A Study on the Security Requirements Analysis to build a Zero Trust-based Remote Work Environment

TL;DR

This paper proposes detailed security requirements for Zero Trust architectures in cloud-based remote work environments, analyzes major cloud services against these requirements, and identifies security gaps and countermeasures.

Contribution

It offers a detailed threat modeling and security requirement analysis for Zero Trust in cloud environments, extending existing guidelines from NIST and DoD.

Findings

Identified security gaps in Microsoft Azure, AWS, and Google Cloud.

Proposed specific countermeasures for identified threats.

Validated security requirements through analysis of commercial cloud services.

Abstract

Recently, the usage of cloud services has been increasing annually, and with remote work becoming one of the new forms of employment within enterprises, the security of cloud-based remote work environments has become important. The existing work environment relies on a perimeter security model, where accessing one's resources is based on the assumption that everything within the internal network is secure. However, due to the limitations of the perimeter security model, which assumes the safety of everything within the internal network, the adoption of Zero Trust is now being demanded. Accordingly, NIST and DoD have published guidelines related to Zero Trust architecture. However, these guidelines describe security requirements at an abstract level, focusing on logical architecture. In this paper, we conduct a threat modeling for OpenStack cloud to propose more detailed security requirements compared to NIST and DoD guidelines. Subsequently, we perform a security analysis of commercial cloud services such as Microsoft Azure, Amazon Web Service, and Google Cloud to validate these requirements. The security analysis results identify security requirements that each cloud service fails to satisfy, indicating potential exposure to threats. This paper proposes detailed security requirements based on the Zero Trust model and conducts security analyses of various cloud services accordingly. As a result of the security analysis, we proposed potential threats and countermeasures for cloud services with Zero Trust, and this is intended to help build a secure Zero Trust-based remote work environment.