The following article originally appeared in Dark Reading.
Applying Zero Trust in Cloud
Zero trust came about as an evolution of a concept called de-perimeterization, or security beyond the firewall, which the Jericho Forum pioneered.
John Kindervag, an analyst at Forrester Research, developed the concept further. Kindervag recognized that extending security beyond the edge of an enterprise's defenses made sense given the direction security trends were heading.
He devised a term to describe the primary issue: removing trusted relationships within computer systems. When you remove inherent, default, installed trust, you gain a better security paradigm. Zero trust was born.
Today, zero trust is a dominant security strategy; it's being adopted globally. In most cases, zero trust moves the control plane closer to the defended asset and attempts to tightly direct access and privileges, which are the objective arbiters of trust within most systems.
To put it another way, zero trust is nearly always an inversion of the old security paradigm that relied on high-security walls and granted overly permissive access. Instead, zero trust views, validates, and enables every request and move within the system on an as-needed basis.
Why Is Access So Critically Important?
Think for a moment like an adversary or a hacker. Successful hackers know that the biggest bang for the buck comes when they gain access as a user on a compromised system. The golden ticket here is acquiring credentials, access, passwords, user accounts, and privileges. In fact, one of the most used hacking tools is called the "Golden Ticket." Ever heard of Mimikatz? Look it up if you haven't.
Non-validated or compromised access is what an adversary wants – it gives them the keys to the kingdom. A good username and password give you precisely what you need. From a strategic standpoint, it makes sense to eliminate what the bad guys most want to use.
Managing Access Control Using Zero-Trust Strategic Principles
A long-held tenet of zero trust is that everything is compromised until proven otherwise. At some point, for some reason, an asset or entity will get popped – period.
Therefore, we must limit an attacker's ability to move laterally from a compromised system. If we can keep hackers "stuck" on the compromised machine or tied to a user account with limited privileges, we can mitigate the attack by isolating the hacked machine or user from the rest of the network.
Applying Zero-Trust Access in Cloud Systems
Data and trends tell us that cloud is the future of the enterprise and business. The cloud infrastructure approach has massive benefits; it has enormous potential avenues of compromise as well. As cloud data storage and repositories grow, more data becomes available for an attacker to target and compromise.
Vendors and third parties often access corporate cloud systems with little (if any) visibility and control, and bring their own security vulnerabilities with them. It's the equivalent of someone walking into your house with dirty shoes on – they might not have meant to track mud all over your nice clean floors, but by the time they have taken their shoes off, it's far too late, and you're left cleaning up the mess.
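The two access-control ideas above, keeping a compromised account tied to limited privileges and giving vendor or third-party access tight, visible scope, can be made concrete in a policy evaluator. The following is an added example, not code from the article or from Dark Reading: it is a small deny-by-default evaluator, loosely modeled on how cloud IAM policy evaluation works (no match means deny, an explicit deny beats any allow, and allows can carry conditions such as MFA and a managed device). The policy format, the principal `vendor-acme`, the bucket names and the request samples are all constructed for the example.

```python
"""Toy zero-trust access evaluator (constructed example, not a real cloud IAM API).

Shows a broad "trusted vendor" policy beside a scoped one, and evaluates the
same requests against both so the difference in blast radius is visible.
"""
from dataclasses import dataclass
from typing import Iterable, List, Tuple
import fnmatch


@dataclass(frozen=True)
class Request:
    """One access request; every request is evaluated, nothing is implicitly trusted."""
    principal: str
    action: str
    resource: str
    mfa: bool = False             # did the caller pass MFA for this session?
    device_managed: bool = False  # is the caller on a managed/attested device?


@dataclass(frozen=True)
class Statement:
    """One policy statement. Patterns use shell-style wildcards (fnmatch)."""
    effect: str                   # "Allow" or "Deny"
    principals: tuple
    actions: tuple
    resources: tuple
    require_mfa: bool = False
    require_managed_device: bool = False


def _matches(patterns: tuple, value: str) -> bool:
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def evaluate(policy: Iterable[Statement], req: Request) -> str:
    """Default deny; an explicit Deny that matches wins over every Allow;
    an Allow only counts if its conditions (MFA, managed device) are met."""
    decision = "Deny"
    for st in policy:
        if not (_matches(st.principals, req.principal)
                and _matches(st.actions, req.action)
                and _matches(st.resources, req.resource)):
            continue
        if st.effect == "Deny":
            return "Deny"  # explicit deny is final
        if st.require_mfa and not req.mfa:
            continue       # condition not met: this Allow does not apply
        if st.require_managed_device and not req.device_managed:
            continue
        decision = "Allow"  # keep looping: a later Deny can still override
    return decision


# "Before": the vendor is simply trusted. One stolen credential reaches everything.
PERMISSIVE_POLICY = (
    Statement("Allow", ("vendor-acme",), ("*",), ("*",)),
)

# "After": the vendor gets only the actions its job needs, on only its own prefix,
# only with MFA from a managed device; sensitive data carries an explicit Deny.
ZERO_TRUST_POLICY = (
    Statement("Allow", ("vendor-acme",),
              ("storage:GetObject", "storage:PutObject"),
              ("bucket:vendor-uploads/*",),
              require_mfa=True, require_managed_device=True),
    Statement("Deny", ("*",), ("*",), ("bucket:finance-*",)),
)

# Constructed sample requests: the vendor's legitimate work, then what a
# credential thief holding the same account would attempt.
SAMPLE_REQUESTS: List[Tuple[str, Request]] = [
    ("legit upload, MFA + managed device",
     Request("vendor-acme", "storage:PutObject",
             "bucket:vendor-uploads/report.csv", mfa=True, device_managed=True)),
    ("same upload from an unmanaged box without MFA",
     Request("vendor-acme", "storage:PutObject",
             "bucket:vendor-uploads/report.csv")),
    ("read the finance bucket",
     Request("vendor-acme", "storage:GetObject",
             "bucket:finance-2024/ledger.xlsx", mfa=True, device_managed=True)),
    ("create a new admin user (lateral move)",
     Request("vendor-acme", "iam:CreateUser",
             "iam:user/new-admin", mfa=True, device_managed=True)),
]


def compare_policies(requests=SAMPLE_REQUESTS) -> List[Tuple[str, str, str]]:
    """Return (label, decision under permissive policy, decision under zero-trust policy)."""
    return [(label, evaluate(PERMISSIVE_POLICY, r), evaluate(ZERO_TRUST_POLICY, r))
            for label, r in requests]


if __name__ == "__main__":
    for label, permissive, zt in compare_policies():
        print(f"{label:48s} permissive={permissive:5s} zero-trust={zt}")
```

Under the permissive policy all four requests are allowed, so a stolen vendor credential reaches the finance data and can mint a new admin. Under the scoped policy only the first request succeeds; the other three are denied, which is exactly the "stuck on a limited account" outcome the article argues for, and each denial is also a log line worth alerting on.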