ARTICLES

Service-to-Service Zero Trust Control for Hybrid Cloud

The hype around zero trust security has seemingly slowed down. This is inherently positive for the state of cyber security! It suggests that, finally, zero trust is becoming less of a novelty approach and more of an accepted practice. Vendor marketing materials continue to include zero trust verbiage, because it is a pivot from earlier architectural approaches, but we're seeing the term used more like a descriptor, as one would say, “I’ll have a turkey burger” instead of “I'll have a burger,” the latter assuming that “burger” implies “beef” and therefore requires clarification. (Honestly the debate around the validity of turkey as burgers may be more hotly contested than whether zero trust is a subset within security.)

Naturally, achieving a zero trust environment is significantly harder than talking about it. According to recent studies, while 60% of companies are working toward zero trust architectures, only 15% say they have implemented zero trust. But with the plethora of vendors building their products from the ground up based on zero trust principles, adoption will continue to grow and organizations will become incrementally more secure. It is easier to bake zero trust into nascent products designed to be deployed in modern computing environments like the cloud and containers than it is to take an existing tool or network and rearchitect it.

This was the opportunity Shauli Rozen, CEO and Co-founder of Cyber Armor, and his colleagues identified when they decided to start the company in 2018. An engineer by trade, Rozen’s career path had drawn him to business-focused roles. When his co-founders approached him with an opportunity to merge the two sides of his profession and ride the wave of zero trust with a new solution offering, Rozen said he “couldn’t resist.”

What the team built is what they call a “service-to-service control plane for native, hybrid, and multi-cloud environment.” So far, this sounds an awful lot like other companies’ marketing literature. Where the differentiation comes in is in the technology nuts and bolts. Recognizing a need for an authentication mechanism that can be effective ubiquitously across cloud, container, and mesh networks—and without the need for overwhelming policy management—the Cyber Armor team focused their attention on creating something they call “code-DNA.”

Creating cryptographic identity

The way Rozen explained code-DNA is that it is continuous verification of cryptographic software integrity based on properties in the code. Their patent-pending technology has the ability to translate offline signatures into runtime signatures during memory execution. Each signature uniquely identifies each software service and, when applied to both ends of a communication, can be inspected for its authenticity. As is inherent in the definition of zero trust, if a signature fails to match what is expected, communication is denied; only explicitly authorized and trusted workloads, as authenticated by their code-DNA, are permitted to communicate or access data and system resources. Rozen considers this analogous to the practice of adding second factor biometric authentication (e.g., fingerprint, retina scan) to first factor password-based authentication: “We do the same, but for microservices” he said.

In addition to this cryptographic identity, Cyber Armor automatically encrypts all east-west traffic in a way that the encryption is dependent on the identity of the allowed workload. All data and secrets are encrypted at rest, in transit, and in use. The result is that, even if an attacker finds their way onto a network by some other vulnerability (as is common), collateral damage is limited because the attacker can’t see the data (because all communication channels are encrypted) or remove data from the system (because only known signatures computed during CI/CD are allowed to run).

In keeping with the idea of data and network protection built for modern computing environments, Cyber Armor is pre-integrated with common DevOps tools such as Jenkins, Ansible, Docker, and more. In Kubernetes and Istio environments, Cyber Armor will be injected as part of container orchestration and controls. These integrations mean that developers don’t need to take any special steps to ensure their code is delivered securely and in line with development goals, even if they're using non-binary or open source code. Everything running in the production environment is verified before authorization is granted, thereby preventing execution of arbitrary or malicious code.

Inherently deployed

“The problem with technologies like firewalls, access control lists, and microsegmentation, even if they’re built on a zero trust framework,” Rozen said, “is that they are applied after software is deployed. That creates a gap in protection. Anywhere there is a seam, there is opportunity for failure. Cyber Armor is deployed in the CI/CD pipeline and runs continuously through runtime.”

Although Cyber Armor is a small startup at present, they have a big idea that sounds like a viable approach within the zero trust category of products. I’m excited to see what’s next for this group; with the founders’ combined background and skill sets, and a strong funding team behind development of the product, the company is well-poised to grow and help companies achieve zero trust for their runtime environments.