researchHQ’s Key Takeaways:
- Zero trust execution applies the ‘default-deny’ principle to applications, allowing only authorized code and applications to run in an organisation’s cloud environments.
- Almost all cyberattacks require hackers to run unauthorised code or commands in a system’s runtime environment.
- Zero trust execution is not a magic fix: if implemented poorly, it can cause high overhead and provide only limited coverage and visibility.
- Genetic-based zero trust execution helps overcome these obstacles by creating a baseline for every piece of code and monitoring for anomalies.
Zero Trust Execution is the industry-recommended practice for securing workloads in the cloud. It provides a tight grip on your workloads by allowing only pre-approved code to run and nothing else. Market analysts consider it the most effective Cloud Workload Protection method, for reasons we explain in this article: chiefly the high predictability of cloud servers and the nature of cloud cyber attacks.
A Definition of Zero Trust Execution
Zero Trust Execution is a security approach that allows only pre-approved code to run in your cloud servers. Similar to Application Control or immutability (data that can only be written, not modified or deleted), Zero Trust Execution prevents any unauthorized code or applications from running on your cloud infrastructure. This allows you to retain a trusted state by stopping any changes or deviations in runtime from the pre-approved baseline.
Most solutions today search for behavioral anomalies, which can give a false sense of security because attackers can mimic normal behavior. Zero Trust Execution instead focuses on the code and applications themselves, which, as we explain below, are the root cause of cyber attacks.
Relation to Zero Trust
The security industry has already been adopting the Zero Trust principle, mostly for network traffic. Zero Trust Execution takes the same “default-deny” approach and applies it to the execution of applications: only code that you have explicitly classified as authorized is allowed to run in your systems.
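To make the “default-deny” execution rule concrete, here is an added example (not code from the article or from any vendor it describes) of the core decision such a control makes. It builds a pre-approved baseline as a map of executable path to SHA-256 of its contents, then evaluates execution events against it: anything not in the baseline is denied, and anything whose contents no longer match the approved hash is denied as drift. The paths and the byte strings standing in for binaries are constructed for the demonstration.

```python
import hashlib
from dataclasses import dataclass
from typing import Dict

# Constructed stand-ins for the executables baked into an approved cloud image.
# In a real deployment these would be the actual binaries; paths are hypothetical.
APPROVED_BINARIES: Dict[str, bytes] = {
    "/usr/sbin/nginx": b"constructed bytes of the approved nginx build",
    "/usr/bin/python3": b"constructed bytes of the approved python3 build",
}


def sha256_hex(data: bytes) -> str:
    """Content hash used as the identity of an executable (not its path or name)."""
    return hashlib.sha256(data).hexdigest()


def build_baseline(binaries: Dict[str, bytes]) -> Dict[str, str]:
    """Pre-approved baseline: executable path -> SHA-256 of its approved contents."""
    return {path: sha256_hex(content) for path, content in binaries.items()}


BASELINE = build_baseline(APPROVED_BINARIES)


@dataclass(frozen=True)
class ExecEvent:
    """A runtime execution attempt: what path was invoked and what bytes it contains."""
    path: str
    content: bytes


@dataclass(frozen=True)
class Verdict:
    allowed: bool
    reason: str


def evaluate(event: ExecEvent, baseline: Dict[str, str]) -> Verdict:
    """Default-deny: allow only when the path is in the baseline AND the hash matches.

    Two distinct denial reasons are reported so a responder can tell an unknown
    binary (e.g. a dropped payload) from drift in an approved one (e.g. a
    tampered or silently upgraded package).
    """
    expected = baseline.get(event.path)
    if expected is None:
        return Verdict(False, f"deny: {event.path} is not in the approved baseline")
    actual = sha256_hex(event.content)
    if actual != expected:
        return Verdict(False, f"deny: {event.path} drifted from the approved baseline")
    return Verdict(True, f"allow: {event.path} matches the approved baseline")


def run_simulation() -> Dict[str, bool]:
    """Evaluate a few constructed execution events and return path -> allowed."""
    events = [
        # Approved binary, unchanged: the only case that is allowed.
        ExecEvent("/usr/sbin/nginx", APPROVED_BINARIES["/usr/sbin/nginx"]),
        # Approved path but modified contents: drift, denied.
        ExecEvent("/usr/bin/python3", b"constructed bytes of a tampered python3"),
        # Unknown executable dropped at runtime: never in the baseline, denied.
        ExecEvent("/tmp/.cache/miner", b"constructed bytes of an unapproved binary"),
    ]
    results = {}
    for event in events:
        verdict = evaluate(event, BASELINE)
        print(verdict.reason)
        results[event.path] = verdict.allowed
    return results


if __name__ == "__main__":
    run_simulation()
```

The point of keying the baseline on content hashes rather than names is that an attacker who overwrites an approved path, or drops a file with a familiar name, still fails the check; the approved state is defined by what the bytes are, not by what they are called. A production control would populate the baseline from the deployed image at build time and hook the actual process-execution path, but the accept/deny logic is exactly this.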
What Does a Cloud Cyber Attack Look Like?
To truly see the value of Zero Trust Execution, it’s important to understand how a cloud cyber attack is conducted.
On the surface, every cloud cyber attack looks different. Attackers can use many attack vectors; exploiting vulnerabilities in Docker, Kubernetes, or Linux applications are just a few examples.
One element that stands out is that these attacks require the attacker to run unauthorized code or commands somewhere in the victim’s runtime environment. In the illustration below, you can see that regardless of the type of attack, almost every cyber attack eventually requires code to be executed in runtime. Learn about the advantages of runtime vs. pre-runtime protection in this SANS webcast.
In the 2018 Tesla breach, attackers gained access to an unprotected Kubernetes console. One of the console’s storage containers contained credentials for a broader Tesla AWS cloud environment, which the attackers then used to run cryptocurrency mining malware on the company’s Linux servers. Zero Trust Execution would have prevented this attack by alerting on the unrecognized code that was executed after the attacker gained access to the system.
This is one reason why the industry is shifting to a Zero Trust Execution approach.
Advantages of Zero Trust Execution for Cloud Environments
Unlike endpoints, where it’s difficult to predict what software will be installed onto the device at any given time, cloud environments are fairly predictable. That is, servers and cloud-native applications (Virtual Machines, Kubernetes and Docker instances, etc.) should run only pre-approved software and the operating system itself. Therefore, it’s much easier to maintain a clear baseline in the cloud than it is on an endpoint.
That is another reason why the industry is adopting Zero Trust Execution for cloud workloads. For companies migrating their infrastructure to the cloud, it’s recommended that they replace their Antivirus software and Endpoint Detection and Response (EDR) platforms with Cloud Workload Protection Platforms (CWPP) that utilize Zero Trust Execution. Not to mention that Linux threat detection is below average in most antivirus products, so organizations require a solution designed to protect their Linux systems rather than a Windows endpoint detection platform ported over to Linux.
Here are the advantages of adopting Zero Trust Execution for the cloud:
- By preventing unauthorized code from running on your servers, you are protected against most cyber attacks.
- Detects and prevents attacks even if they exploit unknown vulnerabilities.
- Provides a last layer of defense, since you don’t always have time to patch vulnerabilities promptly.
- Greater peace of mind knowing your workloads are constantly running in a trusted state, without allowing any drifts from the pre-approved baseline.