Zero trust: The forward-compatible security architecture in a cloud-first world

By Vijay Verma, Chief Revenue Officer – Services Lines, Persistent Systems

As enterprises embed AI and Generative AI (GenAI) into their systems and workloads, the cloud will become the de facto operating model to meet a projected 122% rise in computing and data storage. Moving to the cloud brings an explosion of change that can catch enterprises off guard and offer bad actors a foothold. It introduces risks born of misconfiguration, open-source vulnerabilities, or supply-chain attacks that did not have to be accounted for in the on-premises world. While cloud service providers maintain acceptable service levels, including a security threshold, they can only report and remediate incidents after they occur. Enterprises must still proactively prevent security threats in the cloud.

How should an enterprise approach cybersecurity while operating in the cloud, where control is significantly reduced, and large volumes of data are constantly at rest, in transit, or in use? With a hybrid workforce accessing cloud-hosted data and applications from different locations and devices, how can enterprises ensure a breach will not occur? With so much in flux, what is the best way to determine who is a good actor or gauge malicious intent?

The only way is to trust no one, or in other words, zero trust. Moving to the cloud calls for a mindset shift to cybersecurity – a shift diametrically opposite to the perimeter-led defence that worked on-premises. Zero trust is an evolving set of cybersecurity practices that assumes a breach has already occurred and does not trust any entity by default – regardless of its location, identity, or nature. It explicitly verifies each device and user attempting to gain access – regardless of their physical location or network position. It operates on the principle of least privilege, where users and automated workflows are granted access to only the minimum data necessary to perform tasks. Even if a bad actor breaches the network, the lateral impact is minimised and easily contained since user identity must be re-established to access a different application or database.

This is what we did at Persistent, enhancing our security posture by 85% with reduced threats while providing secure access to a more than 23,500-strong global workforce.

How to adopt zero-trust architecture while moving to the cloud

Since GenAI burst onto the scene in late 2022, the number of cloud security incidents has increased, rising 154% from 2023 to 2024 globally. We have seen with our clients’ GenAI implementations that these incidents make a case for zero trust, replacing the traditional security protocols of a perimeter-centric approach with dynamic, context-rich access controls implemented through:

  • Identity and Access Management (IAM): The principle of least privilege ensures that only the right users can access the right applications. IAM combines the implementation of multi-factor authentication and role-based access policies to validate identities continuously. Furthermore, conditional access policies are employed, considering user behaviour, geographic location, and devices’ security posture to dynamically determine access rights, enhancing security based on real-time context.
  • Continuous verification & monitoring: A zero-trust mindset suspects every entity—whether a user, device, or application—even if they are inside the cloud network perimeter. User activities are continuously monitored to ensure compliance with security policies and detect unusual behaviours that may indicate a security threat. Risk-based authentication strategies are employed to adjust security requirements based on observed behaviours and potential risks. Advanced AI-driven behavioural analytics tools identify deviations from normal patterns, creating alerts for suspicious activities.
  • Micro-segmentation: By implementing granular access policies between various workloads and applications, enterprises prevent lateral movement within the network. Should a breach occur, micro-segmentation limits the exposure and impact, allowing for quicker threat containment and remediation.
  • Data-centric security: Robust encryption techniques can ensure that data is unreadable even if intercepted or accessed unlawfully. Data classification schemes help identify the sensitivity of the information, while rights management tools control access to ensure that only authorised individuals can view or manipulate this data. Data Loss Prevention (DLP) tools are also deployed to actively monitor data transfers and prevent unauthorised data exfiltration, protecting data integrity and confidentiality.
  • Secure workload & API protection: Secure communication between applications is critical. Thus, strong authentication measures are enforced for application-to-application interactions. Enterprises can enhance security by implementing cloud-native security controls, such as secure service meshes and API gateways. Furthermore, workload identity verification can authenticate and authorise cloud and hybrid workloads, ensuring that only legitimate workloads can interact with one another.
  • Endpoint & device security: To maintain strict security, device compliance policies are enforced before granting access to network resources. This involves checking security configurations and ensuring devices are free of vulnerabilities. Endpoint Detection and Response (EDR) tools can detect, isolate, and remediate compromised devices promptly. Zero-Trust Network Access (ZTNA) replaces traditional VPN solutions, offering more secure, identity-based access.
  • Automation & threat intelligence: Security Information and Event Management (SIEM) and Extended Detection and Response (XDR) systems correlate security events from diverse sources, generating a comprehensive view of an enterprise’s security posture. Automation plays a crucial role in transforming analysed intelligence into actionable insights, with Security Orchestration, Automation, and Response (SOAR) solutions streamlining policy enforcement and incident response. Real-time threat intelligence can dynamically counteract evolving threats and tactics employed by cybercriminals.
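As an added illustration (not from the article or from Persistent), the following Python sketch shows how several of the controls above combine into a single per-request policy decision: role-based least privilege, device posture, location- and risk-based step-up authentication. The role table, allowed countries, risk thresholds and the `AccessRequest` fields are constructed sample values standing in for signals an IAM or analytics platform would supply.

```python
from dataclasses import dataclass

# Constructed sample role table: each role gets only the permissions it needs
# (least privilege). Illustrative values only, not any organisation's data.
ROLE_PERMISSIONS = {
    "analyst": {"reports:read"},
    "payroll": {"payroll:read", "payroll:write"},
}
ALLOWED_COUNTRIES = {"IN", "US"}   # assumed usual corporate locations
STEP_UP_RISK, DENY_RISK = 40, 80   # assumed thresholds on a 0-100 risk score


@dataclass(frozen=True)
class AccessRequest:
    user: str
    role: str
    permission: str         # e.g. "payroll:write"
    mfa_verified: bool      # strong authentication completed for this request
    device_compliant: bool  # EDR healthy, disk encrypted, patched (device posture)
    country: str            # geolocation of the request
    risk_score: int         # behavioural-analytics signal (assumed upstream input)


def decide(req: AccessRequest) -> tuple[str, str]:
    """Policy decision point: every request is evaluated afresh, no standing trust."""
    # 1. Least privilege: the role must explicitly grant this permission.
    if req.permission not in ROLE_PERMISSIONS.get(req.role, set()):
        return "DENY", "permission not granted to role"
    # 2. Device posture: non-compliant endpoints never reach data.
    if not req.device_compliant:
        return "DENY", "device non-compliant"
    # 3. Risk-based authentication: high risk blocks outright.
    if req.risk_score >= DENY_RISK:
        return "DENY", "high-risk session"
    # 4. Conditional access: elevated risk, an unfamiliar location, or a write
    #    scope all demand fresh MFA (step-up) before access is granted.
    sensitive = req.permission.endswith(":write")
    unusual = req.risk_score >= STEP_UP_RISK or req.country not in ALLOWED_COUNTRIES
    if (sensitive or unusual) and not req.mfa_verified:
        return "STEP_UP", "MFA required"
    return "ALLOW", f"{req.user} granted {req.permission}"


if __name__ == "__main__":
    print(decide(AccessRequest("asha", "payroll", "payroll:write", False, True, "IN", 10)))
    # → ('STEP_UP', 'MFA required')
```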

Why enterprise zero-trust missions fail and the success cheat code

While 60% of organisations are expected to have implemented zero trust by 2025, more than half will fail to realise its full benefits. Zero trust is not old wine in a new bottle. It is a top-to-bottom reimagining of cybersecurity protocols, policies, and posture. Bringing an old mindset to the table will likely backfire, since the cloud is a paradigm shift from on-premises infrastructure. Here is what enterprises should consider before a zero-trust pivot:

  • All-in-one zero trust products don’t exist: Zero trust is not just a single product or approach; instead, it is a comprehensive philosophy and framework that encompasses policies, technologies, and people. This framework should be applied across the seven pillars of zero trust: workforce security, device security, workload security, network security, data security, visibility and analytics, and automation and orchestration.
  • Legacy systems may not adapt to zero trust: Not all existing assets are configured to operate under the principles of least privilege and micro-segmentation. Surveys indicate that many companies claim to be implementing zero-trust principles, yet they face challenges in authenticating and monitoring users effectively. It is crucial to evaluate legacy applications and platforms to ensure that existing assets are compatible with Single Sign-On (SSO), IAM, and ZTNA tools.
  • Zero trust is not a productivity drain: As enterprises pivot to zero-trust security, they could experience a productivity hit, with users having to establish trust at each access request. However, this does not mean zero trust hinders innovation or business goals. On the contrary, it is an enabler that secures the business from an ever more sophisticated threat landscape and allows it to focus on business goals that could be derailed if threats become incidents.

Just like digitisation, implementing a zero-trust security architecture is a journey. It requires stakeholder coordination, management buy-in, and a strategic outlook toward tooling, access policies, security guardrails, and the overall corporate security mindset. It democratises enterprise security and holds all employees, third-party agencies, guest users, and executive leadership accountable.
