A Zero-Trust Architecture Focuses on the Protection of Data Resources Using Dynamically-Assessed Security Policies During Process Operations
A zero-trust architecture implements security principles that protect data throughout the business operations of a global company. In many business scenarios around code development and Data Science activities, a nagging challenge for companies of any size, and often a significant cost for companies with outsourcing experience, is securing the business processes against data leaks.
The security challenge at stake here is mainly the control and protection of company IP assets, such as source code and data, throughout the process. This is ideally achieved with an IT infrastructure that securely enables remote work locations, accommodates temporary workers cost-efficiently, and prevents data leaks during ephemeral collaborations, whether between companies or during innovation tournaments.
The zero-trust approach prescribes design principles to create an infrastructure that focuses on resource protection by narrowing its scope in terms of access control (using micro-segmentation) and enabling continuous security assessment. In effect, the key benefit of a Zero-Trust approach is the ability for a company to implement granular and dynamic security policies acting on a set of entities such as users, resources and applications. The secure Cloud Development Environment (CDE) implements the design principles of the Zero-Trust Architecture by focusing on resource protection (see Screenshot below).
Screenshot: The secure CDE's resource management approach enables the control of all resource types (Workspaces dashboard.)
With globalization, the widening reach of business processes is forcing companies to provide data access to hosts both inside and outside the IT perimeter. A zero-trust architecture is built on the premise that no host is granted any default level of trust and that every host undergoes thorough verification. This removes the distinction between being "inside" or "outside" the network. Furthermore, it assumes that the network is already compromised and that insider threats are present. As a result, the Zero-Trust approach implements a strategy that focuses on protecting resources, i.e. the company's IP assets, rather than the network perimeter.
The focus on information security rather than network security is embraced by best practices and guidelines such as those described in ISO 27001 and the other standards of the ISO 27k series. Guidelines span from management practices to security policies for core business process entities such as users, resources and applications. This standard is a rich source of information security policies, and compliance with it is now required across many industries. The secure CDE platform implements many of the ISO 27001 requirements that are relevant to the scope of a coding and Data Science development process.
The basic elements of a Zero-Trust architecture's implementation can be explained simply; a thorough explanation is available in the NIST Special Publication 800-207 specification document. The secure CDE platform implements Zero-Trust design principles by starting from the business needs, i.e. setting up a global process for coding and Data Science.
Users perform their activities in workspaces with access to resources such as code repositories, data buckets and external services. Any of these resources can be deployed on-premise or in the Cloud. The platform then lets process owners set up dynamic security policies, based on attributes that are continuously assessed during operations. The platform implements the security controls of ISO 27001 that are relevant to the business needs, i.e. the scope of applicability of the standard. For example, when a new code repository is imported, the resource can be classified so that dynamic policies can be defined to enforce access policies on it.
Screenshot: The selection of attributes for security policies when connecting an asset to the secure CDE platform (Workspaces Dashboard.)
Finally, the secure CDE platform provides security functions such as Identity and Access Management (IAM), Security Analytics and Data Loss Prevention, so that security policies can be enforced according to the business needs. The diagram below illustrates the data flow and the policy decision and enforcement points.
Diagram: The Implementation of security policy decision and enforcement locations in a Zero-Trust Architecture (See NIST SP 800-207)
When considering a security solution, companies have to make sure that it does not hinder productivity. Besides offering a great deal of collaboration features, the secure CDE platform implements the Zero-Trust Architecture principles in the most transparent manner possible.
By design, a process based on Zero-Trust Architecture principles requires more authentication and authorization activities than a classic IT infrastructure. This overhead is made transparent to users by supporting Identity Providers such as Google Identity and Azure Active Directory, together with Single Sign-On. The platform uses open standards such as OAuth, OpenID Connect and SAML to implement a mostly transparent authentication and authorization mechanism. In addition, the platform automates the management of cryptographic keys on behalf of users, in order to manage identities across connected tools, e.g. external services, code repositories and data bucket providers.
Interoperability issues are greatly mitigated because the secure CDE platform is based on open standards. Interoperability needs stemming from the business process being supported can easily be accommodated, so that the secure CDE connects to additional services.
An important design principle when building a Zero-Trust Architecture is the definition of the scope. Finding the right scope for access control comes through the application of micro-segmentation. The platform implements these principles by design and lets managers apply them through simple yet powerful user interfaces.
Using micro-segmentation, the secure CDE platform first narrows the scope of access control to the business process at stake, i.e. the development process supported by the platform. This way, all data resources and applications necessary to this process are isolated from non-participating users and applications.
Then, micro-segmentation is used to put an access-control wrapper around each resource. As explained at the beginning of this text, resources are managed by the process, so that access can be whitelisted at the level of the resource and so that each resource is accessed only through specific encrypted protocols. In effect, the platform allows companies to perform automated micro-segmentation of their data resources, either on-premise or in the Cloud, across three levels of abstraction: the business process, the access protocol and the resource location on the network.
Diagram: The secure CDE platform allows the implementation of micro-segmentation at three levels in the business process.
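As an added illustration, not the secure CDE platform's own code, the Python sketch below shows a policy decision point and a policy enforcement point in the sense of NIST SP 800-207 (the decision/enforcement description above) evaluating each workspace access against the three micro-segmentation levels just listed (business process, access protocol, network location) plus continuously re-assessed attributes such as device posture and resource classification. All names, roles, policy values and requests are constructed for the example.

```python
from dataclasses import dataclass
@dataclass
class Resource:                  # an asset connected to the process
    name: str
    process: str                 # business process that owns it
    classification: str          # assigned when the resource is imported
    allowed_protocols: set       # encrypted protocols its wrapper accepts
    reachable_from: set          # network locations allowed to reach it

@dataclass
class Request:                   # attributes of one workspace access
    user: str
    process: str                 # process the workspace is enrolled in
    role: str
    protocol: str
    source_network: str
    device_compliant: bool       # posture attribute, re-assessed per access

# Constructed policy: roles permitted to read each classification level.
ROLE_POLICY = {"internal": {"developer", "contractor"}, "confidential": {"developer"}}

def decide(req, res, role_policy=ROLE_POLICY):
    """Policy decision point: deny unless every segment and attribute passes."""
    if req.process != res.process:
        return False, "process segment: workspace not enrolled"
    if req.protocol not in res.allowed_protocols:
        return False, f"protocol segment: {req.protocol} not permitted"
    if req.source_network not in res.reachable_from:
        return False, f"network segment: unreachable from {req.source_network}"
    if not req.device_compliant:
        return False, "device posture: non-compliant"
    if req.role not in role_policy.get(res.classification, set()):
        return False, f"classification: {req.role} may not read {res.classification}"
    return True, "allow"

def enforce(req, res, op, audit):
    """Policy enforcement point: every operation is re-decided, so an earlier
    allow does not survive a change in the caller's attributes."""
    ok, why = decide(req, res)
    audit.append((req.user, op, ok, why))   # trail feeds security analytics
    return f"{op} {res.name}" if ok else f"denied: {why}"

def run_demo():
    repo = Resource("payments-repo", "proc-42", "confidential", {"ssh", "https"}, {"vpn", "cloud-eu"})
    audit = []
    bob = Request("bob", "proc-42", "contractor", "https", "vpn", True)
    alice = Request("alice", "proc-42", "developer", "ssh", "cloud-eu", True)
    out = [enforce(bob, repo, "clone", audit), enforce(alice, repo, "clone", audit)]
    alice.device_compliant = False   # posture changes mid-session
    out.append(enforce(alice, repo, "push", audit))
    return out, audit
```

The third access shows the dynamic part of the policy: alice's earlier allow is not a session token that persists, because the next operation is re-decided against her current device posture.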
Secure Code Development Outsourcing
Expand your code development capability by onboarding any talent from any location while protecting your source code and data using our Zero-Trust Architecture with Data Loss Prevention.
We created a Virtual Workspace Infrastructure (VWI) to deploy Cloud IDEs with plenty of collaborative features, data security and automation.
Data-Secure IDEs for Data
Improve the data security of your Data Science process by using our platform to deploy Data Science Workspaces as full IDEs in your company or anywhere.
Share your data securely during innovation tournaments on Kaggle. Connect to cloud pipelines and experiment management applications such as MLFlow, Kubeflow, etc.
Connect your workspaces securely to code repositories and data buckets from all major cloud providers.
Zero-Trust, DLP-Enabled Cloud Coding
You can operate your company the way we do: we develop our platform using our platform. Our enterprise-grade cloud IDE platform allows you to put your entire DevOps process, including all coding activities, in the Cloud.
Our platform enforces zero-trust architecture principles in addition to providing data loss prevention. This gives you a leap forward in DevOps security and lets you master DevSecOps automation.