When planning for a zero trust approach to cybersecurity, agency technology teams need to keep a certain axiom in mind: Commercial cloud service providers secure their clouds, but the customer must ensure the security of what it hosts in the cloud.
“The clouds really don’t offer a comprehensive solution for looking at security risk in the cloud,” said Chris Saunders, public sector solutions engineering lead at Wiz.
When agencies initially focused on zero trust, “it was very much about the devices the government used to access applications — the endpoints, the phones — very much focused on that use case,” Saunders said during Federal News Network’s Accelerate Together: Zero Trust 2025.
Now, agencies face the challenge of applying zero trust principles to their multicloud infrastructures. Saunders said the primary requirement for cloud infrastructure zero trust is total visibility.
Gaining visibility across multicloud environments
“You have to know what you’re going to access for risk and then be able to drive analytics across that to understand what’s out there, what shouldn’t be there, what’s allowed to be there and what you haven’t looked at yet,” he said.
Moreover, visibility must encompass all of the cloud services an agency uses, Saunders said. That way, the zero trust approach can in turn encompass inter-cloud traffic as well as traffic among resources within a given commercial cloud.
In particular, he advised organizations to watch out for artifacts left by developers while coding applications for cloud hosting.
“Sometimes, developers will leave things called ‘secrets,’ ” he said, which allow potential access to operating systems or environments, and they leave them on multiple clouds, which could lead to cross-cloud leakage.
Why to think differently about identities in the cloud
In addition to full visibility, “you have to understand your identities in the cloud,” Saunders said. “They’re very different from identities in an on-premise data center, on a phone or on a laptop.”
Cloud identities instead track the lateral instructions or data calls that happen between clouds from different providers.
Wiz in effect lets users see past the front ends of cloud providers “to show you the paths from one cloud to another, to show you the inventory, regardless of the cloud,” he said.
For instance, all of the virtual machines an organization has running in its cloud presences will be visible to enable what Saunders called “democratizing security. You don’t have to be an expert in AWS, Azure or Google to get value and reduce your security risk.”
To help identify potential gaps, Wiz can “provide a comprehensive view across all those clouds to really fill the gaps of where the cloud provider ends and you, as a government agency, begin,” he said.
Continuous monitoring also a necessity in the cloud
Given the constantly shifting threat landscape, agencies remain obligated to continuously monitor their networks and application activities, an imperative that predates the zero trust movement.
“Cloud is the perfect fit for continuous anything,” Saunders said.
This stems from how cloud architectures are built on application programming interfaces (APIs).
“Everyone uses APIs to either spin up cloud infrastructure or get information from the cloud,” he said. Similarly, Wiz uses the same APIs “to continuously monitor for misconfigurations, for secrets, for vulnerabilities.”
This approach also reveals whether controls recommended by the National Institute of Standards and Technology are in place.
“We do that on a 24-hour basis,” Saunders said.
By its very nature, cloud introduces risks
Traffic within instances of cloud applications, or between clouds, makes things more complicated, though. The qualities that make cloud computing attractive also make it harder to monitor and to establish zero trust, Saunders said.
“I don’t know if it’s a downfall of cloud, but one of the promises of cloud is we give anyone the ability to spin up infrastructure at will,” he said. “It’s supposed to be very elastic. We want to be able to spin things up and down for various reasons, either for scale or for cost savings.”
But these activities require a lot of permissions for resources to access one another. That’s where developers tend to take shortcuts, he pointed out, which is not a good practice for zero trust.
“You want to identify the excessive permissions that you have in the environment and be able to give that to the person who can fix that,” Saunders said.
He emphasized that Wiz identifies these conditions not by putting agents on applications throughout the infrastructure. Instead, it uses read-only access to the APIs connected to cloud-provided services, virtual machines, containers and other resources.
“We iterate through — we build out what’s called an inventory for Wiz,” Saunders said. “And once we have that inventory, we begin to assess it for risk, critical vulnerabilities on the workloads, misconfigurations, any secrets — and the same for the cloud services.”
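As an added illustration of the inventory-then-assess flow Saunders describes (example code, not Wiz's own), the following Python runs over a constructed multicloud inventory: it flags wildcard permission grants per workload and fingerprints secret-looking environment variables so that the same secret sitting in more than one cloud, the cross-cloud leakage case mentioned earlier, shows up in the report. The inventory contents, cloud names and field layout are assumptions.

```python
import hashlib
import re

# Constructed multicloud inventory (not real data), shaped like what a
# read-only API crawl of each provider might return.
INVENTORY = [
    {"cloud": "aws", "name": "vm-billing", "env": {"DB_PASSWORD": "hunter2-example"},
     "policy": [{"Effect": "Allow", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::billing/*"}]},
    {"cloud": "azure", "name": "func-etl", "env": {"DB_PASSWORD": "hunter2-example"},
     "policy": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]},
    {"cloud": "gcp", "name": "vm-web", "env": {"LOG_LEVEL": "info"},
     "policy": [{"Effect": "Allow", "Action": "compute:*", "Resource": "*"}]},
]
SECRET_KEYS = re.compile(r"password|secret|token|api[_-]?key", re.I)

def excessive_permissions(workload):
    # Flag Allow statements whose action or resource is a wildcard.
    findings = []
    for st in workload["policy"]:
        if st.get("Effect") != "Allow":
            continue
        action, resource = st.get("Action", ""), st.get("Resource", "")
        if action == "*" and resource == "*":
            findings.append(("admin-everything", action, resource))
        elif action.endswith("*") or resource == "*":
            findings.append(("wildcard", action, resource))
    return findings

def secret_fingerprints(workload):
    # Map sha256 prefix -> variable name for env vars that look like secrets;
    # only the hash is kept so the value itself never lands in a report.
    out = {}
    for key, value in workload["env"].items():
        if SECRET_KEYS.search(key):
            out[hashlib.sha256(value.encode()).hexdigest()[:12]] = key
    return out

def assess(inventory):
    # Per-workload permission findings, plus any secret whose fingerprint
    # appears in more than one cloud (the cross-cloud leakage case).
    report = {"permissions": {}, "cross_cloud_secrets": {}}
    seen = {}
    for wl in inventory:
        if perms := excessive_permissions(wl):
            report["permissions"][wl["name"]] = perms
        for fp in secret_fingerprints(wl):
            seen.setdefault(fp, set()).add(wl["cloud"])
    report["cross_cloud_secrets"] = {fp: sorted(c) for fp, c in seen.items() if len(c) > 1}
    return report
```

Each finding names the workload and the offending statement, which is the "give that to the person who can fix that" hand-off the quote above calls for.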
Wiz also integrates with other tools in an agency’s security information and event management (SIEM) tool set to create a full picture. For example, Wiz integrates with tools from Okta, which concentrate on the devices and human identities that consume cloud resources.
Saunders said that by adding a full view of its cloud infrastructure to its existing view of devices and users, an agency gains a more comprehensive picture of its risks.
“Sometimes we’ll look at risk in a bubble. We want to be able to correlate different risk factors together to get the context we need.”
© 2025 Federal News Network. All rights reserved.