“Trust but verify” may once have seemed like a wise access policy. But the growing number of threats, from the inside as well as from the outside, has forced enterprises to rethink their access controls and implement stronger data loss prevention measures. That’s where Google’s Zero Trust model comes into play.
Perimeter security or perimeter protection is a security solution that utilizes physical and software technology systems to protect from unauthorized access and intrusion, with the goal of detecting and deterring unwanted intrusions, to prevent theft, vandalism and risks to public safety.
There are two main problems with the traditional perimeter-centric network approach from a security perspective.
First, if we focus all our resources on establishing external barriers while ignoring similar protections internally, then it only takes one crack in the dyke for our data protection levee to break.
Second, it turns out that blithely ignoring half of each public network transaction – for example, assuming all outbound traffic is valid – essentially guarantees that when (not if) your system is breached, the bad guys will have free rein to do whatever they want … in many cases, without you even knowing that they’re doing it. Phishing is one example of an “insider threat” that has proven extremely difficult to combat under traditional network security concepts. (I myself have clicked on those links, as I know you have, too.)
When 20 big tech companies were attacked in 2009, the industry realized that their cloud network security needed a serious overhaul. Data protection came into the spotlight. New measures, especially for sensitive data, were devised and implemented.
A Zero Trust security model came to be the industry standard. As many as 83% of global organizations are committed to migrating to zero trust security policies, according to the latest (2022) Forrester research.
Zero trust is a security model used to secure an organization based on the idea that no person or device should be trusted by default, even if they are already inside an organization’s network. A zero-trust approach aims to remove implicit trust by enforcing strict identity authentication and authorization throughout the network, not just at a trusted perimeter. In this model, every request to access resources is treated as if it comes from an untrusted network until it has been inspected, authenticated, and verified.
1. Assume all network traffic is a threat, at all times: Zero trust takes the view that every user is potentially hostile and that threats are omnipresent, both inside and outside the network. Therefore, any traffic that does not have explicit permission is denied by default. Every device, user, and network flow is authenticated, authorized, and validated when it requests access, and re-validated on an ongoing basis.
2. Enforce least-privileged access: Zero-trust security approaches grant least-privilege access, that is, the minimum privileges and access to the necessary resources, only when they are needed, without impairing the ability to complete a task. Least-privilege access restricts an attacker's ability to move laterally to more critical resources if an account or device is compromised.
3. Always monitor: The zero-trust model advocates continuous monitoring, analysis, and management of activity on the network at all times. This enables a real-time understanding of which entities are trying to access resources and helps identify potential threats, active incidents, and any anomalies that should be investigated.
4. Micro-segmentation: Implement network segmentation at a micro level, dividing the network into smaller, isolated segments. This prevents lateral movement within the network and limits the impact of a security breach.
5. Data-centric security: Prioritize the protection of data by implementing encryption, access controls, and monitoring at the data level. This ensures that even if a breach occurs, the exposure and impact on sensitive information are minimized.
The Zero Trust model is essential due to the changing landscape of data breaches. With cloud computing and remote work, traditional perimeters are porous, and data is dispersed globally. Breaches often result from compromised accounts, social engineering, and weak third-party security. Recognizing threats from both inside and outside the network, organizations need a robust, adaptable approach. Zero Trust incorporates defense-in-depth but focuses on minimizing the threat surface. It aims to secure environments without exhaustive identification of threats, providing unified, comprehensive protection for distributed setups while enabling secure access.
1. Improved Security Measures: The first and most obvious benefit of zero trust is that it improves your company’s security posture. Zero trust requires verified identity and device context, meaning that only authorized users can access corporate resources, and they can only do so from verified devices. In a well-implemented Zero Trust environment, asset management is required. This includes understanding the context of endpoints (location, OS version, etc.) and allowing user access only when both the user and the device meet policy guidelines. Beyond that, access controls are granular: a given user is granted access to a specific application rather than to the network as a whole.
2. Greater Control: Leveraging the 5-pillar model ensures that controls such as micro-segmentation are deployed based on the policies of the agency. In most networks today, controls are static (think of firewall rules) and are limited to a single pillar (device vs. network). More mature Zero Trust deployments will have automated controls (such as shunting traffic or forcing re-authentication) triggered by out-of-policy activity. These controls will also be based on real-time anomalous behaviors and multi-pillar analysis.
3. Increased Visibility: Another important benefit of zero trust is that it increases visibility into your network traffic. Beyond continuous authentication, zero trust requires continuous device, network, and application monitoring. Visibility into your environment will be better than ever, which allows anomalous behavior to be identified and addressed. Analytics tools allow machines to take on the load of sifting through the good to find the bad. Additionally, AI and ML will be used to provide near-real-time malware detection and mitigation by leveraging threat intelligence feeds.
4. Improved Compliance: Though Zero Trust was created in the private sector, it quickly became a focus for the public sector. NIST (the National Institute of Standards and Technology) has worked on defining Zero Trust and providing guidance on achieving it over the last 5 years. Because of this pedigree, the Zero Trust framework cross-references a great deal of compliance guidance, so implementing it helps deliver on those requirements as well.
5. Increased Efficiency: As described in the DHS Zero Trust Maturity model, automation is a key component to achieving advanced and optimal status. The goal of automation is to remove the need for human intervention in basic security functions such as patching and updating configurations. This becomes easier as more tools become software defined and agencies move to infrastructure as code methods. These enabling tools will not only make agencies more secure by minimizing human modification, but also make processes more efficient and timelier.
Now we'll explore the steps to implement Zero Trust Security on GCP.
1. Identity and Access Management (IAM): IAM is the foundation of Zero Trust Security on GCP. It allows you to define who can access your resources and what actions they can perform.
Start by following these best practices:
Principle of Least Privilege: Assign the minimum permissions necessary for each user or service account to perform their job.
Multi-Factor Authentication (MFA): Enforce MFA for all users accessing GCP resources to ensure an extra layer of security.
Regular Review: Periodically review and audit IAM policies to ensure they're up-to-date and aligned with your organization's needs.
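The "regular review" step above can be partly automated. The following is an added example written for this article, not Google's code: it audits a project IAM policy for the two most common least-privilege violations, basic roles (owner/editor/viewer) and public principals, and treats a service account holding a basic write role as the most severe case because its credentials are long-lived and never answer an MFA prompt. SAMPLE_POLICY is a constructed policy in the shape that `gcloud projects get-iam-policy PROJECT_ID --format=json` returns; every principal, project name and etag in it is made up.

```python
"""Audit a GCP project IAM policy for least-privilege violations.

Added example for this article, not Google's code. SAMPLE_POLICY is a
constructed policy in the shape that
`gcloud projects get-iam-policy PROJECT_ID --format=json` returns; every
principal, project name and etag in it is made up.
"""

# Basic roles grant thousands of permissions across every service in the
# project; Zero Trust policies replace them with predefined or custom roles.
BASIC_ROLES = {"roles/owner": "HIGH", "roles/editor": "HIGH", "roles/viewer": "MEDIUM"}
# Principals that make the bound resource reachable by anyone.
PUBLIC_PRINCIPALS = {"allUsers", "allAuthenticatedUsers"}

SAMPLE_POLICY = {  # constructed sample
    "version": 3,
    "etag": "BwX-constructed=",
    "bindings": [
        {"role": "roles/owner",
         "members": ["user:alice@example.com",
                     "serviceAccount:ci-builder@example-project.iam.gserviceaccount.com"]},
        {"role": "roles/storage.objectViewer", "members": ["allUsers"]},
        {"role": "roles/logging.viewer", "members": ["group:sec-ops@example.com"]},
        {"role": "roles/editor", "members": ["user:bob@example.com"],
         "condition": {"title": "break-glass until Jan 1",
                       "expression": "request.time < timestamp('2024-01-01T00:00:00Z')"}},
    ],
}


def audit_policy(policy: dict) -> list[dict]:
    """Return one finding per (member, role) pair that breaks least privilege."""
    findings = []
    for binding in policy.get("bindings", []):
        role = binding["role"]
        conditional = "condition" in binding
        for member in binding.get("members", []):
            if member in PUBLIC_PRINCIPALS:
                findings.append({"member": member, "role": role, "severity": "HIGH",
                                 "reason": "public principal grants access to anyone"})
            if role in BASIC_ROLES:
                severity = BASIC_ROLES[role]
                reason = "basic role is far broader than any single task needs"
                # A non-human identity with project-wide write access is the
                # worst case: its key can be stolen and it never answers MFA.
                if member.startswith("serviceAccount:") and severity == "HIGH":
                    severity = "CRITICAL"
                    reason = "service account holds a basic write role"
                if conditional:
                    reason += " (time-bound by an IAM condition; verify it has not lapsed)"
                findings.append({"member": member, "role": role,
                                 "severity": severity, "reason": reason})
    return findings


def summarize(findings: list[dict]) -> dict:
    """Count findings per severity so the result can feed a dashboard or a CI gate."""
    counts = {}
    for finding in findings:
        counts[finding["severity"]] = counts.get(finding["severity"], 0) + 1
    return counts


if __name__ == "__main__":
    results = audit_policy(SAMPLE_POLICY)
    for f in results:
        print(f"[{f['severity']}] {f['member']} -> {f['role']}: {f['reason']}")
    print(summarize(results))
```

Run against a real project by piping the `gcloud` JSON output into `json.load` and passing the result to `audit_policy`; a non-empty CRITICAL count is a reasonable condition for failing a periodic review job.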
2. BeyondCorp Implementation: BeyondCorp is Google's implementation of Zero Trust Security. It focuses on securing access to applications and services, regardless of where users are located.
To implement BeyondCorp on GCP:
Use Identity-Aware Proxy (IAP): IAP allows you to define fine-grained access controls based on user and device attributes, providing secure access to web applications running on GCP.
Context-aware Access: Implement context-aware access policies to make access decisions based on user context and device health.
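To make the "access decisions based on user context and device health" concrete, here is an added example written for this article; it is a simplified model, not Google's IAP or Access Context Manager implementation. The policy fields (allowed_groups, require_mfa, the device requirements, corp_ranges), the request attributes and the two sample requests are all assumptions constructed to show a deny-by-default decision: every check must pass, every failure is reported, and being on the corporate network is recorded only as context and never substitutes for identity and device checks.

```python
"""Simplified model of a context-aware access decision in front of a web app.

Added example for this article; it is not Google's IAP or Access Context
Manager implementation. The policy fields, request attributes and sample
requests are assumptions constructed to illustrate deny-by-default
decisions that use user and device context.
"""
import ipaddress

POLICY = {  # assumed policy shape
    "app": "internal-dashboard",
    "allowed_groups": {"dashboard-users@example.com"},
    "require_mfa": True,
    "device": {
        "require_corp_managed": True,
        "require_disk_encryption": True,
        "min_os_version": {"macos": (13, 0), "windows": (10, 0), "linux": (0, 0)},
    },
    # Recorded as context only: being on the corporate network never
    # substitutes for identity and device checks.
    "corp_ranges": [ipaddress.ip_network("198.51.100.0/24")],
}


def parse_version(version: str) -> tuple:
    """'14.2' -> (14, 2) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


def evaluate(request: dict, policy: dict = POLICY) -> dict:
    """Deny by default: allow only when every check passes; list every failure."""
    reasons = []
    if not set(request.get("groups", ())) & policy["allowed_groups"]:
        reasons.append("user is not in an allowed group")
    if policy["require_mfa"] and not request.get("mfa_verified"):
        reasons.append("session was not authenticated with MFA")

    device = request.get("device", {})
    dpol = policy["device"]
    if dpol["require_corp_managed"] and not device.get("corp_managed"):
        reasons.append("device is not corp-managed")
    if dpol["require_disk_encryption"] and not device.get("disk_encrypted"):
        reasons.append("device disk is not encrypted")
    minimum = dpol["min_os_version"].get(device.get("os"))
    if minimum is None:
        reasons.append(f"unsupported OS {device.get('os')!r}")
    elif parse_version(device.get("os_version", "0")) < minimum:
        reasons.append("OS version is below the policy minimum")

    ip = ipaddress.ip_address(request["source_ip"])
    on_corp_network = any(ip in net for net in policy["corp_ranges"])
    return {"allow": not reasons, "reasons": reasons,
            "context": {"on_corp_network": on_corp_network}}


# Constructed sample requests.
HEALTHY_REMOTE = {
    "user": "alice@example.com", "groups": ["dashboard-users@example.com"],
    "mfa_verified": True, "source_ip": "203.0.113.5",
    "device": {"corp_managed": True, "disk_encrypted": True,
               "os": "macos", "os_version": "14.2"},
}
UNMANAGED_ON_CORP_LAN = {
    "user": "alice@example.com", "groups": ["dashboard-users@example.com"],
    "mfa_verified": True, "source_ip": "198.51.100.9",
    "device": {"corp_managed": False, "disk_encrypted": False,
               "os": "macos", "os_version": "12.6"},
}

if __name__ == "__main__":
    for name, req in [("healthy remote", HEALTHY_REMOTE),
                      ("unmanaged on LAN", UNMANAGED_ON_CORP_LAN)]:
        print(name, evaluate(req))
```

The second sample is the instructive one: the same user, with MFA, coming from inside the corporate address range, is still denied because the device fails three health checks. That is the difference between a perimeter decision and a Zero Trust decision.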
3. Implement network security: Network security is another important component of zero trust security. It helps to protect your resources from unauthorized access and attacks. When implementing network security, it is important to micro-segment your network and implement strong security controls for each segment.
To implement network security, GCP offers a number of network security features and services:
Cloud Firewall: Cloud Firewall is a stateful firewall that allows you to control traffic to and from your GCP resources.
Cloud VPN: Cloud VPN provides a secure way to connect your on-premises network to your GCP network.
Cloud Interconnect: Cloud Interconnect provides a dedicated connection between your on-premises network and your GCP network.
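Micro-segmentation fails quietly when a single firewall rule admits the whole internet to every VM in a network. The following is an added example written for this article, not Google's code: it audits a list of VPC firewall rules and flags enabled ingress rules whose source range covers all addresses, rating them by what they expose and noting when a rule is unscoped (no target tags or target service accounts, so it applies network-wide). SAMPLE_RULES is a constructed list in the shape that `gcloud compute firewall-rules list --format=json` returns; the rule and network names are made up.

```python
"""Audit VPC firewall rules for coarse, internet-exposed ingress.

Added example for this article, not Google's code. SAMPLE_RULES is a
constructed list in the shape that
`gcloud compute firewall-rules list --format=json` returns; rule and
network names are made up.
"""
import ipaddress

ADMIN_PORTS = {22, 3389, 5985, 5986}  # SSH, RDP, WinRM

SAMPLE_RULES = [  # constructed sample
    {"name": "allow-ssh-anywhere", "direction": "INGRESS", "disabled": False,
     "network": "global/networks/default", "sourceRanges": ["0.0.0.0/0"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
    {"name": "allow-everything", "direction": "INGRESS", "disabled": False,
     "network": "global/networks/default", "sourceRanges": ["0.0.0.0/0"],
     "allowed": [{"IPProtocol": "all"}]},
    {"name": "allow-app-from-lb", "direction": "INGRESS", "disabled": False,
     "network": "global/networks/prod", "sourceRanges": ["10.20.0.0/16"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["8080-8081"]}],
     "targetTags": ["app-tier"]},
    {"name": "legacy-rdp", "direction": "INGRESS", "disabled": True,
     "network": "global/networks/prod", "sourceRanges": ["0.0.0.0/0"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["3389"]}]},
    {"name": "default-egress", "direction": "EGRESS", "disabled": False,
     "network": "global/networks/prod", "destinationRanges": ["0.0.0.0/0"],
     "allowed": [{"IPProtocol": "all"}]},
]


def ports_covered(port_specs: list[str]) -> set[int]:
    """Expand gcloud port specs ('22', '8080-8081') into a set of port numbers."""
    ports = set()
    for spec in port_specs:
        low, _, high = spec.partition("-")
        ports.update(range(int(low), int(high or low) + 1))
    return ports


def is_world_reachable(rule: dict) -> bool:
    """True if any source range covers the whole IPv4 or IPv6 address space."""
    return any(ipaddress.ip_network(r).prefixlen == 0
               for r in rule.get("sourceRanges", []))


def audit_rules(rules: list[dict]) -> list[dict]:
    """Return one finding per allowed entry of each internet-reachable ingress rule."""
    findings = []
    for rule in rules:
        if rule.get("disabled") or rule.get("direction") != "INGRESS":
            continue
        if not is_world_reachable(rule):
            continue
        # No target tags or target service accounts means the rule applies to
        # every VM in the network: the opposite of micro-segmentation.
        unscoped = not (rule.get("targetTags") or rule.get("targetServiceAccounts"))
        for allowed in rule.get("allowed", []):
            proto = allowed["IPProtocol"]
            if proto == "all":
                severity, detail = "CRITICAL", "all traffic"
            elif "ports" not in allowed:
                severity = "CRITICAL" if proto in ("tcp", "udp") else "MEDIUM"
                detail = f"all {proto} traffic"
            else:
                admin = sorted(ports_covered(allowed["ports"]) & ADMIN_PORTS)
                if admin:
                    severity, detail = "HIGH", f"admin ports {admin}"
                else:
                    severity, detail = "MEDIUM", f"{proto} ports {allowed['ports']}"
            findings.append({"rule": rule["name"], "network": rule["network"],
                             "severity": severity, "unscoped": unscoped,
                             "detail": f"internet ingress to {detail}"})
    return findings


if __name__ == "__main__":
    for f in audit_rules(SAMPLE_RULES):
        scope = "applies to whole network" if f["unscoped"] else "scoped"
        print(f"[{f['severity']}] {f['rule']} ({f['network']}): {f['detail']}; {scope}")
```

The scoped, internal-only rule and the disabled rule produce no findings, which is the point: the audit is meant to surface the few rules that undo segmentation, not to list everything.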
4. Implement workload security: Workload security helps to protect your applications and data from unauthorized access and attacks.
GCP offers a number of workload security features and services:
Cloud Armor: Cloud Armor is a web application firewall that protects your applications from web attacks.
Cloud Intrusion Detection System (IDS): Cloud IDS detects malicious traffic to and from your GCP resources.
Cloud Key Management Service (KMS): Cloud KMS provides a secure way to manage encryption keys.
When implementing workload security for zero trust security, it is important to encrypt your data at rest and in transit. You should also implement strong security controls for your applications, such as input validation and access control lists.
Data encryption is crucial in a Zero Trust Security model. Ensure data protection with:
Encryption at Rest: Enable data encryption at rest for all storage services, such as Cloud Storage, Cloud SQL, and Bigtable.
Encryption in Transit: Use TLS/SSL to encrypt data in transit between users and your GCP services.
5. Implement monitoring and logging: Monitoring and logging are essential for detecting and responding to security threats.
GCP offers a number of monitoring and logging features and services:
Cloud Monitoring: Cloud Monitoring provides a unified view of the performance, health, and availability of your GCP resources. Set up alerts and monitoring in Cloud Monitoring to detect unusual activity.
Cloud Logging: Cloud Logging collects and analyzes logs from your GCP resources.
Cloud Security Command Center: Cloud Security Command Center provides a central console for managing and responding to security threats.
When implementing monitoring and logging for zero trust security, it is important to collect and analyze logs from all of your GCP resources. You should also implement alerts so that you can be notified of any security threats or suspicious activity.
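The alerting described above needs concrete detection logic. Here is an added example written for this article, not Google's code: it runs three rules over Admin Activity audit-log entries, alerting on grants of a basic role, on a resource being opened to allUsers/allAuthenticatedUsers, and on creation of a user-managed service-account key (a long-lived credential that bypasses MFA and device checks). SAMPLE_LOG_LINES are constructed entries in the JSON shape Cloud Logging uses (protoPayload with methodName, authenticationInfo and, for IAM changes, serviceData.policyDelta.bindingDeltas); the method names are the ones Cloud Audit Logs document for these operations, while every principal, IP address and resource name is made up.

```python
"""Detection logic over Cloud Audit Log entries exported from Cloud Logging.

Added example for this article, not Google's code. SAMPLE_LOG_LINES are
constructed Admin Activity audit-log entries in the JSON shape Cloud Logging
uses; every principal, IP address and resource name in them is made up.
"""
import json

BASIC_ROLES = {"roles/owner", "roles/editor"}
PUBLIC_PRINCIPALS = {"allUsers", "allAuthenticatedUsers"}
# IAM changes on projects and on Cloud Storage buckets use different method names.
IAM_CHANGE_METHODS = {"SetIamPolicy", "storage.setIamPermissions"}
# A user-managed service-account key is a long-lived credential that bypasses
# MFA and device checks entirely, so its creation deserves an alert.
KEY_CREATION_METHOD = "google.iam.admin.v1.CreateServiceAccountKey"


def _entry(method, resource, actor, ip, deltas=None):
    """Build one constructed log line (helper for the sample data only)."""
    payload = {
        "methodName": method,
        "resourceName": resource,
        "authenticationInfo": {"principalEmail": actor},
        "requestMetadata": {"callerIp": ip},
    }
    if deltas is not None:
        payload["serviceData"] = {"policyDelta": {"bindingDeltas": deltas}}
    return json.dumps({
        "timestamp": "2024-05-01T10:00:00Z",
        "logName": "projects/example-project/logs/cloudaudit.googleapis.com%2Factivity",
        "protoPayload": payload,
    })


SAMPLE_LOG_LINES = [  # constructed sample, one JSON object per line
    _entry("SetIamPolicy", "projects/example-project", "alice@example.com", "203.0.113.7",
           [{"action": "ADD", "role": "roles/owner", "member": "user:mallory@example.net"}]),
    _entry("storage.setIamPermissions", "projects/_/buckets/customer-exports",
           "bob@example.com", "203.0.113.8",
           [{"action": "ADD", "role": "roles/storage.objectViewer", "member": "allUsers"}]),
    _entry(KEY_CREATION_METHOD,
           "projects/-/serviceAccounts/ci-builder@example-project.iam.gserviceaccount.com",
           "alice@example.com", "203.0.113.7"),
    _entry("SetIamPolicy", "projects/example-project", "carol@example.com", "203.0.113.9",
           [{"action": "ADD", "role": "roles/logging.viewer", "member": "group:sec-ops@example.com"},
            {"action": "REMOVE", "role": "roles/owner", "member": "user:former-admin@example.com"}]),
]


def detect(lines) -> list[dict]:
    """Return one alert per suspicious action found in the log lines."""
    alerts = []
    for line in lines:
        entry = json.loads(line)
        p = entry["protoPayload"]
        base = {"time": entry["timestamp"], "resource": p["resourceName"],
                "actor": p["authenticationInfo"]["principalEmail"],
                "ip": p.get("requestMetadata", {}).get("callerIp")}
        if p["methodName"] == KEY_CREATION_METHOD:
            alerts.append({**base, "rule": "sa_key_created", "severity": "HIGH"})
            continue
        if p["methodName"] not in IAM_CHANGE_METHODS:
            continue
        deltas = p.get("serviceData", {}).get("policyDelta", {}).get("bindingDeltas", [])
        for d in deltas:
            if d["action"] != "ADD":
                continue  # removals tighten policy; only new grants are interesting here
            if d["role"] in BASIC_ROLES:
                alerts.append({**base, "rule": "basic_role_granted", "severity": "HIGH",
                               "role": d["role"], "member": d["member"]})
            if d["member"] in PUBLIC_PRINCIPALS:
                alerts.append({**base, "rule": "resource_made_public", "severity": "HIGH",
                               "role": d["role"], "member": d["member"]})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG_LINES):
        print(f"[{alert['severity']}] {alert['rule']}: {alert['actor']} on {alert['resource']}")
```

The fourth entry is deliberately benign (a narrow viewer role granted to a group, and an owner binding removed) and produces nothing, which keeps the alert stream focused on privilege expansion rather than on every IAM change.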
Implementing Zero Trust Security on Google Cloud Platform represents a forward-thinking strategy for protecting your organization's assets and data. Strengthen your security stance by implementing rigorous access controls, network segmentation, data encryption, and ongoing threat monitoring. These measures not only bolster security but also lower the likelihood of data breaches. Maintain a vigilant stance, adapt to evolving threats, and routinely revise and enhance your security protocols to remain resilient in the ever-evolving cybersecurity landscape.