Enterprise use of the cloud is growing. According to IDG, 90% of companies will have part of their applications or infrastructure in the cloud by 2019, and the remaining 10% by 2021. In a Zero Trust Organization, cloud security is given the same level of importance as network security.
In the cloud, the only thing between you and the bad guys is a login screen. Consequently, access control has heightened importance.
Despite strong protections offered by the major cloud providers, users of cloud services can make costly mistakes when they fail to fully secure their cloud presence. That risk is compounded by the ease with which business units can purchase cloud services without proper approval processes. This makes it difficult for enterprises to know what data is being stored in the cloud and who has access to it.
A Zero Trust Organization knows what it has in the cloud: its applications, the data that resides in them, the relative sensitivity of that data, and the users who are accessing it.
To improve cloud security, the Zero Trust Organization creates a map of what it has in the cloud and implements strong access control. That includes multi-factor authentication to access sensitive cloud applications. For example, cloud-hosted email, such as Office 365, should require multi-factor authentication before a user can log in. Conversely, an application that does not have a lot of critical information may not need that degree of friction-producing authentication.
Adaptive access control and risk-based adaptive authentication increase authorization requirements depending on geography and/or time of day. In other words, a request for access made from the home office may be okay while a request received from a rogue state may not be.
This level of control requires monitoring cloud actors. In late 2016, hackers stole Uber’s AWS account credentials, logged into Uber’s account, and downloaded the PII of millions of its customers. Consequently, a Zero Trust Organization observes login attempts to see who is accessing what in the cloud, and when, and looks for anomalies, just as one would in an on-premise network.
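The policy described in the preceding paragraphs can be sketched in code. This is an added example, not from the original article: it requires multi-factor authentication based on application sensitivity, geography and time of day, then reviews the login log for users appearing from a new country. The application names, country codes (`XX` is a placeholder), working hours and log entries are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, time

# Every value here is constructed for illustration (assumption, not from the article).
APP_SENSITIVITY = {"email": "high", "wiki": "low"}  # result of mapping cloud apps
HOME_COUNTRIES = {"US"}          # where the organization's offices are
BLOCKED_COUNTRIES = {"XX"}       # placeholder code for geographies policy refuses
WORK_HOURS = (time(7, 0), time(19, 0))

@dataclass
class Login:
    user: str
    app: str
    country: str
    when: datetime               # office-local time of the attempt

def decide(req):
    """Return 'deny', 'mfa' or 'allow' for one login request."""
    if req.country in BLOCKED_COUNTRIES:
        return "deny"
    # An app missing from the map is treated as sensitive, not as harmless.
    sensitive = APP_SENSITIVITY.get(req.app, "high") == "high"
    off_hours = not (WORK_HOURS[0] <= req.when.time() < WORK_HOURS[1])
    abroad = req.country not in HOME_COUNTRIES
    return "mfa" if (sensitive or off_hours or abroad) else "allow"

def anomalies(log):
    """Flag logins from a country the same user has not been seen in before."""
    seen, flagged = {}, []
    for req in sorted(log, key=lambda r: r.when):
        known = seen.setdefault(req.user, set())
        if known and req.country not in known:
            flagged.append(req)
        known.add(req.country)
    return flagged

SAMPLE_LOG = [                   # constructed login events
    Login("alice", "wiki", "US", datetime(2024, 1, 8, 10, 0)),
    Login("alice", "email", "US", datetime(2024, 1, 8, 10, 5)),
    Login("alice", "wiki", "US", datetime(2024, 1, 8, 23, 0)),
    Login("alice", "wiki", "DE", datetime(2024, 1, 9, 10, 0)),
    Login("alice", "email", "XX", datetime(2024, 1, 9, 10, 30)),
]

if __name__ == "__main__":
    for req in SAMPLE_LOG:
        print(req.when, req.user, req.app, req.country, decide(req))
    print("review:", [(r.user, r.country) for r in anomalies(SAMPLE_LOG)])
```

The unmapped-application default matters: an application the organization has not yet inventoried gets the stricter treatment until someone classifies it.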
Access control has heightened importance in cloud security. Cloud security policies must be dynamic and reliably enforced. This in turn requires visibility into the data and applications that are in the cloud. These complement the security measures applied by the cloud provider and lead to a more secure cloud environment.
On-premise network security also benefits from a Zero Trust approach.