"Zero trust" is a security model that requires strict access controls, not trusting anything by default for any person, application, or service—even if it resides inside a network perimeter.
Zero trust has always been a good idea, and in the decade since Forrester coined the term, numerous cybersecurity vendors have jumped on the zero-trust bandwagon, slapping the term on their marketing.
But there are two problems with this overuse of terminology: Zero trust vendors don’t all agree on what it means, and even worse, the entire concept is now out of date, given the complexities of cloud-native computing and hybrid IT that weren’t even on the horizon back in 2009.
How the industry should update zero trust in today’s cloud-native computing world is the question I hoped to answer at this year’s Black Hat USA conference in Las Vegas. To this end, I whittled the list of vendor PR pitches down to four from companies that were breaking the zero-trust mold.
These four vendors exemplify what it means to offer zero trust security in a cloud-native context. Here are the emerging best practices.
Network security without IP addresses
IP addresses are central to traditional network security. In the cloud context, however, they may be hidden from view. Add Kubernetes to the mix, and inherently dynamic, ephemeral resources make IP addresses useless for dealing with security challenges.
Tigera is one vendor that sufficiently abstracts the network to provide zero-trust security without referencing IP addresses. It also offers continuous compliance and visibility, and threat detection that centers on Kubernetes but extends to hybrid IT and on-premises environments, including legacy ones.
The challenge with securing Kubernetes—and by extension, for cloud-native computing in general—is that Kubernetes itself is essentially wide open. Its designers expect and demand that vendors secure the platform via an abstracted, software-defined security layer.
Tigera makes this layer a reality, freeing zero-trust security from physical network characteristics such as IP addresses, instead locking down all traffic entering and leaving Kubernetes pods that does not come from an authorized source—either a person or an application.
[ Partner resource: Subscribe to Intellix's Cortex and Brain Candy Newsletters ]
Fingerprinting applications and users
Cloud-native zero-trust doesn’t rely on any particular physical network configuration. Instead, it focuses on who is able to do what when—in other words, it keeps track of the activities that specific people, applications, devices, and services should be able to accomplish when they interact with any endpoint—and it blocks all other behaviors.
To this end, Aporeto centers its zero-trust capabilities on its implementation of "application IDs" or "application fingerprints." With these fingerprints, Aporeto abstracts the entire network context, regardless of whether endpoints are in Kubernetes, AWS Lambda functions, or more traditional endpoints in virtual machines or on-premises servers.
As a result, it can secure such application endpoints across any infrastructure or any cloud. The resulting capabilities are perfect examples of next-generation zero-trust redefined for cloud-native computing, including microsegmentation independent of the network, just-in-time privileged access management giving admins SSH access for specific purposes only, and remote access management without VPNs.
While Aporeto fingerprints applications, newcomer Odo does something similar with users. Odo is the youngest vendor on this list, and it's in the process of rolling out its product, but what it has already accomplished is remarkable.
Odo is able to build a user context that takes into account not only physical network characteristics such as IP address and location, but also multifactor authentication data, certificate information, and time to create a dynamic picture of each individual.
It then uses this context to provide zero-trust access management for IT and DevOps personnel, as well as for applications that require internal data access.
Odo enables its customers to provide granular access for each corporate resource based on these dynamic, contextual access permissions. Odo also supports multi-cloud, multi-site, and multi-region environments today, and Kubernetes support is on the vendor’s road map.
Zero trust stalwart micro-segmentation reaches its third generation
Micro-segmentation has long been a part of the zero-trust story, but how vendors approach it has evolved substantially.
Early micro-segmentation focused on physical network characteristics, such as IP address, network address translation (NAT), and virtual LAN (VLAN). The next generation added a software-defined layer, enabling operators to establish and configure microsegments as a matter of policy, thus freeing them from their physical location in the network topology.
Edgewise reinvents micro-segmentation for the cloud-native world. It essentially moves micro-segmentation to a third, cloud-native generation.
Given the inherently dynamic and ephemeral nature of Kubernetes-orchestrated endpoints, combined with the full complexity of software-defined networking across hybrid IT landscapes, it’s becoming increasingly impractical to expect operators to deal with micro-segmentation policies manually—or even programmatically.
Instead, Edgewise applies machine learning (ML) to this challenge. It leverages patented, proprietary approach for gathering data across the entire hybrid network landscape in order to provide end-to-end visibility across the network while also providing the raw material that drives its ML algorithms.
The result is the ability to create and modify vast numbers of individual policies on a continual basis in order to adequately verify the identity of every user, device, and application in the environment—independent of IP addresses or other characteristics of the physical network.
Understanding the big picture of zero-trust in a cloud-native world
Even though cloud-native computing spans traditional virtualization, containers, and serverless computing within the broader hybrid IT context, today Kubernetes is at the center of the storm. And where Kubernetes goes, so too goes cloud-native computing.
To understand how zero-trust networking must evolve, therefore, it’s essential to understand how best to secure Kubernetes. Containers’ dynamic, ephemeral nature, as well as other essential Kubernetes properties such as stateless processing and declarative, configuration-driven behavior, require a top-to-bottom rethink of how zero-trust works.
But there's even more at stake here. The best practices that these vendors exemplify are rapidly becoming essential for cybersecurity in general. Enterprise IT security professionals can't afford to continue pouring billions of dollars into cybersecurity solutions that leave their organizations vulnerable to attack. Cloud-native zero-trust is shining a light on the path out of this quagmire.
None of the vendors mentioned in this article is an Intellyx client.
Keep learning
Learn from your SecOps peers with TechBeacon's State of SecOps 2021 Guide. Plus: Download the CyberRes 2021 State of Security Operations.
Get a handle on SecOps tooling with TechBeacon's Guide, which includes the GigaOm Radar for SIEM.
The future is security as code. Find out how DevSecOps gets you there with TechBeacon's Guide. Plus: See the SANS DevSecOps survey report for key insights for practitioners.
Get up to speed on cyber resilience with TechBeacon's Guide. Plus: Take the Cyber Resilience Assessment.
Put it all into action with TechBeacon's Guide to a Modern Security Operations Center.