Sponsored: Five Steps to Zero Trust
Federal agencies and especially the DOD are quickly embracing cloud computing for many IT requirements. Traditional computing paradigms are giving way to distributed computing that is fundamental to the dynamic and ephemeral cloud environment. At the same time, the user base is also becoming much more distributed, particularly in this era of increased remote work. Teams of globally dispersed personnel from the DOD, partner organizations and even supporting contractors are now regularly leveraging the cloud to share information critical to mission fulfillment.
Traditional protective measures cannot adequately secure cloud workloads and users. The cloud lets workloads scale out during peak consumption and scale back afterward, and microservices and containers have largely become the building blocks of these dynamic environments. Because the orchestration layer that manages microservices assigns and reassigns addresses every time a container is scheduled, an IP address alone is no longer an acceptable form of identity.
That continually changing, distributed environment makes Zero Trust an essential requirement for protecting everything within it. Rather than relying on traditional methods like walling off network segments, the way the cloud environment is protected needs to fundamentally change. Security must now be tied to high-value assets and to the criticality of each agency's unique protect surface: data, classified applications, cloud-hosted services and a range of other digital and physical assets.
In fact, NIST's recently finalized Zero Trust guidance (SP 800-207) directs moving away from protecting resources based on a network segment or an on-premises data center, and toward policy enforcement points and policy engines that match the dynamic nature of modern applications and data. To accomplish that, security controls must be tied to a stronger form of identity than static IP or hardware addresses. A better approach is to identify and define users, applications and systems by their verified identity and the specific functions they need to perform on the network, granting each of them least-privileged, need-to-know access.
Given the varying classification levels of what distributed users will access, Zero Trust-level security controls should be applied to every asset across the protect surface. Distributed workloads are also significantly increasing application-to-application (east-west) communication. In multi-cloud deployments, microsegmented protection should be applied to traffic flowing between cloud service providers. The same is true for workloads in the private and hybrid cloud environments that the DOD increasingly uses.
Security needs to be embedded within the application itself. Newer technology like machine learning (ML) can learn what legitimate application-to-application communication looks like and automatically generate policies that permit only that traffic. Using such tools to track workflows enables a scalable and far more effective security posture than attempting to manually define security for individual application flows, which is next to impossible in an environment as large and complex as the DOD.
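To make the preceding points concrete, the following is an added illustration, not code from Palo Alto Networks or from the NIST guidance. It models a policy engine and two policy enforcement points: one that allows traffic by IP address, and one that allows it by verified workload identity. The service names, IP addresses and the flow log are constructed, and the simple "learn the allow list from observed flows" routine is a stand-in for the ML-driven policy generation described above, not an implementation of it.

```python
"""Identity-based enforcement versus an IP allowlist in an ephemeral environment.

Added illustration; not Palo Alto Networks or NIST reference code.
All workload names, IPs and flow records below are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Workload:
    """One running instance: the service identity is stable, the IP is not."""
    service: str   # attested identity, e.g. from a workload certificate (assumed)
    ip: str        # assigned by the orchestrator; changes whenever it is rescheduled


# Constructed flow records as a policy engine might ingest them from an
# orchestrator or service mesh: (source identity, destination identity, port).
OBSERVED_FLOWS = [
    ("web-frontend", "payments-api", 8443),
    ("web-frontend", "payments-api", 8443),
    ("payments-api", "ledger-db", 5432),
    ("batch-report", "ledger-db", 5432),
]


def learn_policy(flows):
    """Derive a least-privilege allow list keyed on identity, never on address.
    A simplistic stand-in for automated (ML-driven) policy generation."""
    policy = defaultdict(set)
    for src, dst, port in flows:
        policy[(src, dst)].add(port)
    return dict(policy)


class IPAllowlistPEP:
    """Traditional enforcement: decide on (source IP, destination IP, port)."""

    def __init__(self, rules):
        self.rules = set(rules)

    def allow(self, src: Workload, dst: Workload, port: int) -> bool:
        return (src.ip, dst.ip, port) in self.rules


class IdentityPEP:
    """Zero Trust enforcement: decide on (source identity, destination identity,
    port), and only after the caller's identity has been verified (e.g. mTLS)."""

    def __init__(self, policy):
        self.policy = policy

    def allow(self, src: Workload, dst: Workload, port: int,
              identity_verified: bool = True) -> bool:
        if not identity_verified:
            return False  # unauthenticated traffic is never trusted, whatever its IP
        return port in self.policy.get((src.service, dst.service), set())


def demo():
    """Run both enforcement points through the same sequence of events.
    Each entry is (ip_allowlist_decision, identity_decision)."""
    policy = learn_policy(OBSERVED_FLOWS)
    frontend = Workload("web-frontend", "10.0.1.10")
    payments = Workload("payments-api", "10.0.2.20")
    ledger = Workload("ledger-db", "10.0.3.30")
    ip_pep = IPAllowlistPEP([(frontend.ip, payments.ip, 8443),
                             (payments.ip, ledger.ip, 5432)])
    id_pep = IdentityPEP(policy)

    results = {}
    # Steady state: both approaches permit the legitimate flow.
    results["steady_state"] = (ip_pep.allow(frontend, payments, 8443),
                               id_pep.allow(frontend, payments, 8443))
    # The orchestrator reschedules payments-api: same identity, new IP.
    payments_v2 = Workload("payments-api", "10.0.2.77")
    results["after_reschedule"] = (ip_pep.allow(frontend, payments_v2, 8443),
                                   id_pep.allow(frontend, payments_v2, 8443))
    # The old IP is recycled to an unrelated pod; the IP rule now trusts it.
    squatter = Workload("scratch-job", "10.0.2.20")
    results["recycled_ip"] = (ip_pep.allow(frontend, squatter, 8443),
                              id_pep.allow(frontend, squatter, 8443))
    # East-west lateral movement: the frontend was never seen talking to the DB.
    results["lateral"] = (ip_pep.allow(frontend, ledger, 5432),
                          id_pep.allow(frontend, ledger, 5432))
    # A spoofed source address with no verified identity is refused outright.
    spoof = Workload("web-frontend", "10.0.1.10")
    results["unverified"] = id_pep.allow(spoof, payments_v2, 8443,
                                         identity_verified=False)
    return results


if __name__ == "__main__":
    for event, decision in demo().items():
        print(f"{event:17s} -> {decision}")
```

The two middle events are the ones that matter: after a reschedule the IP allowlist blocks legitimate traffic, and when the old address is recycled it admits a workload that should never have been trusted, while the identity-keyed policy gets both cases right without any rule change.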
More and more agencies and branches are also leveraging the cloud for their development environment. As with that distributed user base, some developers may be working from their contractor’s locations; others (especially now) are working from their home offices; and still others may be working from hotel rooms or even coffee shops. Wherever developers are, their workloads are no longer restricted to a DOD-hosted secure data center.
Distributed development environments require Zero Trust-strength protection. A reliable approach is to employ microsegmented cloud access point technology that allows developers to securely reach their preferred resources and tools and do their work in highly secure environments. Such granular controls wall off development resources so that only those who should have access to them actually have it.
For more information about how Palo Alto Networks can help build your Zero Trust cloud environment, please visit https://www.paloaltonetworks.com/us-federal.