Sponsored: The Importance of Zero Trust in the Cloud Environment
Federal agencies and especially the DOD are quickly embracing cloud computing for many IT requirements. Traditional computing paradigms are giving way to distributed computing that is fundamental to the dynamic and ephemeral cloud environment.
At the same time, the user base is also becoming much more distributed, particularly in this era of increased remote work. Teams of globally dispersed personnel from the DOD, partner organizations and even supporting contractors are now regularly leveraging the cloud to share information critical to mission fulfillment.
Securing cloud workloads and users is far more difficult than traditional protective measures allow. The cloud enables workloads to scale out during peak consumption and scale back afterward. Microservices and containers have largely become the building blocks of these dynamic environments. Because of the dynamic nature of the cloud and the orchestration environment used to manage microservices, an IP address alone is no longer an acceptable form of identity.
Redefining the Protect Surface
That continually changing, distributed environment makes Zero Trust an essential requirement for protecting everything within it. Rather than traditional methods like walling off network segments, the way the cloud environment is protected needs to fundamentally change. Security must now be linked to high-value assets or the criticality of each agency’s unique protect surface—data, classified applications, cloud-hosted services and a range of digital and physical assets.
In fact, NIST’s recently finalized Zero Trust guidance directs moving away from the practice of protecting resources based around a network segment or on-premises data center to instead utilizing policy enforcement points and policy engines that match the dynamic nature of modern applications and data. To accomplish that, security controls must now be pegged to a stronger form of identity beyond traditional static IP or hardware addresses. A better approach is to identify and define a user, other applications, and systems by what they do on the network, based on their least-privileged, need-to-know status.
Situational context matters. For instance, when is an employee trying to access a given resource—during normal work hours or the middle of the night? Does that make sense for their job role? Where is the employee physically located when attempting access—on U.S. soil or overseas? If the latter, is that acceptable? What type of device is the employee using—a government-issued asset or a personal device? It simply makes sense to specify controls that provide an identity for both a given user and the particular resource they're trying to access, and to limit that user’s actions with that resource.
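The contextual checks described above, rendered as a small default-deny policy decision point. This is an added illustrative example, not code from the article or from any vendor product; the resource names, role names, location and device labels are constructed for the demonstration.

```python
"""Zero Trust policy decision point (added example): evaluate an access
request against identity, role, time of day, location and device type with a
default-deny outcome. Resource names and labels below are constructed."""
from dataclasses import dataclass
from datetime import datetime

@dataclass(frozen=True)
class AccessRequest:
    subject: str
    role: str
    resource: str
    when: datetime
    location: str        # constructed labels: "US" or "OVERSEAS"
    device: str          # constructed labels: "GOVERNMENT" or "PERSONAL"
    mfa_verified: bool

# Constructed catalogue: need-to-know roles plus the context each resource tolerates.
RESOURCE_POLICY = {
    "mission-planning-db": dict(allowed_roles={"planner"}, work_hours=(7, 19),
                                allow_overseas=False, allow_personal_device=False,
                                require_mfa=True),
    "public-wiki": dict(allowed_roles={"planner", "contractor"}, work_hours=(0, 24),
                        allow_overseas=True, allow_personal_device=True,
                        require_mfa=False),
}

def evaluate(req: AccessRequest) -> tuple[bool, list[str]]:
    """Return (allowed, reasons). Any failed check, or an unknown resource, denies."""
    policy = RESOURCE_POLICY.get(req.resource)
    if policy is None:
        return False, ["unknown resource: default deny"]
    reasons = []
    if req.role not in policy["allowed_roles"]:
        reasons.append(f"role {req.role!r} lacks need-to-know for {req.resource}")
    start, end = policy["work_hours"]
    if not start <= req.when.hour < end:
        reasons.append(f"access at {req.when:%H:%M} is outside expected hours")
    if req.location == "OVERSEAS" and not policy["allow_overseas"]:
        reasons.append("overseas access not permitted for this resource")
    if req.device == "PERSONAL" and not policy["allow_personal_device"]:
        reasons.append("personal device not permitted for this resource")
    if policy["require_mfa"] and not req.mfa_verified:
        reasons.append("multifactor authentication not verified")
    return not reasons, reasons

if __name__ == "__main__":
    req = AccessRequest("alice", "planner", "mission-planning-db",
                        datetime(2021, 3, 2, 2, 30), "OVERSEAS", "PERSONAL", False)
    print(evaluate(req))
```

Every denial carries the list of failed checks, which is the material a policy engine should log so that an unexpected access pattern (wrong hours, unmanaged device) is visible to the security operations team rather than silently dropped.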
Protecting Distributed Workloads
Given the varying classification levels of what distributed users will access, Zero Trust-level security controls should be applied to all of the assets across the protect surface. For instance, highly classified information likely requires multifactor authentication as well as strict regulations around time of day and type of user who can access it.
Distributed workloads are also significantly increasing application-to-application (east-west) communication. In multi-cloud deployments, microsegmented protection should be instituted around traffic going between cloud service providers. The same is true for workloads in the private and hybrid cloud environments that are increasingly used by the DOD.
Security needs to be embedded within the application itself. Newer technology such as machine learning (ML) can learn what a given application's normal communication looks like and automatically generate policies around it. Using such tools to track workflows will enable a scalable and far more effective security posture than attempting to manually define security for individual application flows—next to impossible in an environment as large and complex as the DOD.
Securing Cloud-Based Application Development
More and more agencies and branches are also leveraging the cloud for their development environment. As with that distributed user base, some developers may be working from their contractor’s locations; others (especially now) are working from their home offices; and still others may be working from hotel rooms or even coffee shops. Wherever developers are, their workloads are no longer restricted to a DOD-hosted secure data center.
Distributed development environments require Zero Trust-strength protection. A reliable approach is to employ microsegmented cloud access point technology that allows developers to securely reach their preferred resources and tools, and do their work in highly secure environments. Such granular controls wall off development resources so that only those who should have access will have access.
Cloud Native Security from Palo Alto Networks
Palo Alto Networks provides a robust platform for securing cloud-based development and computing. Having fully integrated our acquisition of Aporeto—a machine identity-based microsegmentation platform—into Prisma Cloud, we now offer a comprehensive suite of cloud native security for containers and microservices, using identity-based access controls to create a Zero Trust posture across the entire environment.
Prisma Cloud assesses the context for the application workflow, validates the metadata around the application, and assigns it a unique fingerprint to ensure that the level of segmentation is specific to the application itself. This approach makes defining what to protect much easier than the traditional practice of identifying a long list of IP or hardware addresses.
Our VM-Series firewalls also provide strong enforcement for cloud access points, allowing developers to connect into cloud-based development environments over a secure medium. Providing all the best-in-class, ML-powered capabilities of the physical Palo Alto Networks Next-Generation Firewall, our virtual firewalls provide the authentication and authorization that ensure developers access only what they need to, preventing information extraction or eavesdropping from unauthorized development environments.