Hackers of India

Zero Trust in the Era of Cloud

By  Vandana Verma Sehgal  on 07 Oct 2020 @ Rootcon

Presentation Material

Abstract

Cloud is the new cool thing, everyone wants to be in cloud but what about security and compliance standards. How do organizations manage safety as well as security in the era of cloud. The concept of everyone inside the network being good or trusted is blown out of the water with cloud deployments. Effectively everyone is a tenant on a big server farm when it comes to cloud.

The only way forward is to not trust anything or what can be called a zero trust model. This talk will explore the concept of zero trust and will try to demystify zero trust models. The talk will focus on implementation and deployment scenarios of zero trust for organizations. How should the business prepare for the transition, what are the architectural requirements and what policies are required to be implemented?

We will conclude the talk with some recommendations based on our own experience dealing with zero trust deployments across a broad spectrum of clients and market segments.

AI Generated Summarymay contain errors

Here is a summary of the main points discussed:

Key Takeaways:

  1. Implementing Zero Trust: It’s essential to identify sensitive data, from the start, . Map it, a zero-trust micro-segmentation design should continuously monitor and enforce security automation.

  2. Policies and Procedures: Governance and policies are crucial for managing cloud security. They must be comprehensive, comprehended across the organization, and enforced correctly.

  3. Security Controls: A combination of physical and virtual security controls is necessary to establish access based on micro-segmentation design. Encrypt all network traffic, regardless of origin.

  4. Cloud Security: To extend zero trust to the cloud, security must be delivered from and for the cloud. This requires policies that are enforced correctly and having users connect directly to the cloud.

  5. Automation and AI: Automation is not a full-off security team but rather an aid, providing more time to detect potential issues. Leverage machine learning and AI technologies to enhance security.

  6. Identity Verification: Identity is becoming a new parameter in zero-trust architecture. Implement single sign-on, multi-factor authentication, and device/application verification.

  7. Zero Trust Strategy: Zero trust is not just a product or technology but rather a perspective and strategy that requires continuous monitoring and adaptation.

Q&A:

The speaker emphasizes that it’s not ideal to totally trust third-party service organizational controls, such as SOC 2 reports provided by cloud service providers. Instead, organizations must:

  1. Understand their Environment: Before moving data to the cloud, understand what you have and what you’re planning to push to the cloud.

  2. Clearly Define Responsibilities: Ensure hosting agreements and contracts clearly outline responsibilities for security controls and enforcement.

  3. Verify Security Controls: Organizations should verify the security controls implemented by cloud service providers and not solely rely on third-party reports.