Operationalizing Zero Trust in the Cloud: Don’t Fly Blind

A version of this article was published on Help Net Security. 

A common theme I hear about the cloud and security is that the cloud is secure. As organizations rapidly migrate, some have bought into the idea that workloads in the cloud are inherently more secure than those on premises. This idea is reinforced by the concept that the cloud service provider (CSP) assumes responsibility for security. However, while a secure cloud workload is possible, one should not automatically assume this as there are important steps to ensure its security.

Cloud Security Is a Shared Responsibility

Migrating to the cloud does not alleviate an organization’s cyber risk, nor does it transfer the risk to the CSP. Instead, it requires a shared security model where respective roles and responsibilities are clearly defined. While the shared services model does make some aspects of cloud security easier, managing the risk of exploitation by sophisticated cyber threat actors is not one of them.

For most security operations teams, monitoring on-premises workloads was easier. They could see what entered and left the environment, they owned the data, they had visibility into anomalies, and could easily triage them with a deeper investigation without involving a third party. Doing this across a hybrid and multi-cloud environment is more complex. It requires a new approach beyond what is typically offered by a CSP, which is usually not robust or ideally suited for a security-first organization. Complicating the task of securing data in the cloud further is the emergence of Zero Trust architectures (ZTA), as defined by NIST SP 800-171 Zero Trust Architectures.

Misconfigurations Magnify Risk

Many security issues involving cloud environments are caused by misconfigurations that expose large amounts of data to the world in seconds. Cyber adversaries are constantly scanning the internet looking for these mishaps and are prepared to act upon discovery. As a result, organizations are potentially one misconfiguration away from public access. Compounding this risk is a new class of cloud administrators who may not have a background in security and governance.

In on-premises deployments, most organizations typically employ a defense-in-depth strategy that includes perimeter controls, which provide some mitigation against the misconfiguration risk. As organizations migrate to the cloud, CSPs are fielding many capabilities to better manage misconfiguration and other similar risks. CSPs do not, however, routinely mitigate risk associated with motivated adversaries and insider threats. Each organization remains responsible for securing its own data against these sophisticated adversaries. This reality dovetails into the industry-wide movement for organizations to transition to ZTA driving out implicit trust and ensuring defense-in-depth across the organization.

Visibility Is the Best Defense Against Cyber Threats in Cloud Environments

The federal government is leading the push to accelerate the migration to ZTA. This is not only an immense technical challenge but also a policy, process, workforce, legal, and cultural challenge. One major technical concern that organizations need to anticipate is that moving to a complex and segmented environment that leverages multiple cloud and SaaS offerings will create blind spots for your security teams, as they will no longer be able to see lateral movement by cyber adversaries within segments, containers, and virtual platforms.

It is something of a truism, but you can’t defend against attacks you can’t see. Visibility into network traffic is a precondition for security in any environment you seek to defend. Leveraging consistent network visibility across all cloud service providers and on-premises environments enables competent cyber defense. The analysis of telemetry about network communications is critical to ensure that your analytics platform provides high assurance so that you can detect attacks before the threat actor can take action. In fact, visibility into network traffic is recognized as a requirement for ZTAs, as stated in NIST SP 800-207 and reinforced in the recent CISA Zero Trust Maturity Model v2.0.

Your Traditional Observability Solutions Aren’t Sufficient

Unfortunately, today, over 60 percent of IT leaders believe that today’s observability solutions serve narrow requirements and fail to provide a complete view of current operating conditions. As such, the only way to successfully protect your data, verify that your defenses are working, and provide an insurance mechanism in the event that some of your security controls are subverted is to gain deep observability across your hybrid cloud infrastructure.

With deep observability, organizations address broader security requirements and enhance traditional observability capabilities that rely on metrics, events, logs, and traces (MELT) with real-time network-derived intelligence and insights to mitigate security risks across hybrid and multi-cloud infrastructure.

Furthermore, only with this deep observability can organizations find the greatest value from observability across both on-premises systems and cloud services, core and edge components, and cybersecurity functions to eliminate network blind spots, lay a solid foundation for your ZTA, and avoid flying blind on their respective cloud journeys.