A zero-trust cloud is only secure if it incorporates zero touch

Bilal Mujahid
Head of Information Security, iManage
Bilal is responsible for all aspects of information security, including the Zero Trust security architecture.
16 March 2021

Bilal Mujahid, chief information security officer at iManage, says a cloud built with ‘zero trust’ security controls is essential to providing the highest level of protection for critical assets.

In recent years, the cloud has ascended, with enterprises adopting it as a proven and trusted computing model – but not all clouds are created equal when it comes to security. A cloud built with ‘zero trust’ security controls is essential to providing the highest level of protection for critical assets.

For those who are unfamiliar, zero trust security, also known as zero trust network architecture, is all about eliminating implicit trust. It challenges the idea of trust in any form: trust of networks, trust between host and applications, and even trust of super users or administrators. In other words, the best way to secure a network is to assume absolutely no level of trust.

Zero trust goes beyond the old notion of focusing only on perimeter network security: it requires that all traffic within an organisation’s IT infrastructure is verified as well.

Zero trust only works, however, if ‘zero touch’ is at the center of it. This means ensuring that no one – not even a small number of trusted administrators, as most cloud vendors allow for – is allowed access to the customer data.

As long as there’s a human with access to the servers where the services are running and the customer’s data is located, there is the potential for security issues. Possible exposure or exploitation of the data can occur either purposely (via an internal bad actor or an external threat that has assumed an insider’s credentials) or unknowingly (via someone who accidentally leaves a setting unsecured or clicks on something they shouldn’t). In fact, according to a recent study, 98% of cyberattacks rely on social engineering.

New forms of automation, however, help remove the human from the equation so that there’s no way to access sensitive customer data, creating a hands-off, zero-touch environment.

This zero-touch approach is actually something that’s built into the DNA of our own offering, iManage Cloud. It’s designed so that absolutely no person has any access to customer data or the services – ever.

It’s helpful to paint a bit of a picture here of what zero touch looks like in practice. If a customer of a typical cloud provider wanted that vendor to gather some information on their data, that cloud provider may have one of their trusted individuals access the servers, type away on a keyboard, and run some queries against the customer data.

Would this present a security threat? Likely not – but again, as long as a human is involved, there is a potential risk.

By contrast, the zero-touch approach central to iManage Cloud means we don’t have hands-on access to the data. If we were presented with the same information request from a customer, our engineering team would be required to deploy a secure forensic app via our continuous delivery framework into the production environment to collect the information from the servers in a secure way. No human would have hands-on involvement with the data; the forensic tool would go out and collect the information for the customer.

The bottom line? In an environment designed according to the zero-trust model, no single person or account should be able, acting alone, to execute a change that can affect the security of the system. Automating out human vulnerabilities and moving towards zero touch is a way to make that a reality. And as 2021 continues to unfold, increasingly savvy customers will not accept a zero-trust claim from cloud vendors unless they can verify that those vendors have also made zero touch a central pillar of their approach to securing cloud data.

This article originally appeared in LPM Magazine