Driving Holistic Security with Zero Trust

The exponential growth in cloud-native solutions, channel transformations, and ecosystem-centric business models are all contributing to higher security risks for organizations. As global firms pivot to remote workforce in the new normal, the need for protection has only increased. This is evident from a 238% increase in cyber-attacks on banks and financial institutions. In addition, the commercial cyber insurance market is expected to touch USD10 billion in 2020. Additionally, security is one of the top risks on the radar for many global (re)insurers.

Zero Trust (ZT) technology can help aid better security for the firms. It is a tool that offers guiding principles and strategies to uplift the enterprise security posture from the standpoint of architecture, resilient operations, and compliance. Using the ZT tool identities can be verified without exceptions and assumptions at every control point, i.e., architecture layer, network segment, and data access.

Challenges from Existing Traditional Approaches

In the current phygital era, online presence is no longer one of the channels for the firms but an existential need for B2C and B2B2C businesses and has reputation and legal penalty risks depending on how global and big you are. This drives the need for a comprehensive security strategy for these channels. Here’s a quick look at the current challenges for the IT teams responsible for digital security for a firm:

• Exposed code: The code is no longer protected by the enterprise firewalls but constantly stressed through genuine callers and malicious digital users of the present-day service endpoints for the borderless enterprises.
• Point solutions: Third-party security tools to protect and control often end up as optimized point solutions. This leaves the existing IT teams, already facing challenges with competency and resources, to sort through the process and technical integration. Any gap becomes a new vulnerability.
• Myopic approach: Security can no longer be tossed among developers churning code and reviewing by architects and clueless business analysts. It needs specialized attention, and the agile team members cannot afford a myopic story card-centric approach.
• Human weaknesses: Phishing emails, weak passwords, human errors and ignorance, and misconfigured tools still show up in root cause investigations for security breaches. It highlights that human interventions continue to be the weakest link and need to be effectively addressed.

Zero Trust to the Rescue

ZT builds on two main objectives – limit the surface exposure and increase defense depth. Here’s a look at ways to achieve these.

Surface limitation

Surface means applications that process transactions exposed as services on data-consuming resources. Since data is the ultimate guarded asset, it helps to take a data-centric approach on surface limitation.

Empower data governance

If the business aspires to be data-driven, it should take charge of data estate, realize the importance of data stewards, and begin with (sub) domain-wise data dictionary (glossary) and data lineage initiatives. Later, responsibilities can be expanded to include security policies and audit data lifecycle policies across the IT landscape. Data stewards must play the role of a guide and auditor.

IAM offers a good start

The first step of ZT is to identify and make identity and access management (IAM) a great starting point. In the current generation of social identities by Google, Facebook, LinkedIn, etc., the identifying job has been delegated. Trusting identity providers and the extent of trust is a bigger decision point. Incrementally, there is a need to apply the least privilege, minimal duration, and small perimeter principles.

Multi-layer protection at cloud scale

At layer 7, log-in forms have now been replaced with single sign-on (SSO) while regulators are mandating multi-factor authentication (MFA) in the financial world. At lower levels, on-premise appliances like firewalls are not enough. Enterprises need a Secure Access Service Edge (SASE) or Cloud Access Security Broker (CASB) solutions as per the cloud deployment model.

Eliminate implicit trust

Zero Trust mandates checking of the incoming channel, network, user-role, and data packets on each request. Technologies such as mobile device management, deny-all firewalls rules, client X.509 certificates, and data-in-transit (payload) encryption are available choices for enhanced depth of defense.

ZT: Evolve as you Go Along

Given the ZT tool needs to evolve to deliver in line with new workloads and emerging threats, there is a need to ensure we make the best use of our limited resources. Here’s how that can be achieved:

Filter the noise

Logs are a great start but cloud or on-prem ITOps dashboards aggregating logs, heart beats, readiness checks, KPI metrics, cluster events, firewall logs multiplied by instances will soon swamp operations. False alerts create avoidable panic among business leaders and internal compliance teams. Hence, investing in an analytics layer will make sense out of the noise.

Drive sense of ownership

It is an uneven setup with thousands of code-churning developers, a handful of reviewing architects, and a couple of operations staff. Legacy technology developers are naive to code vulnerability threats, and intranet app developers never had to worry about database encryption. There is a need to provide a repeatable process and tools to each stakeholder, e.g., code scanners for programmers to cope with this steep learning curve.

Conclusion

To effectively guard against human weakness, continuous tooling and automation, as well as awareness and coaching, are important. On the machine front, applying Zero Trust principles will offer a structured approach. This would help the security initiatives by driving ZT objectives of reducing the attack surface and increasing the depth of defense. However, ZT does not offer a prescriptive implementation path. The path to deliver is by carving your own journey, factoring in culture, IT estate, organization structures. Zero Trust is not a buy-and-patch solution but a strategic toolkit in holistic enterprise security transformation.