CIO

Zero-trust models can fix cloud security, but most firms are sticking to (very) old tricks

Software-defined perimeters make endpoints justify themselves, but standards and tools are still evolving

Most businesses have been unquestioningly relying on 90s-era virtual private networks (VPNs) for so long that they aren’t conceptually or technologically ready to embrace a step change that would resolve a host of cloud security issues, a technical specialist has noted.

The transition to cloud computing had fundamentally changed security models by forcing companies to rework their secure access controls, but Zscaler director of emerging technology solutions Lisa Lorenzin told CSO Australia that these changes often weren’t explicitly addressed and users were struggling to retrofit old VPN-styled technology to the new environment.

“People were using the idea of cloud as a get out of jail free card about security, when really it was just moving the problem from one point to another,” she said.

“They were struggling with moving private applications from the data centre to the cloud. The user experience just kept getting worse and worse, and users didn’t realise how bad it was. But we’re still doing basically the same thing that we were 20 years ago.”

New zero-trust architectures address a core difficulty of the previous, access-based VPN idea – namely, that authentication is a one-time affair that unlocks access to all authorised resources.

This idea may work in closed corporate networks, but in the cloud arena, myriad authentication mechanisms, network architectures, and widely distributed applications and data have outmanoeuvred the capabilities of point-to-point encrypted connections.

A zero-trust model replaces this approach, forcing every connected element – whether a user, application, infrastructure component, remote site, or device – to authenticate itself to the network on a regular basis.

“In today’s world, you need to connect a user from everywhere to an application that can be anywhere,” Lorenzin explained. “And when you think about granting access, you want to be able to know not only who the user is, but why they need access.”

This model will be enabled by a software-defined perimeter (SDP) in which access rights are controlled through policies that can be easily updated and propagated across both on-premises and cloud environments. SDP architectures can also integrate other device-provided authentication factors, such as the location of the device in question.

Since no device is given free rein to access network resources, Lorenzin explained, the zero-trust model is intrinsically both more flexible and more secure than point-to-point architectures – and this, among other benefits, eliminates the possibility of lateral movement on which attackers routinely depend to explore infiltrated networks.

“The perimeter has always been the thing around the edge of your network,” she said, “but the perimeter is the wrong place to focus for security. An SDP allows for application-based microsegmentation where the perimeter is applied at the user and application level, rather than at the network level.”
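The contrast described above, as an added illustration that is not from the article or from any vendor's product: a default-deny policy check evaluated on every request, set against VPN-style one-time authentication. The users, applications, locations and the 15-minute re-authentication interval are constructed assumptions.

```python
"""Per-request access decisions: VPN-style login versus a software-defined perimeter."""
from dataclasses import dataclass

MAX_AUTH_AGE_S = 900  # assumed interval after which identity must be re-verified


@dataclass(frozen=True)
class Request:
    user: str
    app: str
    location: str    # device-reported location, one of the extra factors
    auth_age_s: int  # seconds since the identity was last verified


# Constructed policy: each rule names one user, one application and the
# locations it applies from. Anything not listed is denied.
POLICY = [
    {"user": "alice", "app": "payroll", "locations": {"AU"}},
    {"user": "alice", "app": "wiki", "locations": {"AU", "NZ"}},
    {"user": "bob", "app": "wiki", "locations": {"AU"}},
]


def vpn_allows(authenticated_once: bool, req: Request) -> bool:
    """Legacy model: one successful login unlocks every reachable application."""
    return authenticated_once


def sdp_decide(req: Request, policy=POLICY) -> tuple[bool, str]:
    """Zero-trust model: every request is evaluated, and the default is deny."""
    if req.auth_age_s > MAX_AUTH_AGE_S:
        return False, "re-authentication required"
    for rule in policy:
        if rule["user"] == req.user and rule["app"] == req.app:
            if req.location in rule["locations"]:
                return True, "allowed by rule"
            return False, "location not permitted"
    return False, "no rule for this user and application"


def reachable_apps(user: str, location: str, apps, policy=POLICY):
    """Applications a freshly authenticated session can reach: the lateral-movement surface."""
    return sorted(a for a in apps
                  if sdp_decide(Request(user, a, location, 0), policy)[0])


if __name__ == "__main__":
    stolen = Request("bob", "payroll", "AU", 0)  # bob's session probing another app
    print("VPN:", vpn_allows(True, stolen))      # True: the tunnel is already open
    print("SDP:", sdp_decide(stolen))            # denied: no rule covers bob and payroll
    print("bob can reach:", reachable_apps("bob", "AU", ["payroll", "wiki", "hr"]))
```

Because the perimeter is drawn per user and per application, a compromised session can reach only what its own rules name, which is the property that limits lateral movement.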

Poor control over internal access between applications facilitates attacks such as the ongoing compromise of Germany’s government IT network, which has been reportedly linked to Russia’s GRU military intelligence agency. That attack was, by reports, first detected in December but was still ongoing as of the beginning of March.

Despite the recognition that a zero-trust network can reset the security bar, however, “most companies today aren’t ready to go fully to zero-trust,” Lorenzin said. “They’re still trying to solve the remote access use case, the cloud application use case, and the M&A use case.”

Switching authentication infrastructure in midstream is intrinsically difficult, particularly because standards are still evolving and ubiquitous zero-trust networking requires broad adherence to a suitable standard.

The increasingly capable SAML (Security Assertion Markup Language) was streamlining the exchange of endpoint information, but its application across different vendors and products still needed to be standardised before it could become an enabler for zero-trust cloud and on-premises environments.

“Standards are written to enable a technical use case,” Lorenzin said, “but you can’t just write a standard and throw it over the wall and expect people to know how to use it. SAML will be a good start.”

In the meantime, some companies were using the occasion of their cloud migration to lay plans for an authentication overhaul built around zero-trust concepts, with SDP technologies as the enabler and enforcer. But it’s not a change that will come overnight, Lorenzin warned.

“We are well on the path of solving today’s problems with the software-defined perimeter,” she said, “but it’s going to be 3 to 5 years before SDP solutions really start to be leveraged to their full power.”

“This will be something adopted because it solves the problem of the endpoint being unsecurable and the user always being the weak link; having something that’s flexible enough to serve both use cases is critical, and that will differentiate success from failure.”