Cloud security is tough enough, but hybrid cloud adds a few extra challenges, such as visibility between cloud platforms and the difficulty of remaining current with compliance protocols for industry and government regulations.
Is zero-trust the answer for hybrid cloud security and its unique challenges? Bill Malik, VP of infrastructure strategies with Trend Micro, addressed this issue at the RSA 2021 information security conference, held virtually May 19-21, 2021, which celebrated the theme of resilience for its 30th year. Malik pointed out that no matter what cloud platform you use, you will always be responsible for at least part of the security.
“The cloud will take some responsibilities off your desk, but not all of them,” he said. It’s an important point, because there is still a misunderstanding that cloud providers handle all security related to their platforms.
Why Zero Trust?
“The philosophy behind zero-trust is there is no perimeter,” Malik said. “There is no boundary of trust. There is no reasonable assumption that people who are inside that mythical boundary are somehow trustworthy, and don’t need to be authenticated.”
The cloud has no perimeter, which makes it ideal for zero-trust security. But to apply zero-trust to the hybrid cloud, security teams need to rethink the ways they traditionally approach cybersecurity. Malik discussed these traditional security models and how they must be adjusted for a zero-trust philosophy:
- On the private network, everything is trusted, but when applying zero-trust, nothing is trusted by default.
- Traditionally, identities are not assumed to be compromised, but in a zero-trust model, everything and everyone must be verified.
- Similarly, traditional security models assume users will act responsibly, but in zero-trust, it is better to limit access.
- Finally, rather than use an approach designed to detect attacker behavior, zero-trust creates greater challenges for attackers.
Using Zero Trust in the Hybrid Cloud
There are a lot of security issues in the cloud, and the hybrid cloud must address the security concerns facing both the private cloud and public cloud. New services and new applications are introduced with increasing frequency, and these new capabilities offer threat actors new routes of attack, Malik explained. The problem is that security teams continue to default to traditional approaches, which ends up leaving the hybrid cloud’s attack surface more vulnerable. The hybrid cloud needs to be able to identify users in real time. Because employees’ jobs evolve over the course of their careers, their online permissions will change.
However, that change doesn’t come all at once. Sometimes, the employee will need to keep an access permission just for the transition from one job to another; in other cases, it should be shut down immediately. There will be permissions that depend on completed training. Whatever the situation, identity management is a complex task, especially across the multiple platforms of the hybrid cloud. Deploying zero-trust makes it easier to determine access and authorizations.
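The access decisions described above (nothing trusted by default, a permission kept only for a job transition, one shut down immediately, one that depends on completed training) can be expressed as a per-request check. This is an added example, not code from Malik's talk or from Trend Micro; every class, function, permission string and course name in it is hypothetical.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

# Added example: every name and permission string here is hypothetical.
@dataclass(frozen=True)
class Grant:
    permission: str
    expires: Optional[datetime] = None       # set for job-transition grants
    requires_training: Optional[str] = None  # course that must be completed first
    revoked: bool = False                    # shut down immediately

@dataclass
class Identity:
    user: str
    verified: bool                           # was this request authenticated?
    grants: list = field(default_factory=list)
    completed_training: set = field(default_factory=set)

def decide(identity, permission, now):
    """Evaluate one request. Nothing is trusted by default: the answer is deny
    unless a verified identity holds a live grant for this exact permission."""
    if not identity.verified:
        return False, "identity not verified"
    matching = [g for g in identity.grants if g.permission == permission]
    if any(g.revoked for g in matching):     # a revocation overrides other grants
        return False, "grant revoked"
    reason = "no grant (default deny)"
    for g in matching:
        if g.expires is not None and now >= g.expires:
            reason = "transition grant expired"
        elif g.requires_training and g.requires_training not in identity.completed_training:
            reason = "required training not completed"
        else:
            return True, "granted"
    return False, reason

# Constructed sample: an employee moving from billing to engineering.
NOW = datetime(2021, 5, 20, 12, 0, tzinfo=timezone.utc)
ALICE = Identity("alice", verified=True, grants=[
    Grant("billing:read", expires=NOW + timedelta(days=14)),   # kept for handover
    Grant("billing:approve", revoked=True),                    # removed at once
    Grant("prod:deploy", requires_training="secure-deploy"),   # gated on training
])

if __name__ == "__main__":
    for perm in ("billing:read", "billing:approve", "prod:deploy", "hr:read"):
        print(perm, decide(ALICE, perm, NOW))
```

Because the check runs on every request with the current time, the transition grant stops working on its expiry date without anyone having to remember to remove it.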
Layered Cloud Security
While zero-trust improves on traditional security methods for the hybrid cloud, it can’t solve every problem. According to Malik, the following are the major security pain points found in the hybrid cloud:
- Audit and governance
- Information security
- Procurement and contract administration
- Performance management and monitoring
“Zero-trust does not address most of these capabilities,” Malik said. “That’s the split between where zero-trust helps the cloud and where it doesn’t. There are some problems zero-trust doesn’t solve.”
Every cloud is perfectly secure when it is created, said Malik. “It is only by the intentional acts of the people working on that cloud that it is rendered insecure and rendered visible to unintended persons.”
In the hybrid cloud, it is time to get rid of the notion of a perimeter and of relying on traditional security methods to protect the cloud network and assets. Zero-trust network architecture offers a structure to protect areas of the hybrid cloud that are otherwise difficult to protect.