Zero Trust and Cloud Services: How a Layered Approach Strikes a Balance Between Convenience and Security

The Place of Cloud Services in the Modern Business Environment: An Overview

Since their first steps in the early 2000s, cloud services have seen a steep rise in the business space. Storage solutions and services such as Amazon Web Services, Dropbox, Microsoft Azure, OpenNebula, OpenStack, and many others took the business world by storm between 2002 and 2017. The success of the cloud as a service solution was cemented with the launch of the European Grid Infrastructure Federation Cloud in 2014.

By 2020, 81% of businesses had migrated at least a part of their infrastructure to the cloud, according to a study by IDG. Over half (55%) of all businesses questioned in the study said they use more than one service: 34% use two, 10% use three, and 11% use more than three services.

Cloud services bring many advantages, often making them the best choice to support business processes effectively. However, cloud services are often targeted by attackers, and a successful breach has a very significant impact: the blast radius is huge, and dependent customers lack control and transparency.

To address this, a layered approach to structuring security architectures is beneficial. A solution based on zero trust principles is ideal to avoid introducing further dependencies on centralized services. This provides the best possible combination of a modern, convenient workplace and top-of-the-line security.

Cloud Services in the Workplace: Effective Collaboration, but More Security Risks

The Benefits of Cloud Services

Cloud services are now mainstream in the corporate environment. By 2021, 74 percent of organizations reported using cloud infrastructure services, according to Statista. Businesses are choosing the cloud over traditional ways of computing and storing data for a variety of reasons.

By outsourcing functions and management to an experienced provider, companies can focus on their core business and gain a competitive advantage in the marketplace. Cloud services are the strategy of choice for handling large volumes of data and facilitating digital transformation to become more agile as a business. Moreover, according to a PwC 2023 survey, cloud-enabled organizations report higher productivity and improved collaboration capabilities than those that don't use the cloud.

The Downsides of Cloud Services

While benefits are significant, it's important to consider the drawbacks that adopting cloud services implies:

  • Downtime due to Internet outages or weak connections
  • Vendor lock-in due to high switching costs and data migration issues
  • Security concerns, especially with public cloud services and multi-cloud usage

From 2020 to 2022, businesses observed a sharp rise in targeted cyberattacks, with cloud services becoming the main target. This concern was clear in the 2020 IDG survey: 38% of respondents cited security challenges as a top issue for cloud services. In 2023, this number rose to around 75%.

In a 2021 Statista survey, a total of 40% of respondents reported experiencing cloud data breaches with financial consequences. In 2022, the number increased to 50%. A study by IBM reveals that the global average cost of a single data breach in 2023 is estimated to be $4.45 million.

There are also privacy issues about service providers' access to their customers' data. The more cloud services are adopted, the greater the challenge in managing these risks.

Zero Trust: Bridging the Gap between Convenience and Security

Consequently, security experts recommend taking control of business data and communications by adopting a Zero Trust strategy rather than relying solely on cloud services and their security features. This requires a layered approach that uses multiple measures to protect an organization's assets. Thorough defense should be based on a trusted hardware foundation, with encryption and platform protections providing another layer of protection. Cloud services can be used safely when all layers are protected.

This direction is relevant for private businesses and paramount to securing operations in the public sector while making services more efficient and accessible.

A great example of an in-depth overview of zero-trust architecture is the NIST 800-207 executive order released by the US Government in 2020. This directive established a comprehensive set of Zero Trust principles and detailed recommendations for cybersecurity.

The following chapter outlines a layered approach for a Zero Trust strategy in a cloud environment.

A Modern Security Solution: What is Zero Trust?

A Zero Trust approach can be summarized as "never trust, always verify," meaning that no user or device is automatically trusted, and all activity must be continually authenticated and authorized. This approach minimizes the risk of data breaches and cyber-attacks by ensuring that only trusted users and devices have access to sensitive information.

This also means that centralized trust anchors should not be used. This opens a challenging question: if I cannot trust even my trust anchor, how can I verify the identity of the subject I need to authorize for resource access?

To implement a Zero Trust architecture in its security network, an organization must shift from perimeter security to a granular approach with continuous risk assessment. Users must be trained in security awareness and contingency plans must be in place, as breaches are always to be expected.

As a security principle, this is a combination of established security tools and cybersecurity concepts aimed at reducing uncertainty about an organization's infrastructure and network security.

A Layered Approach: Keeping the Cloud Convenient and Security Risks Low

Implementing Zero Trust in a cloud infrastructure provides enterprises with improved visibility into risks, data, and assets while maintaining a consistent level of security. A thorough cybersecurity strategy will lower overall operational costs and ensure business agility. To ensure this, one needs to adopt a layered approach. The key areas that require safeguarding against potential attacks include devices, applications, networks, and users. Let's look at four layers of protection to cover these areas safely:

1. Adaptive Zero Trust Architecture

To build a Zero Trust architecture with cloud services, a company should clarify and map the identity providers, applications and devices in use, users themselves, and their behavior.

An adaptive system means continuously verifying the user's identity as they're working. When logging into a cloud service, users are assessed based on past behavior, location, risk score and device type. Access is granted or denied based on the results.

Best practice:

  • Establish risk-based policies that leverage machine learning to deny or revoke access automatically
  • Implement self-service identity verification with multi-factor authentication and robust access controls
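The adaptive check described above, as an added Python example that is not from the original article: it scores a sign-in on past behavior, location, and device type, then allows, requires MFA, denies, or revokes a live session. The weights, thresholds, and names (`SignIn`, `Baseline`, `decide`) are assumptions, and the fixed weights stand in for the machine-learned model the best practice mentions.

```python
from dataclasses import dataclass

# Constructed weights and thresholds (assumptions); a production system
# would learn or tune these per organization.
WEIGHTS = {"new_device": 30, "unmanaged_device": 25, "new_country": 25,
           "impossible_travel": 40, "off_hours": 10}
STEP_UP_AT, DENY_AT = 30, 60
MAX_KMH = 900  # faster than a commercial flight between two sign-ins

@dataclass
class Baseline:
    """Per-user history: the 'past behavior' signal."""
    devices: set
    countries: set
    active_hours: range

@dataclass
class SignIn:
    device_id: str
    managed: bool            # device type: corporate-managed or not
    country: str
    hour_utc: int
    km_from_last: float      # distance to the previous sign-in location
    hours_since_last: float

def risk_score(s: SignIn, b: Baseline):
    """Return (score, reasons) so every decision is explainable in logs."""
    reasons = []
    if s.device_id not in b.devices:
        reasons.append("new_device")
    if not s.managed:
        reasons.append("unmanaged_device")
    if s.country not in b.countries:
        reasons.append("new_country")
    # Guard against a zero interval when two events share a timestamp.
    if s.km_from_last / max(s.hours_since_last, 0.1) > MAX_KMH:
        reasons.append("impossible_travel")
    if s.hour_utc not in b.active_hours:
        reasons.append("off_hours")
    return sum(WEIGHTS[r] for r in reasons), reasons

def decide(s: SignIn, b: Baseline, mfa_passed=False, in_session=False):
    """Called at sign-in and again during the session (continuous verification)."""
    score, reasons = risk_score(s, b)
    if score >= DENY_AT:
        return ("revoke" if in_session else "deny"), score, reasons
    if score >= STEP_UP_AT and not mfa_passed:
        return "step_up_mfa", score, reasons
    return "allow", score, reasons

# Constructed sample baseline for one user.
ALICE = Baseline(devices={"laptop-01"}, countries={"DE"}, active_hours=range(6, 20))
```

Returning the reasons alongside the score lets the Security Operations team see why access was denied or revoked, and a passed MFA challenge never overrides a score above the deny threshold.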

2. Threat Protection

This layer is dedicated to tracking and responding to events on the tenant. A dedicated Security Operations team is typically responsible for monitoring and responding to suspicious activity. The protected surface can grow thanks to active monitoring, enabling you to modify the architecture to improve security.

Best practice:

  • Use a unified platform (Extended Detection & Response, XDR) to integrate alerts from disparate security products
  • Perform frequent maintenance
  • Set up DLP rules for endpoints and cloud services

3. Assume Breach

Traditional trust anchors, specifically central servers and Certificate Authorities (CAs), have been the standard for secure communication. Such services provide an external confirmation that the subject of the certificate owns the public key.

Previously, this allowed users to trust signatures or statements made with the private key.

The fundamental weakness of this design is the implicit trust placed in CAs. If browsers and operating systems trust CAs by default, the failure of one compromises the security of all users. An example is the breach of DigiNotar, a digital certificate authority, where a cyberattack resulted in the creation of fake certificates for many websites, compromising data security on a large scale.

The mindset required for a Zero Trust approach is that a security breach will happen or has already happened. This leads to different defense strategies and requires continuous monitoring of the entire infrastructure.

Best practice:

  • Prepare emergency remediation plans
  • Implement backup systems
  • Create 'break the glass' accounts
  • Limit the blast radius by reducing your perimeter: with truly end-to-end encryption, a compromised device won’t immediately expose any other device
  • Limit the time to detect breaches: a breach or theft of a physical device is detected much quicker than an attack on a central server

4. User Awareness

As employees are considered the weakest link and the first point of contact for cybercriminals, it is essential to foster a culture of security throughout the organization.

Best practice:

  • Schedule regular IT security awareness training with a focus on hands-on exercises
  • Use attack simulations, such as phishing simulations, to reflect current human vulnerabilities

Zero Trust and Cloud Services: Secure Email Communication and File Sharing

Securely using a cloud service is possible by applying Zero Trust principles. Email is an excellent example of how this can be applied. To ensure absolute security, end-to-end encryption must use asymmetric encryption methods with private keys stored on the devices rather than in cloud-based applications. Key distribution must be implemented peer-to-peer rather than relying on central distribution, which may be compromised. With forward secrecy, every session generates a distinct encryption key, which precludes significant security breaches even if attackers decrypt a key. With a simple plug-in setup, keeping an existing email provider and cloud infrastructure is possible.

Trusted file-sharing services can enhance the collaborative benefits of cloud services. Confidential data is encrypted in the file and can be easily attached to the message. Zero-trust file sharing can provide genuine data transparency and visibility while ensuring security. This can be achieved through retention policies, granular folder and file permissions, SSL/TLS protocols, and custom DLP rules to restrict and manage file access.

Conclusion

Establishing a Zero Trust architecture for cloud services necessitates proper planning and ample time. Adopting a phased process following the layered approach leads to secure operations while ensuring a streamlined, productive workplace. Ideally, this includes a shift away from centralized, multi-purpose trust anchors toward a more layered approach. Each network segment will benefit from a layer of protection specifically tailored to its needs. Although the transition to a new security system may require a change in mindset and some time, it will ultimately improve the cybersecurity of the entire organization.
