Zero Trust as Security Strategy to Prevent Data Exfiltration in the Cloud

Author: Gary Carrera, MBA, CISA, CISM, CDPSE, HITRUST CCSFP, ISO 27001 Internal Auditor; Manager, Governance, Risk and Compliance at Meta
Date Published: 30 March 2022

Before diving into how zero trust security can factor into cloud security, it is worth clarifying that zero trust is not a new concept, nor is it a new technology that you can simply implement in your infrastructure to enhance the security of your data. The zero trust concept started back in the early 1990s and is an aggregation of various elements that can be summarized as never allowing implicit access and instead enforcing continuous validation.

Zero trust challenges the traditional network architecture focused on perimeter defense built regularly with firewalls and VPNs. The concept requires additional levels of granular verification and access control to ensure individuals can only access the data and resources they need.

Zero trust has three core principles:

  1. Never Trust, Always Verify: In simple terms, this principle refers to the action of rejecting implicit access to all data and network resources for devices connected inside the network or through a secure VPN channel. In a traditional architecture based on perimeter security, once you are connected through a valid network point, you may access various resources and data. Zero trust goes beyond this by requiring continuous verification and allowing access only to the data and resources needed, and only after device trust verification.
  2. Implement Least Privilege: This is not a strange concept for security professionals; role-based access control prevents devices and individuals from accessing data and resources they don’t need and limits access on a least-privilege basis.
  3. Assume Breach: This is an interesting principle; if we try to stay ahead of an attacker, we need to assume that a compromised device and a set of credentials will result in the exfiltration of confidential and sensitive information. Once the attacker is inside the network, lateral movement could expand the attack surface.

Figure: Core zero trust logical components (source: NIST SP 800-207)

Several logical components make up a zero trust architecture (ZTA) deployment. These components may be operated as an on-premises service or through a cloud-based service. Here is a list of some of these components:

  • Policy Engine (PE): Makes the ultimate decision to grant or deny access to a resource for a particular subject requesting it
  • Policy Administrator (PA): Establishes and controls the communication path between the subject and the target resource based on the PE's decision
  • Policy Enforcement Point (PEP): Enables, monitors and terminates connections, cutting off those not compliant with policy

Additionally, other components support a ZTA deployment and could be implemented to enhance the result. Some of these additional components may include continuous diagnostics and mitigation (CDM), Security Information and Event Management (SIEM) logging, ID management, data access policies and threat intelligence feeds.

Zero Trust Architecture as a Security Strategy
As stated before, zero trust is not a piece of technology that on its own can achieve the goal of zero trust. ZTA is rather a security strategy to reduce the risk of data exfiltration and of lateral movement if a cybersecurity attack results in a data breach, by implementing a set of concepts to continuously monitor and validate access to data and network resources.

Implementing ZTA requires a combination of advanced technologies such as multi-factor authentication (MFA), mobile device management (MDM), identity and access management (IAM), next-generation network security, and robust cloud security controls to validate users or devices when accessing data and network resources at a particular point in time.

ZTA also requires strong organizational controls supporting the technologies in use: access control protocols such as role-based access and least privilege are essential for ZTA. More importantly, ZTA requires a clear understanding of the assets hosted in a corporate network or a cloud service.

Not so long ago, companies had better control over the devices and users connecting to data and network resources. This has drastically changed with the increase in the remote workforce influenced by the COVID-19 pandemic.

The recent changes in the IT architecture landscape forced companies to adopt large-scale deployments of VPNs, PKI certificates, MDM and other technologies for better control and visibility over devices and users accessing data and network resources. The operating models adopted by different businesses have also pushed for a massive increase in the use of cloud services to allow faster connectivity and easier collaboration between the workforce now in a hybrid remote/onsite arrangement.

The NIST Special Publication 800-207 contains an abstract definition of ZTA and proposed deployment models with use cases that companies can consider. In 2021, US President Biden’s administration issued an executive order mandating US federal agencies to adhere to NIST SP-800-207 as a required step to implement zero trust. This was the result of the increasing number of high-profile security breaches, such as the SolarWinds incident.

Zero Trust Architecture and Cloud Security
With the increasing use of cloud environments to support business operations, ZTA becomes critical to prevent exposure to data contained in such services.

In a scenario where a company uses Cloud Service A connected to a data source, the ZTA approach places policy enforcement points (PEPs) in Cloud Service A, or in a Cloud Service B that serves as a connection point between the devices and Cloud Service A. The PEPs contain policies to route validated endpoints and users only to the specific resources they need.

ZTA in cloud security can be a combination of different technologies such as, but not limited to: 

  • MDM to enforce specific device policies on all endpoints. A device not compliant with the MDM requirements may not access the cloud service
  • PKI certificates to enhance device-level security by adding a layer that requires a valid certificate plus compliant MDM settings before allowing access
  • MFA to support identity and access management and minimize the risk of compromised credentials
  • Data stored in the cloud should be classified and labeled to enable strict access controls and ensure devices and users can only access the data they need, and only at the moment they need it
  • Encryption controls to prevent compromised data from being easily decoded by an attacker
  • Data loss prevention (DLP) to monitor unusual behavior in data traffic and generate alerts to reduce lateral movement
  • Logging to allow forensic analysis if a data breach occurs
  • PEPs to enforce logical rules for continuous validation of user-level access to resources in the cloud, with support from Policy Decision Points (PDPs).
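The following block is an added example, not code from the article or from NIST SP 800-207, that models the control flow described in the two lists above: a Policy Engine that evaluates a subject, its device posture and the target resource against device (MDM, PKI), identity (MFA, role) and data-classification policies, and a Policy Enforcement Point that re-asks the engine on every request and writes a JSON audit line for SIEM ingestion. All class names, the clearance table, the policy identifiers and the sample user, device and resource values are constructed for illustration.

```python
"""Toy zero-trust policy decision flow (added example; names and policies are hypothetical)."""
from dataclasses import dataclass
from enum import IntEnum
import json
from typing import FrozenSet, List


class Classification(IntEnum):
    """Data labels ordered by sensitivity; higher values require stronger validation."""
    PUBLIC = 0
    INTERNAL = 1
    CONFIDENTIAL = 2
    RESTRICTED = 3


@dataclass(frozen=True)
class Device:
    device_id: str
    mdm_compliant: bool  # posture reported by the MDM agent at request time
    cert_valid: bool     # device certificate issued by the corporate PKI is valid


@dataclass(frozen=True)
class Subject:
    user: str
    roles: FrozenSet[str]
    mfa_verified: bool   # MFA completed for the current session


@dataclass(frozen=True)
class Resource:
    name: str
    classification: Classification
    allowed_roles: FrozenSet[str]  # role-based access list (least privilege)


# Hypothetical clearance table: the highest classification each role may read.
ROLE_CLEARANCE = {
    "employee": Classification.INTERNAL,
    "analyst": Classification.CONFIDENTIAL,
    "dpo": Classification.RESTRICTED,
}


def policy_engine(subject: Subject, device: Device, resource: Resource) -> List[str]:
    """Policy Engine (PE): return the list of violated policies; an empty list means allow."""
    violations: List[str] = []
    # Device trust: MDM compliance is required for every resource, a PKI cert for confidential data.
    if not device.mdm_compliant:
        violations.append("device_not_mdm_compliant")
    if resource.classification >= Classification.CONFIDENTIAL and not device.cert_valid:
        violations.append("device_certificate_required")
    # Identity: MFA is required for anything above public data.
    if resource.classification >= Classification.INTERNAL and not subject.mfa_verified:
        violations.append("mfa_required")
    # Least privilege: the subject must hold a role on the resource's access list.
    if not (subject.roles & resource.allowed_roles):
        violations.append("role_not_authorized_for_resource")
    # Data classification: the best clearance among the subject's roles must cover the label.
    clearance = max((ROLE_CLEARANCE.get(r, Classification.PUBLIC) for r in subject.roles),
                    default=Classification.PUBLIC)
    if resource.classification > clearance:
        violations.append("classification_exceeds_role_clearance")
    return violations


class EnforcementPoint:
    """Policy Enforcement Point (PEP): consults the PE on every request and logs the decision."""

    def __init__(self) -> None:
        self.audit_log: List[str] = []  # JSON lines, one per decision, for SIEM forwarding

    def request(self, subject: Subject, device: Device, resource: Resource) -> bool:
        violations = policy_engine(subject, device, resource)
        allowed = not violations
        self.audit_log.append(json.dumps({
            "user": subject.user, "device": device.device_id, "resource": resource.name,
            "allowed": allowed, "violations": violations}))
        return allowed


def demo_continuous_validation():
    """Constructed scenario: the same user is re-evaluated on each request, so a device that
    falls out of MDM compliance mid-session loses access without any session being 'revoked'."""
    pep = EnforcementPoint()
    analyst = Subject("alice", frozenset({"analyst"}), mfa_verified=True)
    laptop = Device("lt-0001", mdm_compliant=True, cert_valid=True)
    customer_db = Resource("customer-db", Classification.CONFIDENTIAL, frozenset({"analyst", "dpo"}))
    first = pep.request(analyst, laptop, customer_db)
    # Posture drift: the MDM agent now reports the same laptop as non-compliant.
    drifted = Device("lt-0001", mdm_compliant=False, cert_valid=True)
    second = pep.request(analyst, drifted, customer_db)
    return first, second, pep.audit_log


if __name__ == "__main__":
    ok, denied, log = demo_continuous_validation()
    print("first request allowed:", ok, "| after posture drift allowed:", denied)
    print("\n".join(log))
```

The point of the structure is that no decision is cached: the PEP holds no session state of its own, so a change in device posture, MFA state or role membership takes effect on the very next request, which is what "continuous validation" means in practice. The violation list doubles as the detection signal; a SIEM rule that counts `allowed: false` lines per user or device is a cheap early indicator of a compromised credential being tried against resources it was never meant to reach.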

The following figure is a base representation of the implementation of ZTA core components with support from other technologies to enhance continuous validation and monitoring:

Figure: ZTA core components with supporting technologies (panel label: Control Plane)

Beyond NIST SP 800-207, various frameworks and initiatives support the enhancement of cloud security. The combination of the different concepts could result in a ZTA that prevents access to data and resources in the cloud unless continuous validation is achieved. Here are some of them:

  1. The industry-standard frameworks for cloud security support and combine the above concepts in various ways; adopting the Cloud Controls Matrix (CCM) v4 and the Security, Trust, Assurance, and Risk (STAR) Program from the Cloud Security Alliance is a great starting point when planning an implementation of a ZTA for a cloud service.
  2. ISO 27017:2015 is another comprehensive set of guidelines and security practices for cloud services based on ISO/IEC 27002; it has many similarities with CCM v4 and other standards, and can support ZTA deployments.
  3. ISACA and the Cloud Security Alliance recently partnered to produce the Certificate of Cloud Auditing Knowledge (CCAK) as the industry’s first global auditing credential and a perfect complement to the CISA and CCSP credentials. CCAK enhances the tools and knowledge available to support professionals in this field to identify opportunities to implement suitable and effective ZTAs.
  4. In the United States, the Chief Information Officers Council (CIO Council) has supported the development of Cloud Smart as a strategy to focus on security, procurement and workforce related to the use of cloud services. This strategy supports the core principles of ZTA.

Although in past years various companies (primarily cloud providers) have developed technologies that combined different elements to achieve zero trust, we need to remember that zero trust is a long-term security strategy that requires multiple layers of security controls and may be hard to implement with a single technology.

About the author: Gary Carrera is a Manager in the Global Data Protection Program at Meta. He has over 15 years of experience supporting large tech companies in Information Security and Privacy programs, most recently at Meta and Apple. He holds an MS in Business Administration and Project Management and CDPSE, CISM, CISA, CCSP, HITRUST CCSFP, ISO27001 among other certifications. The postings on this site are the author's own and don't necessarily reflect his employer's positions or opinions on the subject.