Zero Trust Architecture (ZTA) approach of cybersecurity

EY Tech Trends series

Chapter III: Zero Trust— the vigilant enterprise

Authors

3 minute read 01 Nov 2022

Zero Trust Architecture (ZTA) evaluates access for all entities continuously at each stage.

This is part of the EY Tech Trends series wherein each chapter will focus on the rising shifts in key technology areas and the impact of these technologies across sectors.

In brief

  • Organizations cannot prevent cyber risks brought by new-age technologies and workplaces using the traditional cyber security measures. 
  • ZTA constantly assesses access at every stage for all the entities throughout its process lifecycle.
  • The first stage for implementing ZTA is to prepare a strong framework that also defines the access policies.   

The Zero Trust Architecture approach of cybersecurity works on the principle of ‘Never trust, always verify’. It entails not only limited access for all entities but also continuous evaluation of the access.

ey chapter 3

Watch: Leadership in action

Cybersecurity is now one of the biggest global business risks. With an increasing number of enterprises adopting an always-online mode, especially after the pandemic, there is an increased need and urgency for cybersecurity

Cyber-attacks cause losses of   ̴US$6 trillion per year globally, according to a leading technology company’s estimates. This may cross US $10 trillion by 2025. India reported 14,02,809 and 674,021 cybersecurity incidents in 2021 and 2022 (till June), according to the Computer Emergency Response Team (CERT). Another report finds that data breaches cost Indian businesses an average of INR 17.6 crore in FY2022 — the highest ever reported. 
 

Today’s hyper-connected enterprises, work-from-home, and cloud-first approaches have made old cyber defense strategies inadequate. Moreover, with the deperimeterization of enterprise IT architectures, companies now need to extend their security blanket to other stakeholders — from vendors to customers and employees.
 

Traditional cyber defense models based on risk have been fragile in the face of new attacks. IT departments that were used to building defense architectures based on a clearly delineated enterprise perimeter are now faced with rising incidence of supply chain viruses and malware inserted into trusted software platforms. Zero Trust Architecture (ZTA) principle, which is a radical departure from trusted access that depended on identifying the entity accessing the system and then defining its permitted access. 
 

The Zero Trust Architecture

In the traditional system of trusted access, a high-security clearance person entity could access the entire IT system or most of it depending on the job’s requirement. However, ZTA operates on a ‘Deny by Default’ and ‘Always Verify’ principles. This means that access needs to be defined for not only the person entity but also for the non-person entity (device, network, application and data being accessed); and is limited to that specific purpose. The access is continuously evaluated throughout its process lifecycle in terms of trust and the risk associated. Based on the changes in metrics, the ZTA dynamically enforces the privilege associated with each access.

How EY can help

ZTA protects a firm from external as well as internal threats. Segmenting the network into countless micro-perimeters prevents infiltrators from progressing towards the core data. In addition, it constantly verifies users and devices.

Cyber AI and ML further strengthen ZTA’s ability to continuously evaluate the trust associated with each access and enforce dynamic policies to create a more robust cyber defense architecture. This results in an enhanced user experience, agility, and adaptability while making policy management stronger. Cloud-based ZTA also increases scalability and ease of adoption.
 

Implementing ZTA
 

According to Gartner, 60% of organizations will embrace ZTA as a starting point for security by 2025. However, the approach requires a cultural shift in thinking and communication, as it is not a single technology, product, or service. Instead, it is a mix of products, processes, and people. This requires long-term commitment, which calls for financial and non-financial resources, along with prioritization and support throughout the organization. Therefore, companies should communicate the business relevance of ZTA by aligning resilience and agility. 
 

The framework of adopting ZTA needs to be based on visibility, analytics, and control. Key control elements include robust security posture management and cyber detection and response. As organizations mature in their journey towards ZT and cloud adoption driven by digital transformation initiatives, they will need to add a pillar of ‘Code Trust’ to the existing ZTA principle.
 

The first step towards ZT is to have a clear plan for the framework that suits the enterprise. Companies can frame a policy engine that defines access policies. There will also be behavioral monitoring tools to execute the decisions made by the policy engine. 
 

There needs to be a stage-wise shifting to ZTA. One way to deploy the technologies is to start with smaller use cases and then expand. This will help employees adapt to the system. The organization must align the deployment with new technologies and its digital transformation. For instance, organizations moving to cloud will store data outside their perimeter, so it would be difficult to apply a single security control system across the entire network.
 

Threatscapes will progress over time. Therefore, organizations should consider ZTA as a journey to enhanced security, where every stakeholder has a role to play, rather than a destination.

Summary

With hyperconnected organizations, remote workplaces, and new-age technologies, new cyber risks have become a serious threat to businesses globally. Traditional cybersecurity measures are very inadequate in this scenario and organizations are adopting Zero Trust Architecture. ZTA, which operates on ‘deny by default’ and ‘always verify’ principles, provides access only for a specific purpose and continuously evaluates access at each stage. It segments the network into many micro-perimeters and prevents infiltrators from reaching the core data.

About this article

Authors

Related topics
Technology
Cybersecurity
Emerging technology
Digital

Related content

Tech Trends: how businesses can adopt Zero Trust Architecture for cybersecurity

Explore how businesses can adopt zero-trust architecture for cybersecurity in EY's Tech Trends podcast. Strengthen your cyber defenses. Tune in now!

14m 38s

Chapter IV: How cloud adoption lets untethered enterprises soar

Cloud computing has reshaped the way organizations do business. Learn more about the emerging trends of cloud adoption.

Abhinav Johri

EY Tech Trends chapter II: how are Indian telecom companies donning a 5G skin?

Discover telcos need to reinvent themselves to stay relevant in the enterprise segment as non-telcos could soon start offering their own 5G services. Learn more about 5G technology in India.

Burgess Cooper

    EY refers to the global organization, and may refer to one or more, of the member firms of Ernst & Young Global Limited, each of which is a separate legal entity. Ernst & Young Global Limited, a UK company limited by guarantee, does not provide services to clients.