By Evin Safdia, Technical Marketing Manager, Prisma
The term “Zero Trust” has been around for almost 10 years, but it has recently picked up momentum as businesses look to proactively protect their data and infrastructure. With the shift to the cloud, Zero Trust is now a philosophy of choice for CIOs and CISOs, who are tasked with protecting their systems from outside attacks as well as from within the organization.
What Is Zero Trust?
Traditionally, network admins only needed to worry about protecting their organizations from outside threats. But the threat landscape has evolved. From zero-day malware to insider threats, network admins must now proactively protect networks and data to avoid breaches. With this evolution, the Zero Trust philosophy was born.
Zero Trust is based on the belief that trust should not be granted to anyone or anything, whether inside the network or outside it. This “never trust, always verify” approach enforces least-privileged access: once users are authenticated and identified, their traffic is continuously inspected for as long as they are connected to the network. Given the recent increase in the number and sophistication of breaches, it is unwise to simply assume that a user who connects to the network and passes authentication is in fact that user and not an attacker. In fact, a significant portion of hacking-related breaches still involve compromised and weak credentials – 29% according to the 2019 Verizon Data Breach Investigations Report.
To fully implement a Zero Trust approach, the following must be considered:
- Segmentation: Segment the network and enforce Layer 7 policy so that only known, explicitly allowed traffic and legitimate application communication can pass.
- Access Control: Adopt a least-privileged access strategy and strictly enforce access control.
- Threat Prevention, Investigation and Response: Inspect and log all traffic to quickly identify, prevent and respond to threats.
It is important to remember that secure access is not enough; constant inspection and prevention must be included to successfully enforce Zero Trust across your organization.
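The three considerations above, shown as an added example of a minimal policy evaluator (constructed for this article, not a product's policy engine): every request is denied unless an explicit rule allows it for that role, application and segment pair, some applications additionally require a managed device, and every decision is logged. The roles, applications, segments and log format are assumptions.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Request:
    user: str
    role: Optional[str]     # None means the identity has not been verified
    app: str                # Layer 7 application, e.g. "erp" or "ssh"
    src_segment: str        # network segment the request originates from
    dst_segment: str        # segment that hosts the application
    device_managed: bool    # device posture reported with the request

# Allow rules keyed on (role, app, src_segment, dst_segment). Anything not
# listed is denied by default ("never trust"). Constructed sample policy.
ALLOW_RULES = {
    ("finance", "erp", "corp-users", "finance-apps"),
    ("finance", "erp", "remote", "finance-apps"),
    ("devops", "ssh", "corp-users", "build-servers"),
    ("devops", "k8s-api", "corp-users", "build-servers"),
}
# Applications that also require a managed device (stricter least privilege).
MANAGED_DEVICE_ONLY = {"ssh", "k8s-api"}

# Every decision, allowed or denied, is recorded so unusual activity is visible.
AUDIT_LOG = []

def evaluate(req: Request) -> bool:
    """Decide one request. This runs on every request, not only at login,
    so an already-authenticated session is re-verified continuously."""
    if req.role is None:
        decision, reason = False, "unauthenticated"
    elif (req.role, req.app, req.src_segment, req.dst_segment) not in ALLOW_RULES:
        decision, reason = False, "no matching allow rule"
    elif req.app in MANAGED_DEVICE_ONLY and not req.device_managed:
        decision, reason = False, "managed device required"
    else:
        decision, reason = True, "explicit allow"
    AUDIT_LOG.append({"user": req.user, "app": req.app, "src": req.src_segment,
                      "dst": req.dst_segment, "allow": decision, "reason": reason})
    return decision
```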
Extending Zero Trust to Cloud Environments
As the popularity of software-as-a-service (SaaS) applications and public cloud offerings has grown, so has the complexity of maintaining security and control over the data, traffic and users accessing the cloud. Zero Trust in the cloud requires complete visibility into the cloud apps, the data being stored and who is accessing the data. While securing the cloud may have become more complex, it is important that users are not impacted when accessing the cloud, no matter their location. If there are too many steps for users to gain access to apps or data in the cloud, they will bypass the secure way to access and find alternatives. Secure access is crucial for Zero Trust to work, and it must have minimal impact on users, especially those in remote locations or different offices.
Extending Zero Trust to the cloud requires security delivered from the cloud. Security from the cloud allows for policy enforcement, better protection and visibility into all internet traffic. By having users and offices connect directly to the cloud, instead of first routing through headquarters or on-premises firewalls, your network and cloud architecture is simplified and your overall attack surface is reduced.
There are several use cases where Zero Trust in the cloud can be applied:
- Zero Trust for Private Apps in the Public Cloud: As apps move from on-site data centers to the cloud, secure access is crucial. Managed or unmanaged devices need to have strict policy enforcement, allowing access to necessary apps per the user role, while also maintaining security and protection. You also need to maintain constant visibility into what data is being accessed and by whom.
- Zero Trust for SaaS Apps: With the rise of popular SaaS apps like G Suite, Box and Office 365, collaboration has become easier with employees located anywhere, along with contractors and third-party vendors; but this can lead to unauthorized users having access to data or apps that do not pertain to their job requirements. Securing SaaS apps requires prevention protocols and policy enforcement. Providing employees and contractors different levels of access is important to keep users happy and data secure.
- Zero Trust for DevOps in the Cloud: Least-privileged access is a key part of Zero Trust. DevOps teams continuously build and tear down cloud apps through APIs, so it is necessary to ensure that those APIs are accessed only by the right individuals and that the information being shared is protected, with a granular level of visibility. By enforcing authentication at the security service layer, unauthorized users never get the chance to make an authentication attempt against an API, reducing the risk of attack.
Zero Trust Is a Strategy, Not a Product
There is no one product that you can bolt on top of your existing security tools to enforce a Zero Trust approach. Zero Trust is a philosophy that must be thoroughly thought out and implemented across the entire organization, including at physical remote sites and users as well as in the cloud. Secure access is one ingredient in the Zero Trust philosophy. Ongoing traffic inspection is necessary to quickly identify and remediate threats. With constant traffic inspection, unusual user behavior and activity can alert network admins to a possible imposter or breach. Building your Zero Trust strategy can benefit your organization with:
- Better visibility into data, assets and risks.
- Consistent and comprehensive security.
- Speed and agility to stay a step ahead of evolving technologies.
- Reduction of operational cost and complexity.
- Aid in assessment and compliance.
Palo Alto Networks is revolutionizing the way companies transform their cloud security infrastructure. Prisma by Palo Alto Networks – the industry’s most complete cloud security suite – provides visibility and secure access into data, assets, apps, users and risks while enabling speed and performance. Prisma consistently governs access, protects data and secures applications as organizations move to the cloud. With Prisma, organizations can apply a Zero Trust approach to securely connect branch offices and mobile users to the cloud, confidently embrace the use of SaaS applications, and rapidly develop and deploy cloud applications.