Many business leaders are convinced of the benefits of the cloud. But they still struggle to understand the subtleties of this world. This is particularly true when it comes to data security, which depends on a division of responsibilities. If measures are not taken internally, the cloud can become a security hole. Hence the need to rely on a "Zero Trust" model to protect all applications and sensitive data.
Cloud Security & Zero Trust
Appearances die hard. Such is the case with cloud security. Sure, cloud providers' datacenters are bunkers. But they do have one weak point: you! Providers make this clear in their contracts: they look after the security of their infrastructure, not your data.
It's your responsibility to protect the data you entrust to them, and to manage access to it. In a nutshell, if you host critical data on a SharePoint instance or a drive of any kind, and it's accessible to anyone (no encryption, no password...), that's your problem.
Not the provider's! The provider gives you a number of options (some providers have even turned options into default settings because of their customers' negligence...) for configuring its security tools and thus reinforcing the confidentiality of your information.
Traditional, perimeter-based security strategies are outdated. They can no longer ensure adequate visibility, control and protection of traffic and applications.
And by definition, a cloud provider's security options are not tailored to the specifics of each of its customers. Some of them may be subject to specific regulations, or have customers who impose certain security processes on them.
It is therefore necessary to take a number of measures to achieve a "Zero Trust" approach. With such an approach, you apply the "never trust, always verify" principle to all entities (users, devices, applications...), regardless of who they are or where they are located.
These principles may be simple to implement in a corporate network, but how do they apply to the cloud?
Zero Trust objectives
Before getting started, it's important to define the objectives for implementing "Zero Trust in the cloud", as well as the desired business outcomes.
Identify your applications and data by classifying them (e.g. confidential, sensitive, unimportant). Then find out where they are located. Normally, all companies that have begun their GDPR compliance work have already completed this step...
Map flows, i.e. how your applications really work;
Create boundaries between users and applications and implement microsegmentation. This involves dividing security perimeters into smaller zones to maintain separate access. A person or program with access to one of these zones will not be able to access any of the other zones without separate authorization;
Develop "Zero Trust" policies based on who should have access to what, and apply access controls based on the principle of least privilege. The ANSSI (Agence nationale de la sécurité des systèmes d'information) reminds us that "it is customary to restrict the component's execution environment to the resources strictly necessary for its needs". At the same time, inform your staff about the implementation of this new policy;
Monitor and maintain your Zero Trust environment.
All traffic should be continuously inspected and recorded to identify unusual activity. With active monitoring, your protection area can expand.
Set up multi-factor authentication
Simply entering a password is not enough to gain access. A common application of MFA (multi-factor authentication) is two-factor authentication (2FA). To use Office 365, for example, employees have to type in their password, but also enter a code sent to another device, such as a cell phone, thus providing two proofs of identity.
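The measures listed above (classification, microsegmentation, least privilege, MFA and logging) can be combined into a single default-deny access check. The following is an added example, not code from the original article; the resource names, users, zones and the rule that confidential and sensitive data require a second factor are assumptions made for illustration.

```python
from dataclasses import dataclass

# Constructed inventory (classify and locate): resource -> (zone, classification)
RESOURCES = {
    "hr-sharepoint": ("hr", "confidential"),
    "finance-drive": ("finance", "sensitive"),
    "intranet-wiki": ("common", "unimportant"),
}
# Constructed least-privilege grants; access to one zone never implies another.
GRANTS = {
    ("alice", "hr"): {"read", "write"},
    ("alice", "common"): {"read"},
    ("bob", "finance"): {"read"},
}
# Assumption of this example: these classifications need a second factor.
MFA_REQUIRED = {"confidential", "sensitive"}
AUDIT_LOG = []  # every decision is recorded for monitoring

@dataclass(frozen=True)
class Request:
    user: str
    resource: str
    action: str
    mfa_passed: bool = False

def _evaluate(req):
    """Default deny: each check must pass, whoever or wherever the caller is."""
    if req.resource not in RESOURCES:
        return False, "unclassified resource"
    zone, classification = RESOURCES[req.resource]
    actions = GRANTS.get((req.user, zone))
    if actions is None:
        return False, f"no grant for zone '{zone}'"
    if req.action not in actions:
        return False, f"action '{req.action}' not granted"
    if classification in MFA_REQUIRED and not req.mfa_passed:
        return False, "second factor missing"
    return True, "granted"

def decide(req):
    """Evaluate a request and log the outcome, allowed or not."""
    allowed, reason = _evaluate(req)
    AUDIT_LOG.append((req.user, req.resource, req.action, allowed, reason))
    return allowed, reason

if __name__ == "__main__":
    for r in (Request("alice", "hr-sharepoint", "read", True),
              Request("alice", "finance-drive", "read", True)):
        print(r, decide(r))
```

Denied requests are logged alongside granted ones, so repeated cross-zone attempts show up in the audit trail as unusual activity.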
Implementing a "Zero Trust" policy adapted to the cloud is essential. In late 2016, hackers stole Uber's Amazon Web Services account credentials and then stole data on millions of its customers...
Cloud security policies need to be dynamic and reliably enforced. This requires visibility of the data and applications that reside there. Never-used Office 365 subscriptions can represent a loophole. One study showed that a third of companies didn't know how many Office 365 accounts were actually in use...
"Zero Trust in the cloud" complements the security measures applied by the provider, leading to a more secure cloud computing environment.