Our company is migrating to a hybrid multi-cloud setup using AWS and Azure. The perimeter is effectively gone, and I’m looking for advice on implementing a "Never Trust, Always Verify" model. What are the specific challenges of managing identity and access across different cloud providers without creating a nightmare for the end-users?
3 answers
In a multi-cloud environment, the most critical step is centralized Identity and Access Management (IAM). You shouldn't manage users separately in AWS and Azure. Use an external Identity Provider (IdP) like Okta or Azure AD to federate identities. Implement "Least Privilege" access by default and use Just-In-Time (JIT) provisioning so users only have permissions when they actually need them. Micro-segmentation is also vital; treat every workload as its own tiny network. This prevents "lateral movement" if one part of your cloud is compromised. We implemented this last year and it significantly reduced our attack surface while streamlining the login experience for our remote developers.
Are you finding that your legacy applications are the biggest hurdle for Zero Trust? Many older apps don't support modern authentication protocols like SAML or OIDC. How are you handling those "un-protectable" assets in your migration?
Don't forget about device health checks! Zero Trust isn't just about the user's password; it’s about ensuring the laptop they are using is encrypted and has updated antivirus.
Great point, David. If a user is on an unpatched personal device, it doesn't matter how strong their password is; the whole session is a risk to the cloud infrastructure. POSTED BY: Sarah Collins DATE: 23-03-2024
Robert, we use an Identity-Aware Proxy (IAP) for our legacy apps. It puts a modern security layer in front of the old application. Users have to authenticate through our Zero Trust gateway first, and then the proxy handles the legacy login in the background. This allows us to keep the old apps secure without having to rewrite millions of lines of code immediately.