Architect Cloud Infrastructure and Develop ZT Policies
Learning Objectives
After completing this unit, you’ll be able to:
- Describe considerations for architecting your cloud infrastructure.
- List steps to develop and enforce Zero Trust (ZT) policies.
- Define how to monitor and maintain a ZT environment.
Architect Your Cloud Infrastructure
In moving to a ZT security model in the cloud, Karen’s goals are to give users secure access to her organization’s applications and data across the public cloud, Software as a Service (SaaS) applications, and private cloud and data centers. To achieve these goals, she knows her organization must put in place a single, unified security architecture that controls and limits who has access to cloud assets, and how they can be used. She also needs to ensure the architecture inspects traffic and enforces security policies on an ongoing basis.
In moving to a ZT security model in the cloud, Karen takes into account different types of cloud architecture (public, private, and multi-cloud), to ensure she understands the drawbacks and benefits of each in enabling her ZT implementation.
Recall from the Cloud Security Engineering module that the main difference between public and private cloud is that in the public cloud, you do not have control over the infrastructure. Karen knows this is troublesome because a single mistake in the configuration of the cloud environment can leave it open to attack and loss of sensitive data. She also knows that the data stored in the public-cloud environment is at greater risk of exposure than data in the private data center.
Karen knows that when high- and moderate-sensitive data and applications live in the public cloud, she must secure the cloud infrastructure and govern the data stored in the cloud environment as part of Zero Trust. Regardless, she’s aware that all applications and services should be segmented behind a next-generation firewall. She also considers that in the public cloud, there might be different paths into the infrastructure for traffic sourced from the internet versus traffic sources from within the organization.
If there are multiple paths into the infrastructure she must take care to ensure all paths traverse a next-generation firewall before reaching the application or service. Like with the private data center, how she accomplishes the segmentation is dependent on the public-cloud provider. She also knows that to protect applications and services in the private data center and public cloud, security rules for traffic inbound from the internal network should be limited to the appropriate user groups. One tool she can use to provide edge security for cloud-based resources is to use a web application firewall (WAF). WAF filters malicious traffic, including cross-site scripting (XSS) and structured query language (SQL) injection via custom-defined rules.
Karen knows that many businesses today are already moving to a multi-cloud architecture and deployment, leveraging multiple public and hybrid cloud providers. A multi-cloud strategy allows organizations to deploy workloads across multiple platforms, providing much more flexibility than working with only one cloud platform. The high complexity of multi-cloud deployments also increases the attack surface and the risk of cyberattacks, raising new cloud security concerns. She knows that a multi-cloud architecture requires a holistic approach that addresses diverse security vulnerabilities and establishes consistent security controls across multiple heterogeneous environments.
One tool Karen considers in implementing ZT in the cloud is using a cloud access security broker (CASB) to protect her SaaS applications. A CASB is like a firewall, which allows her organization to extend security control beyond its network boundaries. CASBs provide visibility into who is using the cloud service and the way it’s being used. CASBs can also provide her control to ensure data stored outside your organization meets all compliance as per regulatory requirements. They also help her monitor access to data stored in the cloud, providing access control on various parameters such as location, internet protocol (IP) address, browser, operating system, and device. Finally, CASBs can also provide various alerts to inform her IT team about threats that are detected within her organizations’ users based on users’ behavior.
Another tool Karen considers is Zero Trust Network Access (ZTNA). ZTNA replaces traditional technologies, like virtual private network (VPN), and enables secure, granular access to applications, without granting wide network access. The isolation afforded by ZTNA improves security, removing the need to directly expose applications to the internet. The internet becomes an untrusted transport, and access to applications occurs through an intermediary. The intermediary can be a cloud service controlled by a third-party provider, or a self-hosted service.
In determining the best architecture for her organization, Karen works with the IT security and infrastructure team to document:
- Existing components within the environment that enable ZT
- Additional capabilities and technologies that require installation to support ZT
- Feasibility of new and existing technical tools or services working across the organization’s IT environments
- Workflow to log processes and transaction flows for analysis
- Policies and training requirements to help users understand the new ZT model and enforce new security controls
- Staffing and financial resources required to support ZT implementation
Developing this list allows the organization to establish the right architecture, tools, policies, and timelines for implementing ZT in a manner that’s the most beneficial and easiest to scale. Once Karen presents the findings of this analysis to the organization’s lead infrastructure architects, she collaborates with other cybersecurity team members to determine the best course of action for procuring and deploying the necessary resources to support ZT.
Develop and Enforce ZT Policies
To successfully implement the ZT security model at her organization, Karen next turns to developing and enforcing technical and nontechnical ZT policies. She considers risks that users and devices pose, and compliance requirements. She starts by configuring, testing, and implementing allow rules. These rules authorize users to access specific resources using the specified devices and applications at the right time in the right places. To do so, she can use role-based rules to ensure only the right employees can access secure areas or resources, without needing to create a rule for every user.
Karen knows these policies rely on real-time visibility into the user, device, and application identity attributes in her environment. She collects these through identity and access management (IAM), asset management, and monitoring tools. She uses the data from these tools to implement strict policies and permissions for all accounts, following the principle of least privilege, and limiting connection privileges for service accounts. Other policies she creates and enforces determine access and authorization enforcement, such as which identities can access certain hosts and whether this requires multi-factor authentication (MFA). Additional policies define access restrictions to prevent devices that don’t meet her organization’s security and maintenance standards from accessing resources.
With the ZT policies established, Karen methodically works to implement them into the environment. She starts by setting baselines for activities like asset and resource access requests, user and service account behaviors, and transaction flows and communication patterns. From there, she monitors how the implementation of the policies impacts the environment and adjusts accordingly. Karen knows that the time it takes to move to a ZT security model depends on the complexity of her organization’s environment. She communicates this to her leadership, stressing that the process is a gradual one that in some cases can span multiple years.
Monitor and Maintain Your Environment
After these initial steps implementing ZT and ensuring everything works as intended, Karen knows her work isn’t done. She also needs to monitor and maintain her cloud environment to confirm whether the policies she put in place are functioning as expected. For example, if MFA is required on certain resources, does a request that doesn’t use MFA fail?
Karen also checks whether the controls and policies she put in place successfully deny requests from known attacker-controlled or subverted IP addresses. She then checks to make sure legitimate access requests aren’t being denied. She monitors how the new security controls and policies are impacting users’ experience in conducting regular business functions. Karen also ensures the proper logs are being generated to enable the level of monitoring the team needs. And she uses monitoring data to continue to update the ZT environment as needed.
Finally, Karen applies the lessons learned from the initial migration of business processes to the ZT cloud environment to plan for migrating additional workflows in the future. For each phase of migrating new workflows to the ZT cloud environment, she follows a similar process in implementing new controls and policies, and monitoring the environment. As she does so, she continues to update her environment’s baselines as appropriate. And she works with the broader team to document policies and procedures so the organization knows how to implement and maintain ZT for their cloud environments moving forward.
