Why Zero Trust in the Cloud Requires On-demand Machine Identity Protection

June 4, 2019 | Ivan Wallis

By its very nature, the cloud resides outside of your enterprise’s perimeter. So, it’s not always appropriate to apply the traditional notions of perimeter security to machines that reside in your hybrid cloud environments. In other words, you can no longer automatically trust everything that is within your “castle and moat” because, as I mentioned in a previous blog, those boundaries no longer exist.


As Cloudflare observes, “This vulnerability in castle-and-moat security systems is exacerbated by the fact that companies no longer have their data in just one place. Today, information is often spread across cloud vendors, which makes it more difficult to have a single security control for an entire network.”

Elastic computing has become the norm. So, in an on-demand environment such as the cloud, Zero Trust bootstrapping systems require an identity right out of the gate. And in this type of machine-centric world, a human checkpoint no longer makes sense: we can no longer make gross assumptions about which external systems should be trusted.

In fact, I would argue that trust should be built on-demand based on the security boundary of the relying parties.

So, as machines are spun up in the cloud, we need to assign security parameters based on their purpose. What are they doing? Are they crunching numbers? Are they serving up web pages? Or are they enabling some other sort of automated infrastructure?

In this sense, Zero Trust automatically assumes that a given activity is not allowed on a machine unless it falls within the acceptable security parameters for the user and function. So, that’s why I like to think of Zero Trust in terms of on-demand trust governed by machine identities.

 


So, where do we even begin to build and protect on-demand trust for cloud environments? Enforcing policies for the keys and certificates that are your machine identities will play an essential role in this type of environment. In that way, you can focus your security on each connection, rather than each network or business segment.

The organizations I’m speaking with have many different ways of addressing the challenge of Zero Trust in the cloud. For example, one organization has a single team that operates solely in AWS. So, they're getting certificates only from AWS Certificate Manager. In that way they've already isolated trust for their applications within their environment. They trust only the certificates within their environment. But this scenario only works for them because they don't really need to deal with other teams within the company. Otherwise, they would need a more granular way to enforce Zero Trust, with different applications being assigned their own levels of trust.

Another organization told me that they implement Zero Trust for orchestration services that rely on self-signed certificates. And those certificates are only trusted within the environment where they are created. So, for this organization, self-signed certificates define trust by limiting it to a specific CA that issues certificates and keys for that environment.

But these strategies for isolating environments do not play very well in today’s dynamic cloud environments. To make information available to the departments that need to access it, you need to find a way to define on-demand trust. And the only way to make this feasible is to automate machine identity policies that control who can access which machines. And it’s got to be available on demand.


Here’s how that might play out in a cloud instance. You create an instance in AWS, and you give it an upstage key. Then you find the user and say, here's your key, go do your thing: upload some code, then publish it. When that’s completed, you're done. End of transaction. But for that scenario to work, all of those ad hoc steps have to be authenticated in near-real time, because they must happen in milliseconds. That also requires a stunning number of machine identities. So, you’ll need exponential scalability for your machine identities in the cloud.

If you're doing on-demand trust, then you've got to be able to dictate access to machines via policy. Having visibility into disparate trust systems is also important, because machines come and go in a virtual, containerized world and we need to be able to revoke trust on demand. Plus, you’ll need to deliver machine identities in a way that automatically scales up or down to meet on-demand trust systems.


Zero Trust access would take into account which servers are involved, along with the policies that determine which certificates establish trust and for how long. In other words, authenticated access would be granted, then retired when the identity is revoked, whether that’s five days or a couple of hours. In the future those lifetimes are going to get much, much, much shorter. So, these things will have to be done quickly.
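To make the last few paragraphs concrete (purpose-based security parameters, identities issued on demand with a bounded lifetime, access decided per connection, and revocation on demand), here is an added example that is not Venafi's platform code and not part of the original post. It models a small identity broker with only the Python standard library: instead of X.509 certificates it issues HMAC-signed claims tokens, and the policy table, machine IDs, purposes and timestamps are all constructed for the example. The checks the relying party performs are the ones that matter for the argument: signature, lifetime, revocation status, and whether the requested action matches the identity's declared purpose.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional, Tuple

# Policy table (constructed for this example): the security parameters a machine
# receives depend on its purpose. Each purpose lists the actions it may perform
# and the longest identity lifetime the broker will ever grant for it.
POLICY = {
    "web-server":   {"max_ttl": 3600, "allowed_actions": {"serve-https"}},
    "build-runner": {"max_ttl": 900,  "allowed_actions": {"upload-code", "publish"}},
}


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class IdentityBroker:
    """Issues, checks and revokes short-lived, purpose-bound machine identities.

    An identity here is an HMAC-signed claims blob (hypothetical stand-in for a
    certificate) so the example runs with only the standard library.
    """

    def __init__(self, signing_key: bytes) -> None:
        self._key = signing_key
        self._revoked_serials = set()

    def issue(self, machine_id: str, purpose: str, ttl: int,
              now: Optional[float] = None) -> str:
        if purpose not in POLICY:
            raise ValueError(f"no policy for purpose {purpose!r}")
        # Clamp the lifetime to the policy ceiling: a machine cannot ask for
        # longer-lived trust than its purpose allows.
        ttl = min(int(ttl), POLICY[purpose]["max_ttl"])
        issued_at = int(now if now is not None else time.time())
        claims = {
            "id": machine_id,
            "purpose": purpose,
            "serial": secrets.token_hex(8),  # unique per issuance; used for revocation
            "iat": issued_at,
            "exp": issued_at + ttl,
        }
        payload = _b64(json.dumps(claims, sort_keys=True).encode())
        sig = hmac.new(self._key, payload.encode(), hashlib.sha256).hexdigest()
        return f"{payload}.{sig}"

    def _parse(self, token: str):
        """Return the claims if the signature verifies, else None."""
        payload, _, sig = token.partition(".")
        expected = hmac.new(self._key, payload.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(sig, expected):
            return None
        return json.loads(_unb64(payload))

    def revoke(self, token: str) -> bool:
        """Revoke on demand; only identities this broker actually issued can be revoked."""
        claims = self._parse(token)
        if claims is None:
            return False
        self._revoked_serials.add(claims["serial"])
        return True

    def authorize(self, token: str, action: str,
                  now: Optional[float] = None) -> Tuple[bool, str]:
        """Decide, per connection, whether this identity may perform `action` right now."""
        claims = self._parse(token)
        if claims is None:
            return False, "bad signature"
        current = now if now is not None else time.time()
        if current >= claims["exp"]:
            return False, "expired"
        if claims["serial"] in self._revoked_serials:
            return False, "revoked"
        allowed = POLICY.get(claims["purpose"], {}).get("allowed_actions", set())
        if action not in allowed:
            return False, f"action {action!r} not permitted for purpose {claims['purpose']!r}"
        return True, "ok"


def lifetime(token: str) -> int:
    """Granted lifetime in seconds (exp - iat), read without verifying the signature."""
    claims = json.loads(_unb64(token.split(".")[0]))
    return claims["exp"] - claims["iat"]


if __name__ == "__main__":
    broker = IdentityBroker(secrets.token_bytes(32))
    t0 = 1_700_000_000  # constructed fixed clock so the run is reproducible
    ident = broker.issue("i-0abc123", "build-runner", ttl=60, now=t0)
    print(broker.authorize(ident, "upload-code", now=t0 + 5))   # allowed
    print(broker.authorize(ident, "serve-https", now=t0 + 5))   # wrong purpose
    print(broker.authorize(ident, "publish", now=t0 + 61))      # expired
    broker.revoke(ident)
    print(broker.authorize(ident, "upload-code", now=t0 + 5))   # revoked
```

The design point is that trust is never granted to a network segment: every `authorize` call re-evaluates a single connection against the identity's signature, remaining lifetime, revocation status and purpose, and the lifetime ceiling lives in policy rather than in the requesting machine's hands.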

With a platform for machine identity protection, like the one that we offer here at Venafi, you can establish on-demand trust by creating and controlling access at the machine identity level. Plus, you’ll have the visibility into trust across the environment. So, you can enforce Zero Trust in your cloud and on-premises environments and verify that your machine identities are protecting what they should.


How are you handling Zero Trust in the cloud?
