Bringing Zero Trust Maturity to Cloud-Native Applications

It’s a particularly rare occurrence that I bounce up and down with excitement reading a government document at all, let alone a document written by an agency for other agencies, and yet, that’s what happened this week when I got my hands on the new updates to CISA’s Zero Trust Maturity Model.

CISA, the US government agency tasked with cybersecurity for government agencies, has set out a very detailed framework around why Zero Trust tactics are imperative for securing the nation’s cyber landscape, and how “Optimal Zero Trust” can be achieved. The focus is on government agencies, but there are a lot of parallels to the challenges faced by large enterprises that are still transitioning from manual, physical, monolithic security approaches to modern ones, cloud and cloud-native included.

Since we’re big fans of Zero Trust, especially the novel way our own product advances cloud-native Zero Trust initiatives like no other technology available today, we dug deep into the report for tidbits that are relevant beyond the government context, to security engineering teams everywhere.

Here are a few things that we found interesting and useful:

“‘Business as usual’ approaches are no longer sufficient to defend the nation from cyber threats.”

Thank you, CISA for just coming out and saying it! We are so glad that a group with such authority and exposure to the real world is willing to admit the urgency of the problem.

The immediate follow-up question that pops up for us is: what does “business as usual” even mean in an era when the entirety of the underlying infrastructure of our technology has shifted in less than five years? But the truth is that many people, business leaders and government agencies included, are just too overwhelmed with the scope of the project to redefine what “business as usual” means for cybersecurity.

The good news is that digital transformation, cloud migration, and all of the steps that come after the “lift and shift” enable scale and automation in all sorts of ways that wouldn’t have been possible in the monolithic world. So, at least along with the new open gaps, we are also primed for some uniquely scalable solutions. That is, after all, the promise of cloud-based architecture, right?

“Successful zero trust adoption can produce numerous benefits such as improved productivity, enhanced end-user experiences, reduced IT costs, flexible access, and bolstered security.”

They’re preaching to the choir here, but perhaps the notable understatement is the placement of ‘bolstered security’ as the last of many positives. While there are indeed many positives, by far the most important outcome of Zero Trust tactics is a hardening of applications so that nefarious attackers no longer have easy access to critical data, including personal data, that is sitting unprotected in cloud stacks now that the networking-layer, IP-based Zero Trust tactics of the old world no longer work to protect application internals. This problem is more urgent than ever now that generative AI has quickly exploded and attackers are becoming exponentially better at breaching application perimeters. Bolstering security is our reason for being, and while productivity, cost and the rest are also important to businesses, we shouldn’t understate how important security is to business success and to protecting the precious data of end-users. The real question is: how awesome would it be to address all of these desired outcomes at once?

Being able to implement Zero Trust in a way that also increases productivity, without bogging down the team or the infrastructure with instrumentation-heavy tooling or manual rulesets, and then delivering the ultimate end-user experience of getting what one needs from one’s applications without the risk of personal data being compromised, is really an aspirational state. Reduced IT costs and flexible access are both fully achievable goals in a cloud-native setting when one treats Zero Trust access models as a data problem and institutes appropriate automation that still keeps the reins of ultimate control in the hands of expert engineers when they need it, and that is what we are proud to be able to do here at Operant.

“The National Security Telecommunications Advisory Committee (NSTAC) describes Zero Trust as ‘a cybersecurity strategy premised on the idea that no user or asset is to be implicitly trusted. It assumes that a breach has already occurred or will occur, and therefore, a user should not be granted access to sensitive information by a single verification done at the enterprise perimeter.’”

This is where machine identities, flippant Kubernetes pod setups, and many of the other common sloppy tactics involved in whipping out new clusters to meet deployment speed goals really come to matter. Basically every Kubernetes cluster is implicitly trusted, and this is a big problem. But setting up least privilege rules manually is also an impossible task as Kubernetes deployments grow in volume and complexity. Many lateral attacks have happened in the last few years through Kubernetes for precisely this reason: true Zero Trust tactics that scale across all clusters, services, and API endpoints (internal and external alike) have not been technologically possible. Until now…

“The goal of ZT is to prevent unauthorized access to data and services coupled with making the access control enforcement as granular as possible.”

Ahhh, granularity, one of our favorite concepts. The trouble with granularity is that it’s hard. It’s nitpicky. It often requires mind-numbing drudgery. It’s often so much easier and faster to oversimplify and use heuristics, which works in many contexts. But what do you do when it doesn’t work? What if the rules of who gets access to your assets need to be very specific and situational? What if edge cases matter?

How can granularity be achieved in a scalable way when teams are already struggling to keep up with the exploding data in their systems? And what about achieving that granularity in a cloud-native environment, where the number of APIs and services and their interactions are constantly changing, yet ‘least privilege’ access still needs to be managed? That is something we are particularly passionate about, and something that Operant does as part of its runtime microsegmentation capabilities.

“Each user, device, application, and transaction must be continually verified.”

Hmm, continual verification… now that sounds very much like a runtime problem!

How could one possibly execute continual verification using static rules and tools alone? On top of the need to see our entire live environment and enforce verification across every layer of an application (not just the networking or infra layers), we will also need a solution to the data problem of how to process and analyze live network traffic without bogging down the system with expensive and heavyweight logging or tracing.

“Zero trust presents a shift from a location-centric model to an identity, context, and data-centric approach with fine-grained security controls between users, systems, applications, data, and assets that change over time; for these reasons, adopting a ZTA is a non-trivial effort. This shift provides the visibility needed to support the development, implementation, enforcement, and evolution of security policies. Fundamentally, zero trust may require a change in an organization’s cybersecurity philosophy and culture.”

This is the one we love the most. It is non-trivial to implement Zero Trust, and yet, it is so important. Approaching it with a data-centric mindset filled with valuable context that gives teams the information that they need to make the right decisions around identity and access privileges within their complex environments is the game-changer that moves Zero Trust from a “pie in the sky” “we might never actually get there” ideal to something that is not only achievable and strategic, but that is achievable *today* with the team that is already in place.

One of the understated challenges to meeting those goals, though, is actually organizational, which is why it’s so great that philosophy and culture are called out. Organizations where cloud-native security sits separately from traditional Infosec are currently in flux. Security engineers used to have control over firewalls and configurations but are now reliant on asking for favors from developers and platform teams, which creates new power dynamics around prioritization that put security goals at risk. The need for alignment and cross-functional collaboration has therefore never been greater, and yet it is extremely hard to achieve, especially when there is a skills gap and a tooling gap between the visualization, risk analysis, and application security enforcement tactics used in monolithic and hybrid environments and those used in cloud-native environments, which is the case most of the time in today’s world.

However, the way we see it, DevSecOps philosophy and culture is a huge step in the right direction for cloud-native teams. Zero Trust, in the end, has “Shift Left” and Runtime components that should be addressed simultaneously rather than as separate initiatives owned and run by separate teams with separate tooling. Being able to set up granular least privilege policy rulesets during dev and staging (“Left”) and then enforce those in production (“Runtime”) gives all of the teams the best of both worlds: a low-effort, frictionless and low-risk environment for defining rules, and the automation and runtime extensibility necessary to scale the enforcement of those rules across the entire cloud-native environment, no matter how complex and extensive.
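To make the “identity, context, and data-centric” point and the “Left” then “Runtime” split concrete, here is an added illustration (not code from Operant or from CISA): a default-deny service-to-service allowlist is learned from constructed staging traffic and then re-checked on every production call, once anchored on workload identity and once on source IP. All service names, IPs and flows are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One observed service-to-service call (constructed record format)."""
    src_ip: str
    src_id: str   # workload identity, e.g. a service account "namespace/name"
    dst_id: str
    port: int


def by_identity(flow):
    return flow.src_id


def by_ip(flow):
    return flow.src_ip


def learn_policy(flows, key):
    """Build a default-deny allowlist {dst_id: {(key(flow), port)}} from staging traffic.
    `key` decides what the rule is anchored on: workload identity or source IP."""
    policy = {}
    for f in flows:
        policy.setdefault(f.dst_id, set()).add((key(f), f.port))
    return policy


def is_allowed(policy, flow, key):
    """Continual verification: every call is checked; nothing is implicitly trusted."""
    return (key(flow), flow.port) in policy.get(flow.dst_id, set())


# Staging ("Left"): the legitimate call graph of a constructed shop application.
STAGING = [
    Flow("10.0.1.5", "shop/frontend", "shop/api", 8443),
    Flow("10.0.1.9", "shop/api", "shop/orders-db", 5432),
]

# Production ("Runtime"): the frontend pod was rescheduled to a new IP, and an
# unrelated pod happened to receive the frontend's old IP.
RESCHEDULED_FRONTEND = Flow("10.0.2.7", "shop/frontend", "shop/api", 8443)
OLD_IP_REUSED = Flow("10.0.1.5", "shop/debug-tool", "shop/api", 8443)
DB_FROM_FRONTEND = Flow("10.0.2.7", "shop/frontend", "shop/orders-db", 5432)


def evaluate():
    """Decision per production flow as (identity-based, ip-based) allow/deny pairs."""
    id_policy = learn_policy(STAGING, by_identity)
    ip_policy = learn_policy(STAGING, by_ip)
    cases = [("rescheduled", RESCHEDULED_FRONTEND),
             ("old_ip_reused", OLD_IP_REUSED),
             ("db_from_frontend", DB_FROM_FRONTEND)]
    return {name: (is_allowed(id_policy, f, by_identity), is_allowed(ip_policy, f, by_ip))
            for name, f in cases}
```

The identity-anchored policy keeps working after the reschedule and denies the pod that merely inherited an IP, while the IP-anchored one does the opposite; both deny the frontend-to-database call that staging never showed.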

“The path to zero trust is an incremental process that may take years to implement.”

While it is certainly true that finalizing and executing a holistic approach to Zero Trust across an entire organization and all five pillars that CISA calls out should take some time, we are excited about some of the leaps Operant enables on the cloud-native side.

We take an application-centric approach to cloud-native Zero Trust that enables us to enforce security policies at runtime across every layer of the live application. You can’t secure what you don’t know, which is why we offer instant visibility of the entire cloud-native application environment, from APIs and microservices all the way to data stores. We provide completely new insights into the security posture of your live application traffic, and enable engineers to create and execute segmentation and other access policies directly in our interface. It brings a level of automation and control to cloud-native application security that hasn’t existed before, and does so with a one-click installation. So, instead of years, it literally takes minutes.

While it may sound too good to be true, the reality is that true innovation in cloud technology can enable such instant scale and ease (that is the promise of the cloud in the first place), and we believe it is high time that application security catches up with the promises of the architectures that have made it what it is today.

Want to learn more about how Operant can bring cloud-native Zero Trust to your stack? Want to see what level of security your applications can get to with less than five minutes of effort? Schedule a demo and see Operant for yourself.

Want to learn more about cloud-native microsegmentation and how it can be used to secure your applications against lateral attacks and data breaches? Read our new book Redefining Application Security for the Modern World.

Want to read a government document by an agency for agencies? It’s the best one we’ve read in a while! Read CISA’s Zero Trust Maturity Model for yourself.

*Please note that the headline image is inspired by the chart provided in the CISA Zero Trust Maturity Model paper.