Zero trust is not a new concept; the term was coined at Forrester in 2010 and the model has been around for more than a decade. Since then it has become widely recognised as a sound approach to cybersecurity. But with DevOps built on agility and speed, how can zero trust be implemented without slowing time to deployment?
When implemented correctly, zero trust integrates security into the DevOps lifecycle without affecting build time or quality, and helps the application meet compliance requirements. Its prominence was underlined when President Biden signed Executive Order 14028 in May 2021, which directs federal agencies to move toward a zero trust architecture.
The security community recently saw how vital zero trust practices are with the Log4Shell attack (CVE-2021-44228), which highlighted the risk of uncontrolled and unnecessary public exposure: the exploited attack surface was frequently reachable without any authentication. This article explores why zero trust matters for building secure apps and how to implement it without disrupting developer workflows.
Zero trust is a cybersecurity model built on continuous verification: it treats trust as a vulnerability and mitigates it by eliminating implicit trust. It replaces the traditional "trust, then verify" view, where trust was assigned to whole categories (a network segment, a VPN user), with "verify, then trust", where access is granted only once each user, device, application, and so on has been independently validated. An essential distinction of this model is that trust is continuously re-assessed at every connection request and whenever the risk level changes. The result is a lower likelihood of a successful breach and a smaller blast radius when one does occur.
Five key pillars of zero trust
A zero trust security approach can be broken down into five distinct pillars: device trust, user trust, transport/session trust, application trust, and data trust. To coordinate the security of each pillar efficiently, consider a cybersecurity platform that gives you visibility into your entire IT infrastructure, with access to security automation tools, customisable APIs, and a broad set of third-party integrations.
1. Device trust
The number of devices or endpoints accessing internal resources has grown not only per user but also in variety, and workforce trends such as bring your own device (BYOD) and remote work add further complexity. It is critical to inventory, manage, and control all these devices and determine whether each can be trusted. For device security posture, extended detection and response (XDR) improves detection of malicious activity on an endpoint because it correlates telemetry across the enterprise environment, which in turn improves the overall zero trust picture: a device that fails a posture check should lose the trust it was granted earlier rather than keep its existing access.
2. User trust
With 57% of organisations reporting a security incident related to exposed secrets in DevOps, authenticating users' credentials is critical to fending off malicious actors. History has shown that password-only authentication is not good enough, which has given rise to stronger methods: password-less authentication, multi-factor authentication (MFA), conditional access policies, and dynamic risk scoring.
A common password-less method combines biometrics with digital certificates. The user's mobile device verifies a biometric (fingerprint, facial recognition, etc.) locally and then authorises access based on a certificate bound to that device and on the device's proximity to the endpoint being unlocked. The phone effectively becomes the user's credential; the biometric itself is checked on the device and is not transmitted.
MFA is an access control method requiring more than just a username and password, and AWS recommends it as a simple best practice for every account, the root user above all. It adds a second factor, such as a code from a virtual MFA app (TOTP), a hardware or FIDO2 security key, or a code sent to the user's phone, before granting access. Not all factors are equal: SMS codes can be intercepted or phished, so prefer an authenticator app and, where supported, a phishing-resistant FIDO2 key.
Conditional access applies "if __, then __" rules to authentication decisions. For example: if the user is logging in from a high-risk geographical region, then block access; if the device is unmanaged, then require MFA.
Risk scoring looks at the context of a login attempt and assigns risk values to its variables. For example, an unmanaged device, or impossible travel (the same account logging in from two locations on opposite sides of the world within an hour), raises the score, and the score then drives the conditional access decision.
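To make the two preceding ideas concrete, here is an added example (not code from the article or from any vendor product) of a small policy engine that scores a login from its context and then applies conditional access rules to the score. The high-risk region codes, the risk weights, the 1,000 km/h impossible-travel threshold and the login records are all assumptions chosen for the illustration; a real deployment would take them from policy and from the identity provider's sign-in logs.

```python
"""Conditional access with dynamic risk scoring (added illustration).

Assumptions: HIGH_RISK_REGIONS, the weights in risk_score() and the
thresholds in decide() are example policy values, not the article's.
"""
from dataclasses import dataclass
from math import asin, cos, radians, sin, sqrt
from typing import Optional

HIGH_RISK_REGIONS = {"XX", "YY"}      # assumed country codes supplied by policy
MAX_PLAUSIBLE_SPEED_KMH = 1000.0       # faster than any commercial flight


@dataclass
class Login:
    user: str
    country: str
    lat: float
    lon: float
    ts: int                 # unix seconds
    managed_device: bool    # enrolled in device management?
    mfa_passed: bool        # second factor already satisfied?


def distance_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two points (haversine formula)."""
    earth_radius = 6371.0
    dlat = radians(lat2 - lat1)
    dlon = radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * earth_radius * asin(sqrt(a))


def travel_speed_kmh(prev: Optional[Login], cur: Login) -> float:
    """Speed the user would have needed to reach the current login location."""
    if prev is None:
        return 0.0
    hours = max(cur.ts - prev.ts, 1) / 3600.0   # guard against identical timestamps
    return distance_km(prev.lat, prev.lon, cur.lat, cur.lon) / hours


def risk_score(prev: Optional[Login], cur: Login) -> int:
    """Add a weight for every risky attribute of the attempt (assumed weights)."""
    score = 0
    if not cur.managed_device:
        score += 30
    if travel_speed_kmh(prev, cur) > MAX_PLAUSIBLE_SPEED_KMH:
        score += 50                       # impossible travel
    if cur.country in HIGH_RISK_REGIONS:
        score += 40
    return score


def decide(prev: Optional[Login], cur: Login) -> str:
    """Conditional access rules, ordered from hard blocks down to allow."""
    if cur.country in HIGH_RISK_REGIONS:    # if high-risk region, then block
        return "block"
    score = risk_score(prev, cur)
    if score >= 50:                          # impossible travel alone is enough
        return "block"
    if score > 0 and not cur.mfa_passed:     # some risk: demand a second factor
        return "step_up_mfa"
    return "allow"


if __name__ == "__main__":
    # Constructed sample: London at t=0, then Sydney one hour later.
    first = Login("alice", "GB", 51.5, -0.12, 0, True, True)
    second = Login("alice", "AU", -33.87, 151.21, 3600, True, True)
    print(round(travel_speed_kmh(first, second)), "km/h ->", decide(first, second))
```

The ordering in `decide()` matters: hard policy rules (region block) are evaluated before the score so that a high MFA-adjusted score can never override them, while the score only ever escalates the response (step-up or block), never relaxes it.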
3. Transport/session trust
The principle of least privilege is key to effective zero trust security. Users, devices, and applications should have access only to the systems necessary to perform the job at hand, nothing more. There are three components to implementing least privilege in a zero trust approach: microsegmentation, transport encryption, and session protection.
Microsegmentation is the process of identifying, segmenting, and locking down communication pathways so that only explicitly authorised connections are permitted (default deny), limiting the scope of a successful breach.
Transport encryption is usually provided by Transport Layer Security (TLS), which encrypts data in transit between networks and, with certificate verification, authenticates the server the client is talking to. This prevents malicious actors from reading what is communicated and, if traffic is captured, leaves them with ciphertext. Use TLS 1.2 or later and verify certificates and hostnames on every client: an unverified TLS connection still encrypts, but it does not tell you who is on the other end.
Session protection ensures that the application is secure during each session and that browser traffic is not hijacked and used to expose the application to other unauthorised users on the network. Common measures are forcing all communication over encrypted HTTPS (with a redirect and an HSTS header), marking session cookies Secure, HttpOnly and SameSite, and rotating the session identifier on login.
Your cybersecurity platform of choice should continuously scan your cloud infrastructure and services to ensure they are configured to use HTTPS only.
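The following added example (not the article's code) shows the transport and session controls from this section in code: the weak TLS client setting beside the hardened one, HTTPS enforcement with an HSTS header, and session cookie attributes. The HSTS lifetime, the Content-Security-Policy baseline and the cookie lifetime are assumed policy values; the functions return headers and decisions rather than serving traffic, so the whole thing runs offline.

```python
"""Transport and session protection (added example).

Assumptions: HSTS_MAX_AGE, the CSP baseline and the 30-minute cookie
lifetime are example policy values chosen for this illustration.
"""
import secrets
import ssl
from typing import Dict, Optional

HSTS_MAX_AGE = 63072000   # two years, assumed policy value


def insecure_client_context() -> ssl.SSLContext:
    """The weak setting: traffic is encrypted, but neither the certificate chain
    nor the hostname is verified, so a man-in-the-middle with any certificate
    is accepted.  check_hostname must be cleared before verify_mode."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_client_context(cafile: Optional[str] = None) -> ssl.SSLContext:
    """The corrected setting: TLS 1.2 or newer, full chain and hostname checks."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def is_hardened(ctx: ssl.SSLContext) -> bool:
    """Posture check a scanner could apply to any client context."""
    return (ctx.verify_mode == ssl.CERT_REQUIRED
            and ctx.check_hostname
            and ctx.minimum_version >= ssl.TLSVersion.TLSv1_2)


def enforce_https(scheme: str, host: str, path: str) -> Optional[Dict[str, str]]:
    """Redirect plain-HTTP requests; return None when the request is already HTTPS."""
    if scheme.lower() == "https":
        return None
    return {"status": "301", "Location": f"https://{host}{path}"}


def security_headers() -> Dict[str, str]:
    """Response headers sent on every HTTPS response."""
    return {
        # Browsers remember to use HTTPS for this host (and subdomains) for max-age seconds.
        "Strict-Transport-Security": f"max-age={HSTS_MAX_AGE}; includeSubDomains",
        "Content-Security-Policy": "default-src 'self'",   # assumed baseline
        "X-Content-Type-Options": "nosniff",
    }


def session_cookie(name: str, value: str, max_age: int = 1800) -> str:
    """Set-Cookie value: Secure (HTTPS only), HttpOnly (no script access),
    SameSite=Strict (never sent cross-site), short lifetime."""
    return f"{name}={value}; Path=/; Max-Age={max_age}; Secure; HttpOnly; SameSite=Strict"


def cookie_is_protected(set_cookie: str) -> bool:
    """Check that a Set-Cookie line carries all three protective attributes."""
    attrs = {part.strip().split("=")[0].lower() for part in set_cookie.split(";")[1:]}
    return {"secure", "httponly", "samesite"} <= attrs


def new_session_id() -> str:
    """Issue a fresh identifier on login so a pre-set (fixated) session id is never reused."""
    return secrets.token_urlsafe(32)


if __name__ == "__main__":
    print("hardened:", is_hardened(hardened_client_context()),
          "insecure:", is_hardened(insecure_client_context()))
    print(enforce_https("http", "app.example", "/login"))
    print(session_cookie("sid", new_session_id()))
```

`is_hardened()` is the kind of check the continuous configuration scan mentioned above performs: it looks at verification mode, hostname checking and the minimum protocol version together, because any one of them alone leaves the connection encrypted but unauthenticated.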
4. Application trust
The remote or hybrid workforce requires users to access any application securely and seamlessly from any device or location. The good news is that modern applications are being designed to support zero trust practices through single sign-on (SSO) integration, so identity is established once by a central identity provider and every application receives it in the same verifiable form.
However, traditional applications need a security upgrade to isolate them from the public internet. This can be done with a cybersecurity platform that places a zero trust network access (ZTNA) broker between the application and the internet to act as an identity-based barrier: the application is no longer reachable directly, and every request must first pass the broker's identity and policy checks. A platform can take isolation a step further (and streamline the process) by allowing security teams to classify groups of cloud workloads and then automatically apply individual security policies across the segmented identities.
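As an added example (not the article's code, and not any vendor's ZTNA implementation), here is the decision logic of an identity-based broker in front of a legacy application. Every request is checked for a valid, unexpired identity token, for device posture, and for the subject's entitlement to the requested application before anything is forwarded; the upstream addresses are never exposed. The token format (an HMAC-signed JSON payload), the shared key, the entitlement table and the upstream addresses are assumptions made for the example; a production broker validates tokens signed by the identity provider.

```python
"""Identity-aware broker in front of brokered applications (added example).

Assumptions: the HMAC-signed token format, IDP_KEY, ENTITLEMENTS and
UPSTREAMS are example values; a real deployment validates IdP-issued
tokens and reads entitlements from the identity provider.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Dict, Optional

IDP_KEY = b"assumed-shared-key-for-the-example"   # assumption, see lead-in

# Who may reach which internal application (assumed entitlement table).
ENTITLEMENTS = {"alice": {"jenkins", "gitlab"}, "bob": {"gitlab"}}

# Internal addresses behind the broker (assumed; never reachable from the internet).
UPSTREAMS = {"jenkins": "http://10.0.1.10:8080", "gitlab": "http://10.0.1.11:80"}


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(subject: str, device_managed: bool, ttl: int, now: Optional[int] = None) -> str:
    """What the identity provider hands out after SSO (assumed format)."""
    now = int(time.time()) if now is None else now
    claims = {"sub": subject, "device_managed": device_managed, "iat": now, "exp": now + ttl}
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    sig = _b64(hmac.new(IDP_KEY, body.encode(), hashlib.sha256).digest())
    return f"{body}.{sig}"


def verify_token(token: str, now: Optional[int] = None) -> Optional[Dict]:
    """Return the claims only if the signature checks out and the token is unexpired."""
    now = int(time.time()) if now is None else now
    try:
        body, sig = token.split(".")
    except ValueError:
        return None
    expected = _b64(hmac.new(IDP_KEY, body.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(sig, expected):    # constant-time comparison
        return None
    claims = json.loads(_unb64(body))
    if claims.get("exp", 0) <= now:
        return None
    return claims


def broker(request: Dict, now: Optional[int] = None) -> Dict:
    """Per-request decision; the upstream is contacted only on 'forward'."""
    app = request.get("app")
    claims = verify_token(request.get("token", ""), now)
    if claims is None:
        return {"action": "deny", "status": 401, "reason": "invalid or expired token"}
    if not claims.get("device_managed"):
        return {"action": "deny", "status": 403, "reason": "device posture"}
    if app not in ENTITLEMENTS.get(claims["sub"], set()):
        return {"action": "deny", "status": 403, "reason": "not entitled"}
    return {"action": "forward", "status": 200, "upstream": UPSTREAMS[app], "subject": claims["sub"]}


if __name__ == "__main__":
    tok = issue_token("alice", device_managed=True, ttl=300)
    print(broker({"app": "jenkins", "token": tok}))
    print(broker({"app": "jenkins", "token": tok + "x"}))   # tampered signature
```

Because `broker()` re-verifies the token and posture on every request rather than once at login, an expired token or a device that drops out of management loses access immediately, which is the continuous re-assessment that distinguishes zero trust from a one-time perimeter check.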
5. Data trust
Ensuring the integrity of data is a fundamental goal of cybersecurity: data must not be breached, exposed, or altered. A commonly used protection against breaches targeting the exfiltration and/or destruction of important, sensitive data is data loss prevention (DLP). There are plenty of DLP solutions on the market, but running DLP through a cybersecurity platform gives you consolidated protection across your environment. This maximises data protection by extending visibility across the enterprise to better identify sensitive data and coordinate a response before an incident occurs.
When integrating zero trust security measures, attention should also be paid to data classification and integrity practices where possible. This ensures data is classified by its confidentiality and integrity level, and that the security measures appropriate to that level are implemented.
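The following added example (not the article's code or any DLP product's logic) ties the two preceding paragraphs together: it inspects outbound content for a few sensitive-data types, applies a checksum to cut false positives, maps the findings to a classification label, and lets that label decide the response. The same detectors apply to the exposed-secrets problem raised under user trust, since a commit or pipeline log is just another piece of outbound content. The detector patterns, the labels and the label-to-action mapping are assumptions chosen for the illustration; the messages in the test are constructed.

```python
"""Content inspection for DLP with classification-driven response (added example).

Assumptions: the three detectors, the label names and the action table are
example choices; the AWS key prefix and PEM header formats are public.
"""
import re
from typing import Dict, List

# AWS access key IDs are "AKIA" followed by 16 upper-case alphanumerics.
AWS_KEY_RE = re.compile(r"\b(AKIA[0-9A-Z]{16})\b")
# Header line of a PEM-encoded private key as it appears in a leaked file.
PRIVATE_KEY_RE = re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----")
# Candidate payment card numbers: 13 to 19 digits with optional spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(number: str) -> bool:
    """Luhn checksum: rejects most random digit runs that merely look like card numbers."""
    digits = [int(c) for c in number if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scan(text: str) -> List[Dict[str, str]]:
    """Return one finding per sensitive item detected in the text."""
    findings = []
    for m in AWS_KEY_RE.finditer(text):
        findings.append({"type": "aws_access_key_id", "match": m.group(1)})
    if PRIVATE_KEY_RE.search(text):
        findings.append({"type": "private_key", "match": "PEM block"})
    for m in CARD_RE.finditer(text):
        if luhn_ok(m.group(0)):            # pattern alone is not enough
            findings.append({"type": "card_number", "match": m.group(0)})
    return findings


def classify(findings: List[Dict[str, str]]) -> str:
    """Map findings to a confidentiality label (assumed three-level scheme)."""
    types = {f["type"] for f in findings}
    if types & {"private_key", "aws_access_key_id"}:
        return "restricted"
    if "card_number" in types:
        return "confidential"
    return "internal"


ACTIONS = {"restricted": "block", "confidential": "encrypt_and_alert", "internal": "allow"}


def inspect_outbound(text: str) -> Dict:
    """Scan, classify, and pick the response the label mandates."""
    findings = scan(text)
    label = classify(findings)
    return {"label": label, "action": ACTIONS[label], "findings": findings}


if __name__ == "__main__":
    # Constructed sample message; AKIAIOSFODNN7EXAMPLE is the documented AWS example key id.
    sample = "deploy creds: AKIAIOSFODNN7EXAMPLE and card 4111 1111 1111 1111"
    print(inspect_outbound(sample))
    print(inspect_outbound("order id 1234567890123456 shipped"))
```

The Luhn step is what keeps this usable in a CI/CD pipeline: order numbers, build ids and timestamps are long digit runs too, and blocking every one of them would get the control switched off within a week.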
DevOps and zero trust
By their very nature, DevOps teams require access to a wide variety of systems and services that make up their workflows and toolchains. And as malicious actors ramp up attacks against developers' pipelines and services, validating every access is crucial to preventing a compromise.
To trust or block an activity effectively, you need continuous knowledge of the posture of every device and user connecting to your applications. That requires context fed in from the visibility/analytics layer overseeing the automated development environment, so the trustworthiness of all five pillars can be evaluated in every security decision.
A zero trust approach keeps the proverbial keys to the castle safe, and implementing it through a unified cybersecurity platform limits interruptions to the fast-moving build process.
Next Steps
There are five pillars to address when implementing a zero trust security model, Device, User, Transport/Session, Application and Data, and all of them need to be secured before they can be trusted. For a robust zero trust approach across a growing attack surface, a cybersecurity platform with capabilities to secure all five pillars should be integrated into both the application being built and the CI/CD pipeline, making zero trust a core component of the DevOps process itself.
Not all cybersecurity platforms are built the same. Some key capabilities to look for when choosing a vendor are:
- Zero Trust Network Access (ZTNA) tools to establish secure, identity-verified connections between the developer and the SaaS applications that make up their DevOps toolchain, checked on each established session.
- Secure Access Service Edge (SASE) solutions to expand on ZTNA and verify the integrity of all connections throughout the environment via a cloud-delivered security stack. SASE continuously assesses the risk of connections to external and internal applications, as well as branch-to-branch communications, ensuring all traffic is trustworthy; when it is not, response actions are available, including terminating the connection. Developers can then work securely and connect easily to wherever resources are located.
Learn how to bake security into your DevOps processes via APIs to improve development cycles and reduce human touch points and risk with Trend Micro Cloud One™, part of Trend Micro’s unified cybersecurity platform.