Building a Zero Trust Architecture in the Amazon Cloud
This is a guest article by Gilad David Maayan from AgileSEO
Zero trust is a new paradigm taking the security community by storm. It has been adopted by the world’s biggest and most technologically advanced organizations, from Google, Amazon, and Microsoft to the US Government and has been standardized by leading institutions such as NIST.
Amazon Web Services (AWS) provides capabilities that let your organization adopt zero trust security. In this article we’ll introduce zero trust and provide some guidelines for adopting it in the Amazon cloud.
Access Challenges in Modern DevOps Environments
DevOps has taken to the cloud over the past decade, and the COVID-19 pandemic made remote work the standard. Whether DevOps engineers are accessing a cloud server or an on-premises build machine, chances are they are doing it remotely. This makes secure access a prime concern.
In cloud environments like Amazon, traditionally organizations used the following measures to secure access. But they are no longer enough to protect valuable DevOps environments:
- Security groups/firewalls – Amazon provides several mechanisms that let you limit access to a cloud resource to an allowlist of IP addresses. However, allowlists quickly get out of date and become difficult to manage.
- Virtual Private Network (VPN) – a VPN provides an encrypted channel for remote access, but at the same time, it grants broad access to an entire environment with full network connectivity. If an attacker compromises a privileged account, they can use VPN to access multiple sensitive resources.
- Network segmentation – you can achieve manual network segmentation through VLANs or security groups. Segmentation is very effective against lateral movement, but it is complex to set up and maintain and doesn’t provide granular control over access.
- Key management – Amazon provides the Key Management Service (KMS) to manage encryption keys. But without holistic integration into the entire environment, keys and passwords can fall into the wrong hands.
This is a case in point showing how critical access control has become in the modern IT environment.
What is Zero Trust?
Zero Trust security is a new security paradigm in which entities both outside and inside a corporate network are considered untrusted. A zero trust approach means not trusting the underlying network infrastructure, software components within an organization’s IT environment, user accounts, and devices connecting to the network. Any connection request must be authenticated and continuously verified due to the risk that it may be compromised.
Zero trust breaks the concept of the secure network perimeter. Traditionally, network security was based on defending the perimeter, preventing attackers from penetrating, and assuming that everything inside the perimeter was safe.
This naive approach no longer holds in a distributed IT environment with cloud systems, mobile devices, and internet of things (IoT) devices, many of which are outside an organization’s control. A zero trust network can secure all these components by evaluating their activity in real time, detecting unauthorized access, and blocking it.
Why is Zero Trust Security Important?
The zero trust model provides much stronger protection against attacks like credential and identity theft, which are the Achilles heel of modern IT environments. Zero trust aims to create a perimeter around every valuable asset (known as the protect surface), allowing companies to protect valuable data, improve the ability to perform compliance auditing in cloud environments, and improve visibility into what is running in the cloud and who is accessing it.
A key tenet of zero trust is microsegmentation. This refers to the ability to create network segments dynamically and automatically around sensitive resources or groups or resources. This ensures that even if an account is compromised, the attacker can only access the specific system the user was allowed to access and cannot move laterally across the environment.
Implementing Zero Trust in the Cloud
There are numerous ways to implement zero trust, but in many cases, an initial milestone is implementing a Zero Trust Network Access (ZTNA) solution. ZTNA is provided as a SaaS solution, which can enable flexible, granular access control and automatically performs microsegmentation according to access rules.
ZTNA can work in parallel to existing remote access technologies, making it possible to put in place zero trust access for new or mission critical applications without “ripping and replacing” access control for lower priority legacy applications.
These factors also mean that the contribution of ZTNA to your cloud costs is predictable. There are no large upfront costs and gradual migration provides low risk. Because it is a fully managed service, the organization can save time previously spent on managing VPNs, security groups, and other access solutions.
Use the following general process to start implementing zero trust on AWS:
- Start by mapping your environment. Use network traffic monitoring to understand what is running in your environment and see traffic patterns over at least a few weeks. Create a relationship with stakeholders who can help you understand the normal traffic patterns and business needs. This will be very valuable in planning your zero trust approach.
- Adapt the architecture to data flows. Design a zero trust architecture based on how data is transmitted across the network and how users and applications access sensitive information. This will help you define how to partition your network. It can also help security teams deploy access control mechanisms between network segments and decide whether they should use virtual mechanisms or physical devices.
- Use asset and device identities. Advanced zero trust implementation requires a robust system for establishing the identity of cloud resources and the devices accessing them. Take the time to categorize your systems and applications to establish baselines and behaviors for application traffic.
Guiding Principles for Building Zero Trust on AWS
Here are a few principles you can use to achieve zero trust security in the Amazon cloud:
Use identity and network services together. It is possible to implement networks in AWS independently from identity and access management (IAM). However, establishing networks with strong identity-centric controls provides fine-grained access management that is highly compatible with zero trust. You can establish clear micro-perimeters using Amazon virtual private networks and security groups, and define access via IAM roles and policies.
Start from your use cases. Establish the main reason you are transitioning to zero trust and use it to build your zero trust implementation. For example, if you are trying to support workforce mobility, you will leverage different capabilities than if you are adopting zero trust to improve security for system-to-system communications.
Prioritize zero trust systems by value. Do not rip and replace existing security controls. Instead, think of the value zero trust can add to your existing implementation, and gradually replace existing systems with ones compatible with zero trust concepts. Start from the places where zero trust will add most value – for example, the most sensitive systems exposed to severe internal or external threats.
Leverage encryption for AWS API requests. When your systems interact with the Amazon API, every request is authenticated, authorized, and secured using Transport Layer Security (TLS). Amazon uses its advanced AWS Signature v4 signing process to secure all API requests without trusting the network protocol or transport.
AWS services use zero trust access. Whenever Amazon services talk to each other, they are authenticated and authorized by IAM, with strong identity-based controls. For example, when an Amazon service calls the Amazon EC2 API, the same zero trust principles are applied as when your systems call the API.
Zero Trust for IoT. Amazon provides advanced tools for securing communication with IoT components. All communication with Amazon IoT services occurs over an encrypted LS channel and devices are authenticated using certificate-based mutual TLS. Amazon also offers TLS support to the FreeRTOS protocol to support secure access by embedded systems.
In this article, we explained the basics of zero trust, the need for zero trust in a cloud environment, and key steps for implementing zero trust in AWS.
- Map your environment to understand current traffic flows.
- Adapt the architecture to data flows to ensure that zero trust implementation matches current needs and actual usage of cloud resources.
- Use asset and device identities to create a robust basis for granular access control across your cloud environment.
We hope this will be useful as you take your first steps to implementing zero trust in the Amazon cloud.
Gilad David Maayan is a technology writer who has worked with over 150 technology companies including SAP, Samsung NEXT, NetApp and Imperva, producing technical and thought leadership content that elucidates technical solutions for developers and IT leadership.
Want to write an article for our blog? Read our requirements and guidelines to become a contributor.