
How a Zero Trust approach can make the Cloud more secure

By NordLayer
10 Nov 2021
6 min read
Zero Trust for the cloud

Protecting cloud environments is essential nowadays, with a great deal of network infrastructure now hosted off-site in services like Google Drive or Office 365. The Zero Trust approach to network security is a series of linked products and services that form an identity-based protective perimeter, encompassing both specific users and the applications within the network.

With a Zero Trust solution, you are able to hide the applications on your network from outsiders: access is restricted to trusted users, who reach them only through specific gateways and with pre-assigned permissions.

The broker (middleman) verifies the identity of the user and evaluates their access credentials before allowing them into the network perimeter, which minimizes lateral movement to other areas of the network.

Modern access solutions are built with the principle of Zero Trust in mind – deny all, permit some. 

Put another way: no user should be trusted until their identity is verified. Zero Trust essentially removes the implicit trust that was previously extended to entities simply because they were inside a given network.

Some organizations have indeed acknowledged that Zero Trust is an effective method of combating cyberattacks. However, outdated legacy infrastructure and the complexity of denying access to most users by default have left these companies fearful of a difficult or problematic transition period when moving towards a Zero Trust model.

In truth, it’s much easier and far more crucial to implement these days than you’d think.

How does Zero Trust help secure the cloud?

By addressing today’s IT infrastructure needs, Zero Trust security solutions are the way forward. Data, applications, and even networks are stored and hosted in the cloud, so securing it is essential.

By verifying and authenticating each and every user, the Zero Trust security model allows network traffic to be monitored and limited, and credentials to be secured through layered, protected authentication. Devices are locked down, and only the correct users are authenticated to those devices.

Geofencing by location and by IP allowlisting (whitelisting) is also available to more tightly control network access.

Additionally, achieving Zero Trust security within cloud-based architecture is more cost-effective and flexible for organizations of any size or type. Without the upkeep of on-premise hardware and significant integration work, IT teams can enjoy enhanced security without relinquishing ease of use.

Why do companies need Zero Trust in their cloud environments?

Implementing Zero Trust in a network is predicated on the organization itself controlling that network. The organization establishes where boundaries can be placed and enforces access controls that shield sensitive applications, such as those within on-premises data centers, from unauthorized access and lateral movement.

Today, it’s often more cost-effective to host an application in the public cloud instead of a data center. In fact, more than 73% of companies' applications or infrastructure are cloud-based.

These environments, operated by cloud service providers and Software as a Service vendors, are not part of an organization’s own network, so the same network controls do not apply.

Implementing a Zero Trust cloud

To make maintaining Zero Trust in the cloud easier, use cloud-delivered security measures to implement Zero Trust in public cloud services.

Provide users with a secure, consistent, and seamless experience regardless of where they are physically located, how they connect, or which applications they use.

Otherwise, if the user experience is too complicated or requires too much change whenever they work from a new location or use a different application, they will not accept it. Reduce the attack surface area by limiting user access based on context.

Requirements for Zero Trust in the Cloud

Starting out with the basics – Forrester defines the basic premises of a Zero Trust strategy as:

  1. Ensure that all resources are accessible securely – regardless of location.

  2. Adopt a lowest-privilege access strategy and strictly enforce access management.

  3. Inspect and log all traffic.

If your architecture does not accomplish all three of these objectives, it is not adhering to the Zero Trust philosophy.

To achieve Zero Trust security in the cloud, organizations need to know which applications are used in the public cloud, the types of data stored in it, the sensitivity of that data, and which users and services are accessing it. Sensitive data is, well, sensitive, and keeping it that way must be a priority.

Furthermore, cloud-based Zero Trust must be both simple and easy. If users are required to change their behavior when accessing applications and data from different locations, or the process is too complex, it won’t work effectively. Users will simply look for ways around the difficulties and seek access by other means.

Secure access should be seamless to users, no matter how they connect, from where they connect, or to which application they are trying to connect.

Zero Trust for SaaS applications

Cloud-based Software as a Service applications are becoming more and more popular. Typically, they are accessible to a wide spectrum of both employees and contractors. The beauty of cloud infrastructure is that it is accessible from anywhere, and sometimes even from devices that are not owned by the organization itself.

It is vital to take a prevention-first approach to secure SaaS applications, with extensive prevention capabilities and access control.

A Zero Trust security approach includes the ability to identify and have complete visibility over applications in use – as well as by whom they are used. This enables security teams to enforce least privilege access and ensure that the corporate network is both visible and secure.

With granular visibility, organizations can minimize the opportunity for attack by granting access to public cloud applications based solely on verified user identity and context. For example, employees with managed company devices should get immediate access to their sanctioned applications, while contractors on non-compliant devices may receive different levels of access via multi-factor authentication (MFA), based on their role and their reason for access.
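The broker decision described in this article (identity verification, least-privilege roles, geofencing and IP allowlisting from the earlier section, device posture, and MFA step-up for untrusted devices) can be written down as a single deny-by-default policy evaluator. The following is an added example, not NordLayer's product code: the applications, roles, countries, CIDR ranges and user records are constructed sample data, and the `limited` scope for MFA-stepped-up unmanaged devices is one reasonable interpretation of "different levels of access". Every evaluation, including denials, is appended to an audit list, which is the third Forrester premise (inspect and log all traffic).

```python
"""Deny-by-default access broker for a cloud/SaaS application (added example)."""
from dataclasses import dataclass
from enum import Enum
from ipaddress import ip_address, ip_network
from typing import Dict, List


class Decision(Enum):
    DENY = "deny"            # default outcome: nothing is implicitly trusted
    CHALLENGE_MFA = "mfa"    # identity ok, device untrusted: step up before any access
    ALLOW = "allow"


@dataclass(frozen=True)
class Identity:
    username: str
    roles: frozenset
    verified: bool           # the identity provider has authenticated this session


@dataclass(frozen=True)
class Device:
    managed: bool            # enrolled in the organization's device management
    compliant: bool          # passes posture checks (encryption, patch level, ...)


@dataclass(frozen=True)
class Request:
    identity: Identity
    device: Device
    source_ip: str
    country: str             # as resolved by the gateway's geolocation lookup
    mfa_passed: bool
    app: str


@dataclass(frozen=True)
class AppPolicy:
    allowed_roles: frozenset
    allowed_countries: frozenset   # geofence
    allowed_networks: tuple        # CIDR strings; empty tuple means no IP restriction


@dataclass(frozen=True)
class Verdict:
    decision: Decision
    reason: str
    scope: str = "none"      # "full" on trusted devices, "limited" after MFA on untrusted ones


def ip_allowed(source_ip: str, networks: tuple) -> bool:
    """IP allowlisting: accept only sources inside one of the configured CIDRs."""
    if not networks:
        return True
    addr = ip_address(source_ip)
    return any(addr in ip_network(cidr) for cidr in networks)


def evaluate(req: Request, policies: Dict[str, AppPolicy], audit: List[dict]) -> Verdict:
    """Broker decision: deny all, then permit only what every check agrees on."""
    policy = policies.get(req.app)
    if policy is None:
        verdict = Verdict(Decision.DENY, "unknown application")  # hidden app: no policy, no access
    elif not req.identity.verified:
        verdict = Verdict(Decision.DENY, "identity not verified")
    elif not (req.identity.roles & policy.allowed_roles):
        verdict = Verdict(Decision.DENY, "role not permitted for this application")
    elif req.country not in policy.allowed_countries:
        verdict = Verdict(Decision.DENY, "outside geofence")
    elif not ip_allowed(req.source_ip, policy.allowed_networks):
        verdict = Verdict(Decision.DENY, "source IP not allowlisted")
    elif req.device.managed and req.device.compliant:
        verdict = Verdict(Decision.ALLOW, "verified identity on compliant managed device", scope="full")
    elif req.mfa_passed:
        verdict = Verdict(Decision.ALLOW, "untrusted device, MFA satisfied", scope="limited")
    else:
        verdict = Verdict(Decision.CHALLENGE_MFA, "untrusted device, MFA required")
    # Log every evaluation, allowed or not, so the record shows who tried to reach what.
    audit.append({"user": req.identity.username, "app": req.app, "ip": req.source_ip,
                  "decision": verdict.decision.value, "scope": verdict.scope,
                  "reason": verdict.reason})
    return verdict


# Constructed sample policy: one sanctioned app, two roles, two countries, two office ranges.
POLICIES = {
    "crm": AppPolicy(allowed_roles=frozenset({"sales", "contractor"}),
                     allowed_countries=frozenset({"US", "DE"}),
                     allowed_networks=("203.0.113.0/24", "198.51.100.0/24")),
}


def demo() -> List[Verdict]:
    """Run constructed requests through the broker and print the audit trail."""
    audit: List[dict] = []
    employee = Identity("alice", frozenset({"sales"}), verified=True)
    contractor = Identity("bob", frozenset({"contractor"}), verified=True)
    requests = [
        Request(employee, Device(managed=True, compliant=True), "203.0.113.10", "US", False, "crm"),
        Request(contractor, Device(managed=False, compliant=False), "198.51.100.7", "DE", False, "crm"),
        Request(contractor, Device(managed=False, compliant=False), "198.51.100.7", "DE", True, "crm"),
        Request(employee, Device(managed=True, compliant=True), "192.0.2.5", "US", True, "crm"),
        Request(employee, Device(managed=True, compliant=True), "203.0.113.10", "US", True, "payroll"),
    ]
    verdicts = [evaluate(r, POLICIES, audit) for r in requests]
    for entry in audit:
        print(entry)
    return verdicts


if __name__ == "__main__":
    demo()
```

The order of the checks matters: identity and role are settled before device posture is consulted, so an unmanaged device never reaches the MFA prompt for an application its user has no role for, and the prompt itself cannot be used to probe which applications exist. Unknown applications fall through to a denial with no further detail, which is what "hiding applications from outsiders" means in practice.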
