Understanding Cloud Drift Enables Zero Trust Cloud Management
This blog was originally published by OpsCompass here.
Written by John Grange, OpsCompass.
True Insight into Your Security Posture and Drift Is Key to Zero Trust
In the cloud, everything is configurable software. That sounds a little obvious, if not trite, but it is an important insight into how the cloud really works and how it should be managed. From networking and storage to policies and backup, everything in the cloud is defined by its configuration. Every interaction with your cloud, every deployment, every change, moves your overall configuration state some distance from the state you last knew and approved; that movement is what I simply call cloud drift. Understanding drift in your cloud means truly understanding the security posture of your cloud.
Multi-cloud, distributed teams, and ubiquitous automation make cloud environments and applications more difficult to secure. This poses a problem for the CloudOps and DevOps teams that are being charged with managing a rapidly growing environment, while tightening up security at the same time. To address this challenge, many organizations are adopting a Zero Trust architecture for their cloud infrastructure and applications in order to better protect their cloud workloads.
The concept of Zero Trust isn’t new; it has been around the cyber security space for a long time. Before the cloud, the automation, network micro-segmentation, and granular policy management it requires made Zero Trust too difficult to implement. In the cloud these things are easier, because they can be fully orchestrated with code. Very simply, for Zero Trust you must be able to continuously measure trust and risk across your cloud estate.
This brings us back to cloud drift. NIST Special Publication 800-207 defines a comprehensive Zero Trust architecture whose recommendations include maintaining an inventory of assets and their associated configurations, and identifying changes to policy and IAM, all of which must be monitored throughout the security lifecycle. You can’t begin to do any of this, however, without deep visibility into the state of your configurations and how they are drifting.
Zero Trust, as a cyber security paradigm, means that there is no implicit trust granted to any entity, user or service, and instead that trust is continuously evaluated. Having a handle on your cloud drift gives you the ability to automate the continuous monitoring of security controls and evaluation of your overall configuration state, at scale and across clouds. Thus, truly understanding your cloud drift is an important element of accelerating a Zero Trust security architecture in the cloud.
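To make the drift-as-posture idea concrete, and to show the inventory, policy/IAM-change and continuous-monitoring points drawn from NIST SP 800-207 in one place, here is an added worked example (not code from the original post, and not OpsCompass’s product): a small Python drift detector that diffs a baseline snapshot of a normalized multi-cloud inventory against the current state and rates every difference by its security relevance. The resource identifiers, attribute names, both inventories and the severity rules are constructed for illustration; a real deployment would populate the snapshots from the providers’ APIs and feed the result into whatever gate or alerting pipeline evaluates trust.

```python
"""Added example (not OpsCompass code): drift detection as a posture signal.
Inventories, IDs, attribute names and severity rules are constructed for illustration."""
from __future__ import annotations

import json
from collections import Counter
from dataclasses import asdict, dataclass
from typing import Any

# Constructed baseline: configuration state recorded at the last approved deployment.
BASELINE = {
    "aws:s3:bucket/billing-exports": {"public_access_block": True, "encryption": "aws:kms"},
    "aws:ec2:security-group/sg-0a1b2c": {"ingress": [{"port": 443, "cidr": "10.0.0.0/8"}]},
    "aws:iam:role/ci-deployer": {"policy": {"Action": ["s3:PutObject"], "Resource": "arn:aws:s3:::artifacts/*"}},
    "azure:storage:account/auditlogs": {"allow_blob_public_access": False},
}
# Constructed current state: what the live inventory reports now.
CURRENT = {
    "aws:s3:bucket/billing-exports": {"public_access_block": False, "encryption": "aws:kms"},
    "aws:ec2:security-group/sg-0a1b2c": {"ingress": [{"port": 443, "cidr": "10.0.0.0/8"},
                                                     {"port": 22, "cidr": "0.0.0.0/0"}]},
    "aws:iam:role/ci-deployer": {"policy": {"Action": ["s3:*"], "Resource": "*"}},
    "aws:ec2:instance/i-0deadbeef": {"public_ip": "203.0.113.7"},  # created outside IaC
    # "azure:storage:account/auditlogs" is absent: deleted outside IaC
}

OPEN_CIDRS = {"0.0.0.0/0", "::/0"}
PUBLIC_FLAGS = {"public_access_block": False, "allow_blob_public_access": True}  # value meaning "public"


def _is_wildcard_policy(policy: Any) -> bool:
    """True if an IAM-style policy grants '*' / 'service:*' actions or '*' resources."""
    if not isinstance(policy, dict):
        return False
    actions = policy.get("Action", [])
    resources = policy.get("Resource", [])
    actions = actions if isinstance(actions, list) else [actions]
    resources = resources if isinstance(resources, list) else [resources]
    return any(a == "*" or a.endswith(":*") for a in actions) or "*" in resources


def _newly_open_to_internet(before: Any, after: Any) -> bool:
    """True if a rule allowing an open CIDR exists now but did not in the baseline."""
    def open_rules(rules: Any) -> set:
        return {(r.get("port"), r.get("cidr")) for r in (rules or []) if r.get("cidr") in OPEN_CIDRS}
    return bool(open_rules(after) - open_rules(before))


@dataclass(frozen=True)
class DriftEvent:
    resource: str
    kind: str              # "added", "removed" or "changed"
    attribute: str | None  # None for added/removed resources
    before: Any
    after: Any

    @property
    def severity(self) -> str:
        """Illustrative rating of how much this change affects posture."""
        service = self.resource.split(":")[1]          # IDs are provider:service:name
        if self.kind != "changed":
            return "medium"                            # unmanaged or vanished asset
        if service == "iam":                           # IAM always reviewed; wildcards worst
            return "high" if _is_wildcard_policy(self.after) else "medium"
        if self.attribute in PUBLIC_FLAGS and self.after == PUBLIC_FLAGS[self.attribute]:
            return "high"
        if self.attribute == "ingress" and _newly_open_to_internet(self.before, self.after):
            return "high"
        return "low"


def diff_inventory(baseline: dict, current: dict) -> list[DriftEvent]:
    """Every difference between two snapshots: new, missing and changed resources."""
    events: list[DriftEvent] = []
    for rid in sorted(set(baseline) | set(current)):
        if rid not in current:
            events.append(DriftEvent(rid, "removed", None, baseline[rid], None))
        elif rid not in baseline:
            events.append(DriftEvent(rid, "added", None, None, current[rid]))
        else:
            for attr in sorted(set(baseline[rid]) | set(current[rid])):
                b, c = baseline[rid].get(attr), current[rid].get(attr)
                if b != c:
                    events.append(DriftEvent(rid, "changed", attr, b, c))
    return events


def drift_report(events: list[DriftEvent]) -> dict[str, int]:
    """Counts per severity; a non-zero 'high' is what a Zero Trust gate would block on."""
    counts = Counter(e.severity for e in events)
    return {s: counts.get(s, 0) for s in ("high", "medium", "low")}


if __name__ == "__main__":
    found = diff_inventory(BASELINE, CURRENT)
    for e in found:
        print(json.dumps({**asdict(e), "severity": e.severity}, default=str))
    print(drift_report(found))
```

Run on the constructed snapshots it reports five drift events: the opened bucket, the new world-reachable SSH rule and the widened IAM role come out as high, while the instance created outside infrastructure-as-code and the deleted storage account are inventory drift at medium. The design point is that the diff is provider-agnostic (it only needs a normalized `provider:service:name` key and a flat attribute map), and that the severity rules, not the diff, encode what "trust" means for your estate; swapping in stricter rules does not change the detection logic.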