A real world deployment
Whilst CloudClient was a research project, its successful outcomes were subsequently adopted across both UK government departments and private sector organizations within the Critical National Infrastructure. Well aligned with a ‘cloud first’ policy, the ‘cloud client’ model allowed a number of security benefits to be derived by optimizing end user devices for cloud access. However, in addition to security, the need to optimize usability proved a key driver for user adoption. Even with some of the most sensitive government environments, security today needs to be as automated and transparent as possible, whether that is single sign-on, timely certificate management or automated patching. These are all necessary characteristics of a well-designed Zero Trust architecture.
Security operations overheads may also be reduced through the cloud client model, as a light-weight and secured OS can significantly change the security event monitoring landscape. Minimizing the software stack with a browser-based model reduces security auditing ‘noise’ from endpoints, while cryptographically enforced health checks provide a very low-volume high-value audit profile. This can offset the potential for increased network traffic logging and inspection as advocated by the Zero Trust model.
With NCSC and wider UK government’s preference for commercial off-the-shelf products, Becrypt has been able to productize the project’s outputs in the form of an end user device platform called Paradox (no formal endorsement by NCSC implied).
The CloudClient program and subsequent real-world deployments have shown how a standards-based approach can be adopted to combine both device health and identity management with user identity management to provide granular access to services. Beyond security the model also demonstrated how the typical cloud benefits of security, cost and flexibility can be extended to the end user device infrastructure. When moving to cloud and online services, there is a temptation to focus on the benefits that the chosen cloud-based infrastructure can offer, but when the endpoint needs little more than a browser, it becomes difficult to justify a general-purpose OS, and easier to implement Zero Trust enabling controls.
To date, Paradox has been deployed to secure desktops, laptops and kiosks with a range of use cases from standard enterprise access to O365, to the more specialized examples of SOC hosting and control of 3rd party supplier access, providing varied examples of the shift towards a Zero Trust model.