The exponential growth in cloud native solutions, channel transformations and ecosystem-centric business models is raising the security risk for organizations. As global firms pivot to a remote workforce in the new normal, the need for protection has only increased. This is evident from the 7x growth in cyber-attacks [1] on the one hand, and the USD 10 billion cyber insurance premium market [2] on the other. Security is also one of the top risks on the radar of many global (re)insurers [3].
Zero Trust (ZT) is a security model rather than a single technology: a set of guiding principles and strategies for lifting the enterprise security posture across architecture, resilient operations and compliance. Under ZT, identity is verified at every control point, that is, at each architecture layer, network segment and data access, without exceptions or assumptions.
Challenges from Existing Traditional Approaches
In the current phygital era, online presence is no longer just one of the channels for a firm but an existential need for B2C/B2B2C businesses, and it carries reputational and legal-penalty risk in proportion to how global and big you are [4]. This drives the need for a comprehensive security strategy for these channels. Here is a quick look at the current challenges for the IT teams responsible for a firm's digital security:
- Exposed code: Application code no longer sits behind the enterprise firewall; the service endpoints of a borderless enterprise are constantly exercised by both legitimate callers and malicious digital users.
- Point solutions: Tens of security tools [5] from different vendors, each protecting or controlling one thing, end up as locally optimized point solutions. The existing IT teams, already short on competency and resources, are left to sort out the process and technical integration between them. Any gap becomes a new vulnerability.
- Myopic approach: Security can no longer be tossed between developers churning out code, architects reviewing it, and business analysts with no security background. It needs specialized attention, and agile team members cannot afford a myopic, story-card-centric approach.
- Human weaknesses: Phishing emails, weak passwords, human error or ignorance, and misconfigured tools still show up in root cause investigations of security breaches. This highlights that human intervention continues to be the weakest link [6] and needs to be addressed effectively.
Zero Trust to the Rescue
ZT builds on two main objectives: limit the exposed surface and increase the depth of defense. Here is a look at ways to achieve these.
Here, surface means the applications that process transactions, exposed as services, and the data-consuming resources behind them. Since data is the ultimate guarded asset, a data-centric approach to limiting the surface helps.
Empower data governance
If the business aspires to be data-driven, it should take charge of its data estate. Recognize the importance of data stewards and begin with (sub)domain-wise data dictionaries (glossaries) and data lineage initiatives. Later, expand their responsibilities to defining security policies and auditing data lifecycle policies across the IT landscape. Data stewards must act as both guide and auditor.
IAM offers a good start
The first step of ZT is to identify, which makes Identity and Access Management (IAM) a great starting point. With the current generation of social identities from Google, Facebook, LinkedIn etc., the identification job is delegated; which identity providers to trust, and how far, is the bigger decision. From there, apply the principles of least privilege (grant only the roles an action needs), minimal duration (short-lived credentials) and small perimeter (allow access only from the segments that need it), incrementally.
Multi-layer protection at cloud scale
At layer 7 [7], simple login forms matured into SSO, and MFA is now also a regulatory mandate [8] in the financial world. At lower layers, on-prem appliances such as firewalls are no longer enough; enterprises need SASE or CASB solutions [9] matched to their cloud deployment model.
Eliminate implicit trust
Zero Trust mandates that the incoming channel, network, user role and payload are checked on every request, with no standing trust carried over from the network a request arrived on or from earlier requests. Technologies such as mobile device management, deny-all default firewall rules, client X.509 certificates (mutual TLS) and data-in-transit (payload) encryption are the available choices for greater depth of defense.
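The following is an added example, not code from the original article or from any vendor product, showing what "no implicit trust" and the IAM principles above (least privilege, minimal duration, small perimeter) look like as a per-request policy decision. The resources, roles, network segments and sample requests are constructed for illustration, and it is assumed that an upstream edge has already verified the token signature, the client certificate and the device's MDM status and passes those facts in; the function only decides, and denies by default.

```python
"""Per-request Zero Trust policy check (added example, constructed data).

Every request is evaluated from scratch: no trust is inherited from the
network it arrived on or from an earlier request. Deny is the default."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Request:
    principal: str           # identity asserted by the IdP (assumed verified upstream)
    roles: frozenset         # roles carried in the already-verified token
    token_issued: datetime   # when the short-lived token was minted
    token_ttl: timedelta     # lifetime granted at issuance
    source_segment: str      # network segment the connection arrived from
    client_cert_ok: bool     # mutual-TLS client certificate validated by the edge
    device_managed: bool     # MDM attestation of the calling device
    resource: str            # target resource, e.g. "payments:db" (hypothetical)
    action: str              # "read" or "write"


# Hypothetical policy: each resource lists exactly who may do what, from where.
POLICY = {
    "payments:db": {
        "allowed": {"read": {"payments-analyst", "payments-admin"},
                    "write": {"payments-admin"}},
        "segments": {"corp-vpn", "prod-mesh"},     # small perimeter
        "require_mtls": True,
        "require_managed_device": True,
        "max_ttl": timedelta(minutes=15),         # minimal duration
    },
    "docs:wiki": {
        "allowed": {"read": {"employee"}, "write": {"editor"}},
        "segments": {"corp-vpn", "prod-mesh", "internet"},
        "require_mtls": False,
        "require_managed_device": False,
        "max_ttl": timedelta(hours=8),
    },
}


def evaluate(req, now=None):
    """Return (decision, reason). Every check runs on every request; any failure denies."""
    now = now or datetime.now(timezone.utc)
    rule = POLICY.get(req.resource)
    if rule is None:
        return ("deny", "no policy for resource")          # deny-all default
    # minimal duration: token must be unexpired and no longer-lived than policy allows
    if req.token_ttl > rule["max_ttl"]:
        return ("deny", "token lifetime exceeds policy maximum")
    if now >= req.token_issued + req.token_ttl:
        return ("deny", "token expired")
    # small perimeter: only the listed network segments may reach the resource
    if req.source_segment not in rule["segments"]:
        return ("deny", f"segment {req.source_segment} not permitted")
    if rule["require_mtls"] and not req.client_cert_ok:
        return ("deny", "client certificate required")
    if rule["require_managed_device"] and not req.device_managed:
        return ("deny", "unmanaged device")
    # least privilege: some held role must grant this specific action
    if not (req.roles & rule["allowed"].get(req.action, set())):
        return ("deny", f"no role grants {req.action} on {req.resource}")
    return ("allow", "all checks passed")


def run_demo(now=None):
    """Evaluate constructed sample requests; returns {name: (decision, reason)}."""
    now = now or datetime.now(timezone.utc)
    fresh, m10 = now - timedelta(minutes=2), timedelta(minutes=10)
    admin = frozenset({"payments-admin"})
    samples = {
        "admin_write_ok":   Request("alice", admin, fresh, m10, "prod-mesh", True, True, "payments:db", "write"),
        "analyst_write":    Request("bob", frozenset({"payments-analyst"}), fresh, m10, "prod-mesh", True, True, "payments:db", "write"),
        "from_internet":    Request("alice", admin, fresh, m10, "internet", True, True, "payments:db", "read"),
        "stale_token":      Request("alice", admin, now - timedelta(minutes=30), m10, "prod-mesh", True, True, "payments:db", "read"),
        "long_lived_token": Request("alice", admin, fresh, timedelta(hours=8), "prod-mesh", True, True, "payments:db", "read"),
        "no_cert":          Request("alice", admin, fresh, m10, "prod-mesh", False, True, "payments:db", "read"),
        "wiki_read_anywhere": Request("carol", frozenset({"employee"}), fresh, timedelta(hours=1), "internet", False, False, "docs:wiki", "read"),
        "unknown_resource": Request("alice", admin, fresh, m10, "prod-mesh", True, True, "hr:db", "read"),
    }
    return {name: evaluate(req, now) for name, req in samples.items()}


if __name__ == "__main__":
    for name, (decision, reason) in run_demo().items():
        print(f"{name:20s} {decision:5s} {reason}")
```

Two design points matter more than the individual checks: the first `return` that fires is a deny, so adding a new check can only tighten the policy, and the token lifetime is checked against the resource's maximum as well as against the clock, so a long-lived credential is refused even while it is still valid.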
ZT: Evolve as you Go Along
Since ZT has to keep evolving to cover new workloads and emerging threats, limited resources must be used well. Here is how that can be achieved:
Filter the noise
Logs are a great start, but cloud or on-prem ITOps dashboards that aggregate logs, heartbeats, readiness checks, KPI metrics, cluster events and firewall logs, multiplied by the number of instances, will soon swamp operations. False alerts create avoidable panic among business leaders and internal compliance teams. Invest in an analytics layer that drops purely informational events, collapses repeats of the same event from the same actor, and only raises an alert when a threshold is crossed, so that what reaches a human is actionable.
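As an added illustration of that analytics layer, and not code from the original article or from any monitoring product, the block below runs a small reducer over a constructed minute of mixed operational events: heartbeats and readiness checks are dropped, repeated firewall denies and authentication failures are bucketed by actor, and a single alert is raised per bucket only when the count inside a sliding window reaches a threshold. The log format, hostnames, addresses and thresholds are all assumptions made for the example.

```python
"""Collapse noisy ITOps events into a few actionable alerts (added example).
The log format and every line in SAMPLE_LOG are constructed, not real data."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one minute of events from web, API and firewall instances.
SAMPLE_LOG = """\
2021-03-01T10:00:00Z web-1 heartbeat status=ok
2021-03-01T10:00:00Z web-2 heartbeat status=ok
2021-03-01T10:00:01Z fw-edge deny src=203.0.113.7 dst=10.0.1.5 dport=22
2021-03-01T10:00:02Z fw-edge deny src=203.0.113.7 dst=10.0.1.5 dport=22
2021-03-01T10:00:03Z web-1 readiness status=ok
2021-03-01T10:00:04Z fw-edge deny src=203.0.113.7 dst=10.0.1.6 dport=22
2021-03-01T10:00:05Z fw-edge deny src=198.51.100.9 dst=10.0.1.5 dport=443
2021-03-01T10:00:06Z api-3 auth_fail user=alice src=10.0.2.8
2021-03-01T10:00:07Z fw-edge deny src=203.0.113.7 dst=10.0.1.7 dport=22
2021-03-01T10:00:08Z api-3 auth_fail user=alice src=10.0.2.8
2021-03-01T10:00:09Z web-2 heartbeat status=ok
2021-03-01T10:00:10Z fw-edge deny src=203.0.113.7 dst=10.0.1.8 dport=22
2021-03-01T10:00:30Z api-3 auth_fail user=alice src=10.0.2.8
2021-03-01T10:00:31Z api-3 auth_fail user=alice src=10.0.2.8
2021-03-01T10:00:32Z api-3 auth_fail user=alice src=10.0.2.8
2021-03-01T10:00:40Z api-3 auth_fail user=alice src=10.0.2.8
"""

LINE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<event>\S+)(?P<kv>.*)$")
INFORMATIONAL = {"heartbeat", "readiness"}            # never page on these
ACTOR_FIELD = {"deny": "src", "auth_fail": "user"}    # who to bucket by, per event type
TARGET_FIELD = {"deny": "dst", "auth_fail": "src"}    # what to summarize, per event type


def parse(text):
    """Yield (timestamp, host, event, fields) per line; skip unparseable lines."""
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        fields = dict(kv.split("=", 1) for kv in m["kv"].split())
        yield datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"), m["host"], m["event"], fields


def reduce_alerts(text, window=timedelta(seconds=60), thresholds=None):
    """Return {"alerts": [...], "events_seen": n, "informational_dropped": n}.

    One alert per (event, actor) bucket, raised only if some window-long span
    holds at least the threshold number of hits for that event type."""
    thresholds = thresholds or {"deny": 5, "auth_fail": 5}
    buckets, seen, dropped = defaultdict(list), 0, 0
    for ts, host, event, f in parse(text):
        seen += 1
        if event in INFORMATIONAL:
            dropped += 1
            continue
        actor = f.get(ACTOR_FIELD.get(event, ""), host)
        buckets[(event, actor)].append((ts, f))
    alerts = []
    for (event, actor), hits in buckets.items():
        threshold = thresholds.get(event)
        if threshold is None:
            continue
        times = sorted(t for t, _ in hits)
        # sliding window: does any span shorter than `window` contain >= threshold hits?
        if any(sum(1 for t in times[i:] if t - start < window) >= threshold
               for i, start in enumerate(times)):
            targets = sorted({f.get(TARGET_FIELD.get(event, ""), "?") for _, f in hits})
            alerts.append({"event": event, "actor": actor, "count": len(hits),
                           "targets": targets, "first": times[0], "last": times[-1]})
    return {"alerts": alerts, "events_seen": seen, "informational_dropped": dropped}


if __name__ == "__main__":
    result = reduce_alerts(SAMPLE_LOG)
    print(f"{result['events_seen']} events, {result['informational_dropped']} informational dropped")
    for a in result["alerts"]:
        print(f"ALERT {a['event']} by {a['actor']}: {a['count']} hits against {a['targets']}")
```

Sixteen raw events become two alerts: one source sweeping port 22 across four hosts, and one account failing authentication six times. The single deny from 198.51.100.9 never reaches a human, which is the point; thresholds and window are the knobs to tune per event type as the estate grows.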
Drive sense of ownership
The set-up is uneven: thousands of developers churning out code, a handful of reviewing architects and a couple of operations staff. Developers on legacy technology may be new to code vulnerability classes, and intranet application developers never had to worry about database encryption. Each stakeholder needs a repeatable process and tooling, e.g. code scanners wired into the build for programmers, to cope with this steep learning curve.
Continuous tooling and automation, awareness and coaching are needed to guard effectively against human weaknesses. On the machine front, applying Zero Trust principles offers a structured approach that advances the ZT objectives of reducing the attack surface and increasing the depth of defense. However, ZT does not offer a prescriptive implementation path. Each organization has to carve its own journey, factoring in culture, IT estate and organization structure. Zero Trust is not a buy-and-patch solution [10], but a strategic toolkit in a holistic enterprise security transformation.
1. TechTarget, "Enterprise cybersecurity threats spiked in 2020, more to come in 2021," December 2020, https://searchsecurity.techtarget.com/feature/Enterprise-cybersecurity-threats-spiked-more-to-come
2. Pinsent Masons, "Personal cyber insurance market tipped to grow," January 2019, https://www.pinsentmasons.com/out-law/news/personal-cyber-insurance-market-tipped-to-grow
3. Swiss Re, "SONAR 2020: New emerging risk insights," June 2020, https://www.swissre.com/institute/research/sonar/sonar2020.html
4. GDPR, "GDPR Fines and Penalties," accessed at https://www.gdpreu.org/compliance/fines-and-penalties/
5. CSO, "10 essential enterprise security tools," October 2018, https://www.csoonline.com/article/3310247/10-essential-enterprise-security-tools-and-11-nice-to-haves.html
6. CISO MAG, "'Psychology of Human Error' Could Help Businesses Prevent Security Breaches," September 2020, https://cisomag.eccouncil.org/psychology-of-human-error-could-help-businesses-prevent-security-breaches/
7. Forcepoint, "What is the OSI Model," accessed at https://www.forcepoint.com/cyber-edu/osi-model
8. Okta, "Which Industries Require Two-Factor Authentication," accessed at https://www.okta.com/identity-101/which-industries-require-2fa/
9. Zscaler, "Modern architecture for a cloud and mobile-first world," accessed at https://www.zscaler.com/products/secure-access-service-edge
10. Forrester, "Zero Trust Is Not A Security Solution; It’s A Strategy," February 2021, https://go.forrester.com/blogs/zero-trust-is-not-a-security-solution-it-is-a-strategy/