5 minute read 23 Aug 2022

How organizations can augment their security initiatives with zero trust

By Jaco Benadie

EY ASEAN Cybersecurity Energy Leader and OT Cybersecurity Competency Lead

Protecting the digital landscape from cyber threats. Passionate about supporting the safety and reliability of industrial processes that power the world we know.


Modern businesses have been reshaped by the pandemic. The move to remote and hybrid work has required organizations to accelerate their digital transformations, converting an office-centric workplace into a complete homeworking space almost overnight.

Digital technologies, software-as-a-service (SaaS) and cloud computing were the enablers in altering workspaces to ensure businesses survive in a challenging environment. As the Internet of Things (IoT) expanded to accommodate and provide seamless processes in our lives and in the jobs we do, IT systems became relatively complex. This has inadvertently opened the way for vulnerabilities that expose organizations to sophisticated cybercrime threats in the digital sphere.

According to the Digital Crimes Unit of Microsoft Asia 2019, around 720 people fell prey to cyber criminals across the globe every minute – translating to one million victims every day. In 2018, the Royal Malaysia Police dealt with 10,742 cybercrime cases with an estimated loss amounting to RM400 million. The total number of cases increased to 11,875 in the following year with an estimated loss of RM500 million.

 2018: Total cybercrime cases: 10,742; Estimated loss: RM397,944,265
 2019: Total cybercrime cases: 11,875; Estimated loss: RM497,719,498

 Source: Royal Malaysian Police
 https://go.ey.com/3agc0ve

With the rise of hybrid and remote work, the continuous shift to cloud servicing, the growth in the adoption of mobile devices and an onslaught of cyber-attacks that could potentially damage supply chains, zero trust is set to take centre stage in the world of cybersecurity.

Never trust, always verify

Organizations have never been faced with as many challenges in protecting their data resources, and never was there a need to be more suspicious of users and devices accessing their networks. The zero-trust model, in layman’s terms, means trusting no one even when connected to a permissioned network.

For organizations, there is too much at stake to trust anyone or anything outside their entity. The most notable effect of the shift to zero trust is the realization that traditional virtual private networks (VPNs) are no longer fully capable of securing remote access to corporate networks.

When the COVID-19 pandemic hit, the work-from-home concept became inevitable. Organizations relied on VPNs to support their distributed workforces – with results that fell short of expectations. VPNs may not be ideal to provide completely secure access for many users relying on devices that, in many instances, are not as secure as they could or should be.

As such, VPNs will not provide a sufficient defense mechanism against threats. Companies with a sizeable hybrid workforce will need to support a significant volume of VPNs, which will pass the burden of managing and maintaining them to the IT or cybersecurity team.

Zeroing on Trust

There is no silver bullet when it comes to adopting zero trust. Zero trust is a framework that requires focus on people, process, and technology aspects to be effective. It drives a change in how cybersecurity is managed to strengthen the organizations’ cybersecurity posture. It begs the question – where should organizations start this journey?

The emphasis is on the journey, and any journey starts with a first step followed by others. The most effective approach is to adopt zero trust piecemeal rather than in a ‘big-bang’ rollout. Focus on the most critical and sensitive data first – the data that, if compromised, lost, or exposed, will have a detrimental impact on the organization.

Where is this data hosted? Who has access to this data? What is the business justification for needing access to it? Start the adoption at this point and build it out over time.

Don’t underestimate the impact of culture. It is better not to call it zero trust, as the name is widely misinterpreted as a solution used when organizations do not trust their employees. This is, of course, the opposite of the objective: zero trust indicates that we do not trust our internal IT network.

See the adoption of zero trust as an opportunity to engage and collaborate with stakeholders. Build internal relationships to protect business data assets and to give the right people, at the right time, more efficient access to the data they need to drive the business forward.

Zero trust is about eliminating dangerous trust assumptions of a technical nature in security architecture and establishing a singular security strategy to support the business.

Six foundational assumptions of the zero trust model

  1. The network is always assumed to be hostile, and all communication is secured regardless of the network location.
  2. External and internal threats exist on the network, and network locality is not sufficient for deciding trust in a network. No person or device can be trusted just because they are part of the company; the assumption is that one is already dealing with both outside adversaries and malicious insiders.
  3. All data sources and computing services are considered resources that need to be protected.
  4. Every device, user, network, and data flow is authenticated and authorized. The former means positive confirmation that an entity is who or what it says it is. The latter means the entity has the need, rights, and reasons to do what it is doing.
  5. Any access to resources is granted on a per-session basis.
  6. All security policies are dynamic and incorporate as many sources of contextual data as possible.
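
The assumptions above can be read as the rules of a policy decision point. The following is an added example, not code from the article or from EY; the policy table, field names, risk threshold and session lifetime are all hypothetical values chosen for illustration.

```python
import secrets
import time
from dataclasses import dataclass

# Constructed sample policy: resource -> roles with a business need (assumption 3).
POLICY = {"payroll-db": {"finance"}, "wiki": {"finance", "engineering"}}
SESSION_TTL = 900   # seconds; access is per session, never standing (assumption 5)
MAX_RISK = 0.7      # hypothetical threshold for contextual risk (assumption 6)

@dataclass
class Request:
    user: str
    role: str
    resource: str
    mfa_passed: bool        # user authentication result
    device_compliant: bool  # device identity and posture check result
    source_network: str     # "corporate" or "internet": logged, never trusted
    risk_score: float       # 0.0-1.0 contextual signal, e.g. anomaly detection

def decide(req, now=None):
    """Return (allowed, reason, session) for a single access request."""
    now = time.time() if now is None else now
    # Assumptions 1 and 2: source_network is deliberately absent from the logic.
    if req.resource not in POLICY:
        return False, "unknown resource", None
    # Assumption 4, authentication: both the user and the device must prove identity.
    if not (req.mfa_passed and req.device_compliant):
        return False, "user or device not authenticated", None
    # Assumption 4, authorization: the entity needs a right to this resource.
    if req.role not in POLICY[req.resource]:
        return False, "not authorized", None
    # Assumption 6: policy is dynamic and uses contextual data.
    if req.risk_score >= MAX_RISK:
        return False, "context risk too high", None
    session = {"token": secrets.token_urlsafe(16),
               "resource": req.resource,
               "expires": now + SESSION_TTL}
    return True, "granted for this session", session

def session_valid(session, resource, now):
    """A grant covers one resource for a limited time and nothing else."""
    return session["resource"] == resource and now < session["expires"]
```

A request from the corporate network with a non-compliant device is denied, while a fully verified request from the internet is granted, which is the practical meaning of "network locality is not sufficient for deciding trust".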

The zero trust approach is most effective when it’s extended throughout the entire digital landscape and used as an integrated security strategy. This is done by implementing zero trust controls and technologies across six foundational elements:

  1. People
  2. Devices
  3. Applications and Services
  4. Infrastructure
  5. Networks
  6. Data

In a nutshell, zero trust is a new model and a general philosophy around cybersecurity. It is an approach that more effectively adapts to the complexity of the modern environment, embraces the mobile workforce, and protects people, devices, applications, and data wherever they are located.

Summary

Digital technologies and cloud computing were clearly the enablers in altering workspaces to ensure organizations survive in a challenging environment. But this shift has opened the floodgates for cybercrimes. With zero trust, organizations can augment their security initiatives and protect data resources. It is, however, an approach that is effectively executed when six pertinent elements are considered.
