Table of contents
- The Zero Trust Model: An Overview
- What is the Primary Security Perimeter?
- Zero Trust on AWS
- Directory Services
- Identity Providers (IdPs)
- Single Sign-On (SSO)
- LDAP vs. SSO
- Multi-Factor Authentication (MFA)
- AWS Identity and Access Management (IAM)
- Principle of Least Privilege (PoLP)
- AWS Account Root User
- AWS Single Sign-On (AWS SSO)
The Zero Trust Model: An Overview
The Zero Trust Model operates on the fundamental principle of "trust no one, verify everything." This approach acknowledges that traditional security measures, such as firewalls and VPNs, are insufficient in a landscape where malicious actors can bypass conventional access controls. Instead, Zero Trust shifts the focus to a new security perimeter: Identity.
What is the Primary Security Perimeter?
The primary security perimeter is the first line of defense: the set of controls that protect a company's cloud resources and assets.
Network-Centric (Old Way): Traditional security focused on firewalls and VPNs, given that most employees and workstations were within or connected through specific remote offices.
Identity-Centric (New Way): With the rise of bring-your-own-device and remote workstations, the security landscape has changed. Identity-based controls, such as Multi-Factor Authentication (MFA), become crucial because we can no longer assume an employee is working from a secure location.
While Identity-Centric security does not replace Network-Centric security, it complements and enhances it.
Zero Trust on AWS
AWS implements the Zero Trust Model using various tools and services. Here’s how:
IAM Policies
IAM Policies: JSON documents that grant permissions for specific actions by users, groups, or roles.
IAM Policy Conditions: Define restrictions based on factors like IP address (aws:SourceIp), region (aws:RequestedRegion), MFA status (aws:MultiFactorAuthPresent), and time of day (aws:CurrentTime).
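To see what those condition keys do to a request, here is an added example (not part of the original post and not AWS's policy engine): a toy evaluator that implements only the condition operators used by a constructed sample policy, then runs it against constructed request contexts. The condition keys and operator names are the real IAM ones; the bucket name, CIDR blocks and timestamps are placeholders.

```python
"""Added example: a toy evaluator for the IAM condition keys named above.
It is NOT AWS's policy engine; it models only the operators this sample
policy uses so the effect of each condition can be observed offline."""
import fnmatch
import ipaddress
from datetime import datetime, timezone

# Constructed example policy: S3 reads only from an office CIDR, in one
# region, with MFA, inside a fixed time window. Bucket name is a placeholder.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:ListBucket"],
            "Resource": "arn:aws:s3:::example-bucket*",
            "Condition": {
                "IpAddress": {"aws:SourceIp": "203.0.113.0/24"},  # RFC 5737 TEST-NET-3
                "StringEquals": {"aws:RequestedRegion": "eu-west-1"},
                "Bool": {"aws:MultiFactorAuthPresent": "true"},
                "DateGreaterThan": {"aws:CurrentTime": "2024-01-01T08:00:00Z"},
                "DateLessThan": {"aws:CurrentTime": "2024-01-01T18:00:00Z"},
            },
        }
    ],
}


def _ts(value):
    """Parse the ISO 8601 'Z' form that IAM uses for aws:CurrentTime."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


# Semantics for the subset of IAM condition operators used in POLICY.
OPERATORS = {
    "IpAddress": lambda have, want: ipaddress.ip_address(have) in ipaddress.ip_network(want, strict=False),
    "StringEquals": lambda have, want: have == want,
    "Bool": lambda have, want: str(have).lower() == want.lower(),
    "DateGreaterThan": lambda have, want: _ts(have) > _ts(want),
    "DateLessThan": lambda have, want: _ts(have) < _ts(want),
}


def condition_matches(condition, context):
    """Every operator/key pair must match. A key missing from the request
    context (aws:MultiFactorAuthPresent is absent under long-term access
    keys) makes the condition fail, so the statement does not apply."""
    for operator, pairs in condition.items():
        for key, wanted in pairs.items():
            if key not in context or not OPERATORS[operator](context[key], wanted):
                return False
    return True


def _as_list(v):
    return v if isinstance(v, list) else [v]


def evaluate(policy, action, resource, context):
    """Simplified IAM logic: implicit Deny by default, an explicit Deny wins,
    otherwise Allow if any matching Allow statement applies."""
    decision = "Deny"
    for stmt in policy["Statement"]:
        if not any(fnmatch.fnmatchcase(action, p) for p in _as_list(stmt["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, p) for p in _as_list(stmt["Resource"])):
            continue
        if not condition_matches(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


# Constructed request contexts (TEST-NET addresses, placeholder timestamps).
OFFICE_MFA = {
    "aws:SourceIp": "203.0.113.42",
    "aws:RequestedRegion": "eu-west-1",
    "aws:MultiFactorAuthPresent": "true",
    "aws:CurrentTime": "2024-01-01T09:30:00Z",
}
NO_MFA = {**OFFICE_MFA, "aws:MultiFactorAuthPresent": "false"}
HOME_IP = {**OFFICE_MFA, "aws:SourceIp": "198.51.100.9"}
AFTER_HOURS = {**OFFICE_MFA, "aws:CurrentTime": "2024-01-01T23:00:00Z"}
LONG_TERM_KEY = {k: v for k, v in OFFICE_MFA.items() if k != "aws:MultiFactorAuthPresent"}

if __name__ == "__main__":
    obj = "arn:aws:s3:::example-bucket/report.csv"
    for name, ctx in [("office+mfa", OFFICE_MFA), ("no mfa", NO_MFA),
                      ("home ip", HOME_IP), ("after hours", AFTER_HOURS),
                      ("long-term key", LONG_TERM_KEY)]:
        print(f"{name:14s} -> {evaluate(POLICY, 's3:GetObject', obj, ctx)}")
```

The last context matters most for Zero Trust: a caller using long-term access keys has no aws:MultiFactorAuthPresent key in its request context at all, and a Bool condition on a missing key does not match, so the statement simply never grants anything. That is why an MFA condition on an Allow statement is safer than trying to enumerate every non-MFA case in a Deny.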
AWS offers foundational tools for implementing Zero Trust but lacks built-in, intelligent identity controls. For advanced identity security, third-party services are often required.
AWS Services
AWS CloudTrail: Tracks all API calls, providing a log of user activities.
Amazon GuardDuty: Detects suspicious or malicious activity based on CloudTrail and other logs.
Amazon Detective: Analyzes, investigates, and identifies security issues using findings from GuardDuty.
Third-Party Identity Solutions
For more sophisticated and intelligent identity controls, consider third-party solutions like:
Azure Active Directory (Azure AD): Provides real-time risk detection with data points such as device, application, time of day, location, and MFA status.
Google BeyondCorp
JumpCloud
These services offer more advanced security controls for real-time detection compared to AWS's native offerings.
Directory Services
A directory service maps network resource names to their addresses, organizing and managing resources such as files, printers, users, and devices. Notable directory services include:
Domain Name System (DNS)
Microsoft Active Directory
Azure Active Directory
Apache Directory Server
Oracle Internet Directory (OID)
OpenLDAP
Cloud Identity
JumpCloud
Identity Providers (IdPs)
Identity Providers (IdPs) manage user identity information and provide authentication services across federated networks. Examples include:
Facebook
Google
Twitter
LinkedIn
Key protocols include:
OpenID: A decentralized authentication protocol.
OAuth 2.0: An authorization framework that uses tokens instead of passwords.
SAML (Security Assertion Markup Language): An open standard for exchanging authentication and authorization data.
Single Sign-On (SSO)
SSO allows users to log in once and gain access to multiple systems without re-entering credentials. It simplifies IT management by centralizing user access across various applications and services.
LDAP vs. SSO
LDAP (Lightweight Directory Access Protocol) provides a central place to store usernames and passwords but requires users to log in multiple times. Most SSO systems use LDAP for backend authentication, though LDAP was not originally designed for web applications.
Multi-Factor Authentication (MFA)
MFA adds an extra layer of security by requiring additional verification methods beyond a password. Security keys, such as YubiKey, are a common MFA option.
AWS Identity and Access Management (IAM)
AWS IAM allows you to manage users, groups, and permissions to control access to AWS resources. Key components include:
IAM Policies: Define permissions in JSON format.
IAM Users: Individual accounts that log into AWS resources.
IAM Groups: Collections of users with shared permissions.
IAM Roles: Identities that AWS services, applications, or federated users can assume to obtain temporary permissions for specific actions.
Principle of Least Privilege (PoLP)
PoLP dictates that users and applications should have only the permissions necessary to perform their tasks. This approach includes:
Just-Enough-Access (JEA): Providing the minimum permissions required.
Just-In-Time (JIT): Allowing temporary permissions for a limited duration.
ConsoleMe is an open-source project that issues short-lived IAM policies to enforce JEA and JIT.
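As an added example of JEA plus JIT in one policy document (not from the post and not ConsoleMe's code), the builder below accepts only fully qualified actions and specific ARNs (just enough) and stamps an aws:CurrentTime expiry (just in time) so the grant lapses on its own even if nobody revokes it. The aws:CurrentTime and aws:MultiFactorAuthPresent condition keys are real IAM keys; the builder's interface, the MAX_TTL ceiling and the bucket/prefix are assumptions for this example.

```python
"""Added example: build a just-in-time, just-enough-access IAM policy document.
The caller names exact actions and resource ARNs; wildcards and over-long
grants are refused, and the policy carries its own expiry condition."""
import json
from datetime import datetime, timedelta, timezone

MAX_TTL = timedelta(hours=4)  # assumed organisational ceiling for one grant


def _iso_z(dt):
    return dt.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def build_jit_policy(actions, resources, ttl, now=None, sid="JitGrant"):
    """Return a policy dict allowing exactly `actions` on `resources` until
    now + ttl. Raises ValueError for wildcard actions or resources and for a
    TTL outside (0, MAX_TTL], so an over-broad request cannot slip through."""
    now = now or datetime.now(timezone.utc)
    if ttl <= timedelta(0) or ttl > MAX_TTL:
        raise ValueError(f"ttl must be within (0, {MAX_TTL}]")
    for a in actions:
        # "s3:Get*" or "*" would widen the grant; require service:Action form.
        if "*" in a or a.count(":") != 1:
            raise ValueError(f"action must be fully qualified, no wildcards: {a!r}")
    for r in resources:
        if r == "*" or not r.startswith("arn:"):
            raise ValueError(f"resource must be a specific ARN: {r!r}")
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": sid,
            "Effect": "Allow",
            "Action": sorted(actions),
            "Resource": sorted(resources),
            "Condition": {
                # JIT: IAM evaluates this on every call, so access ends at the
                # timestamp even if the policy is never detached.
                "DateLessThan": {"aws:CurrentTime": _iso_z(now + ttl)},
                # Keep the MFA requirement on the temporary grant too.
                "Bool": {"aws:MultiFactorAuthPresent": "true"},
            },
        }],
    }


def is_expired(policy, now=None):
    """True once the policy's DateLessThan expiry has passed (used to know when
    the document can be cleaned up)."""
    now = now or datetime.now(timezone.utc)
    expiry = policy["Statement"][0]["Condition"]["DateLessThan"]["aws:CurrentTime"]
    return now >= datetime.strptime(expiry, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


if __name__ == "__main__":
    t0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
    doc = build_jit_policy(
        ["s3:GetObject", "s3:PutObject"],
        ["arn:aws:s3:::example-bucket/incident-42/*"],  # placeholder bucket/prefix
        timedelta(minutes=30), now=t0)
    print(json.dumps(doc, indent=2))
    print("expired one hour later?", is_expired(doc, t0 + timedelta(hours=1)))
```

The resulting document can be attached as an inline policy or passed as a session policy when a role is assumed. Because the expiry lives inside the policy rather than in a scheduler, a failed cleanup job shrinks to a hygiene problem instead of a standing-access problem.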
AWS Account Root User
The AWS Account Root User has full access to all resources and permissions. This account should only be used for specific tasks, and its use is generally discouraged for daily operations. Always enable MFA for the Root User and avoid using its access keys.
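The CloudTrail log mentioned earlier is where the root-user advice becomes checkable. Here is an added example (not from the post) of detection logic run over constructed CloudTrail records: it flags any root-user activity, root API calls made with a long-term access key, and console sign-ins completed without MFA. The field names (userIdentity.type, additionalEventData.MFAUsed, accessKeyId) and the AKIA/ASIA key-id prefix convention follow AWS's documented formats; the records, account id and addresses are made up.

```python
"""Added example: flag root-user and non-MFA activity in CloudTrail records.
The records below are constructed; field names follow CloudTrail's format."""
import json

# Constructed CloudTrail records (placeholder account id, RFC 5737 addresses).
SAMPLE_RECORDS = [
    {"eventTime": "2024-01-01T09:00:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.5",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "additionalEventData": {"MFAUsed": "Yes"}},
    {"eventTime": "2024-01-01T09:05:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "additionalEventData": {"MFAUsed": "No"}},
    {"eventTime": "2024-01-01T09:10:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.9",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111122223333:root"},
     "additionalEventData": {"MFAUsed": "Yes"}},
    {"eventTime": "2024-01-01T09:15:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateAccessKey", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111122223333:root",
                      "accessKeyId": "AKIAEXAMPLEPLACEHOLDER"}},
    {"eventTime": "2024-01-01T09:20:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "sourceIPAddress": "203.0.113.5",
     "userIdentity": {"type": "IAMUser", "userName": "alice",
                      "accessKeyId": "ASIAEXAMPLEPLACEHOLDER"}},
]


def classify(record):
    """Return the finding labels that apply to one CloudTrail record."""
    findings = []
    ident = record.get("userIdentity", {})
    if ident.get("type") == "Root":
        findings.append("ROOT_ACTIVITY")  # root should be rare: review every hit
        # Long-term access key ids start with AKIA; temporary (STS) ids start
        # with ASIA. An AKIA key on a root call means a root access key exists
        # and is in use, which the post says to avoid.
        if ident.get("accessKeyId", "").startswith("AKIA"):
            findings.append("ROOT_LONG_TERM_KEY_USED")
    mfa = record.get("additionalEventData", {}).get("MFAUsed")
    if record.get("eventName") == "ConsoleLogin" and mfa == "No":
        findings.append("CONSOLE_LOGIN_WITHOUT_MFA")
    return findings


def scan(records):
    """Return (eventTime, eventName, principal, finding) tuples for flagged records."""
    out = []
    for rec in records:
        ident = rec.get("userIdentity", {})
        who = ident.get("userName") or ident.get("arn") or ident.get("type", "unknown")
        for finding in classify(rec):
            out.append((rec["eventTime"], rec["eventName"], who, finding))
    return out


def load_trail_file(text):
    """CloudTrail delivers JSON files shaped {"Records": [...]}; unwrap them."""
    return json.loads(text)["Records"]


if __name__ == "__main__":
    for row in scan(load_trail_file(json.dumps({"Records": SAMPLE_RECORDS}))):
        print(" | ".join(row))
```

In practice the same classify() runs over records pulled from the CloudTrail S3 delivery bucket or an EventBridge rule, and the findings feed whatever alerting GuardDuty does not already cover; root activity is worth a page regardless of whether MFA was present.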
AWS Single Sign-On (AWS SSO)
AWS SSO allows you to manage access centrally across your AWS organization, supporting integration with identity sources like AWS SSO, Active Directory, and SAML 2.0 IdP.