If you are a security or technology architect you have probably heard of zero trust by now.
A recent survey by Gartner found that 60% of organizations are planning to implement Zero Trust within the next two years. This is up from 40% in 2021.
There are a number of reasons for the growing popularity of Zero Trust. First, the traditional perimeter-based security model is no longer effective in the face of modern threats. Second, Zero Trust is a more flexible and scalable security model that can adapt to the changing threat landscape. Third, Zero Trust can help organizations to improve their compliance with security regulations.
If you are considering implementing Zero Trust, there are a few things to keep in mind.
- Zero Trust is not a silver bullet. It is a security framework that needs to be implemented in conjunction with other security measures.
- Zero Trust can be complex and expensive to implement.
- Zero Trust requires a change in mindset from security teams. They need to move away from the traditional perimeter-based model, where being on the network is enough, and adopt a fine-grained, needs-based and risk-based approach in which every request is evaluated on its own merits.
AWS Verified Access (VA) is a service that provides secure access to applications without requiring a VPN. Rather than trusting anything that sits inside a network perimeter, VA evaluates every application request in real time against a policy that combines the user's identity and the posture of their device, and grants access only when the request meets the specified security requirements.
That per-request evaluation is what makes it a zero-trust design: no user or device is trusted by default, and trust is re-established on each request rather than once at login.
How does VA implement zero-trust access? It relies on the following signals and features.
Identity
VA authenticates users through a user trust provider: either AWS IAM Identity Center or an OpenID Connect (OIDC) compliant identity provider. The provider's claims (user, email, group membership) become the identity context of each request, and the access decision is written as a Cedar policy attached to a Verified Access group or endpoint. AWS IAM itself is used to administer the service (who may create instances, trust providers and endpoints), not to authenticate application users.
Device posture
Device posture is a measure of how trustworthy a device is, assessed from factors such as the operating system version, the presence of endpoint security software and the security configuration of the device. VA does not assess this itself; it takes the signal from a device trust provider (for example Jamf or CrowdStrike) via the Verified Access browser extension, and the provider's claims become the device context that the policy can test. A request from a device that supplies no claims at all simply fails the device conditions and is denied.
Location
VA exposes request attributes such as the client IP address to the policy, so a policy can restrict an application to known corporate or VPN egress ranges. VA does not geolocate requests; if a country- or region-level signal is needed, it has to come from the identity or device trust provider and be evaluated as one of their claims.
Request logging
VA does not inspect application payloads for attack signatures or run machine-learning models over traffic; its job is to make the allow or deny decision at the front door. What it gives you for behavioural analysis is a log entry for every request it evaluates, which can be delivered to Amazon CloudWatch Logs, Amazon S3 or Amazon Kinesis Data Firehose. Each entry records the outcome and can include the identity and device context the decision was based on, so you can build your own detections on top, for example:
- Repeated denials for one user or device, which may indicate a compromised account probing for access or a device that has fallen out of compliance and is locking a real user out.
- Access to sensitive applications from unexpected networks or outside normal hours.
- Policy changes, recorded separately in AWS CloudTrail, correlated with a sudden change in the allow/deny ratio.
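To make the signals above concrete, here is an added example (my code, not AWS's) that models how a Verified Access policy turns identity, device and request context into a decision, and then runs a small detection over the resulting decision log. The Cedar snippet is my reference rendering of such a policy in the style of the AWS examples; the trust-provider reference names "idc" and "jamf", the group name "engineering", the IP range and every request context below are assumptions constructed for the example and are not real Verified Access data or the real log schema.

```python
"""Added example, not AWS code: a local model of how a Verified Access
policy turns identity, device and request context into an allow/deny
decision, followed by a small detection pass over the decision log.

Labelled assumptions: the Cedar snippet is my reference rendering of the
policy, written in the style of the AWS examples (the trust-provider
reference names "idc" and "jamf" are chosen at setup time, and the claim
names should be checked against the current policy reference); the
request contexts and log records below are constructed for the example
and are not real Verified Access data.
"""
import ipaddress
from collections import Counter

# Reference only. Cedar is evaluated by Verified Access itself; evaluate()
# below mirrors this policy in Python so the logic can be exercised offline.
CEDAR_POLICY = """
permit(principal, action, resource)
when {
    context.idc.groups.contains("engineering")
    && context.jamf.risk == "LOW"
    && ip(context.http_request.client_ip).isInRange(ip("203.0.113.0/24"))
};
"""

ALLOWED_GROUP = "engineering"                         # hypothetical IdP group
CORP_RANGE = ipaddress.ip_network("203.0.113.0/24")   # constructed office range (TEST-NET-3)


def evaluate(context: dict) -> tuple:
    """Return ("ALLOW" | "DENY", reason) for one request context.

    Verified Access is deny-by-default: a permit policy that cannot be
    satisfied, including because a claim is missing, results in a denial,
    so absent context is treated as a failed check rather than an error.
    """
    groups = context.get("idc", {}).get("groups", [])
    if ALLOWED_GROUP not in groups:
        return "DENY", "user not in allowed group"

    device = context.get("jamf")
    if device is None:
        # No device claims: browser extension absent or device not enrolled.
        return "DENY", "no device posture available"
    if device.get("risk") != "LOW":
        return "DENY", "device risk is %r" % device.get("risk")

    client_ip = context.get("http_request", {}).get("client_ip", "")
    try:
        if ipaddress.ip_address(client_ip) not in CORP_RANGE:
            return "DENY", "client ip %s outside corporate range" % client_ip
    except ValueError:
        return "DENY", "unparseable client ip"

    return "ALLOW", "all policy conditions met"


def request(user, groups, device_risk, client_ip):
    """Build one constructed request context in the shape evaluate() expects."""
    ctx = {
        "idc": {"user": user, "groups": groups},
        "http_request": {"hostname": "app.example.internal", "client_ip": client_ip},
    }
    if device_risk is not None:
        ctx["jamf"] = {"risk": device_risk}
    return ctx


# Constructed sample traffic, one request per row.
REQUESTS = [
    request("alice", ["engineering"], "LOW", "203.0.113.10"),   # compliant
    request("bob", ["finance"], "LOW", "203.0.113.11"),         # wrong group
    request("alice", ["engineering"], "HIGH", "203.0.113.10"),  # device fell out of compliance
    request("alice", ["engineering"], None, "203.0.113.10"),    # no device claims at all
    request("carol", ["engineering"], "LOW", "198.51.100.7"),   # off-network
    request("carol", ["engineering"], "LOW", "not-an-ip"),      # malformed address value
]


def decision_log(requests):
    """One record per request, standing in for the entries VA delivers to
    CloudWatch Logs / S3 / Firehose (field names constructed, not the real schema)."""
    log = []
    for ctx in requests:
        decision, reason = evaluate(ctx)
        log.append({
            "user": ctx.get("idc", {}).get("user", "unknown"),
            "client_ip": ctx.get("http_request", {}).get("client_ip"),
            "decision": decision,
            "reason": reason,
        })
    return log


def repeated_denials(log, threshold=2):
    """Detection: users denied at least `threshold` times in this batch.
    Repeated denials for one identity deserve a look: a stolen session
    probing applications, or a device that has quietly dropped out of
    compliance and is locking a genuine user out."""
    counts = Counter(rec["user"] for rec in log if rec["decision"] == "DENY")
    return {user: n for user, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    log = decision_log(REQUESTS)
    for rec in log:
        print("%-6s %-15s %-5s %s" % (rec["user"], rec["client_ip"], rec["decision"], rec["reason"]))
    print("repeated denials:", repeated_denials(log))
```

The order of the checks matters for what the log tells you: identity is tested before device, so a request from an unknown user is logged as a group failure rather than leaking whether that user's device is compliant. Note also that the last two rows are denied for different reasons, and a detection that only counts "DENY" would treat them the same; keep the reason field when you build real alerts.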
User identity sources supported:
- AWS IAM Identity Center (formerly AWS Single Sign-On)
- Any OpenID Connect (OIDC) compliant identity provider
- SAML identity providers and Active Directory, indirectly: IAM Identity Center can federate to a SAML identity provider or connect to AWS Managed Microsoft AD or a self-managed AD, and VA then trusts IAM Identity Center
- MFA: VA does not prompt for a second factor itself; multi-factor authentication is enforced by the identity provider, so make sure it is switched on there before fronting anything sensitive with VA
Device posture comes from a separate device trust provider (such as Jamf or CrowdStrike) together with the Verified Access browser extension on the user's device.
Since the user and device trust providers are separate, choose them based on what the organization already runs. If you already have an OIDC-capable identity provider, attach it directly; if identities live in Active Directory or a SAML-only provider, route them through IAM Identity Center. Client certificates and web identity federation for users without a corporate identity are not options here: every user needs an identity in one of the trust providers above, so external users have to be provisioned in the identity provider first.
Similar to AWS Verified Access, GCP has Google Cloud Identity-Aware Proxy and Azure has Azure Active Directory Application Proxy.
Hope this gives a good high-level overview of this new service.
Disclaimer
The views and opinions expressed in this post are solely my own and do not necessarily reflect the views and opinions of my employer. This post is for personal learning purposes only and should not be construed as professional advice.