediately terminated.
The basics of a strong zero trust approach are:
- Understanding the cloud has no perimeter: Wherever you are in the cloud, you should not be automatically given/denied certain rights or privileges.
- Source of trust: Establish an architectural model to demonstrate how trust is “seeded” in the organisation. For example, the Pentagon distributed the common access card (CAC) with employee photos and names, which were directly linked to the employee’s records. To receive the card, employees had to validate their ID at a guarded station. This process created the source of trust and trustworthy procedures to distribute the sensitive information.
- Assume a minimal need to know: Each user, act, and service must authenticate itself and validate its identity and reason for being in that environment.
- MFA for critical tasks: Static passwords assume the identity of the user; if you know the password, you must be the account holder. MFA adds an extra layer of validation to ensure compromised users are denied access.
- Log, verify, audit, review: Ideally, you want to incorporate carefully maintained and reviewed logs with technologies that correlate events happening in the cloud environment with those happening elsewhere (network, endpoints, servers, etc.)
- Establish separation of duties: You wouldn’t give your house keys to every stranger you pass on the street. Only people living in your home need keys. Similarly, each user only needs access to the most essential resources they need. Nothing more, nothing less.
Keeping these basics in mind, you can procure the correct security solution to apply the zero trust approach.
Implementing zero trust security approach in the hybrid cloud
To implement the zero trust approach, you need a security platform that enables comprehensive visibility and the ability to collect and correlate data across your distributed environments. Key word: platform. Using point products across your hybrid cloud environment creates siloed, obstructed views, hindering your ability to see what’s happening with who and where.
Leveraging the right platform aligned with the zero-trust philosophy enables you to address the following hybrid cloud security pain points:
1. Audit and governance
Compliance in the hybrid cloud requires additional considerations. For each environment you need to check if its compliant, know how to implement security baselines, and how to prepare for security audits. By carefully maintaining and reviewing logs and records of who uses what resources and how they gain access, you create a robust set of data from which you can use to validate your assumptions about governance of activities in the cloud.
As I mentioned earlier, agility is critical to meet customer needs and expectations. Therefore, you must consider how hybrid cloud security procedures and policies will impact build and release times while subsequently ensuring only the securest apps are developed and deployed.
Applying a zero trust approach to DevOps processes is critical to ensuring secure apps. Especially considering some parts of the part are built in-house, other components use tech purchased or leased from other vendors, and some of it is composed of open source code. The software supply chain must be protected by authenticating users’ credentials, continuously monitoring the network and user behaviour, and vetting any third-party or open source technology brought on board.
Will all this authenticating and monitoring slow down the development lifecycle? Not if you choose a platform leveraging automation and customisable APIs.
3. Information security challenges
Identity management and Shadow Cloud/Garbage Collection also need to be addressed. Shadow Cloud is when you may have purchased technology unbeknown to you is part of the cloud, which in turn creates a new attack vector. Zero trust helps identify Shadow Cloud by validating any technology before granting it access.
Identity management is the foundation of zero trust. By following the zero-trust principal of “never trust, always verify,” security teams can identify who or what is there and what resources are being used.
4. Procurement and contract administration
Shadow Cloud is often due to lacking an established, formal procurement process, or just ignoring it all together. With distributed environments, you need to make sure you’re buying the right product from the right vendor.
Zero trust can be applied to the procurement process by establishing a vendor database to regularly re-verify. Every vendor entry should include the sources used to verify the organisation (credit reports, publicly traded stock filing, debt filing, and business profile information). Necessary contact info and accepted methods of contact should also be recorded; if you log that passwords can only be reset by the phone, you will know not to trust any emails asking you to change your password.
5. Performance management, capacity management, and monitoring
Can you see everything in your environment? Do you know if an app has gone rogue and is running up the bill or consuming too much compute power?
People often assume since the cloud is elastic, they don’t need to worry about capacity management. However, the consequences of a “loopy” app can result in steep bills and the overconsumption of costly resources. Worst case scenario, the unvalidated app is breached and used for crypto mining.
Zero trust ensures capacity and performance are continuously monitored; if there’s an abnormal spike in consumption, security teams will be alerted to further investigate.
6. Skills and organisational challenges
The skills gap isn’t new to cybersecurity, but recent social movements like the Great Resignation are putting extra strain on organisations already struggling with finding knowledgeable employees.
Simultaneously, enterprises are going through a massive digital transformation, stretching existing resources even thinner. Preserving the integrity of your organisation, its culture, and its values as you go through digital transformation is crucial.
Zero trust helps retain organisational knowledge by “requiring” (strongly encouraging) organisations to keep and maintain records of security processes and procedures. This clarifies how individuals, resources, and procedures are validated before granting access, helping employees avoid short cuts that may weaken the established information security protections.
Lastly, by utilising a zero trust aligned platform, security professionals are empowered, instead of overwhelmed by manual threat collection, correlation, and monitoring across different environments.
For additional insights into leveraging the zero trust approach to secure your hybrid cloud environment, check out these resources: