Cloud security starts with zero trust
In this interview for Help Net Security, Mark Ruchie, CISO at Entrust, talks about cloud security and how zero trust should be implemented to guarantee overall cloud protection.
Organizations are increasingly moving their operations to the cloud, thus making security a top priority to make sure employee, personal and customer data is safe. Are organizations up to date with the security requirements?
Many organizations today are not close to where they need to be in order to have sufficient cloud security in the current work environment. Most organizations have outdated security systems that are generally based on-premises. Many times, these outdated systems add an extra layer of complexity to the process of shifting to the cloud, but this complexity does not mean organizations should hold off on this shift. In fact, holding off will only postpone the inevitable and make a system update even more complex down the line. An outdated system will also make an organization more susceptible to outside attacks due to limited security. This is why it is imperative for organizations to implement security controls when shifting to the cloud.
What are the steps organizations have to take to implement zero trust in their cloud environment?
Generally speaking, the best way for an organization to approach zero trust is for security teams to take the mindset that the network is already compromised and develop security protocols from there.
With this in mind, when implementing zero trust into a cloud environment, organizations must first perform a threat assessment to see where their biggest vulnerabilities lie. Zero trust strategy requires an inventory of every single item in a company’s portfolio, including a list of who and what should and should not be trusted. Additionally, organizations must develop a strong understanding of their current workflows and create a well-maintained inventory of all the company’s assets.
After conducting a thorough threat assessment and developing an inventory of key company information, security controls must be specifically designed to address any threats identified during the threat assessment to tailor the zero trust strategy around them. The nature of zero trust is inherently complex due to the significant steps that a company has to take to achieve a true zero trust atmosphere, and this is something that more businesses should take into account. Zero trust will not be achieved overnight and takes time, but it is worth it in the long run.
How can zero trust help protect data stored internally and externally?
Today, zero trust is the new “zoning” of legacy on-premise networks. However, zoning was tough to implement and introduced a lot of friction whereas zero trust has the potential to provide better security capabilities and not introduce as much friction to the business.
Additionally, zero trust provides more clarity for organizations as it is focused on protecting data rather than securing different segments. Zero trust limits access to data based on individual roles within an organization and protects access by role, helping to better secure valuable, sensitive company data by specifically identifying who has access to information. This is especially important in a cloud-based working environment since a zero trust strategy focuses on protecting data from bad actors. While employees may work on different networks or devices, zero trust can help ensure that important company data stored in the cloud is secure while still being accessible to those who need it.
At its core, zero trust inherently means security teams do not trust anything, so individuals accessing the organization’s network must prove they are trustworthy. This trust determines who is able to pass an organization’s firewalls. This is why it is important for organizations to go through a thorough assessment before granting trust.
How can zero trust optimize business operations money wise?
Implementing zero trust can greatly help organizations determine which areas are significant threats and which areas need increased security. This can help businesses ensure they are spending money on more targeted services that their IT teams need most to improve security. This can also help eliminate overspending on aspects of the company’s security strategy that are already sufficient. Overall, zero trust helps businesses focus on what is truly needed to improve security and helps inform business leaders to spend money wisely.
How do you see cloud security evolving in the future?
As more and more businesses migrate to the cloud, cloud security is already maturing and spreading out, requiring different solutions based on different design principles, processes and technologies. Several years ago, most people thought that they only needed to replicate on-premise security controls like web application firewall, and then came cloud access security brokers (CASBs), which required a new set of security controls.
Today, we have SaaS security posture management (SSPM), cloud workload protection platform (CWPP) and combined cloud-native application platform protection (CNAPP) tools. All these different tools make it more difficult for businesses to keep up with the changes to cloud security. There are only going to be more tools coming out in the future, so it’s critical businesses prioritize cloud security today so they can better keep up with the ever-changing cloud landscape.