Why Zero Trust in the Cloud Requires On-Demand Machine Identity Management

Scott Carter
Fri, 17/06/2022 – 09:38

As machines are launched in the cloud, we need to assign their security settings based on their purpose.

What are they doing? Do they do calculations? Do they offer web pages? Or do they enable another kind of automated infrastructure?

In this sense, Zero Trust assumes by default that a given activity is not allowed on a machine unless it falls within the acceptable security parameters for that user and that function. That’s why I like to think of Zero Trust as on-demand trust governed by machine identities.

So where do you start to build and protect on-demand trust for cloud environments? Enforcing policies for the keys and certificates that make up your machine’s identities will play a critical role in this type of environment. This way, you can focus your security on each connection, rather than each network or segment of activity.

Organizations have many ways to meet the Zero Trust challenge in the cloud. For example, an organization might have a single team that operates solely in AWS and obtains certificates only from AWS Certificate Manager. In this way, they have already isolated the trust of their applications to their environment: they trust only the certificates issued in that environment. But this scenario works for them only because they don’t need to interoperate with other teams within the company. Otherwise, they would need a more granular way to enforce Zero Trust, with different apps assigned their own trust levels.

Another organization might implement Zero Trust for orchestration services that rely on self-signed certificates, which are trusted only in the environment where they are created. For this organization, self-signed certificates define trust by limiting it to the specific CA that issues certificates and keys for that environment.

But these environment isolation strategies don’t work very well in today’s dynamic cloud environments. To make information available to the services that need to access it, you need a way to establish trust on demand. The only way to make that possible is to automate the machine identity policies that control who can access which machines, and to make those policies available on demand.

How does it happen?

Here’s how it might play out in a cloud instance. You create an instance in AWS and assign it a key. Then you find the user and say: here is your key, go do your thing. The user uploads some code, then publishes it. When that’s over, you’re done; the transaction ends. But for this scenario to work, every one of these improvised steps must be authenticated in near real time, because all of them occur within milliseconds. It also requires an enormous number of machine identities, so you will need exponential scalability for your machine identities in the cloud.

If you trust the request, you should be able to dictate machine access via policy. Visibility into disparate trust systems is also important: as machines come and go in a virtual, containerized world, we need to be able to revoke trust on demand. Additionally, you’ll need to provision machine identities in a way that automatically scales up or down to meet the demand of trusted systems.

Zero Trust access would take into account which servers are involved, as well as the policies that determine which certificates establish trust and for how long. In other words, authenticated access would be granted and then removed when revoked, whether after five days or a few hours. In the future, lifespans are going to get much, much shorter, so these things will have to be done quickly.
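To make the argument concrete, here is an added example (not code from the original post or from Venafi) of the on-demand trust model described above: a machine identity is issued for a stated purpose with a short lifetime, and every action is denied unless the identity is validly signed, unexpired, not revoked, and the action is permitted for that purpose. The issuer key, the purpose policy and the machine id are constructed assumptions for illustration.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed example key; a real issuer would hold this in an HSM or managed KMS (assumption).
ISSUER_KEY = b"example-issuer-key-not-for-production"

# Default-deny policy: each machine purpose maps to the only actions it may perform.
PURPOSE_POLICY = {
    "build": {"upload_code", "publish"},
    "web": {"serve_http"},
}

REVOKED = set()  # serials of identities revoked on demand


def issue(machine_id, purpose, ttl_seconds, now=None):
    """Issue a short-lived, signed machine identity bound to one purpose."""
    now = int(time.time() if now is None else now)
    claims = {"sub": machine_id, "purpose": purpose, "iat": now,
              "exp": now + ttl_seconds, "serial": secrets.token_hex(8)}
    body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode()).decode()
    sig = hmac.new(ISSUER_KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{sig}"


def revoke(token):
    """Revoke trust in an identity immediately, regardless of its remaining lifetime."""
    body = token.split(".")[0]
    REVOKED.add(json.loads(base64.urlsafe_b64decode(body))["serial"])


def authorize(token, action, now=None):
    """Zero Trust check: valid signature, unexpired, not revoked, and action allowed for purpose."""
    now = time.time() if now is None else now
    try:
        body, sig = token.split(".")
    except ValueError:
        return False  # malformed identity: deny
    expected = hmac.new(ISSUER_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return False  # forged or tampered identity: deny
    claims = json.loads(base64.urlsafe_b64decode(body))
    if now >= claims["exp"] or claims["serial"] in REVOKED:
        return False  # lifetime elapsed or trust withdrawn: deny
    return action in PURPOSE_POLICY.get(claims["purpose"], set())
```

Shortening `ttl_seconds` is what moves this toward the much shorter lifespans the post anticipates; the revocation set is the on-demand withdrawal of trust.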

With a machine identity management platform, like the one we offer here at Venafi, you can establish trust on demand by creating and controlling access at the machine identity level. Moreover, you gain visibility into trust across the environment, so you can enforce Zero Trust in your cloud and on-premises environments and verify that your machine identities protect what they should.

How do you manage Zero Trust in the cloud?

By its very nature, the cloud resides outside the perimeter of your business. It is therefore not always appropriate to apply traditional notions of perimeter security to the machines that reside in your hybrid cloud environments. In other words, you can no longer automatically trust everything in your “castle and moat” because those limits no longer exist.

As Cloudflare observes, “This vulnerability of castle-and-moat security systems is exacerbated by the fact that companies no longer have their data in one place. Today, information is often distributed among cloud providers, making it more difficult to have a single security control for an entire network.”

Elastic computing has become the norm. So in an on-demand environment such as the cloud, Zero Trust systems must bootstrap identity from the start. And in this kind of machine-centric world, human judgment doesn’t make sense as a checkpoint; we can no longer make crude assumptions about which external systems to trust.

In fact, I would argue that trust should be established on demand based on the relying party’s security boundary.


*** This is a syndicated blog from the Security Bloggers Network of the Rss blog written by Scott Carter. Read the original post at: https://www.venafi.com/blog/why-zero-trust-cloud-requires-demand-machine-identity-protection