Keeping up with cybercrime is a constant battle in the virtual world. But what’s the point of protecting your castle if the criminals can get in when the drawbridge is down? Whether it’s to steal your data, hold it hostage, or sadistically wreak havoc, cyber threats are a real and present danger to any business. Current methods are no longer sufficient to protect your data.
This fact seems especially true for cloud services. Despite the convenience and opportunities that cloud services provide, they are often seen as less secure than more traditional networks.
The cloud has an advantage over location-based network security precisely because it is not inherently trusted. Businesses are more willing to think beyond the “castle and moat” type of security when building their cloud network, which makes cloud services the ideal place to start building your Zero Trust network.
What is Zero Trust?
The Zero Trust model of network security has been growing in popularity for many years now, spurred on by the constant barrage of cyber threats that seem to continually break through traditional security measures. Many businesses are recognizing that the “trust but verify” model often fails to stop cyber threats.
Zero Trust instead says that we must “verify and never trust.” No location or user is trusted enough to be given blanket access to the network every time they log in. Instead, data and applications are segmented, often through a next-generation firewall, so that each user, once authenticated, has access to only the information they need to do their job.
Zero Trust boils down to three main principles:
- Make sure all resources are securely accessed regardless of location.
- Adopt a policy of least privilege and enforce it.
- Inspect and log all traffic.
Unfortunately, transitioning from legacy systems to a Zero Trust model takes time and investment in next-generation hardware. For many small businesses, it would be more advantageous to approach Zero Trust one piece at a time. The cloud is a good place to start, especially if you are adding it to your current system and can build your Zero Trust cloud network from the ground up.
How to Build a Zero Trust Cloud Network
There are several ways to go about implementing a Zero Trust network in the cloud. Some cloud services companies offer these features already. Google has BeyondCorp, which is the foundation for its Cloud Platform. But if you are looking to build your own Zero Trust cloud network, or have your managed IT services team build it, then you need to focus on the three principles of Zero Trust.
- Make sure all resources are securely accessed regardless of location.
This is the core of the Zero Trust model. Ensuring all data is securely accessed regardless of location means that internal and external traffic are treated equally: both are untrusted. Cloud services make implementing this easier because traffic to the cloud is already considered external and can be more readily adapted than an internal network.
Multi-factor authentication (MFA, 2FA), granular permissions, and segmentation are all tools used to ensure secure access in the Zero Trust model. It’s important to lock down ports other than SSL and web traffic, segment and encrypt all data, and use whitelists in addition to the traditional authentication tools, such as password policies and login failure rules.
- Adopt a policy of least privilege and enforce it.
This means that each person only has access to the data and applications that are required to do their job. Currently, role-based access control is the best option, but it must be enforced in as many ways as possible—computer level, user account level, and computing process level—and you need granular controls to build this out for each role.
Identity and Access Management (IAM) services can handle most of these and also include the MFA and password policies necessary for secure access. Both Google’s and Amazon’s cloud services offer IAM.
- Inspect and log all traffic.
One of the problems with the “trust but verify” model is that only traffic coming through the perimeter is logged and inspected for malicious activity. In the Zero Trust model, all traffic is logged and inspected using network analysis and visibility tools. Cloud services once again make this simpler, as all traffic to the cloud is web traffic.
Wireshark is one of the most popular tools to analyze web traffic. Logging can normally be done through the firewall, but it’s important to remember that logging isn’t on by default. Proper configuration of your hardware is vital to the Zero Trust model. It’s also important to perform routine audits of your traffic and your system.
Joseph Baker, System Administrator at Anderson Technologies, recommends hiring an outside contractor to perform a penetration test of your network if possible. According to Baker, “Penetration tests will truly point out your weaknesses, whether that may be dropping flash drives on the ground with keyloggers on them to see who picks it up and plugs it in, shoulder surfing for passwords, putting on an orange vest and acting like they belong, or calling a user and pretending to be your IT vendor to gain access.”
Whether intentionally or by accident, it is the end user who is typically the point of access for cyber threats. By employing the “verify and never trust” motto to all your cloud services, you ensure that the people accessing your data are authorized to do so. Once you have the Zero Trust model built into your cloud services, you’ll have a place to begin the transition for the rest of your network until all your data is securely accessed.
Guest post courtesy of Mark Anderson. Mark is an IT Strategist and co-founder of Anderson Technologies. Mark specializes in implementing the best and most cost-effective solutions for his clients. For over 20 years, Anderson Technologies has leveraged its strengths for the benefit of its clients, pulling together the right team for every project.