To understand Zero Trust, we first look at the history of Zero Trust. The term “zero trust” started as a doctoral thesis by Stephen Paul Marsh in 1994. He believes that the concept of trust transcends human factors such as morality, ethics, lawfulness, justice, and judgement. Thereafter the concept of “zero trust” has been discussed. In 2009 Google implemented a zero-trust architecture referred to as BeyondCorp which consider both internal networks and external networks to be completely untrusted.

In 2018, US cybersecurity researchers at NIST and NCCoE publish Zero Trust Architecture (SP 800-207). They define Zero Trust (ZT) as a collection of concepts and ideas designed to reduce the uncertainty in enforcing accurate, per-request access decisions in information systems and services in the face of a network viewed as compromised. In 2019 the United Kingdom National Cyber Security Centre (NCSC) stressed the important of considering a zero trust approach for new IT deployment especially for cloud services.

NIST defines that Zero Trust is not a single architecture but a set of guiding principles for workflow, system design and operations that can be used to improve the security posture of any classification or sensitivity level.

Zero trust architecture (ZTA) is a plan where enterprise uses zero trust concepts and implementing it in its environment that includes network infrastructure (physical and virtual) and operational policies. Oftentimes the term ZTA is also known as follows:

1. Zero Trust architecture (ZTA)
2. Zero Trust security model
3. Zero Trust network architecture
4. Zero Trust network access (ZTNA)
5. Perimeterless security

The aim of ZTA is to prevent unauthorized access to data and services and to make the access control enforcement as granular as possible. This focus of ZTA is:

1. Enforce authentication, authorization, and
2. Reduce implicit trust zones without impacting service availability and delays in authentication mechanisms.
3. Access rules are made as granular and enforcing least privileges principle.

In today’s market ZTA concept is commonly known as “never trust, always verify,” which means that devices should not be trusted by default whether they are in trust or untrusted network.

A Zero Trust Architecture is designed and deployed with adherence to the following basic rules. These rules are ideal goals and it must be acknowledged that not rules can be fully implemented in the ZTA.

1. All data sources and computing services are considered resources.
2. All communication to be secured regardless of network location (trusted or untrusted location)
3. Access to individual enterprise resources is granted on a per-session basis.
4. Access to resources is determined by dynamic policy.
5. Enterprise monitors and measures the integrity and security posture of all owned and associated assets.
6. All resource authentication and authorization are dynamic and strictly enforced before access is allowed.
7. The enterprise collects as much information as possible about the current state of assets, network infrastructure and communications and uses it to improve its security posture

Interview with Cloud Leader “Swapnil Shah”

In this section I had the privileged to interview Cloud Leader “Swapnil Shah” who share insights into client adopting cloud, viewpoints on cloud security and Zero Trust.

1. What is the new Norm for clients adopting Cloud?

Cloud adoption is mainstream for some time now and Cloud First or Cloud Only strategies are commonplace across most enterprises across all leading markets. The adoption of the Cloud is key, and sometimes even synonymous, with Digital Transformation initiatives. It is common knowledge that Cloud adoption is the underlying key enabler for innumerable business use cases like telemedicine and connected health devices, smart grids for utilities, financial risk analysis, edge computing on 5G, IoT-enabled shop floors, contactless retail, drone-powered delivery, networks on the Cloud, autonomous and driverless cars, etc. Nevertheless, Cloud computing continued to languish as a mere technology upgrade project within most enterprises. The focus of enterprises is now shifting to how to innovate and differentiate by leveraging a wide range of cloud-native offerings and industry cloud solutions available from hyperscalers and various eco-system partners. The current pandemic has inserted an additional dimension of unpredictability and has accelerated the pace of digital transformation across industries. Multi-year project timelines are being compressed, and project requirements are being dramatically altered on-the-fly. Enterprises are now at a tipping point, for having to super-scale their Cloud-powered Digital transformation efforts.

2. Accelerated adoption of cloud combined with complex integration of eco-system, hybrid working environments is the new norm which poses interesting challenges to IT executives not only from architecture & technology side but also from culture and security perspective as well. What are your viewpoints on Cloud security?

In traditional IT world, IT security was completely owned and controlled by various teams within IT or ISG groups. Cloud Security is a Shared Responsibility now shared between enterprises IT teams, Cloud provider and any eco-system partners involved in the solution. Modern cloud adoption presents very challenging security realities due to below key elements:

• automated CI/CD methods
• distributed serverless architectures
• and ephemeral assets like Functions as a Service and containers
• no clear perimeter boundaries
• api adoption explosion

This creates unique challenges like below which enterprise security team needs to assess on continuous basis

• complex environments with complex integration points outside enterprise perimeter
• increased attack surface
• lack of visibility & tracking
• complex data flow patterns between on prem, hybrid cloud (IaaS/PaaS) & SaaS based applications and users spread everywhere
• everchanging workloads

3. How should customers adopt Zero Trust in securing their assets in Cloud?

Basic guiding principles for Zero Trust in cloud security is not to automatically trust anyone or anything within or outside of the network and to authorize, inspect and secure everything. A Zero Trust approach extends throughout the entire digital estate and serves as an integrated security philosophy and end-to-end strategy. Enterprises as part of their cloud adoption journey should look at below Zero Trust based elements at a high level:

• Leverage cloud-delivered security measures where possible to implement Zero trust on cloud
• Granular, policy-based IAM and authentication controls across complex infrastructures: Reduce the attack surface area by limiting user access based on context.
• Zero-trust cloud network security: Controls across logically isolated networks and micro-segments
• Enforcement of virtual server protection policies and processes such as change management and software updates:
• Safeguarding all applications (and especially cloud-native distributed apps): E.g. leverage a next-generation web application firewall
• Enhanced data protection
• Threat intelligence that detects and remediates known and unknown threats in real-time
• Develop apps using Zero Trust principles