The concept of Zero Trust has gained widespread recognition as a robust approach to safeguarding access to digital assets. Initially designed for user access, Zero Trust has now extended its reach to the intricate world of workload-to-workload interactions.
While Zero Trust for user access is well established, it’s crucial to understand why a distinct approach is essential for securing the communication between workloads. Let’s cover a four-principle primer to Zero Trust for Workloads: identity, policy, credentials, and conditional access.
Zero Trust for User Access: A Recap
The easiest way to understand Zero Trust for workloads is to understand the more established view on Zero Trust for user access (often referred to as ZTNA or Zero Trust network access).
Zero Trust for user access operates on the fundamental principle of “never trust, always verify.” In this model, an organization moves away from assuming that users are “in the building.” Trust is never assumed based solely on a user’s location, and continuous verification is required for every user, device, and application attempting to access the network. This approach acknowledges the reality that:
- Users are now everywhere.
- They may be continually moving.
- Threats may originate both externally and internally.
All these variables challenge the traditional security model that relied heavily on perimeter defenses.
By implementing stringent identity verification, least privilege access, and continuous monitoring, Zero Trust for user access significantly enhances an organization’s security posture. However, as digital ecosystems grow in complexity, the need to secure interactions between workloads has become a distinct and critical concern.
Workloads Aren’t Humans: Adapting Zero Trust
Unlike user access, workload-to-workload communication involves machine-to-machine interactions. As we’ve covered before, many of the traditional mechanisms that help secure users don’t apply to workloads. Workloads can be applications, services, or any computing process, and securing their communication is vital to preventing lateral movement and sensitive data theft by potential attackers.
Traditional security models, focused on user access, do not adequately address the specific challenges posed by the dynamic, distributed, and technical nature of workload interaction.
Breaking Down Zero Trust for Workload-to-Workload Access
Implementing Zero Trust for workload-to-workload access requires a tailored approach, focusing on identity verification, policy enforcement, credentials, and conditional access controls.
1) Identity: Authenticating the Unseen
When it comes to workload-to-workload access, establishing and verifying identity becomes a unique challenge. Each workload must have a distinct and verifiable identity, ensuring that communication is only permitted between authenticated entities. This typically involves the use of stored secrets, such as certificates or keys.
Identity becomes more challenging as you cross boundaries, say from your custom application running in AWS to an application running in GCP. Or to a SaaS application you depend on, or even an API provided by one of your business partners.
Today there is no standard identity across this broad range of environments, and native methods to use identities across environments can be extremely complex. For example, this blog post from Uber shows the effort it took to implement the open-source framework SPIFFE at scale, which is something most enterprises simply cannot do. Moreover, this also assumes that the enterprise has control over every environment where their resources are connecting.
A more recent approach to this problem is to instead leverage a wide range of native identity “documents” and use a centralized identity and access management system to cryptographically attest to the identity asserted by a machine upon request for access.
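The attestation step described above, as an added example that is not part of the original post or of any vendor's product: a central IAM component receives a native identity document from a workload, checks that it was signed by an issuer it trusts, that it was minted for this verifier, and that it has not expired, and only then maps the verified claims onto a single canonical identity (a SPIFFE-style ID is used here). The issuer names, keys, claim names and the `spiffe://example.org/...` mapping are all constructed for the example; real cloud identity documents are signed by the provider and verified with the provider's published keys, whereas a shared HMAC key stands in here so the code runs offline.

```python
"""Central attestation of native workload identity documents (added example)."""
import base64
import hashlib
import hmac
import json
import time

# Constructed trust store: one verification key and expected audience per issuer.
# Assumption: a shared HMAC key models the issuer's signing key; a real verifier
# would use the provider's public keys instead.
TRUSTED_ISSUERS = {
    "aws-instance-identity": {"key": b"constructed-aws-key", "audience": "central-iam"},
    "gcp-metadata": {"key": b"constructed-gcp-key", "audience": "central-iam"},
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_document(issuer: str, claims: dict) -> str:
    """Stand-in for the platform minting a signed identity document (payload.signature)."""
    key = TRUSTED_ISSUERS[issuer]["key"]
    payload = _b64url(json.dumps(dict(claims, iss=issuer), sort_keys=True).encode())
    signature = hmac.new(key, payload.encode(), hashlib.sha256).digest()
    return f"{payload}.{_b64url(signature)}"


def attest(document: str, now=None):
    """Verify a native identity document and return a canonical workload ID, or None.

    Every check is fail-closed: an unknown issuer, bad signature, wrong audience,
    expired document or missing claim all yield None rather than a partial identity.
    """
    now = time.time() if now is None else now
    try:
        payload_b64, sig_b64 = document.split(".")
        claims = json.loads(_b64url_decode(payload_b64))
        signature = _b64url_decode(sig_b64)
    except ValueError:  # malformed base64/JSON, wrong number of segments
        return None
    if not isinstance(claims, dict):
        return None
    issuer = TRUSTED_ISSUERS.get(claims.get("iss"))
    if issuer is None:
        return None  # issuer we do not trust: nothing to verify against
    expected = hmac.new(issuer["key"], payload_b64.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return None  # tampered payload or forged signature
    if claims.get("aud") != issuer["audience"]:
        return None  # document was minted for a different verifier
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        return None  # stale document
    if "account" not in claims or "role" not in claims:
        return None
    # Canonical identity derived only from verified claims (constructed trust domain)
    return f"spiffe://example.org/{claims['iss']}/{claims['account']}/{claims['role']}"
```

The point of the mapping on the last line is that downstream policy never needs to know which cloud a caller came from; it sees one identity format regardless of the document type that was attested.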
2) Policy: Defining the Rules of Engagement
Crafting meticulous security policies is a cornerstone of Zero Trust for workload access. These policies dictate the acceptable behavior and communication patterns between workloads. Least-privilege principles may also be applied, limiting access to the bare essentials required for functionality.
In a Zero Trust world, the challenge is moving these policies from a spreadsheet into enforceable, automatable infrastructure. While it’s possible to do this at the network layer through tools such as microsegmentation, that approach is limited in complex environments or environments that cross boundaries (similar to the identity discussion above).
In those situations, a broader, layer 7 approach is needed to define policies across the scope of the environments in which your workloads operate. Focusing on this layer allows for policies that are finely tuned to individual applications, transcending mere network-level access. This method ensures adaptable, consistent security across diverse environments, whether cloud-based, on-premises, or hybrid.
3) Going Secretless: Reducing Credential Lifetime and Privileges
One of the crucial principles of Zero Trust is continuous verification. Workload access today typically involves a long-lived secret, such as an API key or username/password, that is hard-coded into an application. This creates two weaknesses:
- Key sprawl increases the attack surface by which a bad actor can penetrate your organization.
- Long-lasting credentials increase the potential for dwell time and opportunity for malicious hackers to move laterally within your environment.
Instead, replacing secrets with short-lived credentials forces continuous verification and can virtually eliminate dwell time. Building on the least-privilege concept, if the credentials also represent claims that define access, access can be limited to only the required resources based on a number of criteria.
Finally, depending on how your application requests credentials, it could avoid sprawl altogether by injecting credentials into the access request without ever letting the application see or store them.
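The secretless flow in this section, as an added example rather than code from the post or from any product: a broker mints an opaque credential that lives for a few minutes and carries claims naming exactly one resource and one action; a proxy step attaches it to the outbound request so the application's own request object never holds the token; and the target validates expiry and scope against the broker's record instead of trusting anything the caller asserts. The broker class, the `resource`/`action` request fields and the 300-second TTL are constructed for the example.

```python
"""Short-lived, scoped credentials injected outside the application (added example)."""
import secrets
import time


class CredentialBroker:
    """Issues opaque credentials with a short TTL and validates them server-side.

    The claims (subject, resource, allowed actions) are kept with the credential
    record, so the target enforces least privilege from the broker's view of the
    grant, not from fields the caller could rewrite.
    """

    def __init__(self, ttl_seconds: int = 300):
        self.ttl = ttl_seconds
        self._issued = {}  # token -> record; constructed in-memory store

    def issue(self, workload_id: str, resource: str, actions, now=None) -> str:
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        self._issued[token] = {
            "sub": workload_id,
            "resource": resource,
            "actions": frozenset(actions),
            "exp": now + self.ttl,
        }
        return token

    def validate(self, token: str, resource: str, action: str, now=None) -> bool:
        now = time.time() if now is None else now
        record = self._issued.get(token)
        if record is None:
            return False  # never issued, already expired, or revoked
        if record["exp"] <= now:
            del self._issued[token]  # expired: forget it so it cannot be replayed
            return False
        return record["resource"] == resource and action in record["actions"]


def inject_credential(broker: CredentialBroker, workload_id: str, request: dict, now=None) -> dict:
    """Proxy/sidecar step: mint a credential scoped to this one request and attach it.

    Returns a new request dict; the application's copy is left without the token.
    """
    token = broker.issue(workload_id, request["resource"], {request["action"]}, now=now)
    headers = {**request.get("headers", {}), "Authorization": f"Bearer {token}"}
    return {**request, "headers": headers}


def handle(broker: CredentialBroker, request: dict, now=None) -> bool:
    """Target side: admit the request only with a valid, in-scope, unexpired credential."""
    auth = request.get("headers", {}).get("Authorization", "")
    token = auth.removeprefix("Bearer ")
    return broker.validate(token, request["resource"], request["action"], now=now)
```

Because each credential names a single resource and action, a leaked token is useful for at most one operation for at most a few minutes, which is the dwell-time reduction the section describes; the application meanwhile has no secret to hard-code, log, or leak.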
4) Conditional Access: Adapting to the Context
Having explored the foundational elements of Zero Trust for workloads, such as identity verification and policy enforcement, we now turn to the dynamic aspect of conditional access, a key component that adapts to the varying contexts of workload-to-workload interactions.
Workload-to-workload interactions are dynamic, and the context of communication matters. Conditional access controls consider variables such as time, location, device health, and security posture to determine the appropriateness of communication. For example, access may be restricted during non-business hours or granted only if the workloads involved meet specific security health criteria.
Zero Trust tooling can interact with other security tooling to get a real-time picture of health (e.g., the application is being actively managed by an EDR tool and has met a minimum bar). This real-time information can help security operations teams prioritize infrastructure or applications that require hardening based on both the severity of context and how sensitive the workload’s access is.
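The layer 7 policy model from section 2 and the conditional access checks from this section can be shown together. The following is an added example, not code from the post or from any product: a default-deny policy keyed on verified caller and target identity, HTTP method and path, with each rule optionally carrying conditions such as a business-hours window or required posture facts supplied by other security tooling. The workload names, paths, the Mon-Fri 08:00-18:00 UTC window and the `edr_managed` posture fact are all constructed for the example.

```python
"""Layer-7 access policy with conditional-access predicates (added example)."""
from dataclasses import dataclass, field
from datetime import datetime
from fnmatch import fnmatchcase


@dataclass
class Request:
    client: str        # verified identity of the calling workload
    server: str        # identity of the target workload
    method: str        # HTTP method, since the policy is evaluated at layer 7
    path: str
    time: datetime
    posture: dict      # real-time facts from security tooling (constructed keys)


@dataclass
class Rule:
    client: str
    server: str
    methods: frozenset
    path_glob: str
    business_hours_only: bool = False
    require_posture: dict = field(default_factory=dict)


# Constructed policy: orders may create charges only while EDR-managed;
# reports may read charges only during business hours. Nothing else is allowed.
POLICY = [
    Rule("orders-service", "payments-api", frozenset({"POST"}), "/v1/charges",
         require_posture={"edr_managed": True}),
    Rule("reports-service", "payments-api", frozenset({"GET"}), "/v1/charges/*",
         business_hours_only=True),
]


def within_business_hours(t: datetime) -> bool:
    """Constructed convention: Monday to Friday, 08:00-18:00 in the request's timezone."""
    return t.weekday() < 5 and 8 <= t.hour < 18


def conditions_hold(rule: Rule, req: Request) -> bool:
    """Evaluate the contextual (conditional access) part of a matched rule."""
    if rule.business_hours_only and not within_business_hours(req.time):
        return False
    for fact, wanted in rule.require_posture.items():
        if req.posture.get(fact) != wanted:  # missing fact counts as not meeting the bar
            return False
    return True


def evaluate(policy, req: Request):
    """Default deny. Returns (decision, reason); the reason is intended for audit logs."""
    reason = "no rule matches this client/server/method/path (default deny)"
    for rule in policy:
        if rule.client != req.client or rule.server != req.server:
            continue
        if req.method not in rule.methods or not fnmatchcase(req.path, rule.path_glob):
            continue
        if conditions_hold(rule, req):
            return "allow", f"{rule.client} -> {rule.server} {req.method} {rule.path_glob}"
        reason = f"rule matched but conditions failed for {rule.client} -> {rule.server}"
    return "deny", reason


def decide(client, server, method, path, when_iso, posture) -> str:
    """Convenience wrapper: build a Request from an ISO-8601 timestamp and evaluate it."""
    req = Request(client, server, method, path, datetime.fromisoformat(when_iso), posture)
    return evaluate(POLICY, req)[0]
```

A rule that matches on identity and path but fails its conditions is recorded as the deny reason rather than silently skipped; that distinction is what lets an operations team see which workloads keep falling short of the posture bar and prioritize hardening them, as the paragraph above suggests.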
5) Conclusion: Securing the Unseen Interactions
As organizations embrace the complexities of modern application design to take advantage of the vast array of cloud and SaaS services, the need for a dedicated Zero Trust approach for workload-to-workload access is quickly becoming a necessity.
Much like its application in user network access, Zero Trust for workloads extends rigorous controls to machine-to-machine communications, namely identity, policy enforcement, continuous verification, and conditional access controls.
For more information on how Aembit can help, visit aembit.io.