Step into the world of Zero Trust and cloud-native security at the 4th Annual Multi-Cloud Conference and Workshop. This event brings together top experts, government agencies, and industry pioneers to explore cutting-edge insights, collaboration opportunities, and the transformative power of automation in cybersecurity, says Zack Butcher, founding engineer at Tetrate.
A gathering of industry leaders, government officials, and practitioners was held in Washington, DC, on May 24-25, 2023, to share knowledge and shape the future of Zero Trust.
As the threat landscape intensifies, Zero Trust has come to define today’s cybersecurity agenda. To explore current thinking around Zero Trust and high availability for cloud-native applications, the 4th Annual Multi-Cloud Conference and Workshop, co-hosted by NIST (National Institute of Standards and Technology), Tetrate, and the US Dept of Commerce, highlighted the significance of collaboration and adherence to standards for implementing and staying up to date with a government agency’s Zero Trust initiatives.
The conference program featured thought leadership and actionable insights from experts in service mesh, Zero Trust Architecture, identity-centric security, open-source software development, and emerging NIST special publications.
This year’s conference shed light on NIST’s 800-204 series of standards and the significance of a service mesh in establishing a reference platform for microservices applications. The standards address security features, including service identities, traffic routing, application integrity, and integration with external authorization engines.
Zero Trust is a strategic approach to cybersecurity that secures an organization by eliminating implicit trust and continuously validating every stage of digital interaction. The adoption of Zero Trust security is gaining momentum in federal agencies, driven by the impending deadline set by the Office of Management and Budget Memorandum M-22-09. This memorandum requires federal agencies to meet specific cybersecurity standards and objectives by the end of fiscal year 2024.
The big highlights of this year’s conference centered around the new standards publications:
Zero Trust Access Control for Cloud-Native Applications
800-207A: A zero trust architecture model for access control in cloud-native applications in multi-cloud environments given by Ramaswamy Chandramouli, Senior Computer Scientist, NIST, and Zack Butcher, Founding Engineer, Tetrate
At the heart of the new standards is Special Publication (SP) 800-207, a foundational paper on Zero Trust by the National Institute of Standards and Technology (NIST) which establishes the groundwork for Zero Trust Architecture. NIST recently released a draft of a companion publication, SP 800-207A, co-authored by Tetrate founding engineer and Istio steering committee alum Zack Butcher. This publication defines Zero Trust access control standards for cloud-native applications in multi-cloud environments at runtime. One of the key topics is identity-based segmentation, which involves conducting five policy checks for every request in the system:
- encrypted connection between service endpoints
- service authentication
- service-to-service authorization
- end-user authentication
- end-user-to-resource authorization
Doing all five activities at runtime limits who can do what inside a network. However, it can be challenging to implement that approach for every app, and that is where a service mesh comes into play. A service mesh provides a secure communication layer for microservices. It facilitates encryption, mutual TLS (mTLS) authentication, and fine-grained access controls, ensuring secure communication between services.
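One way the five checks can be expressed in Istio, the mesh the SP 800-204 series uses in its reference platform. This is an added example, not taken from the NIST publications or the conference material; the namespaces, workload label, service account, issuer URL and group claim are hypothetical.

```yaml
# Checks 1 and 2: encrypted connection and service authentication.
# STRICT mode makes sidecars in this namespace refuse plaintext, so every
# peer must present a mesh-issued workload certificate over mutual TLS.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: orders            # hypothetical namespace
spec:
  mtls:
    mode: STRICT
---
# Check 4: end-user authentication.
# Validates the JWT on each request. On its own this only rejects invalid
# tokens; requests with no token are stopped by the policy further down.
apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
  name: end-user-jwt
  namespace: orders
spec:
  selector:
    matchLabels:
      app: orders              # hypothetical workload label
  jwtRules:
  - issuer: "https://idp.example.com"                       # hypothetical issuer
    jwksUri: "https://idp.example.com/.well-known/jwks.json"
---
# Checks 3 and 5: service-to-service and end-user-to-resource authorization.
# Once an ALLOW policy selects a workload, any request that matches no rule
# is denied, so this is deny-by-default for everything not listed here.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: orders-allow
  namespace: orders
spec:
  selector:
    matchLabels:
      app: orders
  action: ALLOW
  rules:
  - from:
    - source:
        principals: ["cluster.local/ns/frontend/sa/web"]   # calling service identity
        requestPrincipals: ["https://idp.example.com/*"]   # requires a valid JWT
    to:
    - operation: {methods: ["GET"], paths: ["/orders/*"]}
    when:
    - key: request.auth.claims[groups]
      values: ["orders-readers"]                           # hypothetical group claim
```

Because the fields inside `source` are ANDed, a request is allowed only when the calling service identity and the end-user token both match, which is what keeps checks 3 and 5 from being satisfied independently of each other.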
Building Secure Microservices
A guide to software supply chain security assurance – processes and frameworks (SP 800-204D) given by Ramaswamy Chandramouli (Mouli), Senior Computer Scientist, NIST and Frederick Kautz, Senior VP of Engineering, TestifySec.
NIST’s 800-207A and the 800-204 series discuss why a service mesh effectively achieves a strong security posture. In its SP 800-204 series of security standards for microservices applications, NIST establishes a reference platform consisting of Kubernetes for orchestration and resource management, with the Istio service mesh providing core security features, including:
- Service identities and service discovery
- Traffic routing and resiliency functions such as retries, timeouts, blue-green deployments, and circuit breaking
- Ensuring application integrity and confidentiality through service-to-service and user-to-resource authentication and authorization
- Integration with external policy-based authorization engines (e.g., Next Generation Access Control (NGAC), Attribute-Based Access Control (ABAC), and Open Policy Agent (OPA) Automation) is critical to a robust and sustainable security program
Other talks featured the impact of open-source software on cybersecurity, software supply chain security assurance, Kubernetes security assurance, and more. Best practices were shared, and participants attended demos on infrastructure for secure data sharing and policy-as-code for enterprise-wide authorization.
Key Takeaway for Zero Trust Deployments
The key takeaway for attendees was that automation is the key to the best Zero Trust deployments. Given the inundation of threat notifications and alerts hitting the security operations center (SOC) today, automation is critical to managing the digital environment at the speed and scale needed to keep up with today’s attacks. By automating most networking and security tasks, CISOs can enable security professionals to focus on the highest fidelity alerts, making it possible to balance speed and security.