Apply Security Controls to Network Traffic Within the Perimeter With Zero Trust

Zero Trust is an approach to network security which assumes that just because something is on your network, doesn’t necessarily mean it is trustworthy. Zero Trust allows organizations to apply security controls to network traffic within the perimeter, not just at the edge.

As cloud computing proliferates, you might be wondering how you would implement Zero Trust in a cloud environment. The resources you're looking to protect are no longer on your own hardware in your data center, so what controls exist to implement Zero Trust in a cloud deployment? This blog post explains which AWS services to leverage to implement Zero Trust.

At DLT, we've assigned each aspect of information security to one of seven Zero Trust categories. Each category has multiple AWS services which address that component of a Zero Trust architecture.

  1. Network Architecture, Monitoring, Access Control
  2. Automated Response
  3. Threat Intelligence
  4. Visibility
  5. Data Protection
  6. Application Security
  7. Identity and Access Management

Network Architecture, Monitoring, and Access Control services provide connectivity to and from your AWS resources, or monitor and protect your infrastructure. Examples include AWS Direct Connect, which provides a dedicated connection directly to the AWS network, and AWS firewall options such as AWS WAF (Web Application Firewall) and AWS Firewall Manager.

Automated Response services detect and respond to threats without manual intervention from your IT staff. AWS GuardDuty, for example, is a threat detection service that continuously monitors AWS accounts for suspicious activity, and its findings can be used to respond to threats automatically.
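The following is an added example, not code from the DLT post or from AWS: a small Lambda-style handler that receives a GuardDuty finding through EventBridge and decides whether to page a human or isolate the affected EC2 instance by swapping its security groups. The event is a constructed sample; the severity threshold, the finding-type prefixes and the quarantine security group id are assumptions chosen for illustration, not AWS defaults. The EC2 client is injected so the decision logic can run and be tested offline.

```python
"""Added example (not from the DLT post): an automated-response handler for
GuardDuty findings delivered through EventBridge.  The event below is a
constructed sample; the policy values (severity threshold, finding-type
prefixes, quarantine security group) are assumptions for illustration, not
AWS defaults.  The EC2 client is injected so the decision logic runs offline.
"""

SEVERITY_THRESHOLD = 7.0       # assumption: automate only HIGH findings (7.0-8.9)
AUTO_ISOLATE_PREFIXES = (      # assumption: finding families that justify isolation
    "UnauthorizedAccess:EC2/",
    "CryptoCurrency:EC2/",
)
QUARANTINE_SG = "sg-QUARANTINE-PLACEHOLDER"   # placeholder: a group with no rules at all

# Constructed sample event in the shape EventBridge uses for "GuardDuty Finding"
SAMPLE_EVENT = {
    "source": "aws.guardduty",
    "detail-type": "GuardDuty Finding",
    "detail": {
        "id": "EXAMPLE-FINDING-ID",
        "type": "UnauthorizedAccess:EC2/SSHBruteForce",
        "severity": 8.0,
        "resource": {
            "resourceType": "Instance",
            "instanceDetails": {"instanceId": "i-0123456789abcdef0"},
        },
    },
}


def decide_response(event):
    """Map a finding to one of: ignore, notify, isolate.  Pure function, no AWS calls."""
    if event.get("source") != "aws.guardduty":
        return {"action": "ignore", "reason": "not a GuardDuty event"}
    detail = event.get("detail", {})
    severity = float(detail.get("severity", 0))
    finding_type = detail.get("type", "")
    resource = detail.get("resource", {})
    if severity < SEVERITY_THRESHOLD:
        return {"action": "notify", "reason": f"severity {severity} below threshold"}
    instance_id = resource.get("instanceDetails", {}).get("instanceId")
    if (resource.get("resourceType") == "Instance" and instance_id
            and finding_type.startswith(AUTO_ISOLATE_PREFIXES)):
        return {"action": "isolate", "instance_id": instance_id, "finding": finding_type}
    # High severity without a matching playbook still pages a human
    return {"action": "notify", "reason": f"no automatic playbook for {finding_type}"}


def isolate_instance(instance_id, quarantine_sg=QUARANTINE_SG, ec2=None):
    """Replace the instance's security groups with the quarantine group.

    ec2 is a boto3 EC2 client; when None the intended call is recorded but
    not made, which is what the offline run exercises.
    """
    if ec2 is not None:
        ec2.modify_instance_attribute(InstanceId=instance_id, Groups=[quarantine_sg])
    return {"instance_id": instance_id, "groups": [quarantine_sg], "applied": ec2 is not None}


def lambda_handler(event, context=None, ec2=None):
    """Entry point wired to an EventBridge rule matching source aws.guardduty."""
    decision = decide_response(event)
    if decision["action"] == "isolate":
        decision["result"] = isolate_instance(decision["instance_id"], ec2=ec2)
    return decision


if __name__ == "__main__":
    print(lambda_handler(SAMPLE_EVENT))
```

In a real deployment the EventBridge rule filters on `source: aws.guardduty`, the function's execution role is limited to `ec2:ModifyInstanceAttribute` on the instances it is allowed to quarantine, and every decision (including the "notify" branch) is written to a ticketing or chat channel so that automated actions remain reviewable.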

Threat Intelligence refers to information about malicious actors and how they attack network infrastructure. Amazon Detective and CloudWatch Anomaly Detection can analyze log data and identify security vulnerabilities within your environment.

Visibility is knowing what traffic flows through your network. In an AWS environment, VPC Flow Logs capture the east/west traffic within the network perimeter, and Amazon Athena can analyze those logs using SQL queries.
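As an added example (not code from the DLT post or from AWS), the block below parses VPC Flow Log records in the default version-2 format, tags each record as east/west (both endpoints inside the VPC) or north/south, and then runs the kind of SQL query Athena would run over a flow-log table in S3. Here the query executes against an in-memory SQLite table so it runs offline. The VPC CIDR, account id, interface id and all log lines are constructed sample values; the NODATA record is included to show how windows with no traffic must be skipped.

```python
"""Added example (not from the DLT post): classify VPC Flow Log records as
east/west or north/south and query them with SQL.  Athena runs this kind of
query over flow logs stored in S3; here the same query runs in an in-memory
SQLite table so it can execute offline.  VPC CIDR, account id, interface id
and all log lines are constructed sample values.
"""
import sqlite3
from ipaddress import ip_address, ip_network

VPC_CIDR = ip_network("10.0.0.0/16")  # assumption: the VPC being monitored

# Default version-2 flow log layout (space separated):
# version account-id interface-id srcaddr dstaddr srcport dstport protocol
# packets bytes start end action log-status
FIELDS = ("version", "account_id", "interface_id", "srcaddr", "dstaddr",
          "srcport", "dstport", "protocol", "packets", "bytes",
          "start_ts", "end_ts", "action", "log_status")

# Constructed sample records: a host in 10.0.1.0/24 repeatedly rejected on
# RDP/SSH to a peer subnet, normal intra-VPC HTTPS, inbound and outbound
# internet traffic, and one NODATA record (no traffic in the window).
SAMPLE_FLOW_LOGS = """\
2 123456789012 eni-0a1b2c3d 10.0.1.10 10.0.2.20 49152 3389 6 5 300 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d 10.0.1.10 10.0.2.20 49153 3389 6 5 300 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d 10.0.1.10 10.0.2.20 49154 22 6 5 300 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d 10.0.2.20 10.0.3.30 34000 443 6 20 4000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.1.10 51000 443 6 10 2000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.10 203.0.113.9 40000 80 6 8 1200 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d - - - - - - - 1700000000 1700000060 - NODATA
"""


def parse_flow_logs(text, vpc_cidr=VPC_CIDR):
    """Parse default-format lines into dicts and tag each with a direction."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue                      # malformed line: skip rather than guess
        rec = dict(zip(FIELDS, parts))
        if rec["log_status"] != "OK":
            continue                      # NODATA/SKIPDATA carry no addresses or ports
        src_in = ip_address(rec["srcaddr"]) in vpc_cidr
        dst_in = ip_address(rec["dstaddr"]) in vpc_cidr
        # East/west = both endpoints inside the VPC; everything else crosses the edge
        rec["direction"] = "east-west" if src_in and dst_in else "north-south"
        rows.append(rec)
    return rows


# The same query one would run in Athena against a flow-log table.
EAST_WEST_REJECTS_SQL = """
SELECT srcaddr, dstaddr, dstport, COUNT(*) AS rejected_flows
FROM vpc_flow_logs
WHERE direction = 'east-west' AND action = 'REJECT'
GROUP BY srcaddr, dstaddr, dstport
ORDER BY rejected_flows DESC, dstport
"""


def load_table(rows):
    """Load parsed records into an in-memory table mirroring the Athena schema."""
    conn = sqlite3.connect(":memory:")
    conn.execute("""CREATE TABLE vpc_flow_logs (
        srcaddr TEXT, dstaddr TEXT, srcport INTEGER, dstport INTEGER,
        protocol INTEGER, bytes INTEGER, action TEXT, direction TEXT)""")
    conn.executemany(
        "INSERT INTO vpc_flow_logs VALUES (?, ?, ?, ?, ?, ?, ?, ?)",
        [(r["srcaddr"], r["dstaddr"], int(r["srcport"]), int(r["dstport"]),
          int(r["protocol"]), int(r["bytes"]), r["action"], r["direction"])
         for r in rows])
    return conn


def east_west_rejects(text=SAMPLE_FLOW_LOGS):
    """Rejected intra-VPC flows grouped by source, destination and port."""
    return load_table(parse_flow_logs(text)).execute(EAST_WEST_REJECTS_SQL).fetchall()


def direction_summary(text=SAMPLE_FLOW_LOGS):
    """Bytes per direction: shows how much traffic never touches the edge."""
    conn = load_table(parse_flow_logs(text))
    return dict(conn.execute(
        "SELECT direction, SUM(bytes) FROM vpc_flow_logs GROUP BY direction").fetchall())


if __name__ == "__main__":
    for row in east_west_rejects():
        print(row)
    print(direction_summary())
```

The east/west classification is what makes this a Zero Trust query: a perimeter firewall never sees the 10.0.1.10 to 10.0.2.20 connection attempts, but the flow log records them, and grouping rejected intra-VPC flows by destination port surfaces lateral probing that security group rules blocked. The same `SELECT` runs unchanged in Athena once a table with these column names exists over the flow-log S3 prefix.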

Data Protection ensures the confidentiality of sensitive data. Amazon Macie discovers potentially sensitive data at scale and can identify S3 buckets where that data may be at risk.

Application Security involves controlling who has access to applications and validating that users are who they say they are. Amazon Cognito allows seamless identity federation with third-party identity providers such as Google and Facebook, and with other providers through SAML, OpenID Connect, and identity pools.

Identity and Access Management (IAM) is a foundational AWS service and a key component of cloud governance tools such as AWS Organizations and AWS Control Tower. Additional examples include AWS Single Sign-On (AWS SSO) and managed Active Directory deployments on AWS through AWS Directory Service.

This article only scratches the surface of Zero Trust implementation on AWS. The DLT team, together with our vendor clients, is ready to help you find your way along the path to Zero Trust security. For a detailed look at which AWS services fit within the seven categories of Zero Trust, please download our AWS Zero Trust Datasheet.