
Size, Scale, and Complexity: Mastering Cloud Security with Zero Trust

When you hear the words “zero trust,” what comes to mind?

Many people may think that “zero trust” means we shouldn’t trust anyone, anywhere, at any time, under any circumstances. It sounds nice and simple, doesn’t it? Until you need something...

While “don’t trust anyone” may be a good strategy for maintaining your personal privacy or physical safety, it is a very real challenge to maintain these same principles online, when you’re connected to company or public networks. Instituting a zero trust framework for a company involves several important principles that need to be understood before you can appreciate and appropriately implement them.

Traditional network security approaches

Legacy security is based on the concept of keeping the good things in and the bad things out. It relies on a hardened perimeter supplemented by additional layers of protection against targeted attacks from the outside. The reality is that the perimeter-based security model neither protects the organization from an insider with malicious motives nor adequately protects the enterprise from advanced external attack scenarios: it lacks visibility into encrypted traffic, and it can’t prevent an attacker from compromising privileged accounts and then using them to move laterally within an environment to extract data.

The traditional network security model implicitly trusts internal users and traffic and provides unrestricted network access while attempting to control only the external or untrusted network. This model has failed and will only continue to fail organizations of all sizes, because trusting first and verifying second is neither thoroughly effective nor scalable enough to address emerging threats. Data can’t be protected only from outside risks; it must be protected at all times under all circumstances.

The challenge with traditional network security approaches is to embed security transparently regardless of where you are, what device is being used, or where the data resides.


Cloud Security Monitoring Challenges

Business needs are pushing all companies to leverage cloud services. Multiple benefits exist: ubiquitous access, speed to market, increased uptime, and a lessened burden on overcommitted IT teams all play into the migration of previously internally managed commodity services to cloud-based SaaS providers. The types of cloud services in use span the network, storage, and compute layers of IT as well as the corporate back-end systems supporting HR, finance, legal, and operations. All of these systems house sensitive and proprietary data, and data security remains the primary concern of security professionals whose organizations are leveraging cloud service providers. The cloud shared responsibility model offers some level of security around the environment and looks good on paper, but it’s imperative for organizations to apply additional controls for data protection and monitoring in cloud environments, and that’s a multi-faceted challenge.

Data security is a primary tenet of cloud architecture, cloud monitoring, and cloud incident response capabilities. Focusing on a data security model oriented around networks can restrict access to only those who require it, but we must go beyond basic virtual networking to support cloud environments. This includes placing data security controls into a combination of policies that look at the assets involved, the applications in use, as well as the data being accessed by a particular identity (whether that identity is human or machine).

Deploying a zero trust model includes the positive enforcement of specific checkpoints that must each be passed successfully before access is granted to a given piece of data or digital resource.

What to do to update your cloud security capabilities

The best way to think about updating your cloud security capabilities to maximize your benefits is to ensure that you don’t immediately throw away all of your current tools. While many of your existing security tools and solutions in your on-premises security stack will not easily migrate or even function successfully in a cloud-native environment, you need to take an inventory of what tools you have, look at why they were purchased, and review the use cases for which they were implemented. By looking back, you will now be positioned to move forward.

Once you have a solid understanding of your existing on-premises or hybrid security tools, you can then determine what can be augmented to help support a zero trust architecture (i.e., a data-centric focus; an assumed-hostile network environment; ever-present threats; an untrusted internal network, meaning all devices, networks, and users must be verified; and all traffic logged and inspected). By evaluating and comparing current tools you can determine what else you will need to implement: cloud services identity authentication, device access authorization, network segmentation, logging and inspection of data access traffic, and data activity monitoring and auditing of controls.

Existing networks can be further secured through segmentation or monitoring gateways that apply granular policies and controls based on the data being accessed, the applications being used, and the identity of the users and services requesting access. These network-focused gateways can help you extend into the cloud quickly while providing viable security through continued expansion. One potential issue that may arise when extending existing directories or security user groups into the cloud is that you could be replicating an over-permissioned user into the cloud environment. But a zero trust architecture will help you identify these situations by enforcing a verification process at every step instead of allowing unfettered access to any cloud resource.
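As an added illustration of the checkpoint sequence described in the two paragraphs above (identity authentication, device authorization, segmentation, data policy, with every decision logged) and of spotting an over-permissioned user replicated into the cloud, the following Python is constructed for this article and is not Edgewise, Zscaler, or MegaplanIT code; all identities, device names, zones, and policy tuples are invented.

```python
from dataclasses import dataclass

@dataclass
class Request:
    """One access request as seen by the policy decision point (constructed)."""
    identity: str            # human user or service account
    authenticated: bool      # identity verified this session (MFA / service token)
    device_id: str
    device_cert_valid: bool  # client certificate validated at the gateway
    src_zone: str            # network segment the request originates from
    app: str
    data_class: str          # "public", "internal" or "restricted"

# Constructed policy data for the example (not a real environment).
TRUSTED_DEVICES = {"laptop-42", "ci-runner-7"}
# Explicit (identity, app, data_class) allow list: anything absent is denied.
ALLOW = {
    ("alice", "hr-portal", "restricted"),
    ("alice", "wiki", "internal"),
    ("svc-reporting", "warehouse", "internal"),
}
# Segmentation: which source zones may reach which application.
SEGMENTS = {"hr-portal": {"corp-hr"}, "wiki": {"corp-hr", "corp-eng"},
            "warehouse": {"cloud-analytics"}}
AUDIT_LOG = []  # every decision, allow or deny, is recorded here

def decide(req):
    """Run every checkpoint; return ("allow" | "deny", [failed checkpoint names])."""
    checks = [
        ("identity_authenticated", req.authenticated),
        ("device_authorized", req.device_cert_valid and req.device_id in TRUSTED_DEVICES),
        ("segment_allowed", req.src_zone in SEGMENTS.get(req.app, set())),
        ("data_policy_allowed", (req.identity, req.app, req.data_class) in ALLOW),
    ]
    failed = [name for name, ok in checks if not ok]
    decision = "deny" if failed else "allow"   # default deny: one failure is enough
    AUDIT_LOG.append({"identity": req.identity, "device": req.device_id,
                      "app": req.app, "data_class": req.data_class,
                      "decision": decision, "failed": failed})
    return decision, failed

def over_permissioned(group_members):
    """Members of a replicated directory group that have no explicit cloud allow entry."""
    explicit = {identity for identity, _, _ in ALLOW}
    return sorted(m for m in group_members if m not in explicit)
```

A broad on-premises group replicated into the cloud grants nothing here: each member still needs an explicit entry, and `over_permissioned` lists the members who lack one.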

Keep in mind that you will want to take the time to rationalize your security stack and simplify it wherever possible as you enable cloud security gateways, network segmentation, and monitoring controls. This will drive cost efficiencies while ensuring effective data security is in place.

Zero trust throughout the stack

While a traditional zero trust architecture is network oriented, you must also ensure you include endpoints and applications in the security equation. Importantly, an endpoint-only strategy will not be effective, because endpoints carry the highest risk in terms of exposure, internet access, and business email compromise. You always want to begin your zero trust journey at the network or application layer to define policies prior to implementing them on the endpoint, but you will need all three to be successful. Remember, the network is the mechanism by which users, processes, and services communicate, while endpoints carry the highest risk of exploitation and applications contain the data attackers are after.

Planning for and upgrading client certificates will help ensure that only validated endpoints connect and communicate. By doing so, anything outside of an encrypted and validated communication session will be dropped. This step alone will eliminate several risk vectors from an insider threat and stolen credentials perspective. But even with controls in place, the endpoint remains the easiest thing for adversaries to exploit, so you must also layer security on the network and around your applications.

Extending cloud-native security controls

Cloud architectures naturally align with zero trust models, given that their virtualized services begin by defining virtual network zones where workloads are deployed and where sensitive data is accessed and stored. While native security controls in the cloud were initially weak, these controls and threat monitoring capabilities are increasing in effectiveness quickly. Amazon GuardDuty, Microsoft Azure Monitor and Azure Sentinel, and Google Cloud Platform’s Backstory are all examples of enterprise-level security features being built and offered by the cloud service providers. Extending virtual segmentation gateways into the cloud service provider stack can support several layers of zero trust policies that enforce controls on the traffic, whatever identity is performing the action, whatever applications are in use, and whatever data is being accessed.

Logging and auditing are not only a critical compliance requirement but a security imperative. Given the cloud architectures in place, you will not only need to enable logging at the virtual network, workload/system, and access control layers; all of the available traffic will also need to be analyzed by a threat correlation and behavioral analytics engine so that an appropriate response can be taken if any unusual or malicious traffic or events are observed.

Cybersecurity strategy impacts

The benefits of a zero trust design and data security control model extend to all organizations regardless of size, scale, and complexity. Ensuring that the strategy is aligned with business priorities and goals is paramount. Even the least technically oriented leaders of a company can understand the benefits, goals, and purpose of zero trust. Making sure that the architectures are solid, the use cases are documented, and the policies are thoroughly tested will all help in ensuring that the zero trust technology is effective even as the IT landscape is aggressively evolving. Maintaining a clear focus on data security will help all zero trust initiatives maintain the level of assurance and transparency that is continually challenged by every new, successful security breach.

Ensuring that the zero trust model is built as a multi-layered approach, and implementing new capabilities where traditional security models have faltered, will allow organizations to provide custom policies and controls for their specific assets and sensitive data. A scalable, proven, and customizable data security capability built on zero trust helps businesses meet their obligation to safeguard and protect their data. Zero trust allows businesses to understand what the data is, where it is located, and how it should be protected, with adaptive and scalable data security solutions that work across all networks, with any devices, and in all user circumstances.



Written by Mark Butler, Senior Vice President & Chief Information Security Officer

As Senior Vice President and Chief Information Security Officer, Mark leads the innovation and adoption of all services provided by MegaplanIT that deliver security testing, compliance assessments, consulting expertise, and managed security capabilities. Mark continues MegaplanIT’s client-first focus and tradition of long-term relationships established by earning trust, driving year-over-year efficiency gains, and ensuring that a holistic understanding of risk is realized within complex development, computing, and operational environments. MegaplanIT’s mission is to help our clients reach and maintain compliance, but never stop enhancing technical controls to close security gaps by integrating identification, detection, prevention, and response capabilities across sensitive client environments. Formerly CISO at Qualys and Fiserv, Mark brings over 27 years of information technology, entrepreneurial, and deep management experience spanning startups, vendors, consulting firms, and corporate enterprises. While at Fiserv, he led Security Strategy, Architecture, Security Fusion Centers, Threat Intelligence, and Internal Pen Testing, and developed a holistic Cyber Security Framework and maturity model that allowed the business to understand and prioritize investments in talent, strategy, and results across teams, processes, and technology stacks.