A Zero Trust Approach to Multicloud Security
Cloud service providers (CSPs) have matured to offer feature-rich services that provide significant cost benefits for client companies. By using a multicloud strategy, client companies can combine the best resources available from different CSPs when building their application architectures.
While a multicloud strategy helps companies keep pace with innovation and improve scalability, it introduces challenges for security teams. The traditional, perimeter-based security model is no match for today’s dynamic, multicloud deployments. Zero trust security, based on the principle of “never trust, always verify,” is emerging as a foundational approach to multicloud security. The zero trust model works by authenticating, authorizing and encrypting all access requests before granting them, independent of the user’s location, device or network.
In outlining the essentials of a zero trust-based multicloud security strategy, three cloud security questions guide us:
- What cloud-specific security challenges do organizations face today?
- How can a zero trust security approach handle these issues?
- What are the stages for implementing a zero trust cloud security program?
Common Cloud Security Challenges
Understanding each CSP’s shared responsibility model is crucial for organizations adopting a cloud-first strategy and developing multicloud systems. The shared responsibility model puts clients in charge of data and application security while CSPs remain responsible for physical security. These obligations vary per CSP and service model (e.g., Software as a Service, Platform as a Service or Infrastructure as a Service), so clients must understand where the provider’s responsibilities end and their own begin. The challenges and threats they face include resource misconfiguration, insider threats, device and endpoint management, high volumes of alerts and the need for continuous monitoring.
How Zero Trust Addresses These Cloud Security Challenges
The security threats and challenges enterprises face today require unique strategies and solutions within their cloud security program. A zero trust security model can help mitigate many of these challenges by enforcing strict access controls, minimizing attack surfaces and enhancing visibility into cloud resources.
Building a Zero Trust Cloud Security Strategy
The zero trust approach can address many cloud security challenges, including data breaches and account hijacking, compliance and regulatory issues, insufficient visibility and control, and inadequate training and awareness. This approach emphasizes strong access controls, malware containment, secure configurations, thorough vetting of third-party vendors, continuous monitoring, secure authentication and robust incident response strategies. The National Institute of Standards and Technology (NIST) zero trust model provides an evolving set of cybersecurity protocols that focus on protecting users, assets and resources.
NIST’s recommendations include:
- Identify assets and data to determine ownership, and document asset metadata (tech stack, production or nonproduction environment).
- Classify assets and data to determine which need protection; compromised databases, application servers and files could harm the organization.
Strategic plan or processes
- Apply the zero trust model’s fundamental principle, “never trust, always verify,” to all business components, regardless of location.
- Use policy-based security to practice consistent security and compliance.
Network access management
- Microsegment the network into smaller, isolated segments to restrict lateral movement and contain an attack to a single segment.
- Develop a cloud-agnostic process to manage infrastructure across several CSPs.
Access and identity management
- Manage user and device identities, giving each user and device a unique ID. Choose an identity system that supports multiple CSPs’ authentication models and lets you centrally configure user and service principal accounts, roles and permissions, and access policies.
- Enable and enforce a strong password policy.
- Require multifactor authentication so that compromised credentials alone do not grant an attacker access.
- Use privileged identity management to separate privileged and break-glass users from others.
- Establish a conditional access policy that grants access based on user and device identity, device location, time of access and similar signals, so that anomalous access requests are denied. The same applies to service principals accessing cloud resources.
- Enforce least-privilege access to give users only the privileges they need to work. Review and update privileges regularly.
- Manage vendors to make sure third-party providers meet your security criteria and support the zero trust concept.
- Protect data by encrypting it both at rest and in transit, so that data intercepted or accessed without authorization cannot be read.
- Implement a secure software development life cycle (SDLC) so that applications are built securely from the start. Update and patch applications regularly to fix vulnerabilities.
- Accelerate application deployment and life-cycle management with automation.
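As an added illustration (not from the article or NIST), the following deny-by-default evaluator combines the conditional access signals listed above (identity, MFA, device posture, location, time of access) with role-based least privilege and a separated break-glass account; the users, roles and action names are constructed.

```python
from dataclasses import dataclass
from datetime import time

@dataclass(frozen=True)
class AccessRequest:
    user: str
    mfa_verified: bool          # MFA completed for this session
    device_compliant: bool      # managed device passing posture checks
    country: str                # location signal
    local_time: time            # time of access
    action: str                 # requested operation, e.g. "storage:read"

@dataclass(frozen=True)
class Policy:
    allowed_countries: frozenset
    access_window: tuple            # (start, end) as datetime.time
    user_roles: dict                # user -> role
    role_permissions: dict          # role -> frozenset of permitted actions
    break_glass_users: frozenset    # emergency accounts, kept separate

def evaluate(req: AccessRequest, policy: Policy) -> tuple:
    """Deny by default: returns (decision, reasons, needs_audit)."""
    reasons = []
    if not req.mfa_verified:
        reasons.append("mfa_missing")
    if not req.device_compliant:
        reasons.append("device_noncompliant")
    if req.country not in policy.allowed_countries:
        reasons.append("location_not_allowed")
    in_window = policy.access_window[0] <= req.local_time <= policy.access_window[1]
    break_glass = req.user in policy.break_glass_users
    if not in_window and not break_glass:
        reasons.append("outside_access_window")
    role = policy.user_roles.get(req.user)          # unknown user -> no role
    if req.action not in policy.role_permissions.get(role, frozenset()):
        reasons.append("action_not_in_role")        # least privilege
    decision = "allow" if not reasons else "deny"
    # Break-glass use outside the window is allowed but flagged for review
    needs_audit = decision == "allow" and break_glass and not in_window
    return decision, reasons, needs_audit

# Constructed sample policy (hypothetical users, roles and actions)
POLICY = Policy(
    allowed_countries=frozenset({"DE", "US"}),
    access_window=(time(7, 0), time(19, 0)),
    user_roles={"alice": "developer", "bg-admin": "admin"},
    role_permissions={"developer": frozenset({"storage:read"}),
                      "admin": frozenset({"storage:read", "iam:write"})},
    break_glass_users=frozenset({"bg-admin"}),
)
```

Every request is evaluated in full regardless of where it originates, and a break-glass login outside the access window is flagged so it reaches the monitoring described in the next section.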
Continuous visibility and incident response
- Monitor network traffic and user activity with monitoring tools to identify suspicious behavior and inform incident response.
- Analyze user behavior with user and entity behavior analytics to spot security threats.
- Use automated response solutions. Security orchestration, automation and response (SOAR) tools speed up incident response and reduce downtime.
Internal and third-party audits
- Periodically audit and evaluate vendors to verify that the zero trust approach is operating as intended and to identify opportunities for improvement.
- Conduct security awareness training. Regularly teach staff about zero trust, current threats and safe online practices so that all employees understand their security responsibilities.
- Provide periodic secure development training. Since the cloud is innovating and CSPs regularly offer new services and resources, cloud solution architects and developers must engage in security training on a regular basis.
- Track key performance indicators and key risk indicators to assess process performance and the remediation of identified risks.
- Zero trust is an ongoing effort, so review, update and upgrade your security strategy as threats and business needs change.
Develop a Multicloud Security Strategy
Adopting zero trust is a journey, not a destination. It requires constant examination and adaptation to new threats and business demands. A dynamic strategy helps keep your security resilient and effective as the security landscape changes.
Building a comprehensive multicloud security strategy is a complex undertaking that necessitates a zero trust security model. One place to start is with our Building a Multicloud Security Strategy: A Zero Trust Approach white paper. This paper details how organizations can implement zero trust strategies to overcome the challenges associated with multicloud environments, ensure a consistent and unified security posture, and protect their valuable data and applications in the cloud.