
Move to the Zero Trust Security Model

Learning Objectives

After completing this unit, you’ll be able to:

  • Describe considerations for moving to the Zero Trust (ZT) security model in the cloud.
  • List five steps to implement the ZT security model in the cloud.
Note

Zero Trust (ZT) is a security model that can be used in both cloud and non-cloud implementations. This module focuses on implementing ZT in the cloud.

Before You Start

If you completed the Zero Trust Security module, then you already know how to use existing technologies to implement the Zero Trust (ZT) security model. Now let’s talk about how to implement the ZT security model in your cloud environments. 

Zero Trust Security in the Cloud

Many IT security leaders are embracing zero trust as an effective approach in today’s cloud-first world. With the rise of the cloud, the network perimeter no longer exists in the way it used to. By enabling safe application access in a cloud-native world, internal corporate networks can become a thing of the past. 

The digital transformation accelerated by the COVID-19 pandemic created more demand for cloud services. More people moved to full or partial remote work and required access to their organization’s data from a wider variety of locations and devices. Today, employees connect to resources hosted in company data centers, in the cloud, and in hybrid environments. This increases complexity, and as access to computing resources becomes more distributed and heterogeneous, a defensible “perimeter” no longer exists. These trends all underscore the need for ZT.

Extending ZT security to your organization’s cloud-based assets can help your organization realize the cost savings of the cloud, while also applying high-tech controls to protect dispersed applications and data. We know that ZT makes a lot of sense when it comes to precisely controlling access to sensitive resources. Let’s take a closer look at the steps you can take to implement ZT for the cloud.

Five Steps to Implement Zero Trust for the Cloud

It’s important to recognize that implementing ZT doesn’t necessarily require you to remove and replace all your existing information technology (IT) or operational technology (OT) devices. Your organization likely already has a network infrastructure in place and is looking to transition off the perimeter-based approach for security. As your organization moves more of its resources to the cloud, you have the opportunity to also gradually transition your cloud-based resources to the ZT security model.

While there are many methodologies an organization can follow to implement the ZT security model, we focus on the following five steps. 

  1. Identify applications, assets, data, services, and users.
  2. Map key processes and transaction flows.
  3. Architect your cloud infrastructure.
  4. Develop and enforce ZT policies.
  5. Monitor and maintain your environment.

Let’s follow along with Karen, a ZT cloud architect at a nonprofit, as she follows these five steps to implement the ZT cloud security model at her organization.

Karen, with a cloud behind her, and surrounding the cloud are circles containing symbols of the five steps

Identify Applications, Assets, Data, Services, and Users

The first step in implementing the ZT security model is to understand who and what needs access to your digital resources. Karen plans for the transition to ZT by identifying the applications, assets, data, services, and users that require access in her cloud network. She engages the organization’s systems and data owners to determine the user base. She first considers which users need access to her organization's cloud resources and how they’ll access them. She also considers which of these individuals need privileged access. Users include employees, third-party contractors, external customers, and service providers. 

Karen identifies the assets (also known as devices or endpoints) that connect to her cloud network, who uses them, and how. She catalogs her organization's digital device assets, inclusive of workstations, smartphones, tablets, Internet of Things (IoT) devices, and more. Karen also identifies her organization's digital artifacts, such as data, applications, and services that require cloud access and storage. This process can include performing a crown jewels or data governance assessment to establish what data her organization possesses. Additionally, it can include the criticality of systems processing or storing that data, where the data is stored, who has access to it, and how they access it.

Map Key Processes and Transaction Flows

A critical component of ZT is preventing adversaries from moving laterally in your cloud environment to access other assets. Karen knows it’s critical to understand how and where data flows. She maps her cloud environment so she can create enforcement points throughout her architecture to secure, manage, and monitor devices, users, applications, and other activity. This action enables her to properly build resource access policies and implement controls to best protect her organization’s critical data.

To successfully implement a ZT architecture, Karen must connect information from across each security domain. She knows security teams across the company must agree on priorities and align on access policies. They strive to secure all connections across the business, from data to users and devices to applications, workloads, and networks. Karen’s finished identifying applications, assets, data, services, and users and mapping key processes and transaction flows. Next she turns her attention to architecting her cloud infrastructure, developing and enforcing ZT policies, and monitoring and maintaining her ZT environment. 
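To make steps 1 and 2 concrete, here is an added example (not part of the Trailhead module, and not Salesforce code) showing how an inventory of users, devices, and resources and a map of transaction flows become an enforcement point that denies anything not explicitly mapped. All user, device, service, and flow names are constructed sample data; the `evaluate` and `unmapped_flows` functions are hypothetical illustrations, not a real product API.

```python
"""Added example (not from the Trailhead module): turning a Zero Trust
inventory (step 1) and a map of transaction flows (step 2) into an
enforcement point that denies anything not explicitly mapped.
All names (users, devices, services, flows) are constructed sample data."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One mapped transaction: who talks to what, and how."""
    source: str       # a user role or a workload name
    destination: str  # an application, service, or data store
    action: str


# Step 1 output: constructed inventory of users, devices, and resources.
USERS = {
    "karen": {"role": "admin", "privileged": True},
    "priya": {"role": "staff", "privileged": False},
    "vendor-bob": {"role": "contractor", "privileged": False},
}
DEVICES = {
    "laptop-17": {"owner": "karen", "managed": True},
    "laptop-42": {"owner": "priya", "managed": True},
    "byod-phone": {"owner": "vendor-bob", "managed": False},
}
RESOURCES = {
    "crm-app": {"sensitivity": "internal"},
    "donor-db": {"sensitivity": "crown-jewel"},
    "ticketing": {"sensitivity": "internal"},
}

# Step 2 output: the only transaction flows the business actually needs.
MAPPED_FLOWS = {
    Flow("staff", "crm-app", "read"),
    Flow("staff", "crm-app", "write"),
    Flow("admin", "crm-app", "read"),
    Flow("admin", "donor-db", "query"),
    Flow("crm-app", "donor-db", "query"),   # workload-to-workload flow
    Flow("contractor", "ticketing", "read"),
}


@dataclass(frozen=True)
class Request:
    user: str
    device: str
    destination: str
    action: str
    mfa: bool = False


def evaluate(req: Request) -> tuple[bool, str]:
    """Enforcement point: every check must pass, otherwise deny.
    Returns (allowed, reason) so the reason can be logged."""
    user = USERS.get(req.user)
    if user is None:
        return False, "unknown user"
    device = DEVICES.get(req.device)
    if device is None or device["owner"] != req.user:
        return False, "unknown or unassigned device"
    if not device["managed"]:
        return False, "unmanaged device"
    if req.destination not in RESOURCES:
        return False, "unknown resource"
    flow = Flow(user["role"], req.destination, req.action)
    if flow not in MAPPED_FLOWS:
        return False, "flow not in transaction map"   # default deny
    if RESOURCES[req.destination]["sensitivity"] == "crown-jewel" and not req.mfa:
        return False, "crown-jewel resource requires MFA"
    return True, "mapped flow, managed device"


def unmapped_flows(observed: list[Flow]) -> list[Flow]:
    """Monitoring helper: observed traffic the map never anticipated.
    Each hit is either a gap in the map or an attempt at lateral movement."""
    return [f for f in observed if f not in MAPPED_FLOWS]


if __name__ == "__main__":
    print(evaluate(Request("priya", "laptop-42", "crm-app", "read")))
    print(evaluate(Request("priya", "laptop-42", "donor-db", "query")))
    print(evaluate(Request("karen", "laptop-17", "donor-db", "query", mfa=True)))
    print(unmapped_flows([Flow("crm-app", "donor-db", "query"),
                          Flow("ticketing", "donor-db", "query")]))
```

The point of the design is that the transaction map is the allow list: a request from a known user on a managed device is still denied if the flow was never mapped, and `unmapped_flows` gives the monitoring step (step 5) a direct signal that either the map is incomplete or something is moving where it should not.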
