¶ Zero Trust Framework in Cloud Security
I think that's probably why we haven't seen more of a big deployment and adoption of Zero Trust as a framework, is that businesses haven't figured out how to balance that in Zero Trust's favor, right? Ultimately, businesses have to make money, and revenue kind of wins the day.
Yeah, often I mentioned that, you know, security is not in the business of, you know, stopping anyone or doing. You know, we need to make sure that, how do we become that enabler? You know, understand where business is coming from and adopt a lot of these technologies from that mindset itself.
Uh, you know, how we can become that kind of enabler towards the business itself.
You know, welcome to the Cables to Clouds podcast, your one-stop shop for all things hybrid and multi-cloud networking. Now here are your hosts Tim, Chris and Alex.
Hello and welcome back to another episode of the Cables to Clouds podcast. My name is Chris Miles, at BGP Main on Twitter, and, as always, I am joined by my lovely co-host Tim McConaughy, at on gold biz on Twitter. We're still not calling it X.
Alex decided to leave the show, so we're, uh, we get to call it Twitter now and we have no one to combat us on that. Um, yeah, so we have a fun one in store for you today. Joining us is Vaibhav Malik, so, if you can, Vaibhav, please take a moment and introduce yourself to the audience and tell us who you are and what you do.
Awesome, Chris.
Thanks. Thanks for having me over here, and, Tim, it's always nice, you know, meeting you as well. So a little bit about myself. My name is Vaibhav Malik. I generally go by VB.
In professional world I'm currently working as a global partner solutions architect at Cloudflare and where my role is collaborating with global partners to design and implement different security and networking solutions for our customers . It's an exciting position .
It allows me to be at kind of forefront of a lot of cybersecurity innovation that Cloudflare is doing in that space . Been in this industry for last roughly around 15 years or so , started a lot in the networking industry and in the last five years or so have been pivoting into a lot of cloud networking and cloud security and application security space itself .
So yeah, I'm based out in St. Louis, Missouri, and, would you know, always been a fan of, you know, listening to the Cables to Clouds podcast, and, you know, it's been a delight, you know, having over here and, you know, talking to you all in flesh and blood.
Awesome, thanks for that. I didn't know you were based in St. Louis. I used to work for Worldwide, so I, uh, I spent a lot of time in St. Louis, um, at their HQ, so that's funny. Small world.
Yeah, yeah, it's always, you know, when I travel a lot for work and, you know, um, you know, a lot of people in the East Coast and West Coast, you know, don't understand, you know, a lot of the, you know, the geographical, uh, things overall from the central part of the US.
So, yeah, we have a pretty nice neighborhood over here and yeah, I've been here for the last 12, 15 years and love being part of the central US overall.
All right . Well , our topic for discussion today is zero trust , so everyone's favorite security strategy option . I feel like we haven't actually had an episode where we've talked really in depth about zero trust .
So we wanted to bring on Vaibhav and kind of dive into this and kind of help frame it from the lens of what people need to understand about zero trust and specifically implementing zero trust within the cloud and what that really means.
So if we want to get started here, let's say, you know, obviously zero trust is a very big marketing term as well. Right, it's kind of stamped on every product out there. But the fact of the matter is, zero trust is a strategy.
Like I said before , it's a framework that you know you're supposed to use as guiding principles for how you implement security within your organization . So how would you yourself define Zero Trust ?
Yeah, Chris, I often say that before AI became the new hype in the industry, where everybody started having the word AI on top of every other product itself, Zero Trust was taking the highest pedestal overall, right, taking in everything and everything that we do.
Zero Trust was the front and center and I think there's definitely a strong need as well when you look at what Zero Trust entails and what Zero Trust principles are .
The concepts and the philosophies around Zero Trust are very , very critical and I don't think we have still achieved a lot of that in the industry on how we do a lot of the IT projects and so on and so forth .
¶ Zero Trust Architecture Fundamentals
Just to let you all audience know as well that, you know, I am a big advocate for, you know, identity-based trust. You know, I come from a very traditional networking industry, you know, where IPs and, you know, IP-based networks were the biggest thing that we did for the 10, 15, 20 years that we have been in the industry. You know, IPsec VPNs.
You know, giving access to majority of your network itself. That was it, but I'm a strong advocate, at least in the last few years that I've been in now pivoting myself to cybersecurity, and, you know, understanding how zero trust is important, for example, your legacy-based architectures, but also in the terms of your cloud-based architectures itself.
Overall , you know , just to you know , make sure the audience understands where we are coming from and what we are talking about . Think of this as everything is inside a network perimeter that we used to think it's safe and it's trusted , right .
But that approach overall , if you think about it right from a hyper-connected world , it just doesn't cut it anymore , especially in the hybrid cloud distributed world where our applications are all over the place itself . So think of zero trust is basically based upon that principle of never trust and always verify .
You know , again , this is something that a lot of your audience might have heard about this before . So let's peel the onion a little bit and understand when I say never trust , always verify . So think of this as treating every access , every request , every user , every network as kind of potentially compromised .
You know we take it for granted that it is potentially compromised , regardless of where they are in the network . You know we used to have , if you remember , right in the firewall world . We used to have these things called trusted and untrusted , and you know now , if we have something in the trusted , we trust them right .
So this is basically moving away from that kind of a mindset . You know that something is either inside your network or outside . So there are a few key things I'll , you know , mention that are very , very critical from the zero trust mentality or philosophy standpoint itself .
Five of the major ones that I'll talk about are you know , think of this as continuously authenticate and authorize . You know we are not just checking your credentials . You know once at a login . So , for example , when you go and log in with your username passwords , what have you right ?
But at the same time , what we are also doing is we are constantly verifying the identity and security posture of your users , your devices , applications , throughout the session itself . So that's the number one . Think of this as always continuously authenticating and authorizing the session itself when you are looking at it .
The second core principle behind Zero Trust itself is least privilege access . So think of this as users will only get bare minimum permissions itself . Now , this is a fundamental principle within Zero Trust itself . You need to make sure that they are getting the bare minimum permission . So if I want to go and access a certain application , that's all I get .
That's about it. My user-to-application behavior is based upon that particular one rather than the traditional network-based architectures that we did have. So that's the second one, least privileged access. The third I often say within Zero Trust is about, you know, a lot of network engineers will relate to it.
Right, we always did segmentation, but think of this as more of a micro-segmentation, you know, taking that network into small and isolated segments. You know, and we want to make sure that there is no lateral movement that happens, right.
If you even happens, you know, to go and access a network, even if a breach occurs, we can limit that particular thing and it does not allow any of that lateral movement to happen. So that's the number three, which is the micro-segmentation.
The number four , which I often always believe within Zero Trust that has to be there itself , is always making sure that there is a data-centric security towards it . Now , what does that mean ? Data-centric security ? It means that we are protecting the data itself and not just a perimeter around it .
We have to make sure that data is the most critical for us and when we are building Zero Trust philosophies and principles around it , we have to protect the data as well , because that's the most important value for any large enterprise itself . So that's the number four . There are many others as well , but I'll just probably talk about the fifth .
One , which I often say within Zero Trust itself is about giving the visibility and analytics as well , because we are also wanting to make sure that if we don't have that visibility , the monitoring , we have to analyze the behavior . What's the behavior happening within Zero Trust itself , Because we want to detect those anomalies as well .
So , fundamentally , if you look at it , a lot of these principles form and come together to what we go and call a Zero Trust architecture itself , and that can apply to any realm itself . It could be in AI world or your cloud distributed world , or in your legacy world itself .
That's like you're changing the entire approach towards how you look at designing large networks overall .
¶ Zero Trust in Cloud Environments
So I completely agree about the identity piece of Zero Trust , by the way , I think it's impossible to enforce . You can create policy all day , but you have to tie it to something that's valuable . If you want to make it micro , if you want to make it a specific to you know , uh , I hesitate to say user , because it's supposed to go further than that .
Right, but what it's generally thought of when people say the word zero trust, what they're immediately thinking of is a user-to-application type of traffic.
Right, let's authenticate our users, give them the least privileged access, just like you said, and then continually authenticate them. But the identity we're interested in is the identity of the user. So that's like everybody.
When everybody talks about zero trust , that's what they think about . What do you think about app to app zero trust ? Like it's a different thing , right ? Because it's not the same as identity . A user invokes a function and that function now has to make calls , has to go talk to things , and so the identity isn't the user's identity anymore .
Now we're talking like app to app identity . So isn't that a very different , or is it ? Is that a very different strategy or policy that you're looking forward for that ?
It is. It is, and, you know, I actually recently got a chance to research a lot about this particular topic, what we call in the industry non-human identities. A lot of these identities are not based upon a certain user itself.
In a traditional sense, I could have an identity that's tied to me, but now I have these microservices containers running and one container needs to talk to another container in a cloud world itself. So these non-human identities need to be taken from that same mindset on how do we allow certain APIs to talk to another APIs itself?
How do we want to architect the entire solution ? And that's where I often say that zero trust overall is not a single product or technology right . It's building about overarching security strategy and mindset overall in the companies itself .
If you think about it , right , if you are a traditional software developer , right , you often would have heard you know agile and you know things about . You know how do you become more nimble and you know how do you change your software development overall itself . So think of the zero trust as more of a strategy around that .
When software development , you have agile methodologies to build about how to build secure and software design overall . Similarly , in this itself , you are re-architecting your entire approach to security itself .
I'll give you an example overall, just to give you a benefit, that one of the biggest things that I've faced within Zero Trust is with the legacy systems overall, where a lot of our older applications where I used to work and one of the big service providers where the largest of the subset of the, you know, the technologies that we had were never built with zero trust mindset itself.
You know, it was had to do a lot of, you know, serious re-architecting, heavy lift and shift of, you know, making sure that how we can have improved security posture and the main key aspects around. The first initial thing that you need to tackle within that is identity and access management itself.
You need to understand what kind of you know things . You know devices that you have , what kind of you know you know entire portfolio of assets that you have and we really had to you know up our game in terms about you know multitude of these things .
Right , it could be getting granular with your access controls or adding multi-factor authentication as well to add to that mix itself . So a lot of these things come into play itself . To build upon that , either it could be user-to-app or app-to-app , but yeah , things like that .
Yeah , it makes sense . Yeah , I mean , as you said , with the evolution of networks today , obviously that perimeter that was previously kind of well-defined has kind of skewed . There's no longer this concept of a moat around your castle and you can just assume trust about people that are in the castle .
At this point , I'm curious , from your perspective , how does that change with cloud ? So obviously we have people working from home , maybe they're coming in over VPN connections , right , you can still kind of , you know , assume a bit about the network connectivity that they're coming from , et cetera .
But you know , with cloud , that being running on completely different infrastructure that you no longer own , right , how does that dynamic with zero trust change within a cloud environment ?
Yeah , yeah , great question . You know , implementing zero trust , you know , in a cloud environment can be , you know , both challenging and exciting at the same time . Because you are dealing with what you dealt with . Now you can start afresh right with the cloud environment , the things a little bit more nimble and agile .
You are dealing with a lot of the newer stack of applications itself. In the cloud, if you think about it, the principles of zero trust become even more critical, I'd say, when you look at it. Right now we are dealing with things like, for example, shared responsibility model with the cloud provider itself. You have dynamic resources.
Now, often you also are dealing with a mix of public resources, your private resources, at the same time. When you think about this, your traditional network perimeter is essentially kind of non-existent. Right, you had a network perimeter before, but now you're dealing with a lot of this.
So how do you set up a zero trust kind of an architecture within cloud and how do you enforce it? So, based upon my experience, I'll say first off, when you think about in the cloud, identity becomes your new perimeter.
You have to think about taking that stance from how you dealt with a lot of the things in the legacy past but moving into a more identity-based model where, even if you, for example, we have to, you know, implement, for example, robust, you know, identity and access management solutions which can work kind of seamlessly across our on-premises solution or your cloud environments, and things like single sign-on or multi-factor authentication or adaptive authentication really make a lot more sense when you are trying to do things in the cloud itself.
Now, here, if you think about it, we are not just checking your credentials at login itself, we are kind of continuously verifying your connections throughout the session.
¶ Implementing Zero Trust in Cloud
So, in the cloud, when you think about this, this often means a lot of your security constructs as well.
So think of this as your security constructs, like your security groups, for example, your NACLs, or it could be your software-defined networking on how you have built a lot of these things. So we are essentially, if you think about it, in the cloud.
We are creating a lot of isolated environments. This could be your VPC within your applications, that you have your workloads, and that kind of limits the blast radius itself if there's ever a breach, right. So think of that principle when you are building out your architecture within the cloud itself.
Data protection , I'll also say , is a very , very critical element as well . So we have implemented , for example , encryption at rest , for example , or in transit , and there are many of the cloud native key management services that you can build to take care and control of your encryption keys as well .
So , when you are thinking of zero trust architectural model in the terms of cloud itself , you have to think about many things right . You have to think about , for example , your data classification schemes itself .
You need to think about how will you be able to leverage a lot of the tooling, your legacy-based tooling, for example, you had in the past, like your SIEM tools or your UEBA, to detect any anomalies in real time itself.
But one of the biggest critical challenges in the cloud itself is how do you manage your secrets and your credentials itself , because in a dynamic cloud environment , you can't just rely on static credentials right , you need to implement dynamic secrets management .
You need to understand how do you have those credentials which are generated on demand and things like that . One other thing I also believe within the cloud environments that becomes really critical itself is the concept of that what we've talked about in Zero Trust itself , which is the least privileged access .
So we have to be really critical in terms of just-in-time , just-enough access principle when we are building out in clouds .
And that also means that how do you leverage , for example , cloud-native IAM tools itself , or how do you have things like , for example , leveraging different kind of attributes within the cloud itself , like combination of cloud-based firewalls , your web application firewalls , your API gateways , to protect a lot of those resources itself ?
So things like that , I think , becomes really critical when you are designing within the cloud itself .
Do you think it's ? I have my own opinion about this . Do you think it's actually easier to work with to set up zero-trust principles in the cloud ? Do you think things like IAM make it easier than it would be on ? In my opinion , there's a lot of tooling that the providers kind of you know since they came later , essentially since they built it .
You know much later when zero trust , you know , was a thing that people were thinking about . There's a lot of tooling that better supports the ability to do a zero trust kind of framework in the cloud than you would have ever been able to do on-prem .
There are tools out there . So there are tools like , for example , your cloud security posture management tools , which give you an understanding of how your posture looks like within the cloud itself .
You can also use , for example , tools like you know understanding , you know becoming leveraging a tool like a broker tool itself to understand how your you know cloud security brokers you know happen . You know you could be leveraging Salesforce . You could be leveraging , you know , a distributed hyperscaler cloud itself .
So implementing zero trust , I'll say , in the cloud is the ongoing process itself . As you kind of think of this . As your cloud footprint evolves , you have to make sure your security strategy evolves along with it .
So what I've actually found is that you need to leverage a lot of those controls , the visibility tooling that you do have within the cloud providers itself that often we never had .
For example , in on-premises environment , there are tools that are being leveraged within the hyperscalers , which gives you the access to look at a lot of logs , a lot of the tooling itself . So I'll say , embracing that dynamic nature of the cloud becomes critical and taking that advantage of a lot of zero trust principles that you do have , you know .
It's also also making sure leveraging a lot of the automation based capabilities that are available as well within the cloud environments . That also is something that becomes really critical . Right , you know , enforcing a lot of zero trust policies becomes really , really difficult if you don't have the right automation tools in place .
So if you leverage , for example , your infrastructure as code tooling , like terraform , or security as code practices , make sure that your security controls are consistently placed , you know , across all the cloud resources itself , that also becomes really critical when you leverage a lot of these .
I'll also mention that in the cloud itself there is important need of having a solid incident response and business continuity planning as well that you have to have there . We have to make sure you know if there is any , for example , breach that happens , any potential breach that happens in the cloud itself .
You know, cloud providers offer many security features, but the onus is still on us to configure and use them correctly. So we just can't assume that the cloud is secure by default itself. We have to take those controls that we do have and build a strategy around that to build that governing process itself.
Yeah , it totally makes sense . Yeah , I think , because with the you know from what I've heard , one of the core principles around zero trust is basically always assume breach . Right , you want to assume that someone is already inside the network at any given time and and you want to do whatever you can to stop that lateral movement .
Um, uh, within the environment, right, just, uh, just as what we touched on before is, you know, you can no longer trust, you know, an identity just based on some data about where it's coming from, right, if it's within the network that you can't give it implicit access to that.
I'm curious , curious to get your take on privileged access management right . So that's a common one that I see implemented . You know where .
You know most operators you know are given read only access to infrastructure , et cetera , and then , if they ever want a heightened level of access , they have to use a tool like privileged access management to gain temporary credentials for , for , you know , justification for a change that they need to make or something like that .
Where does zero trust have a role in that? You know, is there still inherent danger to read-only credentials to a large part of the organization and only giving them point-in-time privileged access? Or what's your take there?
Think of many of these controls, you know, tying it together. You know, things like, you know, whether that could be, or, you know, just-in-time access or giving granular controls itself. A lot of it, you know, becomes much more critical in case of the privilege access management we have to understand.
You know all the similar principles that we are talking about within Zero Trust itself . That could be related to your behavior analytics , that could be related to your Zero Trust network access itself . In case of privilege access management , what I found is that we have to balance security with usability itself .
We have to make sure that any of the strict controls that we do build because sometimes it becomes the resistance part right when you are like , okay , you are trying to go and achieve zero trust policies , but it comes with a lot of resistance within the enterprise itself , where many of your employees are at the back end .
You are trying to do something, but it becomes an inhibitor for leveraging a lot of this and you get a lot of resistance within the company itself.
Another challenge that I've seen within the PAM itself is that, you know, it has to cover a lot of our assets across the enterprise itself. Right, you have to understand, in the enterprise you just don't have, you know, employees leveraging your laptops and things like that. You also have, you know, your BYOD devices.
You know you have contractor use cases as well where a lot of contractors are coming in . You have a lot of the devices which are sitting in your data center , but then you also have a lot of the devices which are sitting in your cloud provider itself .
So a lot of that PAM needs to cover a lot of that assets and asset visibility and asset management becomes really , really critical as well . In the case of PAM itself . Consistent policies is another important um criteria .
I'll say it becomes very critical , right , you have to make sure , as you're applying a lot of the policies , whether your certain provider is able to apply those policies consistently across distributed space .
Right , you can't have certain policies being applied in a one hyperscaler , but then you have a totally different set of policies being applied in in your , for example , in your own data center itself .
So PAM, in the zero trust model, the privilege access management, isn't just about that technology solution itself, but think of this as majorly a lot of cultural shift as well, because this requires the employees, the users itself who are trying to adopt this technology, adopt this technology from that cultural mind shift itself.
You know, training and awareness becomes really, really critical when you are trying to go and adopt that particular solution itself. So things like that, I think, are very, very critical, you know, whenever somebody is thinking of applying the principles of, you know, the PAM within the zero trust space.
So yeah , so , yeah , you had something that's like really , really important and it's not just about zero trust as a security in general , but it becomes , I think , the reason we haven't seen more well , it's one of the reasons I think we haven't seen more true zero trust deployments , because I don't know of a single , I can't think of a single company who's
truly embraced and deployed and rolled out a zero trust deployment like soup to nuts , right . Part of it is probably the pain of having to essentially probably manage multiple zero trust systems because they have legacy and cloud and God knows what else . They have to do it between . There's not one zero trust framework , one zero trust product .
That's going to cover it all . But I think you hit on really the big one there , which is the , you know , eternal battle between security and the business , right , like secure , yes , we need to be secure , but we also need to be able to do business . And you know the business has an agility problem . And well , it's not .
It's not as much a problem except when it comes into , you know , butts heads against security frameworks , like like zero trust , right . So the business wants to be able to be agile , wants to be able to , you know , perform whatever revenue generating function it has , wants to roll out new products , wants to develop new things .
But you know we want to keep it all secure at the same time and part of security does involve , you know , throwing up gates , throwing up roadblocks , uh , you know , doing extra checking and and just slowing down the process for the process , you know , for the purposes of of being secure , you know , whatever that looks like in the , in the framework .
Um, I think that's probably why we haven't seen more of a big deployment and adoption of zero trust as a framework, is that businesses haven't figured out how to balance that in zero trust's favor, right? Ultimately, businesses have to make money, and revenue kind of wins the day.
Yeah , often I mentioned that . You know security is not in the business of , you know , stopping anyone or doing . You know we need to make sure that . How do we become that enabler ? You know understand where business is coming from and adopt a lot of these technologies from that mindset itself .
You know, how we can become that kind of enabler towards the business itself. You know, often, whenever I talk to, for example, a lot of the, you know, folks within the network engineering, you know, they often relate about how does that relate to me?
You know, how does that relate to how I think about, you know, a lot of these places? And I always say that, you know, let's start from that business mindset itself, business strategy itself, and then we relate to a lot of these topics of, you know, a lot of these topics might be technical but ultimately have that kind of a relevance into the business frames itself, and when we look at it from that policy governance strategy itself, a lot of these things, you know, I think it starts to, you know, easily decipher to the right audience itself.
Yeah , that's a good point . I think you know Vaibhav to your previous point around visibility and Tim to your point about business agility .
So if we're talking about implementing a zero trust framework in your organization , obviously implementing security just for the sake of check boxes is going to slow down business and people are going to want justification for what you're doing right . So how do you make a zero trust implementation tangible ?
How do you actually measure things like what you've actually stopped from happening ? Because I could say you know I've stopped 100 breaches , but you know it never really happened . So how do you actually measure stuff like that ?
Yeah, the metrics is definitely the most critical itself. You know, they can be many of those things from the ones, but I'll mention to you before I move into the metrics part, right.
¶ Zero Trust Implementation Strategies
I'll mention that, you know, a lot of the things that we do deal with, right, within the zero trust itself are very similar to how we have looked at a lot of the principles in the past itself. So think of this, as you know, when I talked about, you know, micro-segmentation itself.
Right , when I talked about micro segmentation , you know that is one of the biggest , probably the biggest change itself . You're not trying to do a lot of the net . You know the flat network segments itself we are dealing with not just longer with the similar concepts , like you know , your VLANs and your subnets and whatnot .
Right . Now you're looking at a lot of that concepts from you know , the micro segments that you have built up . Also at the same time , from the traditional network sense itself . You're also dealing with , for example , a lot of East-West traffic itself . You're dealing with .
How do you deal with customers coming in from one part of the network wants to go and talk to another part of the network itself ?
Many other principles are often tied towards that , whether that could be your encryption , whether that could be a software-defined networking , whether that could be an entity based networking .
A lot of these similar principles apply in the zero trust world itself , right , when you're looking at it and when you look at a lot of these metrics in the traditional sense , when you have looked at it , also apply into the zero trust world itself .
So from the business standpoint itself , we have to also understand like are we building a lot of these ground up from the get-go of it , totally reinvent the entire world , or are there similar principles that we can often take on from the perspective of it ?
So these are some of the things that I often mention that really helps towards the implementation and the success and execution of a Zero Trust project itself . Taking it from the legacy part of it and then building upon that , I think are the most critical itself . Yeah , awesome .
Yeah , cool . Well , yeah , this has been great . Thanks for coming on , Vaibhav . I think we'll probably want to let's kind of lead this home a little bit .
So let's say , you know , someone's listened to this and you know , maybe they , you know , they have a you know somewhat of an understanding of what zero trust is , but they don't know how to get started with implementing it in the organization . I mean , what is there some things that you would recommend as how to how to get started ?
What are some quick wins , some easy grabs that you can start with to kind of lead yourself down that path ?
Yeah , so somebody who is looking at zero trust right , they need to understand , like , how do we validate this approach ? Right , we are looking at building this .
I'll say start this entire narrative of zero trust you know from you know small chunks itself , like , what is your ultimate goal that you're trying to do and achieve ? Right , this is a larger project overall . Whenever an enterprise I've seen in my past experience , you know starts to build upon the zero trust strategy overall , they generally start somewhere .
And when I mentioned before , right , I started with you know looking at few of those things itself , you know looking at , hey , am I using in my enterprise the right tools overall in terms of multi-factor authentication ? Am I using the right tools for managing , for example , my tooling for private access using some identity-based tooling itself ?
Do I have an identity provider which is being tied to a lot of the SaaS-based tools that I'm leveraging as an enterprise itself ?
From the ultimate outcomes that you're trying to achieve , an organization's main goal overall is that , hey , how can I go ahead and reduce my risk posture , what are the risks within my organization itself and how can I reduce that attack surface that I have .
So , within that successful zero trust implementation , we need to understand regular vulnerability scans that you're doing or attack surface management tools that you're leveraging .
You need to understand your mean time to detection and your mean time how do you respond , and that often generally can be leveraged through a lot of the zero trust principles that we have discussed . Right , you get better visibility . You get better automated responses for incident response , for example .
Right , you want to make sure that , as you're leveraging a lot of these tooling , you're building this as to respond to a lot of the threats overall .
In other cases I often also mention to a lot of the architects , engineers , CIOs , CISOs that I often talk to is think of your organization from a maturity model perspective . Where are you exactly on the road to zero trust maturity ? What's your maturity lifecycle look like within your enterprise itself ? Where are you today ?
Are you at the beginning stage ? Are you somewhere in the middle ? You know , you know implementing a lot of the zero trust within your enterprise itself . Often that maturity model can give you an answer .
You know we , for example , have been a very big proponent of building that maturity model , not just based upon one single vendor itself , like zero trust has not been able to achieve just one through one vendor itself or within a few months itself . It's always an ongoing journey within an enterprise . You're looking at many , many things .
You're looking at , hey , as a metric , like you were asking before in your previous question , what are the kinds of things , how many policy violations that I do have ? Are my policy violations going down as I'm trying to imbibe on the zero trust model itself ? What's my authentication , success and failure looks like ?
You know , in in terms of , you know , my users satisfaction scores , or am I getting a lot more tickets now with a lot of lateral movement incidents itself ? Now , that's a critical metric . You want to make sure that there's a decrease in a lot of those incidents , right , where anything that moves laterally within the network itself .
What kind of data exfiltration is happening ? Any incidents that you are seeing or tracking within the zero trust environment , you want to make sure those are quickly contained , are minimal and you want to track any of the attempted , authorized , for example , data transfers itself .
So , a lot of these combination of things like we mentioned , right , you know , from the compliance standpoint , from the policy violation standpoint , from the user satisfaction scores itself . We want to make sure that a company you know adopts zero trust based upon a lot of these .
When you start adopting a lot of these principles , it often comes about you know , making sure that there is some kind of you know tool consolidation as well , because often in a large enterprise I often joke right you have 40 to 50 different security tools available and you can never , you know , achieve true zero trust with leveraging so many of the tools .
You want to make sure that you know , as you are trying to embrace upon a lot of these zero trust principles , it also means that you can think of a lot of these principles from the cost savings perspective as well .
How can you achieve a lot more with leveraging the security tools that you do have , where you can get a lot more outcome approach from the tools that you are leveraging itself within your enterprise ? So these are some of the things that I definitely mentioned .
The maturity model understanding your metrics , getting a good maturity score on your progress towards the implementation of the zero trust across different domains , I think becomes really , really critical .
Yeah , great input . I appreciate that . All right , well , Vaibhav , we really appreciate your time and coming on the show today . So if people listen to the show and want to learn more about Zero Trust and want to connect with you , how can they reach out to you ?
Yeah , absolutely so . Yeah , I am definitely available on LinkedIn . I'll , you know , put my show notes on the show notes itself , my link itself . So LinkedIn is the best way .
I'm not on Twitter too much , you know , but LinkedIn is the best way to reach out to me and you know more than happy to , you know , talk to somebody who is either wanting to , you know , move into the Zero Trust you know frameworks , looking at a lot of the tooling and technologies from the network architecture mindset , or on the cloud application securities mindset itself , on how zero trust can be taken in small chunks and not get overwhelmed with a lot of the buzzword technology that is being pushed out around the industry .
Awesome . Thanks for that . Yeah , I can't blame you for not wanting to be on Twitter as of late . It's a bit of a cesspool right now , but I digress . All right , with that , we will wrap it up . So thanks for tuning in today . We really appreciate it . If you can please like , share , subscribe all that good stuff , buy our cereal .
Tim says that one a lot and I like it , so I'm going to start saying it too , and with that we will wrap it up and we will see you next time . Thank you , bye .
Hi everyone . It's Tim and this has been the Cables to Clouds podcast . Thanks for tuning in today . If you enjoyed our show , please subscribe to us in your favorite podcast catcher , as well as subscribe and turn on notifications for our YouTube channel to be notified of all our new episodes . Follow us on socials at Cables2Clouds .
You can also visit our website for all the show notes at Cables2Clouds.com . Thanks again for listening and see you next time .
