How to Use Zero Trust Security for the Hybrid Cloud
Applying a zero trust approach to DevOps processes is critical to ensuring secure apps. Especially considering some parts of the part are built in-house, other components use tech purchased or leased from other vendors, and some of it is composed of open source code. The software supply chain must be protected by authenticating users’ credentials, continuously monitoring the network and user behavior, and vetting any third-party or open source technology brought on board.
Will all this authenticating and monitoring slow down the development lifecycle? Not if you choose a platform leveraging automation and customizable APIs.
3. Information security challenges
Identity management and Shadow Cloud/Garbage Collection also need to be addressed. Shadow Cloud is when you may have purchased technology unbeknownst to you is part of the cloud, which in turn creates a new attack vector. Zero trust helps identify Shadow Cloud by validating any technology before granting it access.
Identity management is the foundation of zero trust. By following the zero-trust principal of “never trust, always verify,” security teams can identify who or what is there and what resources are being used.
4. Procurement and contract administration
Shadow Cloud is often due to lacking an established, formal procurement process, or just ignoring it all together. With distributed environments, you need to make sure you’re buying the right product from the right vendor.
Zero trust can be applied to the procurement process by establishing a vendor database to regularly re-verify. Every vendor entry should include the sources used to verify the organization (credit reports, publicly traded stock filing, debt filing, and business profile information). Necessary contact info and accepted methods of contact should also be recorded; if you log that passwords can only be reset by the phone, you will know not to trust any emails asking you to change your password.
5. Performance management, capacity management, and monitoring
Can you see everything in your environment? Do you know if an app has gone rogue and is running up the bill or consuming too much compute power?
People often assume since the cloud is elastic, they don’t need to worry about capacity management. However, the consequences of a “loopy” app can result in steep bills and the overconsumption of costly resources. Worst case scenario, the unvalidated app is breached and used for crypto mining.
Zero trust ensures capacity and performance are continuously monitored; if there’s an abnormal spike in consumption, security teams will be alerted to further investigate.
6. Skills and organizational challenges
The skills gap isn’t new to cybersecurity, but recent social movements like the Great Resignation are putting extra strain on organizations already struggling with finding knowledgeable employees.
Simultaneously, enterprises are going through a massive digital transformation, stretching existing resources even thinner. Preserving the integrity of your organization, its culture, and its values as you go through digital transformation is crucial.
Zero trust helps retain organizational knowledge by “requiring” (strongly encouraging) organizations to keep and maintain records of security processes and procedures. This clarifies how individuals, resources, and procedures are validated before granting access, helping employees avoid short cuts that may weaken the established information security protections.
Lastly, by utilizing a zero trust aligned platform, security professionals are empowered, instead of overwhelmed by manual threat collection, correlation, and monitoring across different environments.
Next steps
For additional insights into leveraging the zero trust approach to secure your hybrid cloud environment, check out these resources:
1. What is zero trust and why does it matter?
2. How zero trust and XDR work together
3. Cybersecurity trends for 2022