Zero-Trust Security — Part 1: How Is Zero-Trust Security Helpful for the Cloud?
By Raghav K.
A decade has passed since the zero-trust security model was introduced. Today, in an ever-changing technology landscape, security is a paramount concern for organizations worldwide. Digital transformation has led to a major shift in the standard operating policies of organizations in all industries and across many types of business.
Enterprises have been implementing the zero-trust security architecture rapidly. After a decade, zero-trust architecture has moved into the mainstream, with enterprises depending on the model to protect their most sensitive systems. Why? Attacks are becoming more sophisticated. A newer security system that changes the complete architecture and provides a zero-down security approach was necessary to maintain the integrity of the core system.
What Is the Zero-Trust Model?
The zero-trust security architecture (or model) is a concept that tells the system not to automatically trust anything, whether it comes from inside or outside the system. The architecture requires everything (including users, devices, and nodes) that requests access to internal system resources to be authenticated and authorized using identity access protocols.
One of Forrester’s blogs states, “In what is possibly the first of its kind, social engineers were able to defraud $243,000 from a German energy company through the use of natural language generation technologies earlier this year. Now that a precedent exists showing economic gains from AI-backed deepfake technology, expect more to follow. Expect the development of more deepfake-based attacks fabricating convincing audio and video at a fraction of the cost. To mitigate risk, IT departments need to further invest in training and awareness programs. Without savvy employees who understand the similarities and differences between deepfake-based attacks and legacy phishing schemes, the costs associated with the former will continue to rise.”
In another article, Gartner stated, “Worldwide spending on information security (a subset of the broader cybersecurity market) products and services exceeded $114 billion in 2018, an increase of 12.4 percent from 2017. For 2019, they forecast the market to grow to $124 billion, and $170.4 billion in 2022.”
Security for Tomorrow
Traditional security models focus on keeping attacks at bay by doing what kingdoms and countries have been doing for ages: fortifying boundaries and borders. In an IT system, these boundaries are protected by firewalls. There are web firewalls and application firewalls. Organizations have spent millions to strengthen their perimeters. User access and identity verification are also external defense mechanisms. Nobody thinks about looking inside the perimeter of the defense.
People assume that whatever is inside the defense perimeter is already secure and authenticated and cannot pose any threat to system security. These systems were automatically cleared for access without any due attention being paid to them. This castle approach became outdated and had to be replaced by something modern.
The concept originates from the idea of “What’s Next?” After an attacker gains access to your internal system or systems, they can freely move around while changing things and accessing different systems and modules. The zero-trust security model plugs this gap. Even after an attacker breaches the first firewall, each independent system would require another level of authorization before providing access.
With the introduction of the Internet, sharing among the masses became a phenomenon. Everyone shares some kind of data every day. The security measures were highly contained to protect a certain segment in the public domain. Zero-trust changes this approach.
Enterprise-scale data and information transmission requires a new standard for security so the processed data can be utilized to extract the most value. In the traditional client-server architecture, all of the information was centrally stored in a mainframe. Access and bypass only required a single password.
In the cloud model (or the cloud-native model) we are moving forward with, security can no longer be implemented using traditional approaches. The most complex systems can be crippled in seconds if security practices cannot be deployed to follow a new, stricter model of trust-based security architecture.
Today, enterprises could have multiple stakeholders, such as internal users, customers, partners, or IoT devices, that require system access anytime and anywhere. A large amount of data is stored either on-premises or in the cloud. It could be any cloud architecture, hybrid cloud or multi-cloud, but the information is stored in a distributed manner.
In a way, the distribution of information channels increases the security when data is at rest. Generally, systems across a network are isolated using a Virtual Private Cloud (VPC). The data is protected at rest. However, when the data is in motion or transmission, special security protocols must be followed to ensure no data breach occurs.
Based on Identity and Access Management and Privileged Identity Management services, the zero-trust security model introduces a newer, channeled approach to security. It gives identity access to users and to every device or system that tries to gain access. Authentication, authorization, and identity are the three pillars that give strength to the zero-trust security model.
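The contrast drawn above between trusting whatever is inside the perimeter and checking authentication, authorization, and identity on every request, as an added Python example that is not part of the original article. The signing key, network range, service names, and policy are constructed for illustration, and the HMAC token stands in for a real identity provider's credential (it has no expiry or revocation).

```python
import hashlib
import hmac
import ipaddress
from typing import Optional

# Everything below (key, network, identities, policy) is constructed for this example.
SIGNING_KEY = b"demo-key-constructed-for-this-example"
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")

# Authorization policy: which identities may reach which internal resource.
POLICY = {
    "billing-db": {"svc-billing"},
    "hr-records": {"svc-hr"},
}

def _mac(identity: str) -> str:
    return hmac.new(SIGNING_KEY, identity.encode(), hashlib.sha256).hexdigest()

def issue_token(identity: str) -> str:
    """Identity provider: bind an identity to a MAC only the provider can compute."""
    return f"{identity}.{_mac(identity)}"

def authenticate(token: Optional[str]) -> Optional[str]:
    """Return the identity if the token verifies, otherwise None."""
    if not token or "." not in token:
        return None
    identity, mac = token.rsplit(".", 1)
    # Constant-time comparison on bytes so malformed input cannot raise or leak timing.
    ok = hmac.compare_digest(mac.encode(), _mac(identity).encode())
    return identity if ok else None

def perimeter_allows(source_ip: str, resource: str) -> bool:
    """Castle model: any request from inside the boundary reaches any resource."""
    return ipaddress.ip_address(source_ip) in INTERNAL_NET

def zero_trust_allows(source_ip: str, resource: str, token: Optional[str]) -> bool:
    """Zero trust: network location is ignored. Each resource requires a
    verified identity that the policy authorizes for that resource."""
    identity = authenticate(token)
    return identity is not None and identity in POLICY.get(resource, set())

if __name__ == "__main__":
    billing = issue_token("svc-billing")
    inside = "10.1.2.3"  # a host already behind the firewall
    for resource in POLICY:
        print(resource,
              "perimeter:", perimeter_allows(inside, resource),
              "zero-trust:", zero_trust_allows(inside, resource, billing))
```

Run as a script, it shows an internal host holding only the billing identity being allowed everywhere by the perimeter check but only to `billing-db` by the per-request check.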
In the End — What Matters?
Alibaba Cloud has worked its way up the security ladder by introducing multiple products and solutions to cater to different segments and levels of security requirements at every stage of an enterprise solution. Alibaba Cloud introduced Identity as a Service (IDaaS), Anti-DDoS protection, Security Center, Sensitive Data Discovery and Protection (SDDP), and many other products.
In Part 2 of this series, I will discuss the technical implementation behind zero-trust security architecture and how enterprises can prepare to implement it.
- Zero-Trust Security — Part 2: Getting Started With Zero-Trust Security
- Zero-Trust Security — Part 3: Zero-Trust Security With Cloud-Native Microservices and Containers