Why Is Cloud Security So Hard? (Hint: It’s Not)
Securing a new environment without knowing the rules of the road can be hard. Take the time to learn the rules and avoid speedbumps.
If you believe that firewalls, VPNs, and Anti-Virus are enough to keep your company and data secure, then this article is for you!
If you’d talked to me recently and mentioned the words “VPN” or “firewall,” I may have been triggered and mentioned Zero Trust. However, Zero Trust is a concept that takes time to digest (it took me a while when I first heard it several years ago). So, this is a primer aimed at providing a straightforward vendor-neutral explanation for Zero Trust.
Zero Trust means granting no access until an entity (human or machine) has proven, through strong authentication, that it is who it claims to be. Access is then granted on a least-privilege basis, in other words, only to the resources needed to do the job. Access can be based on a number of contextual factors such as:
With the ubiquity of SaaS-based apps used in the workplace, we can no longer rely on simple networking rules to protect us. Zero Trust moves the perimeter out where IAM (Identity and Access Management) is the new perimeter.
“IAM is the new perimeter”
To better understand Zero Trust, let’s briefly revisit the traditional way access was granted. In the old world, we relied on an IP address to “trust” an entity: we allowed access based on an IP address and nothing else. That’s it! Oh, and once you got access, you had access TO THE ENTIRE NETWORK and could roam freely. We trusted that if you got past the gate and moat of the castle, you could roam around anywhere else in the kingdom without being asked again for identification or re-verification of your access permissions.
Can you imagine that?
Would you allow all the doors in an office building to be unlocked for anyone who got through the lobby doors successfully?
In the Zero Trust world, trust comes in many forms and ways. It’s up to you to measure that trust and decide what to provide access to based on your requirements. Sometimes, we are not even letting you see the application front door until you authenticate. In this case, we are asking for Multi-Factor Authentication (MFA), which would be a username, password, and a second factor such as a TOTP code. We could also use other contextual factors, or instead, a device certificate installed on a company-managed laptop.
With Zero Trust, network access would be more available, but strong authentication would be your gateway in.
“Zero Trust is useful when you have a dynamic workforce that needs access to secure environments. Instead of relying on IP Allow Lists, which is impossible to scale, Zero Trust enables secure access dynamically for multiple scenarios.”
Let’s take a look at a few examples.
The most common scenario is for executives and engineers to access various data from their mobile devices. This could range from a Business Insights (BI) dashboard like SAP Hana to Confluence (Wiki) access for engineers and employees. Previously, we would require them to have MDM configured and/or a VPN client set up and connected before access was provided. This obviously increases the complexity of accessing data but often does not vary the level of access once past the VPN moat.
So we have the following issues with this methodology:
Your company is working on launching a new, super-secret product, and the marketing or product team has a beta version of the website. However, as with many companies, they are relying on several people internally and externally to test and update the website. People are scattered globally. Additionally, automation scripts are in use to run tests.
Place the beta website behind Zero Trust. Individuals who need to access the website can use their EXISTING credentials and access the site for a longer period of time without re-authenticating. If they change computers or locations, they will need to reauthenticate.
For scripts running against the site, it could be as simple as generating a limited-duration token such as a JWT (JSON Web Token) to include in the request. A more complex yet trusted system would be role-based authentication.
I know, Zero Trust is a hard concept. However, with an ever-increasing distributed workforce and the proliferation of applications coming online, Zero Trust helps improve security while keeping it manageable and possibly giving a better user experience. Think about it: you’re already using Zero Trust with many SaaS applications like GSuite, O365, Slack, Atlassian, and GitHub. These are highly available applications, allowing access from anywhere. They have mechanisms in place to detect whether you are who you say you are or if something goes wrong.
Don’t take my word for it. This is a complex topic. Go and read on and let it soak in.
If you found this article helpful please share it and let me know. Any comments or questions, please feel free to email me firstname.lastname@example.org.