Zero Trust (ZT) in the cloud is becoming a mandate for organizations wanting to build out and sustain their cloud infrastructure and data storage. But there’s a lot that goes into doing it correctly. Cloud workload security (CWS, also known as cloud-native application protection platforms) consists of, among other domains, cloud workload protection (CWP) and cloud security posture management (CSPM), which are critically important to maintain defense posture at the workload and cloud infrastructure configuration levels.

At the upcoming Security & Risk Forum in Washington, D.C., November 14–15, I’ll be presenting a session to help participants build internal support and a governance framework for ZT in CWP and CSPM; define and implement key concepts of ZT in CWP and CSPM in their own cloud environments; and identify the most important configuration artifacts to monitor and defend. Here’s a preview of some of the information I’ll cover in the session.

Why Zero Trust In Cloud Matters

Losing data is bad for many reasons, including reputational damage, remediation costs, and lost business. The cloud is not a virtual data center with virtual rack-mounted blades running databases and app servers.

A typical cloud configuration is more complex than an on-prem configuration and in many cases more complex in general than it needs to be (designed for the generic use cases). It can be plagued by interconnected resources and identities that usually have too much access to compute, storage, and network resources. Cloud configurations can be hard to gain complete visibility into due to many layers of abstraction, including cloud platform, hypervisor, OS vulnerability scans, API security, and container security (image scanning and configuration management).

Put simply, you cannot migrate and store your apps and data in the cloud unless you are able to secure it adequately, and Zero Trust is the simplest and most robust approach. One key point to keep in mind: Think of Zero Trust in the cloud as an approach and governance style, rather than a myopic view on configurations. You cannot do this in an Excel spreadsheet.

In my session at the Forum, I’m planning to address a number of key points, including:

  • How to codify and cement Zero Trust into your cloud governance processes to ensure stakeholders’ buy-in.
  • How to rely on NIST, ISO, PCI, SOX, and SOC2 compliance controls to establish Zero Trust in the cloud, even if your organization is not mandated to do so.
  • Moving beyond “We’ll secure it when it goes to production” promises. You can always lose data in lower, nonproduction environments, as well. Any environment that is moved to the cloud needs to be part of your Zero Trust cloud security.
  • Ensuring that nothing gets created in the public cloud (cloud infrastructure, containers, serverless, SaaS, etc.) without securing it first.
  • Using multifactor authentication everywhere possible.

To learn more about the other tracks and sessions at the Security & Risk Forum, check out the agenda here — look forward to seeing you in Washington!