Examples of implementing Zero Trust in your cloud architecture
Zero Trust, or Zero Trust Architecture (ZTA), is a term coined in 2010 by John Kindervag, then an analyst at Forrester Research. The Zero Trust model shifts from "trust but verify" to "never trust, always verify": no request is trusted because of where it comes from, and every access is authenticated, authorized, and evaluated against policy.
This post shares a few concepts that can easily be introduced into your cloud architecture in support of a ZTA. It is not an exhaustive or comprehensive list, but more of a "getting started" approach.
Ramping Up
Here is some background information to be aware of if you plan on embarking on your zero trust journey.
Zero Trust Implementation Guides from Cloud Service Providers
Each of the major cloud providers has implementation guides for zero trust:
- AWS: https://aws.amazon.com/security/zero-trust/
- Microsoft Azure: https://www.microsoft.com/en-us/security/business/zero-trust
- Google Cloud: https://services.google.com/fh/files/misc/zt_implem_guide_800_27.pdf
- Oracle Cloud: https://www.oracle.com/a/ocom/docs/whitepaper-zero-trust-security-oci.pdf
Zero Trust Mandate from the U.S. Federal Government
In January 2022, the White House Office of Management and Budget released memorandum M-22-09, which sets forth a federal ZTA strategy and requires agencies to meet specific zero trust objectives by the end of fiscal year 2024.
The goals in this 29-page memo align with CISA's five pillars of identity, devices, networks, applications and workloads, and data.
NIST SP 800-207
NIST SP 800-207 is the National Institute of Standards and Technology (NIST) publication that defines the principles and components of a Zero Trust Architecture. In a ZTA, no entity is automatically trusted because of its network location; every subject and device is authenticated and authorized before access to a resource is granted. The emphasis moves away from defending a network perimeter and toward protecting individual resources (data, applications, services) wherever they sit, with a policy decision point and policy enforcement point in front of each one.
The five pillars most people use to organize a zero trust program come from CISA's Zero Trust Maturity Model, and map onto the approaches NIST SP 800-207 describes (enhanced identity governance, micro-segmentation, and software-defined perimeters):
- Identity - think enhanced identity governance
- Devices
- Applications and workloads
- Networks - think microsegmentation and software defined perimeters
- Data - think data in-transit and at-rest
The link to this documentation is here: https://csrc.nist.gov/pubs/sp/800/207/final
Tactical Objectives
Keep in mind that you cannot migrate to zero trust overnight. At the same time, the Department of Defense (DoD) Zero Trust Strategy warns that "incremental improvements will not give us the security we need," so the plan should be a deliberate, prioritized roadmap rather than a series of small, disconnected changes.
Start with:
- Deny by default
- Log, inspect, and continuously monitor all configuration changes and network access
- Enforce least privilege (think Role-Based Access Control and Just-In-Time permissions)
- Verify explicitly
- Create a DAAS (data, assets, applications, and services) inventory to understand the protect surface (and prioritize)
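To make "deny by default", "verify explicitly", and just-in-time least privilege concrete, here is a small policy evaluator in Python. It is an added example and not code from the original post or from any cloud provider; it only imitates the "explicit deny beats allow, and anything not explicitly allowed is denied" pattern that AWS IAM and similar systems use. The sample policies are constructed for this illustration, and the condition keys `mfa_present` and `not_after` are assumed names, not real provider condition keys.

```python
"""Toy IAM-style policy evaluator (added example, not a real provider's engine)."""
from datetime import datetime, timezone
from fnmatch import fnmatchcase

# Constructed sample policies in an IAM-like shape; not real account data.
# "mfa_present" and "not_after" are assumed condition-key names for this toy.
SAMPLE_POLICIES = [
    {   # scoped grant: only the app-logs bucket, and only after MFA (verify explicitly)
        "Statement": [{
            "Effect": "Allow",
            "Action": "s3:*",
            "Resource": "arn:aws:s3:::app-logs/*",
            "Condition": {"mfa_present": True},
        }]
    },
    {   # guardrail: nothing may delete logs, regardless of what else is granted
        "Statement": [{
            "Effect": "Deny",
            "Action": "s3:Delete*",
            "Resource": "arn:aws:s3:::app-logs/*",
        }]
    },
    {   # just-in-time elevation: admin rights that expire at a fixed instant
        "Statement": [{
            "Effect": "Allow",
            "Action": "iam:*",
            "Resource": "*",
            "Condition": {"mfa_present": True,
                          "not_after": "2024-06-01T12:00:00+00:00"},
        }]
    },
]


def _as_list(x):
    return x if isinstance(x, list) else [x]


def _conditions_hold(conditions, ctx):
    """True when every condition on a statement is satisfied by the request context."""
    if conditions.get("mfa_present") and not ctx.get("mfa_present", False):
        return False                      # verify explicitly: no MFA, statement does not apply
    not_after = conditions.get("not_after")
    if not_after and ctx["now"] >= datetime.fromisoformat(not_after):
        return False                      # JIT grant has expired
    return True


def evaluate(policies, action, resource, ctx):
    """Deny by default; an explicit Deny overrides any Allow; Allow needs a full match."""
    decision = "deny"                     # implicit deny until a statement says otherwise
    for policy in policies:
        for stmt in policy["Statement"]:
            if not any(fnmatchcase(action, p) for p in _as_list(stmt["Action"])):
                continue
            if not any(fnmatchcase(resource, p) for p in _as_list(stmt["Resource"])):
                continue
            if not _conditions_hold(stmt.get("Condition", {}), ctx):
                continue
            if stmt["Effect"] == "Deny":
                return "deny"             # explicit deny always wins
            decision = "allow"
    return decision


def run_scenarios(policies=SAMPLE_POLICIES):
    """Evaluate a handful of constructed requests and return name -> decision."""
    before = datetime(2024, 6, 1, 11, 0, tzinfo=timezone.utc)   # inside JIT window
    after = datetime(2024, 6, 1, 13, 0, tzinfo=timezone.utc)    # after JIT window
    log = "arn:aws:s3:::app-logs/2024/06/01.gz"
    mfa, no_mfa = {"mfa_present": True, "now": before}, {"mfa_present": False, "now": before}
    return {
        "read_with_mfa":    evaluate(policies, "s3:GetObject", log, mfa),
        "read_without_mfa": evaluate(policies, "s3:GetObject", log, no_mfa),
        "delete_with_mfa":  evaluate(policies, "s3:DeleteObject", log, mfa),
        "other_bucket":     evaluate(policies, "s3:GetObject", "arn:aws:s3:::secrets/key", mfa),
        "jit_in_window":    evaluate(policies, "iam:CreateUser", "*", mfa),
        "jit_expired":      evaluate(policies, "iam:CreateUser", "*",
                                     {"mfa_present": True, "now": after}),
        "ungranted_action": evaluate(policies, "ec2:RunInstances", "*", mfa),
    }


if __name__ == "__main__":
    for name, decision in run_scenarios().items():
        print(f"{name:18} -> {decision}")
```

Three behaviours are worth noticing when you run it: a read without MFA is denied even though a matching Allow exists (verify explicitly), the delete is denied even with MFA because the guardrail Deny overrides the broad `s3:*` Allow (explicit deny wins), and the same admin request flips from allow to deny once the clock passes the `not_after` instant (just-in-time, time-boxed privilege). Everything not covered by a statement, such as `ec2:RunInstances`, falls through to the implicit deny.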