Explore how the zero trust model takes a different approach to help ensure safe access to IT assets, infrastructure, and applications
With the ever-changing technological landscape and business demands, clients are migrating from on-premises IT infrastructure to either hybrid or cloud-based computing. Migration to the cloud changed significantly in 2020 when organizations faced the effects of the pandemic. Cloud computing helps organizations reduce IT costs, add scalability to their operations, improve business continuity, and improve efficiency through automation at a broader scale. With these seismic shifts, even in the cloud environment, cybersecurity teams are often faced with building strong controls and protection to keep attackers out. One such area is safeguarding logical access to an organization’s IT assets, infrastructure, and applications. Teams will need to provide safe and secure logical access irrespective of the user’s physical location or device location. In this article, we will touch upon zero trust architecture and how it can be enabled on Google Cloud using BeyondCorp.
Traditional security models, also known as legacy security models, involve managing and maintaining physical and on-premises computing infrastructures by securing and monitoring an organization’s resources to prevent unauthorized access or malicious attacks on network and application resources. However, traditional security models have been proven to be fragile and can be easily compromised. This is especially true when attackers penetrate and own previously trusted applications or IT assets. Think about it. Cyberattacks aren’t identified immediately and can take up to a few months to detect. Still, the average time it takes for attackers to gain access to an organization’s system is 3 seconds. Having these numbers in mind further emphasizes why an organization should limit and tighten access to network resources. Traditional security models just do not cut it anymore because they are based on the premise that users can authenticate into a device and access applications and resources without reauthenticating. But doing so opens the doors to internal threats like compromised passwords or privilege escalation.
The traditional security model builds trust based on where the user is coming from, that is, the user’s location or IP address. Zero trust takes a different approach to trust. The Zero Trust model, also known as “never trust, always verify,” ensures that no user or device can access any systems or resources until the user’s identity and authorization have been repeatedly verified. In this model, a user can only gain access to company resources based on who the person is, the device the individual is logging in from, and whether that device is considered “safe.” If all these requirements are met, access is granted to perform only the functions required and nothing more. In short, all three conditions must be met simultaneously to gain access. This applies to users’ personal devices, whether at the office, working remotely, or on their mobile devices while away from their desks.
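The contrast between the two models described above, as an added example that is not part of the original article and is not BeyondCorp code: a location-based check and a per-request zero trust check are run over the same requests. The network range, roles, device inventory and requests are all constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed sample data for illustration; none of it comes from the article.
CORP_NET = ip_network("10.0.0.0/8")
ROLE_ACTIONS = {"analyst": {"reports:read"},
                "admin": {"reports:read", "reports:write"}}
DEVICES = {"laptop-17": {"encrypted": True, "patched": True},
           "byod-phone-3": {"encrypted": True, "patched": False}}

@dataclass(frozen=True)
class Request:
    role: str
    identity_verified: bool   # e.g. fresh sign-in with a second factor
    device_id: str
    source_ip: str
    action: str

def perimeter_decision(req: Request) -> bool:
    """Legacy model: trust follows network location only."""
    return ip_address(req.source_ip) in CORP_NET

def zero_trust_decision(req: Request) -> tuple[bool, str]:
    """Evaluate identity, device, device health and role on every request."""
    if not req.identity_verified:
        return False, "identity not verified"
    device = DEVICES.get(req.device_id)
    if device is None:
        return False, "unknown device"
    if not (device["encrypted"] and device["patched"]):
        return False, "device fails health check"
    if req.action not in ROLE_ACTIONS.get(req.role, set()):
        return False, "action not required for role"
    return True, "ok"

# Constructed requests: (label, request)
SAMPLES = [
    ("stolen password, unmanaged device, inside office network",
     Request("admin", True, "unknown-pc", "10.2.3.4", "reports:write")),
    ("remote analyst on healthy managed laptop",
     Request("analyst", True, "laptop-17", "203.0.113.9", "reports:read")),
    ("unpatched BYOD phone in the office",
     Request("analyst", True, "byod-phone-3", "10.9.9.9", "reports:read")),
    ("analyst attempting an action outside the role",
     Request("analyst", True, "laptop-17", "10.1.1.1", "reports:write")),
]

if __name__ == "__main__":
    for label, req in SAMPLES:
        print(f"{label}: perimeter={perimeter_decision(req)} "
              f"zero_trust={zero_trust_decision(req)}")
```

The first and second samples show the two models disagreeing in both directions: the location-based check admits the unmanaged device because it sits on the office network, and rejects the healthy managed laptop because it does not.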
To further enhance your cloud infrastructure security, additional steps can be taken to reduce the risk of a cyberattack or data breach. One important method to improve security is educating your employees on cybersecurity. Many online courses inform and, in some instances, incentivize employees to avoid data breaches, and teach good protection practices.
Rapidly shifting to the cloud can be difficult when the time to research and plan is shortened. To establish a successful cloud environment, it’s important to understand which cloud service provider you are using, what workflow needs to be configured, and how your security is established. If you are already established in the cloud, researching is useful in determining if a third-party service fits your needs while meeting your security criteria.
Organizations need to shift to proactively address potential threats. Organizations should consider implementing frameworks that support Risk and Compliance as Code under policy-as-code along with processes that support recurring penetration testing. These proactive methods will improve your security posture and cover any vulnerable areas that may have been missed.
Building a robust, secure infrastructure is a continuous process that must be followed to avoid security breaches.
With Google Cloud’s zero trust solution BeyondCorp, every user is authenticated into the device or system before they are given access to specific applications or resources based on their role and identity, which minimizes the possibility of a compromise. For instance, in Bring Your Own Device (BYOD), employees can use personal devices for work-related tasks like receiving emails, accessing business-critical applications, and in some cases, accessing sensitive data. In vulnerable situations where a user clicks on an untrusted web link received in their company inbox on their BYOD device, BeyondCorp will automatically reauthenticate the device to ensure that it meets security standards before allowing the user to move forward with their operation. If the device does not meet security standards or the device cannot reauthenticate, then the browser page will not load the intended content, thus preventing any potential harm to the device or the organization’s assets. Google Cloud’s BeyondCorp also provides simplicity and enhancement to a company by shielding users and workloads from the internet so they cannot be exploited or exposed.
Investing time and effort into these two foundational steps will go a long way in your Zero Trust journey. Taking a measured and phased approach, which starts with implementing BeyondCorp on a defined set of assets and users with clear use cases, will help realize the benefits and expand the footprint further.
KPMG has helped several clients implement zero trust into their cloud security. KPMG Cyber Security professionals offer a multifaceted view of embedding zero trust into cloud security for organizational platforms. This helps organizations carry security throughout their cloud platform, which will allow organizations to be prepared for the future and be on the front line with secure and trusted technology. KPMG also plays an essential role in helping organizations secure their cloud platforms. This is done by bringing a distinct combination of deep technical know-how and strong business insights, with creative professionals who can help organizations envision, build, and configure the next-level cloud security that will keep the cloud platform protected. Together, we can be one step closer to ensuring a trusted digital world.
Zero trust in the Google Cloud environment will ensure that endpoints are authenticated before being granted access to company resources. This in turn will help organizations integrate data centers, offices, and even other Google Cloud computing resources while ensuring access policies are being enforced for all authorized users. It is important to implement zero trust into your cloud environment to minimize the occurrence of cyberattacks on and compromises of your company resources, limiting access to only those who are explicitly granted it.