With the rapid adoption of cloud, IoT, and DevOps automation, trusting a device simply because it sits inside the network perimeter is no longer tenable. Modern businesses need a model built for this environment, and zero trust has emerged as that model and is now being widely adopted.
At a high level, zero trust extends no implicit trust to users, systems, or internal and external services. It is a set of concepts and ideas designed to reduce uncertainty when enforcing precise, per-request access decisions in information systems and services, on the assumption that the network is already compromised.
The zero trust model holds that devices cannot be trusted by default, even if they belong to a managed corporate network or have been verified before. Access is explicitly granted rather than assumed, and it is enforced through micro-segmentation into small security zones at the host, application, and data layers.
For example, the AppViewX product architecture supports a zero trust model: traffic between services in the mesh is encrypted, connections within the mesh must be explicitly allowed, and so on. This was possible because the product was designed as microservices with a cloud-first approach; in a legacy monolithic architecture, where everything is connected, a single compromise can reach every resource.
Organizations embracing zero trust typically start with segmentation, privileged access management, multi-factor authentication, vulnerability and patch management, and security analytics. But they miss a key area: the management of machine identities, that is, the certificates and private keys that authenticate workloads to one another. This is the missing piece of the model. By focusing heavily on access controls, it ignores the risk of compromised encrypted tunnels, whose security rests entirely on the integrity of those certificates and keys.
The number of machines, cloud workloads, containers, IoT and mobile devices accessing resources is already very high and growing rapidly. At the same time, errors in managing machine identities, such as certificate expiry, weak cipher suites, and compromised or fraudulent certificates and keys, pose significant risks to businesses around the world.
Implementing a next-generation certificate lifecycle automation solution is therefore a key step toward a fully functional zero trust model. It brings a policy-driven approach to machine identity management and mature process automation for business-as-usual (BAU) operations as well as incident response scenarios, such as rotating a certificate whose key has been compromised. It also enables organizations to transform digitally by supporting DevOps and multi-cloud architectures.
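What "policy-driven" means in practice is that every certificate in the inventory is evaluated against a fixed rule set rather than inspected by hand. The following Go program is an added example, not AppViewX code or any vendor's schema: it defines a hypothetical `Policy` covering the failure modes listed above (expiry, overlong validity, weak keys, weak signature algorithms, missing subject alternative names), mints a few self-signed test certificates as constructed input, and reports the violations. The policy thresholds and hostnames are assumptions chosen for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Policy is a hypothetical machine-identity rule set of the kind a lifecycle
// automation tool evaluates against every certificate it discovers.
// Field names and thresholds are assumptions for this example.
type Policy struct {
	RenewBefore    time.Duration             // flag certs with less remaining validity than this
	MaxValidity    time.Duration             // reject certs issued for longer than this
	MinRSABits     int                       // smallest acceptable RSA modulus
	MinECDSABits   int                       // smallest acceptable ECDSA curve size
	AllowedSigAlgs []x509.SignatureAlgorithm // allow-list; anything else (SHA-1, MD5) is flagged
	RequireSAN     bool                      // identity must be in a SAN, not only in the CN
}

// Check evaluates one parsed certificate against the policy at time now and
// returns one finding per violation; an empty result means compliant.
func (p Policy) Check(cert *x509.Certificate, now time.Time) []string {
	var findings []string
	// Lifecycle state: expired, nearing expiry, not yet valid, or too long-lived.
	switch {
	case now.After(cert.NotAfter):
		findings = append(findings, "expired")
	case cert.NotAfter.Sub(now) < p.RenewBefore:
		findings = append(findings, "expiring-soon")
	}
	if now.Before(cert.NotBefore) {
		findings = append(findings, "not-yet-valid")
	}
	if cert.NotAfter.Sub(cert.NotBefore) > p.MaxValidity {
		findings = append(findings, "validity-too-long")
	}
	// Key strength, by key type.
	switch pub := cert.PublicKey.(type) {
	case *rsa.PublicKey:
		if pub.N.BitLen() < p.MinRSABits {
			findings = append(findings, fmt.Sprintf("weak-key: RSA %d bits", pub.N.BitLen()))
		}
	case *ecdsa.PublicKey:
		if pub.Curve.Params().BitSize < p.MinECDSABits {
			findings = append(findings, fmt.Sprintf("weak-key: ECDSA %d bits", pub.Curve.Params().BitSize))
		}
	default:
		findings = append(findings, "unsupported-key-type")
	}
	// Signature algorithm must be on the allow-list.
	allowed := false
	for _, a := range p.AllowedSigAlgs {
		if a == cert.SignatureAlgorithm {
			allowed = true
			break
		}
	}
	if !allowed {
		findings = append(findings, "disallowed-signature-algorithm: "+cert.SignatureAlgorithm.String())
	}
	// Modern TLS clients ignore the CN, so a cert with no SAN cannot be matched to a host.
	if p.RequireSAN && len(cert.DNSNames)+len(cert.IPAddresses)+len(cert.URIs) == 0 {
		findings = append(findings, "missing-san")
	}
	return findings
}

// DefaultPolicy is an assumed baseline for this example, not a published standard.
var DefaultPolicy = Policy{
	RenewBefore:  30 * 24 * time.Hour,
	MaxValidity:  398 * 24 * time.Hour,
	MinRSABits:   2048,
	MinECDSABits: 256,
	AllowedSigAlgs: []x509.SignatureAlgorithm{x509.SHA256WithRSA, x509.SHA384WithRSA,
		x509.ECDSAWithSHA256, x509.ECDSAWithSHA384, x509.PureEd25519},
	RequireSAN: true,
}

// newTestCert mints a self-signed RSA certificate as constructed input for the
// example; a real tool would pull certificates from endpoints, keystores and CAs.
func newTestCert(rsaBits int, notBefore time.Time, lifetime time.Duration, dnsNames []string) *x509.Certificate {
	key, err := rsa.GenerateKey(rand.Reader, rsaBits)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "payments.svc.internal"}, // hypothetical service name
		NotBefore:    notBefore,
		NotAfter:     notBefore.Add(lifetime),
		DNSNames:     dnsNames,
		KeyUsage:     x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key) // defaults to SHA256WithRSA
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

func main() {
	now := time.Now()
	good := newTestCert(2048, now.Add(-24*time.Hour), 90*24*time.Hour, []string{"payments.svc.internal"})
	weak := newTestCert(1024, now.Add(-400*24*time.Hour), 2*365*24*time.Hour, nil)
	fmt.Println("compliant cert:", DefaultPolicy.Check(good, now))
	fmt.Println("weak cert:     ", DefaultPolicy.Check(weak, now))
}
```

Run against a real inventory, `Check` is the part that turns into alerts and renewal tickets; the same rule set can gate issuance, so a request for a 1024-bit key or a two-year lifetime is refused before the certificate ever exists rather than discovered later in a scan.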
As machine identities proliferate across cloud networks, certificate lifecycle automation has become an integral part of a zero trust network and crucial to an organization's cybersecurity resilience.
The Missing Piece in the Zero Trust Model post first appeared on AppViewX.
*** This is a syndicated Security Bloggers Network blog from Blogs – AppViewX written by Anand Purusothaman. Read the original post at: https://www.appviewx.com/blogs/the-missing-piece-in-the-zero-trust-model/