COSAC 2021 presentation - AWS Zero Trust
Download as PPTX, PDF0 likes158 views
The document discusses the application of zero trust security architecture on Amazon Web Services (AWS) amidst the evolving landscape of cloud adoption and remote work. It outlines the principles of zero trust architecture, its necessity due to the migration of IT to cloud services, and how AWS services can be leveraged to implement this model. The paper concludes that aligning AWS services with the zero trust principles is essential for maintaining security in decentralized environments.
COSAC 2021 presentation - AWS Zero Trust
- 1. Application of zero trust security architecture on Amazon Web Services Frans Sauermann & Ernest Ketcha
- 2. Agenda • Introduction • Problem Statement • Zero Trust Architecture • Analysis • Results • Conclusion and Outlook
- 3. Introduction & Motivation • Perimeter is Disappearing • Enterprise users are no longer in office • Work from home is the norm for organizations post COVID • Cloud adoption is on the rise • Moving data to Edge through Edge computing is becoming crucial • Enterprises are now adopting a multi-cloud strategy to support their digital transformation strategy • On-premise data centers are also accessed by third parties • Cloud Migration • Workload migration to the cloud to reduce operational cost • Requirement to ensure the same level of security pre and post migration should be maintained
- 4. The Problem • Two main drivers motivate for the application of zero trust security on Amazon web services: Migration of traditional IT to cloud services; and the inversion of security architecture approaches towards zero-trust security architecture and Continuous Adaptive Risk and Trust Assessment (CARTA). • An architecture in this space will assist Solution architects and developers to realize zero-trust on customer AWS tenants. • This paper discusses the Zero Trust reference model and indicates how it can be achieved using AWS services.
- 5. Zero Trust Architecture • Zero trust (ZT) provides a collection of concepts and ideas designed to minimize uncertainty in enforcing accurate, least privilege per-request access decisions in information systems and services in the face of a network viewed as compromised. • Zero trust architecture (ZTA) is an enterprise’s cybersecurity plan that utilizes zero trust concepts and encompasses component relationships, workflow planning, and access policies. • A zero-trust enterprise is the network infrastructure (physical and virtual) and operational policies that are in place for an enterprise as a product of a zero-trust architecture plan. Untrusted zone Contextual trust zone Policy Decision/ Enforcement Point Target Resource/ System/ Data/Application
- 6. Zero Trust Architecture – Principles • All data sources and computing services are considered resources. • All communication is secured regardless of network location. • Access to individual enterprise resources is granted on a per-session basis. • Access to resources is determined by dynamic policy—including the observable state of client identity, application/service, and the requesting asset—and may include other behavioral and environmental attributes. • The enterprise monitors and measures the integrity and security posture of all owned and associated assets. • All resource authentication and authorization is dynamic and strictly enforced before access is allowed. • The enterprise collects as much information as possible about the current state of assets, network infrastructure and communications and uses it to improve its security posture. Untrusted zone Contextual trust zone Policy Decision/ Enforcement Point Target Resource/ System/ Data/Application
- 7. Logical Components of a ZTA (NIST model) Untrusted zone Contextual trust zone Policy Enforcement Point Enterprise Resources Policy decision point Policy Engine Policy Administrator 3rd parties capabilities Internal capabilities and policies Control pane Data pane ZTA Variations: • ZTA Using Enhanced Identity Governance • ZTA Using Micro-Segmentation • ZTA Using Network Infrastructure and Software Defined Perimeters Zero Trust: Network View • The entire enterprise private network is not considered an implicit trust zone. • Devices on the network may not be owned or configurable by the enterprise. • No resource is inherently trusted. • Not all enterprise resources are on enterprise-owned infrastructure. • Remote enterprise subjects and assets cannot fully trust their local network connection. • Assets and workflows moving between enterprise and non-enterprise infrastructure should have a consistent security policy and posture.
- 8. Analysis – Business & Application Layers
- 9. Analysis – Application and Network Layers
- 10. Results and Findings AWS Model AWS GuardDuty AWS IAM AWS Inspector
- 11. Logical Overview
- 12. Conclusion and outlook • NIST Zero Trust model outlines components to be considered for alignment in a ZTA. • ZTA model and principles need to be mapped to its realization. • Services need to be aligned to match overall ZTA overlay • AWS services can support the realization of ZTA.