Zero-trust architecture is based on the assumption that none of the entities within the architecture are trusted implicitly based on their properties; explicit authentication and authorization based on certificates take place prior to establishing a session with the resource. However, there is no mechanism to monitor and enforce the distribution of certificates based on cloud-based service accounts. This disclosure describes techniques to bind a certificate policy to a service account that enables enforcement of specific policies on a virtual machine based on the particular service account associated with that virtual machine. The mapping between a certificate policy and the corresponding service account in the installed certificate is used to validate compliance with the policy. A mismatch between the policy in the presented certificate and the expected policy triggers an event that signals a potentially compromised virtual machine.
Creative Commons License
This work is licensed under a Creative Commons Attribution 4.0 License.
Namer, Assaf, "Binding Certificates to Service Accounts Deployed on Zero-Trust Cloud Virtual Machines", Technical Disclosure Commons, (November 18, 2021)