Securing Cloud Workloads with Zero Trust Architecture

Leaders must drive the adoption of approaches and frameworks focused on protecting data in the cloud.

Zero Trust Maxxa Satori
istock.com/Massa Satori

Seasoned cybersecurity professionals remember the days when protecting digital assets was mostly about configuring network firewalls and ensuring that anti-virus software was up-to-date. Those were simpler times. Today, things look dramatically different, with a growing number of manufacturing firms having workloads in the public cloud.

In a world where the old paradigm of perimeter defense as we know it no longer applies, leaders must drive the adoption of new approaches and frameworks to protect their code and data in the cloud. One of the most popular approaches in recent years is the concept of zero trust.

What Makes Cloud Workloads Vulnerable?

Cloud workloads can be virtual machines, containers, and serverless functions that employ processing, network, and storage infrastructure in the cloud. They are tempting targets to malefactors because they often contain sensitive (and, thus, valuable) information, including PIIs, code secrets, and proprietary application code. With code secrets exposed or access permissions misconfigured, cloud workloads can serve as a gateway for lateral movement within a manufacturing firm’s systems, granting attackers access to credentials.

Why and how does that happen? The shift to DevOps in cloud-native development workflows made it extremely easy to deploy cloud workloads, contributing greatly to development velocity. Yet, it left cybersecurity and information security teams in the dark, struggling to regain visibility and control over their security in a climate of increasingly sophisticated attacks. 

Your typical cloud workload configuration is (often unnecessarily) more complex than the traditional VM or on-prem workload configuration, with (often overly permissive) machine identities accessing cloud resources. Gaining complete visibility into cloud workload configurations can be very challenging, considering the many layers of abstraction involved, including container security, network security, and hypervisor. 

The speed at which granular components of microservices (pods) are deployed and their often unpredictable lifespans make it virtually impossible to secure and monitor each individual node or pod. Traditional network firewalls are not a solution either – IP addresses in a cloud-based infrastructure change frequently. Firewalls also don't protect against threats already lurking in the network. 

Why Zero Trust is the Key

To stay ahead of threats to cloud workload security, many manufacturers are adopting a different framework that protects each individual workload or resource – a zero trust architecture (ZTA). 

Zero trust is considered a strategic approach to cybersecurity that follows a simple directive: 'Never trust, always verify.' Essentially, entities in the system (human and machine) must have only the minimal access permissions required to perform their tasks. Their identity and access permissions are continuously validated with every interaction and across all applications. 

Zero trust for workloads is a unique domain in the zero trust security architecture. Unlike traditional zero trust policies that account for north/south traffic, zero trust for workloads also considers east/west communications between various services, applications, and data stores in your cloud.

The shift-left security approach to application security is not a new concept. But, in a cloud-native context, it also applies to securing the infrastructure behind those applications by implementing the same cybersecurity tools and processes on codified infrastructure – infrastructure as code (IaC). 'We’ll protect it in production' may no longer be a valid tactic in a cloud-native world.

DevOps teams today must bridge the gap between development velocity and continuous workload security from day one. They can achieve this by adopting DevSecOps principles and using zero-trust policies with enforcement automation to secure cloud workloads at the earliest stages of development.

A shift in how development teams treat the code they deploy to the cloud is not enough, especially if you already have cloud workloads that need protection. The first step in managing your existing cloud workloads is to identify and categorize each based on cyber risk, purpose, and criticality to business continuity and operations. At this point, you will also need to record the internal and external gateways for connectivity, creating a workload profile that helps you identify which components require authorization and access.

This is where zero trust really comes into play. To ensure that cloud workloads can communicate with other workloads or resources only under a very specific set of associated conditions, you must create and enforce least privilege access policies across your cloud workloads. Achieving this may require multiple levels of security, including Identity and Access Management (IAM) and IDS/IPS solutions.

Cloud workloads are especially attractive targets for a wide range of cyber attacks. It’s no longer about breaching a clearly defined perimeter around a server but finding a tiny hole in some untested functionality or unpatched vulnerability in a cloud-based workload. 

Zero trust architecture is a strategic approach to all things InfoSec. In the context of cloud workload security, it involves shifting left infrastructure security, identifying your workloads, and automating the enforcement of policies that protect them throughout their lifecycle.

More in Cybersecurity