August 10, 2021
Never Trust, Always Verify: Zero Trust Architecture
What is zero trust?
Over the last decade, companies have started to decentralize their data, assets, applications, and services, or DAAS, across multiple environments and cloud infrastructure providers. This decentralization has made the traditional castle-and-moat security strategy ineffective, as network security can no longer be confined to a single location, set of devices, or users. The zero trust framework was developed to help modern companies secure their most valuable assets in this distributed cloud-native environment.
Zero trust is based on the idea that there is no traditional network edge, requiring you to design a system that assumes that all users and services are a potential threat, even if they’re within your network. Your system would require access requests to be continuously evaluated before connecting to any of your applications and services. Logins, connections, and API tokens would be short-lived and users and devices would continuously authenticate their identities and privileges.
This “never trust, always verify” approach allows you to closely monitor access to your DAAS. In a cloud-native world where users may be physically distributed, using multiple devices, or attempting to access DAAS from secured and unsecured networks, your organization needs to have strict access control, continuous evaluation, and maximum observability.
What are the zero trust principles?
The zero trust framework is based on four fundamental principles:
Never trust, always verify
Your system should continually ask users and services to verify their identities, devices, locations, and other data attributes to ensure that only privileged users and services are accessing a sensitive resource. Tokens, sessions, and connections should be short-lived and users and services should be prompted to re-authenticate in order to continue accessing your sensitive resources.
Continuous monitoring and observability
Continuous monitoring and observability enables you to have a real-time understanding of which users are attempting to access which resources and the outcome of that evaluation. Additionally, it provides your network and security teams with real-time information about potential threats, anomalous behaviors, and active security incidents. This enables them to act quickly to resolve any incidents and limit the blast radius of a potential breach.
Ensuring that your users only have access to the bare minimum of necessary resources is a core tenet of the zero trust framework. It’s important for you to understand exactly which of your users need access to which resources and what they need to do with those resources in order to limit unauthorized access. This is a key component of the microsegmentation principle discussed below.
You can minimize the scope and blast radius of a breach or security incident by segmenting your DAAS into smaller, more focused segments within your network. These network segments are independent of each other and are designed to prevent attackers from moving laterally within your network. Each segment has its own set of users, roles, and access policies that are continuously evaluated and monitored.
Zero trust at Skyflow
At Skyflow, we’ve built our data privacy vault using zero trust principles. Our vault allows you to create granular access policies that are continuously evaluated and monitored. We also provide control over your data and insight into how users and services access it and in which form. We combine this polymorphic encryption with vault technology to keep all your sensitive data centralized. Our API allows you to use the data without ever having direct access to it, taking zero trust to another level. If you’d like to know more about how Skyflow approaches zero trust, reach out to us and schedule a demo. We’ll be publishing a series of blog posts which go into detail about how we approach zero trust, so stay tuned!