
According to Zero Trust principles, assume every surface is vulnerable and do not trust anything without verification. In network terms this means allowing only specific, explicitly permitted traffic while denying everything else.
When it comes to cloud, we can’t talk about zero trust without talking about Microsegmentation.
Microsegmentation is a network security technique in which each application, device or workload is protected by its own granular security zone. It is similar to VLANs, but far more granular. In the cloud, microsegmentation is achieved using a combination of firewalls, security groups, VPCs (AWS), roles and other security services.
A good example is separating each department in an organization by creating a dedicated VPC for each one (alongside its own security groups, NACLs and routing).
Such techniques achieve the following:
- Reduced attack surface (prevents east-west lateral movement).
- Protection of critical applications.
- Better regulatory compliance.
- Easier maintenance and management of each asset.
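To make the "allow specific traffic, deny all others" point concrete, here is an added example (not from the original post) that models the department-per-VPC design above: a finance VPC protected by an AWS-style NACL (numbered rules, default deny) and a database security group (allow rules only, implicit deny), then checks which flows get through. The CIDRs, subnet names and rule numbers are constructed for illustration, and the model only evaluates the ingress direction.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed example: one dedicated VPC per department.
VPCS = {"finance": ipaddress.ip_network("10.1.0.0/16"),
        "hr": ipaddress.ip_network("10.2.0.0/16")}


@dataclass
class SecurityGroup:
    """AWS-style security group: allow rules only, anything unmatched is denied."""
    name: str
    ingress: list = field(default_factory=list)  # (proto, port, source_cidr)

    def allows(self, src, port, proto):
        return any(p == proto and prt == port and src in ipaddress.ip_network(cidr)
                   for p, prt, cidr in self.ingress)


@dataclass
class NetworkAcl:
    """AWS-style NACL: rules evaluated in number order, first match wins,
    and the implicit catch-all rule denies everything else."""
    rules: list  # (rule_no, proto, port, source_cidr, action)

    def allows(self, src, port, proto):
        for _, p, prt, cidr, action in sorted(self.rules, key=lambda r: r[0]):
            if p in (proto, "all") and prt in (port, "all") \
                    and src in ipaddress.ip_network(cidr):
                return action == "allow"
        return False  # default deny


def flow_allowed(src_ip, nacl, sg, port, proto="tcp"):
    """Ingress must pass the destination subnet's NACL and the target's SG."""
    src = ipaddress.ip_address(src_ip)
    return nacl.allows(src, port, proto) and sg.allows(src, port, proto)


# Finance subnet NACL: only finance VPC addresses may enter at all (constructed).
FINANCE_NACL = NetworkAcl([(100, "all", "all", "10.1.0.0/16", "allow")])
# Finance DB security group: only the finance app tier may reach Postgres (constructed).
FINANCE_DB_SG = SecurityGroup("finance-db", [("tcp", 5432, "10.1.10.0/24")])

if __name__ == "__main__":
    for src in ("10.1.10.5", "10.1.20.5", "10.2.3.4"):
        print(src, "->", flow_allowed(src, FINANCE_NACL, FINANCE_DB_SG, 5432))
```

The first source (finance app tier) is allowed, the second (another finance subnet) is stopped by the security group, and the third (HR VPC) never gets past the NACL, which is the east-west movement microsegmentation is meant to prevent.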
One of the biggest challenges in achieving Zero Trust is a conflict between Zero Trust principles and business requirements, including lifecycle policy management.

