By Aurora Chun, Product Marketing, HashiCorp
Organizations are moving to the cloud to deliver new business and
customer value quickly and at scale, going from static data centers to dynamic
infrastructure in the cloud. This shift from physical on-premises data centers
to a hybrid mix of multiple public clouds and private infrastructure brings
many benefits, but has also created challenges for IT organizations.
Platform teams are charged with addressing cloud-based changes to
provisioning, security, networking, and application deployment. The transition
from legacy environments to the cloud introduces new challenges around securing
dynamic and ephemeral cloud infrastructure. How can organizations unlock the
full potential of the cloud without compromising security and compliance?
A zero trust security approach can
enable organizations to manage their transition to the cloud while maintaining
a high level of security, trusting nothing and authenticating and authorizing
everything. The result is an architecture designed to help secure all phases of
the modern cloud journey.
Shift to zero trust security
As companies move to the cloud, the traditional perimeter-based
security measures used to secure their private data centers may no longer be
adequate to protect today's dynamic multi-cloud infrastructures. Dynamic workloads and a constantly changing
workforce with the need to remotely access shared resources mean that
traditional IP-based perimeters and access are being challenged by ephemeral IP
addresses. As organizations grow, managing ephemeral resources like containers,
access, and credentials at scale becomes more complex. Securing infrastructure,
data, and access becomes increasingly difficult across clouds and on-premises
data centers, adding complexity and overhead and requiring advanced expertise.
This shift calls for a more scalable, dynamic, and consistent security approach
based on identity.
The shift to zero trust security requires a model that is
identity-based, centrally managed, widely encrypted, and always authenticated
and authorized. To achieve these benefits, organizations should implement zero
trust security practices at all three phases of the cloud journey, from cloud
adoption to standardization to scaling.
Zero trust security in the cloud adoption phase
In the first step of the cloud journey, individual application
development teams typically look for tools to help provision, secure, and
connect infrastructure so they can run applications and networks. This ad hoc
migration to dynamic cloud infrastructure increases the number of systems to
manage, endpoints to monitor, networks to connect, and people who need access.
The potential for a breach increases significantly due to the expansion into
multiple distributed environments and the complexity of trying to manage
ephemeral IP addresses at scale, while still allowing access to people and
services as needed. That's
why perimeter-based security should be replaced by identity-based access.
Because users and services may now come from multiple places, both inside and
outside the network perimeter, access can no longer be granted on the basis of
IP addresses. Instead, machine and human users must continually authenticate
who or what they are and be authorized for what they are allowed to do. This allows for the unhindered scaling
of teams and infrastructure without sacrificing security. Many organizations
rely on centralized identity and secrets management solutions that can secure
and streamline machine authentication (authN) and authorization (authZ)
workflows throughout their heterogeneous infrastructure assets.
Zero trust security in the cloud standardization phase
In the second step of the cloud journey, organizations focus on
taking configurations shared among teams and converting them into standard
workflows and modules across the entire cloud platform. Platform teams are
instituted to bake in organizational standards using an automated, proactive
policy-enforcement approach.
This is also when organizations should seek a solution that
provides an automated and centralized credential management workflow for users
to connect and access all of their infrastructure resources, including
Kubernetes clusters and pods. Organizations that use Kubernetes should leverage
a solution where each application or pod can dynamically obtain unique
credentials (including lease and expiration times) in order to access the
correct systems. Automatically rotated credentials and dynamic secrets reduce
the attack surface and the potential blast radius by shrinking the window of
opportunity to use stolen secrets.
Some solutions leverage different methods for managing Kubernetes
credentials, such as CSI drivers or sidecar injection, which may require
developer configuration and consume system overhead. Other solutions work
natively with Kubernetes secrets, so it's
important to research what tools and methods will work best for your
environment.
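As an added illustration (not code from the article or from any HashiCorp product), a small Python model of the per-pod dynamic credential with lease and expiration described above: each workload receives a unique secret bound to its identity, every request is re-authenticated and re-authorized, and the lease bounds how long a stolen credential stays usable. The broker, workload identities and timestamps are constructed for the example.

```python
from dataclasses import dataclass
import hmac
import secrets

@dataclass
class Lease:
    lease_id: str
    principal: str      # workload identity the credential is bound to (e.g. a pod)
    secret: str         # the unique credential issued to that workload
    issued_at: float    # epoch seconds, injected so the demo is deterministic
    ttl: float          # lease duration in seconds

    @property
    def expires_at(self) -> float:
        return self.issued_at + self.ttl

class DynamicSecretBroker:
    """Constructed broker: issues per-pod credentials with leases and re-checks them on every access."""
    def __init__(self) -> None:
        self._leases = {}

    def issue(self, principal: str, ttl: float, now: float) -> Lease:
        lease = Lease(secrets.token_hex(8), principal, secrets.token_urlsafe(32), now, ttl)
        self._leases[lease.lease_id] = lease
        return lease

    def authorize(self, lease_id: str, secret: str, principal: str, now: float) -> bool:
        """Authenticate the credential and authorize the caller on every request."""
        lease = self._leases.get(lease_id)
        if lease is None or now >= lease.expires_at:   # unknown or expired lease
            return False
        if lease.principal != principal:               # credential replayed by another workload
            return False
        return hmac.compare_digest(lease.secret, secret)

def exposure_window(lease: Lease, stolen_at: float) -> float:
    """Seconds a stolen credential stays usable; a static secret would be unbounded."""
    return max(0.0, lease.expires_at - stolen_at)

def demo() -> dict:
    broker = DynamicSecretBroker()
    t0 = 1_700_000_000.0
    pod = "payments/pod-7f3a"                   # constructed workload identity
    lease = broker.issue(pod, ttl=900, now=t0)  # 15-minute lease
    return {
        "fresh": broker.authorize(lease.lease_id, lease.secret, pod, t0 + 60),
        "other_pod": broker.authorize(lease.lease_id, lease.secret, "web/pod-1b2c", t0 + 60),
        "expired": broker.authorize(lease.lease_id, lease.secret, pod, t0 + 900),
        "seconds_usable_if_stolen_at_5min": exposure_window(lease, t0 + 300),
    }
```

Shortening the TTL in `issue` directly shrinks the value returned by `exposure_window`, which is the blast-radius reduction the text refers to.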
Zero trust security in the scaling phase
In the third step of the cloud journey, organizations seek to
scale these standardized, cloud-based principles and practices to their entire
digital estate, including private data centers. The end goal is to leverage the
workflows and guardrails put in place during the standardization phase to
enable self-service infrastructure provisioning for application teams across
the organization, speeding innovation without compromising security or
compliance. Organizations should leverage policies based on identity when it
comes to machine-to-machine access.
Planning ahead is crucial
It's critical to plan ahead so that you have systems and processes in place
that support your organization's security needs at each step of the cloud
journey. Take inventory of the resources you run now, which ones you won't need
as you modernize onto new applications and services, and which ones you will
want to migrate and run differently in a cloud environment using containers and
tools such as Kubernetes.
ABOUT THE AUTHOR
Aurora Chun, Product Marketing Manager - Terraform Ecosystem