Cloud adoption is still on the rise as organizations worldwide continue to increase their cloud infrastructure spending in 2024. Cloud maturity plays an important role for a successful implementation of the cloud infrastructure strategy according to HashiCorp’s 2024 state of cloud strategy survey. One rule of thumb says that the higher the maturity, the more it helps increase the return of invest by speeding up development cycles and innovation. Plus, it optimizes allocation of resources and operational expenses via automation, and enhances security and compliance. But the survey results also indicate that a large majority of organizations don’t reach a high maturity level, because they struggle to apply proper cloud security measures. This issue can be overcome by applying suitable principles.  

In this blog post, we show how your organization can strengthen cloud security and reach a higher level of maturity by adopting a zero trust approach. We also explain why you should apply it, the basic principles behind it, what measures should be considered to implement them, as well as how you can avoid common pitfalls. 

What is the zero trust security model?  

 «Zero trust» follows the principle of trusting no entity – whether inside or outside of your network. This effectively eliminates the traditional concept of trusted internal and untrusted external network. With the zero trust approach, it is assumed that security breaches can occur from any direction and angle. It protects your IT landscape by defining mechanisms for different domains: from identities requesting access to systems, endpoints like devices and sensors to network setups and data protection.

The principles of zero trust 

blog_cloud_zero_trust_image_en_1

Zero trust operates on the tenets «verify explicitly, use least privileges, and assume breach».  

The principle of «verify explicitly» is enforced by means of security guidelines. These are applied dynamically based on the access context like location, sensitivity of data or behavioral anomalies.  

The principle of «use least privileges» propagates that an identity by default is only granted the least amount of privileges to fulfill the task at hand. This limits lateral movement and reduces the impact in case of breaches. Secure communication between systems and components, as well as data encryption at any time keeps data protected in case of unauthorized access.  

The principle of «assume breach» is realized by continuous real-time analysis of user and network activities along with automated response mechanisms. This allows predicting, identifying, and quickly responding to anomalous activities. 

To apply those principles in practice, we recommend the following measures:

Enforcement of security guidelines: Automate enforcement of security policies across resources based on threat intelligence, access context and suspicious activities.

  • Network micro-segmentation: Isolate the environment in a private secure network zone and sub-divide workloads based on their context into sub-networks that control inbound and outbound traffic flow via policies.
  • Identity-based access control:  Identity the most important security enforcement. Verify them via robust mechanisms like multi-factor authentication (MFA) and apply strict access permissions on data, services and actions.
  • Data encryption: Identify data and categorize them based on sensitivity. Secure data at rest and in transit using the latest cryptographic protocols.
  • Continuous monitoring and analytics: Ensure unified and continuous monitoring to detect anomalies, attacks and breaches. Plus, automate incident handling. 

What to consider when using Security as a Service for zero trust in the cloud? 

Due to cost efficiency, skills shortage, scalability and responsibility reasons, organizations tend to prefer Security as a Service (SECaaS) solutions for applying zero trust measures. There are numerous services and tools that can be used to apply zero trust. Hyperscalers like Azure, AWS, and GCP already provide built-in cloud-native services. Yet, how to apply which tool for which measure? This may be confusing as tools can support overlapping capabilities. Based on our experience, we shed some light on which built-in essential security services may be considered when using Azure or AWS as a cloud provider: 

Measure

Cloud services supporting zero trust principles 

AWS

Azure

Enforcement of security guidelines 

AWS Security Hub, AWS Organizations 

Azure Policy, Entra Conditional Access Policies, Microsoft Defender for Cloud 

Network  segmentation 

AWS VPC Lattice, AWS WAF 

Azure Firewall, Azure WAF, Azure Bastion 

Identity-based access control 

AWS IAM, AWS System Manager Session Manager 

Microsoft Entra ID mit Entra ID Governance, Privileged Identity Management 

Data encryption 

AWS KMS, Amazon Macie 

Azure Key Vault, Microsoft Purview 

Monitoring and analytics 

AWS Cloud Trail, Amazon Detective 

Microsoft Defender, Azure Sentinel 

 

 

 

If you already use managed compute and storage services with hyperscalers, built-in services can get you started fast to improve your security posture thanks to out-of-the box integrations and convenient initial setups via configuration. But be aware of the skills needed to configure and manage those services in a way that they support zero trust. Also consider the risks of vendor lock-in and unpredictable costs that can arise from resource usage and data traffic.  

In contrast, on-premise systems and tools are typically more static and therefore more predictable in terms of resource allocation, dynamic network traffic and costs. In-turn, they often require more effort to control, configure, customize and integrate them with existing workloads. This is especially true when data is distributed and not as easily accessible as in cloud environments providing standardized APIs for integration. This can mean that complete coverage through security measures is made more difficult.

What are common pitfalls when implementing zero trust? 

Assuming 1:1 migration 

when_implementing_zero_trust_avoid_pitfall_1_assuming_complete_landscapes_can_be_migrated_to_the_cloud_1:1

One of the most common pitfalls is to assume that systems or complete IT landscapes can be migrated to the cloud 1:1, while maintaining the previous security standards. This often leads to the overlooking of multiple ready-to-use services such as firewalls, monitoring and notification systems or secure storage media that are provided and managed by cloud providers. For example, if perimeter-based boundaries that trust internal traffic are applied within a virtual private cloud or subnet, lateral movement of an attacker is possible in case one workload is compromised. Consequently, reviewing system architecture and aligning it with zero trust is a must. This initially incurs costs, but ultimately reduces the security risks. 

Strategically budgeting protective mechanisms 

when_implementing_zero_trust_avoid_pitfall_2_and_only_use_services_incurring_a_fee_if_subject_to_particular_risks_or_compliance_requirements

Another pitfall are the costs for the implementation of robust policies via identity and access management (IAM), defining resource owner, establishing clear access controls, as well as applying and reviewing security best practices.  

Basic protective mechanisms such as secure storage media, threat analysis, and role management are usually inexpensive and easy to implement. However, extended services like Security Information and Event Management (SIEM), Security Orchestration and Automation Response (SOAR), or comprehensive asset protection such as digital keys by means of Hardware Security Modules (HSM) can be costly. These services are generally only useful for organizations that are subject to particular risks or compliance requirements. Examples hereof are healthcare providers that need to secure sensitive medical information, financial institutions that need to be compliant with Payment Card Industry Data Security Standard (PCI DSS), or government agencies that handle sensitive data and operate critical infrastructure. It is therefore crucial to use the extended services strategically for areas that are sensitive and security-relevant. This helps to balance costs and benefits.  

In order not to let the costs for security escalate, we recommend the following:  

  • Implementing zero trust step by step – from IAM access control and network segmentation to optimized monitoring and response
  • Prioritizing already implemented free cloud services
  • Selecting appropriate tools to meet specific security requirements
  • Automating taks such as incident monitoring and response if possible
  • Comparing costs of multiple operating models based on the shared responsibility model
The emergence of the FinOps framework highlights the importance of budget management in the cloud. Segmenting resources according to cost centers or budget allocations and identifying responsible teams or individuals are crucial for effective budget management. Enforcing these practices company-wide ensures consistent and efficient resource utilization. 

Neglecting IAM rules and access control  

when_implementing_zero_trust_avoid_pitfall_3_by_defining_IAM_policies_and_access_controls_across_teams_avoiding_fragmented_systems

Best practices for cloud security include implementing a comprehensive IAM policy and robust access controls. These need to be defined across teams to prevent the creation of a fragmented access rights system, which can be challenging to manage and secure in the long term. This principle also applies to network segmentation. Among the various methods of securing a network are access policies for virtual networks. However, it is key to keep an overview and follow a coherent strategy. Otherwise, there is a high risk of losing control, which in turn jeopardizes a secure network configuration. The motto here is: keep it as simple as possible, but ensure it is a secure as necessary. 

«Secure by default» – a varying concept

blog_cloud_zero_trust_image_en_5

The principle of «secure by default» is another key factor. While many cloud services offer high levels of security by default, such as blocked public access by default and encryption of objects in Amazon S3, others may be exposed to the Internet with default configurations. Common risks include public storage buckets or misconfigured access control for APIs. Particularly dramatic are credentials leaked in code repositories or in unprotected log files. To avoid those and maintain a secure environment, regular threat analysis and security reviews of resources and their configurations are essential as well as implementing SecDevOps practices, which integrate security into the deployment automation process.   

Follow certain principle and you will be safe in the cloud

As the adoption of cloud infrastructure continues to grow, so does the importance of cloud security. By enforcing a zero trust approach following best practices, organizations achieve a higher level of maturity and strengthen their cloud security posture. When implementing zero trust, ready-to-use SECaaS solutions provided by hyperscalers should be considered. However, organizations should avoid common pitfalls such as assuming that local concepts can be adopted 1:1 to the cloud without changing architecture design. Cloud security services also don’t necessarily come for free or at a lower cost than on-premise services. Effort is involved to understand the needed security measures according to zero trust, to define and plan specific requirements, as well as to understand and select appropriate SECaaS components. In addition, you need to build up the skills to configure and manage them professionally. Remember: Security «by default» is only built-in to a certain degree in the cloud. If you want to successfully implement best practices, you have to review and redesign your IT architecture, budget according to FinOps, and to regularly evaluate security. 

 

Authors

blog_cloud_zero_trust_portrait_hongg

Daniel Hogg

Head of Architecture

blog_cloud_zero_trust_portrait_kottelat

Frederic Kottelat

Security Consultant