Implementing a Zero Trust strategy for today’s complex cloud environments is a significant undertaking fraught with some key hazards.

Zero Trust has gained popularity as a cybersecurity strategy because it proactively guards against threats – under the assumption that bad actors can come from anywhere, be they internal or external.

However, despite its convenience and benefits to cybersecurity, implementing a Zero Trust architecture for cloud environments is a significant undertaking that requires a detailed plan to overcome major roadblocks.

What are some of these roadblocks, and how can organization in Asia Pacific clear them out of the way in our cloud journeys?

CybersecAsia finds out from Denise Kee, Chief Executive Officer, Xtremax.

Why is it important for organizations to examine their cloud architectures to improve the effectiveness of their Zero Trust strategies?

Denise Kee (DK): We have seen Zero Trust gain popularity as a cybersecurity framework – today, almost half of APAC organizations have a Zero Trust strategy in place, a marked progress from 31% in 2021.

However, implementing a Zero Trust strategy for cloud environments is a significant undertaking that requires companies to have full visibility and understanding of their cloud architectures.  An unclear view of cloud resources and their interactions can leave vulnerabilities undetected. Without a complete inventory and understanding of these assets, implementing the Zero Trust model becomes virtually impossible. You cannot secure or verify what you don’t know exists – and this is why it is key for organizations to first examine their cloud architectures.

Some common issues that organizations should look out for within their cloud architectures include:

    • Insufficient access controls: Poor access management can lead to unauthorized access and potential data breaches. Not implementing the Principle of Least Privilege (PoLP) can result in excessive permissions that contradict the Zero Trust model.
    • Misconfigurations: Misconfigurations, often due to human error or negligence, can expose a company’s cloud resources. With the complexity of cloud configurations, security settings can be easily overlooked, creating gaps in the Zero Trust implementation.
    • Lack of continuous monitoring and logging: The Zero Trust model requires continuous monitoring and logging of all network activity. If these processes are not integrated into the cloud architecture, threats can go unnoticed, leaving the network vulnerable to breaches.

With the increase in popularity of multi-cloud setups, how can businesses ensure their architecture is built for a Zero Trust model? 

DK: Using multiple cloud services offers benefits like flexibility and resilience, but also introduces complexity. Each cloud provider has its own set of security controls and configurations, which can make it challenging to maintain a uniform Zero Trust approach across the different clouds.

When the Singapore government rolled out its Government Commercial Cloud (GCC), it required a robust identity and authentication framework that would allow its users to have secure access to not just the three different public clouds, but also its intranet system.

By working with GovTech and the different government agencies, Xtremax was able to design an identity and authentication solution that would allow users to have both secure access to the public cloud services, software-as-a-service applications, as well as the workloads from within the intranet environments.

How can organizations effectively manage access controls to ensure Zero Trust?

DK: Managing access controls to ensure Zero Trust requires long-term sustained effort – after all, the core principle behind this is to “never trust, always verify”. Organizations will need to employ a combination of advanced security technologies, best practices, and comprehensive policies to ensure a consistent Zero Trust approach.

Tools such as cloud identity management platforms, identity and access management solutions can help – but most importantly, it is having centralized, unified policies that the entire team is aligned with to ensure effective and sustained execution.

For larger organizations with complex setups, or for companies with smaller IT teams, a partner may be able to share industry best practices and provide guidance in developing these policies. 

Implementing Zero Trust requires proactive monitoring – how can companies ensure this is integrated into their cloud architecture?

DK: Many businesses attempt to strengthen their cybersecurity by implementing various security tools and establishing 24/7 detection and response capabilities. However, this approach only addresses a portion of the above challenges, leaving other critical aspects vulnerable.

It is important to remember that the Zero Trust approach requires continuous monitoring and logging of all network activity, with boundaries established between users and applications. As such, any security tools and processes need to be tightly integrated into the cloud architecture to be effective.

Instead of working only with security vendors to plug the gaps, it may be worthwhile to consider working with cloud solution providers with strong security credentials.

I would recommend looking for providers who have worked on complex and/or tightly regulated environments, and hence understand the integration between applications and infrastructure. These providers can then work with security partners to ensure a holistic view across both the architectural and security aspects.