IT security is not just about implementing technology; it is about changing the mindset of what effective security is and how it should be designed across the enterprise. With this in mind, Palo Alto Networks explains how a Zero Trust approach can be implemented effectively in Google Cloud environments.
The traditional perimeter model for network security was based on strict demarcation between trusted and untrusted areas. This approach assumed that users and applications reside in the trusted domains, and potential threats may reside in the untrusted domains, particularly the Internet.
Today, however, according to Palo Alto Networks, the basic conditions are fundamentally different. Mobile workers and cloud applications sit in the untrusted part of the network. The old model is also inadequate because it cannot stop a threat actor who is already operating inside the trusted network. And even where network boundaries are enforced, conventional port- and protocol-based controls lack the granularity to permit legitimate applications while blocking attack traffic, because many applications and many attacks share the same ports, such as 443.
A contemporary mindset should challenge the notion of trust from the outset and implement the controls needed to enforce least-privilege access, also known as the Zero Trust model. In short: nothing is trusted by default. Policies should positively enable access based on user and application context, rather than trying to block everything that looks bad. It is not advisable to assume that a file is safe just because it is not yet known to be malicious. With Zero Trust, organizations rely on policies that define what is allowed, rather than trying to enumerate every possible permutation of what is not allowed.
In recent years, a variety of important technologies have been developed to provide complete visibility, reduce the attack surface, prevent known attacks, and detect and stop unknown attacks. There are four real-time functions that are at the heart of a contemporary security operating platform: App-ID classifies and identifies applications and functions. User-ID automatically makes identity assignments to otherwise anonymous network flows. Host Protection provides device state detection and exploit detection as well as malware prevention. Content-ID performs content inspection to detect and prevent malicious activity. This provides organizations with a rich context that they can use for security policies and in the decision-making process.
As part of the journey to the cloud, the same Zero Trust approach to security is imperative. This applies to building your own applications in the cloud with IaaS and PaaS services, as well as to using pre-built cloud applications via SaaS. Google shares many of the same beliefs, implemented in BeyondCorp, its framework for securing apps and infrastructure based on the principles of Zero Trust.
How to protect Google Cloud APIs?
The various DevOps teams in the enterprise build Google Cloud applications and interact with a range of Google Cloud APIs. Organizations today need the granularity to ensure that every team member has access to the APIs they need without being granted broader access to the most sensitive APIs than their work requires. Contextual information helps enforce such policies, because the access a person needs can be derived from their individual responsibilities, their role in the organization, or even the device they are using. This is the classic least-privilege problem: the attack surface shrinks as access is restricted based on context, to the extent that this contextual information is available.
The intersection of identity (based on user and device properties) and access-control policy enforcement has traditionally happened at the point of authentication. If access is restricted so that unauthorized users never get the chance to make an unauthorized API request in the first place, the attack surface is reduced. It also minimizes the risk of credential misuse and reduces the noise from failed-authentication alerts.
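The policy style described above (positive enablement based on user, API and device context, with everything else denied) can be made concrete. The following is an added example written for this page, not Palo Alto Networks or Google code; the group names, rule names and API method names are hypothetical, and the sample requests are constructed. It also contrasts the deny-by-default evaluation with the block-list approach the article argues against, so that the difference shows up on an API call the block list has never heard of.

```python
"""Deny-by-default, context-aware access decisions for cloud API calls.

Added example (not Palo Alto Networks or Google code). An API request is
allowed only when an explicit rule matches the caller's group, the requested
API method and the device state; everything else is denied. Rule names,
groups and API method names are hypothetical.
"""
from dataclasses import dataclass
from typing import FrozenSet, Optional, Tuple


@dataclass(frozen=True)
class Context:
    """Who is calling, which API method is requested, and from what device."""
    user: str
    groups: FrozenSet[str]
    api: str                  # e.g. "storage.objects.get" (hypothetical names)
    device_managed: bool      # enrolled in the organisation's device management
    device_compliant: bool    # passes posture checks (patched OS, disk encryption, ...)


@dataclass(frozen=True)
class AllowRule:
    """One positive enablement: which groups may call which APIs under which device conditions."""
    name: str
    groups: FrozenSet[str]          # caller must be in at least one of these
    api_prefixes: Tuple[str, ...]   # API methods enabled by this rule
    require_managed: bool = False
    require_compliant: bool = False

    def matches(self, ctx: Context) -> bool:
        if not (ctx.groups & self.groups):
            return False
        if not any(ctx.api.startswith(p) for p in self.api_prefixes):
            return False
        if self.require_managed and not ctx.device_managed:
            return False
        if self.require_compliant and not ctx.device_compliant:
            return False
        return True


# Hypothetical policy: the most sensitive APIs require the strictest context.
POLICY: Tuple[AllowRule, ...] = (
    AllowRule("read-from-any-device", frozenset({"devops", "contractors"}),
              ("storage.objects.get", "compute.instances.list")),
    AllowRule("write-from-managed-device", frozenset({"devops"}),
              ("storage.objects.create", "compute.instances."),
              require_managed=True),
    AllowRule("iam-from-compliant-managed-device", frozenset({"cloud-admins"}),
              ("iam.",), require_managed=True, require_compliant=True),
)


def allowlist_decide(ctx: Context, policy=POLICY) -> Tuple[bool, Optional[str]]:
    """Zero Trust evaluation: allow only on an explicit rule match, otherwise deny."""
    for rule in policy:
        if rule.matches(ctx):
            return True, rule.name
    return False, None  # default deny: no rule enabled this call


# The perimeter-era alternative, for contrast: known-bad list, everything else allowed.
DENY_PATTERNS: Tuple[str, ...] = ("iam.serviceAccountKeys.create",)


def blocklist_decide(ctx: Context) -> bool:
    """Allow anything not on the known-bad list; unlisted sensitive calls slip through."""
    return not any(ctx.api.startswith(p) for p in DENY_PATTERNS)


if __name__ == "__main__":
    # Constructed sample requests (not real users or traffic).
    samples = [
        Context("alice@example.com", frozenset({"devops"}), "compute.instances.delete", True, True),
        Context("alice@example.com", frozenset({"devops"}), "compute.instances.delete", False, False),
        Context("bob@contractor.example", frozenset({"contractors"}), "storage.objects.get", False, False),
        Context("bob@contractor.example", frozenset({"contractors"}), "iam.roles.update", False, False),
    ]
    for ctx in samples:
        allowed, rule = allowlist_decide(ctx)
        print(f"{ctx.user:24} {ctx.api:26} managed={str(ctx.device_managed):5} "
              f"allowlist={'ALLOW' if allowed else 'DENY'} ({rule}) "
              f"blocklist={'ALLOW' if blocklist_decide(ctx) else 'DENY'}")
```

The last sample is the instructive one: a contractor on an unmanaged device calling an IAM method is denied by the allow-list policy because no rule enables it, while the block list lets it through because that particular method was never added to the known-bad list. Real enforcement in Google Cloud would express the same rules in IAM and BeyondCorp access levels rather than in application code, but the decision logic is the same.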
How to make the use of G Suite secure?
Productivity applications like G Suite are used by almost everyone within the enterprise, by an extremely diverse range of users and from both on-premises and off-premises devices. Integrating Palo Alto Networks' protections for SaaS applications with G Suite builds the user and device context that drives BeyondCorp's access policy decisions. Employees on managed devices get immediate, full access to their applications, while contractors on non-compliant devices are assigned reduced levels of access. This lets organizations deploy G Suite securely to all employees, sharing contextual information with BeyondCorp while applying Palo Alto Networks' threat and privacy capabilities.
How to protect applications on GCP?
The principles of context-aware access and threat prevention should be applied consistently from the data center to the cloud. It is well known that different application developers and software vendors have different ideas about how to handle security, and that consistent, contextual protection is therefore often difficult to achieve. By working with Google, Palo Alto Networks wants to ensure that when applications move from the data center to the cloud, the user experience stays the same and remains consistently secure, regardless of where the user is located. For users on managed devices, only the authorized user with a compliant device can access the application, whether it lives in the data center, in the cloud or in a SaaS environment. For users on unmanaged devices, access to the application is enabled without bringing the device onto the network. This preserves the least-privilege architecture without disrupting business operations.