During the Cloud Native Security Summit last month in New York, zero trust networking held a prominent place on the agenda. In addition to a dedicated talk and a panel session, several other speakers noted the rising prevalence of zero trust as a methodology for protecting hybrid cloud and cloud-native environments. This makes a lot of sense: companies developing, storing, processing, and running business-critical applications in another company’s (or companies’) infrastructure(s) need to ensure the security of those applications and workloads while relinquishing control over the environment.
The backbone of the summit was a joint study by Duo Security, Capsule8, and Signal Sciences which revealed that 62% of companies rely on cloud-native applications for more than half of their applications. Further, 73% of companies say they lack actionable insight into emerging threats and ongoing attacks in their cloud environments.
With so much to lose, it’s no surprise that organizations are looking for ways to improve the security of their applications in the cloud, and zero trust—when applied correctly—offers that capability.
What is this “zero trust,” anyway?
Moderated by Wendy Nather, Director of Advisory CISOs at Duo Security, the panel session “Learning to Trust Zero Trust” focused on demystifying the term “zero trust,” which is getting its moment in the spotlight at present but doesn’t necessarily have an agreed-upon definition. Starting at the logical beginning, Nather posed the question to the panelists: What is zero trust? Nick Selby, Director of Cybersecurity at the New York Police Department (NYPD), responded that, in its simplest form, zero trust means that every time authorization and/or access to a service is requested (in the data center or cloud), certain criteria must be met before a connection is permitted. Harry Sverdlove, CTO & Founder of Edgewise, expanded on Selby’s definition, saying that zero trust means starting at a place of “no trust” for every network communication, and that companies cannot rely on static attributes to determine trustworthiness. Instead, data access decisions should be dynamic and based on as many criteria as possible. Ross McKerchar, CISO at Sophos, added that zero trust is “a marketing term” but also said that zero trust is a whitelisting approach which allows companies to use identity as the new perimeter. Together, these definitions serve as a starting point for understanding zero trust.
Digging a little deeper into this thread, the panel discussed how identity, in and of itself, is a fluid term. “Identity” is traditionally used in networking to describe a person using a device to access applications and services. Identity, though, can also mean the attributes that describe applications and services in the cloud. Therefore, saying that “identity is the new perimeter” can mean either that security teams focus on heightening security around the cloud applications themselves, or that they tighten control over who and what accesses those apps.
Either is a viable approach to zero trust, noted the panel. The key to applying zero trust is moving away from the mindset that everything inside the network can be trusted and realizing that trust is neither binary nor permanent. This is why, the panel agreed, in a zero trust environment, attestation must occur every time applications, services, users, hosts, and devices request communication. A “one-and-done” approach to authorization and authentication is not viable in today’s threat landscape, nor does it provide the fine-grained control security and networking teams need to manage their cloud workloads.
Moving towards zero trust
When adopting a zero trust model, said McKerchar, security teams must realize that they don’t need to change everything at once. Each incremental step of removing trust and adding a requirement for iterative verification of communicating workloads helps organizations mitigate cybersecurity risk. Selby added that it’s useful for organizations to prioritize assets in terms of criticality before deciding where to begin with zero trust. That could mean starting at the core—data and applications—or placing greater protection around who and what accesses data and applications. “Whichever you choose,” said Nather, “you are limiting your attack surface and making improvements to security.”
Before an organization can fully embrace a zero trust security model, it’s imperative to understand what applications it has in the cloud. This isn’t always an easy step, and Selby, whose primary focus during his career has been incident response, warned that the worst incidents he’s worked have been for companies that have taken a laissez-faire approach to asset inventory. “Visibility is everything,” he said, adding that “It’s important to get an actual enumeration of your apps in the cloud. If you’re conducting surveys [through personnel] to find out where your applications are, you’re already in trouble.” This is why a zero trust environment requires automated tools that provide visibility into all applications in the cloud and the network pathways they use to communicate. Visibility is always the #1 step.
What’s driving zero trust now?
Many people in the security industry have pondered why zero trust is just now gaining momentum, given that the Jericho Forum introduced the concept in 2003 and John Kindervag, then at Forrester Research, solidified and defined the term as it’s commonly used today. The panelists offered several reasons. To start, better technologies for asset discovery/inventory, authorization/authentication, and microsegmentation exist today. Next, the industry has matured to a point where “it’s almost an embarrassment” if a security vendor doesn’t include certain fundamental security functionality in their products. Third, the vendor landscape is so vast and competitive that enterprises are no longer stuck with a security vendor long-term if that vendor isn’t delivering on stated capabilities. This reduction in purchasing risk has forced vendor companies to evolve and rise to customer needs in order to survive. And one of the reasons zero trust is so “hot” right now is that security end users realize that trust-based controls don’t sufficiently protect cloud workloads.
The ability to start at a place of zero trust is appealing to security teams because it means they have more control over business-critical applications and services in the cloud. “Zero trust gives users the ability to question security assumptions at every point during a network communication,” said Sverdlove. The days of the “trusted insider” may be long gone, and organizations now have a modern approach to securing cloud workloads that doesn’t rely on static network constructs like IP addresses, ports, and protocols. In short, Sverdlove concluded as time on the panel ran out, “protecting network communications is the most important thing,” and zero trust provides a reliable way to do that.
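As an added illustration (not from the summit or any panelist), the following Python sketch contrasts the “trusted inside” model with the per-request, identity-based decision the panel described: the allowlist is keyed on attested workload identity rather than source address, and each call re-checks that the attestation is still fresh, so trust is neither binary nor permanent. The SPIFFE-style identities, service names, addresses and timings are constructed for the example.

```python
"""Per-request, identity-based access decisions versus a network perimeter."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Tuple

# Allowlist keyed on workload identity, not on network location.
# Identities and service names are constructed for this illustration.
ALLOWED_CALLERS = {
    "orders-api": {"spiffe://example.org/ns/shop/sa/checkout"},
    "billing-db": {"spiffe://example.org/ns/shop/sa/orders"},
}
MAX_ATTESTATION_AGE = 300  # seconds an attestation is honoured (assumed policy)
INTERNAL_RANGE = ip_network("10.0.0.0/8")  # constructed "inside" network


@dataclass
class Request:
    identity: str       # attested workload identity (assumed SPIFFE-style)
    attested_at: float  # time the identity was last attested (epoch seconds)
    src_ip: str         # source address, still visible but not a trust criterion
    service: str        # target service being called
    now: float          # evaluation time, passed in to keep the example deterministic


def perimeter_decision(req: Request) -> bool:
    """Legacy model: anything coming from the internal range is trusted."""
    return ip_address(req.src_ip) in INTERNAL_RANGE


def zero_trust_decision(req: Request) -> Tuple[bool, str]:
    """Evaluated afresh on every request; no result is cached or assumed.

    Two criteria are checked here: the caller's identity must be allowlisted for
    the target service, and its attestation must be recent enough. A real policy
    engine would add more (device posture, request context), as the panel urged.
    """
    if req.identity not in ALLOWED_CALLERS.get(req.service, set()):
        return False, "identity not allowlisted for service"
    if req.now - req.attested_at > MAX_ATTESTATION_AGE:
        return False, "attestation stale; re-attest before connecting"
    return True, "allowed"


if __name__ == "__main__":
    # A workload with a valid identity but a stale attestation: the perimeter
    # model still allows it, the per-request model does not.
    stale = Request("spiffe://example.org/ns/shop/sa/checkout", 1000.0,
                    "10.1.2.3", "orders-api", 1400.0)
    print(perimeter_decision(stale), zero_trust_decision(stale))
```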