
Zero-trust in a cloud-native world: Best practices emerge

Jason Bloomberg, President, Intellyx

"Zero-trust" is a security model that requires strict access controls, trusting nothing by default for any person, application, or service—even if it resides inside a network perimeter.

Zero-trust has always been a good idea, and in the decade since Forrester coined the term, numerous cybersecurity vendors have jumped on the zero-trust bandwagon, slapping the term on their marketing.

But there are two problems with this overuse of terminology: Zero-trust vendors don’t all agree on what it means, and even worse, the entire concept is now out of date, given the complexities of cloud-native computing and hybrid IT that weren’t even on the horizon back in 2009.

How the industry should update zero-trust in today’s cloud-native computing world is the question I hoped to answer at this year’s Black Hat USA conference in Las Vegas. To this end, I whittled the list of vendor PR pitches down to four from companies that were breaking the zero-trust mold.

These four vendors exemplify what it means to offer zero-trust security in a cloud-native context. Here are the emerging best practices.


Network security without IP addresses

IP addresses are central to traditional network security. In the cloud context, however, they may be hidden from view. Add Kubernetes to the mix, and inherently dynamic, ephemeral resources make IP addresses useless for dealing with security challenges.

Tigera is one vendor that sufficiently abstracts the network to provide zero-trust security without referencing IP addresses. It also offers continuous compliance and visibility, and threat detection that centers on Kubernetes but extends to hybrid IT and on-premises environments, including legacy ones. 

The challenge with securing Kubernetes—and by extension, for cloud-native computing in general—is that Kubernetes itself is essentially wide open. Its designers expect and demand that vendors secure the platform via an abstracted, software-defined security layer.

Tigera makes this layer a reality, freeing zero-trust security from physical network characteristics such as IP addresses, instead locking down all traffic entering and leaving Kubernetes pods that does not come from an authorized source—either a person or an application.


Fingerprinting applications and users

Cloud-native zero-trust doesn’t rely on any particular physical network configuration. Instead, it focuses on who is able to do what when—in other words, it keeps track of the activities that specific people, applications, devices, and services should be able to accomplish when they interact with any endpoint—and it blocks all other behaviors.

To this end, Aporeto centers its zero-trust capabilities on its implementation of "application IDs" or "application fingerprints." With these fingerprints, Aporeto abstracts the entire network context, regardless of whether endpoints are in Kubernetes, AWS Lambda functions, or more traditional endpoints in virtual machines or on-premises servers.

As a result, it can secure such application endpoints across any infrastructure or any cloud. The resulting capabilities are perfect examples of next-generation zero-trust redefined for cloud-native computing, including microsegmentation independent of the network, just-in-time privileged access management giving admins SSH access for specific purposes only, and remote access management without VPNs.

While Aporeto fingerprints applications, newcomer Odo does something similar with users. Odo is the youngest vendor on this list, and it's in the process of rolling out its product, but what it has already accomplished is remarkable. 

Odo is able to build a user context that takes into account not only physical network characteristics such as IP address and location, but also multifactor authentication data, certificate information, and time to create a dynamic picture of each individual.  

It then uses this context to provide zero-trust access management for IT and DevOps personnel, as well as for applications that require internal data access. 

Odo enables its customers to provide granular access for each corporate resource based on these dynamic, contextual access permissions. Odo also supports multi-cloud, multi-site, and multi-region environments today, and Kubernetes support is on the vendor’s road map.


Zero-trust stalwart microsegmentation reaches its third generation

Microsegmentation has long been a part of the zero-trust story, but how vendors approach it has evolved substantially.

Early microsegmentation focused on physical network characteristics, such as IP address, network address translation (NAT), and virtual LAN (VLAN). The next generation added a software-defined layer, enabling operators to establish and configure microsegments as a matter of policy, thus freeing them from their physical location in the network topology.

Edgewise reinvents microsegmentation for the cloud-native world. It essentially moves microsegmentation to a third, cloud-native generation. 

Given the inherently dynamic and ephemeral nature of Kubernetes-orchestrated endpoints, combined with the full complexity of software-defined networking across hybrid IT landscapes, it’s becoming increasingly impractical to expect operators to deal with microsegmentation policies manually—or even programmatically.

Instead, Edgewise applies machine learning (ML) to this challenge. It leverages a patented, proprietary approach for gathering data across the entire hybrid network landscape in order to provide end-to-end visibility across the network while also providing the raw material that drives its ML algorithms.

The result is the ability to create and modify vast numbers of individual policies on a continual basis in order to adequately verify the identity of every user, device, and application in the environment—independent of IP addresses or other characteristics of the physical network.

Understanding the big picture of zero-trust in a cloud-native world

Even though cloud-native computing spans traditional virtualization, containers, and serverless computing within the broader hybrid IT context, today Kubernetes is at the center of the storm. And where Kubernetes goes, so too goes cloud-native computing.

To understand how zero-trust networking must evolve, therefore, it’s essential to understand how best to secure Kubernetes. Containers’ dynamic, ephemeral nature, as well as other essential Kubernetes properties such as stateless processing and declarative, configuration-driven behavior, require a top-to-bottom rethink of how zero-trust works.

But there's even more at stake here. The best practices that these vendors exemplify are rapidly becoming essential for cybersecurity in general. Enterprise IT security professionals can't afford to continue pouring billions of dollars into cybersecurity solutions that leave their organizations vulnerable to attack. Cloud-native zero-trust is shining a light on the path out of this quagmire.

None of the vendors mentioned in this article is an Intellyx client.
