Zero Trust in the Cloud take serious planning!

DarkReading.com reported that “Zero trust is a high-level strategy that assumes that individuals, devices, and services attempting to access company resources, both externally and internally, can't automatically be trusted. The approach has become popular because it addresses the risk associated with the modern attack surface. However, tying together various data sources and creating context to reduce risk is not a simple proposition.”  The January 8, 2024 report entitled “Executing Zero Trust in the Cloud Takes Strategy” (https://www.darkreading.com/cloud-security/executing-zero-trust-in-the-cloud-takes-strategy) included these comments:

Enterprises starting down this path often struggle with a few key areas, including lack of visibility of the overall infrastructure and services the organization uses. There is no such thing as a simple infrastructure anymore. Digital transformation, embracing of SaaS, remote work, operational technology, third-party services, and data exchange have all led to a far more complex attack surface.

Organizations often focus their zero trust program on authentication, but entitlement and environment are also critical to understanding. Deploying two-factor authentication is just scratching the surface. What about a DevOps engineer being authenticated via 2FA on an unknown device in an untrusted environment with privileges on applications and platforms far more than they require?

Overentitlement is especially problematic in the cloud due to the complexity of provisioning engineers for the correct level of access and continuously validating their permissions on a constantly changing environment. The core concept of "never trust, always verify" holds true not just of the user, but the assets they use and the access they have once authenticated.

What do you think about Zero Trust?