Cyber threats are pervasive in modern society and this is validated in the Gartner 2021 CIO agenda survey which indicates cybersecurity as the top priority for new spending amongst 61% of CIOs.
As more organizations leverage cloud computing, the traditional network security perimeter has all but vanished, and security teams are finding it difficult to identify who and what should be trusted to allow access to the networks. Perimeter network security focuses on keeping attackers out of the network but this traditional approach is vulnerable to users and devices inside the network.
“When viewed from the lens of the moat-and-castle or fortress mentality which takes one brick to be dislodged or for the attacker to be inside the wall for the whole security thing to come crashing down,” says Brian Chappell, chief security strategist, EMEA & APAC, BeyondTrust.
According to Forrester Research, an estimated 80% of breaches involve privileged access abuse. Such violations include highly visible supply chain breaches at Solar Winds, Microsoft Exchange, and Colonial Pipeline which have brought zero trust into the spotlight.
Zero Trust is an approach to secure the entire infrastructure with a range of strategies that are designed for breach. With a zero-trust security model, nobody is trusted automatically, even after clearing the perimeter. Instead, all identities are verified, minimum access is granted based on context, and activities are monitored to make sure controls are working as expected. The increasing use of people inside the perimeter via phishing, vulnerable email attachments and poisoned URLs means that more often the attack effectively begins from inside the safe space.
Zero trust approach marks a shift in assumption that the inside of your perimeter is a safe space to an assumption that nobody within or outside the environment can be trusted. “Although this may appear as an extreme measure it makes sense when viewed from the lens of the moat-and-castle or fortress mentality which takes one brick to be dislodged or for the attacker to be inside the wall for the whole thing to come crashing down,” says Brian Chappell, chief security strategist, EMEA & APAC, BeyondTrust.
“Allowing the least amount of access is a key principle of zero trust as it grants access only when absolutely necessary, rigorously verifying requests to connect to systems and authenticating them beforehand. Constricting security perimeters into smaller zones to maintain distinct access to separate parts of the network limits lateral access throughout the network.”
Bahaa Hudairi, Regional Sales Director META, Lookout
Zero Trust Approaches Gaining Momentum
The zero-trust market in Middle east is experiencing significant momentum and market reports indicate it is expected to experience a CAGR of approximately 15% during 2021-26. The rapidly evolving IT landscape with Cloud-first and mobile-first approach along with the pandemic that required organizations to extend the corporation to the homes of employees expanded the surface area of attack. This created complex IT environments that are spread across corporate data centers, co-location centers and public Cloud enlarging the space for defenders to protect.
“As more organizations do more computing outside their perimeter in the cloud, security teams find it increasingly difficult to trust or identify who and what should be allowed or trusted with access to their networks. As a result, an increasing number of organizations are adopting Zero Trust,” says Vibin Shaju, Presales Director – EMEA, Trellix, a cybersecurity services provider.
Given the complexity of the technology environment specifically as public Cloud comes into play, old approaches of securing the perimeter are no longer sufficient and organizations have to find new ways of enhancing security systems with new approaches such as least privilege access or zero-trust which require every user and device to be authorized and authenticated at each layer.
“While there are many starting points on the path to zero trust, all roads still lead to identity, with privileged access controls being the lowest-hanging fruit. With an identity-centric zero-trust approach, organizations can ensure least privilege access by verifying who or what is requesting access, the context of the request, the risk to the access environment, and just-in-time/just enough privilege elevation.”
Joseph Carson, Chief Security Scientist & Advisory CISO, Delinea
Speaking about the imperative of zero trust, Taj El-khayat, Managing Director for Growth Markets at Vectra AI, a San Hose based cyber security solutions provider, says, “All companies need to move security forward to ensure that they can rapidly identify threats and quickly respond. Zero trust frameworks, when implemented well, can help to protect organizations from unauthorized access to networks, applications, and data. If a threat bypasses zero trust defenses, then network detection and response systems will help ensure that the threat is suppressed before it becomes a breach.”
Granular access to resources ensures more control within the network and restricts the damage a breach can cause. User and device authentication has become a key pillar of organizational security and all users, both inside and outside the network, must be validated at each layer for higher security. The environment is continuously monitored via tools that provide high level of visibility into who is accessing what. In case of breach, the system sends an alert and resolution is quickly achieved with log tracing.
In addition to strengthening organizational security, implementing zero trust delivers more benefits. “The business benefits of Zero Trust implementation often include gaining an accurate inventory of infrastructure, improved monitoring and alerting, streamlining of security processes and operation flexibility when moving applications, data and services,” says Israel Barak, Chief Information Security Officer, Cybereason, a cybersecurity technology provider from Boston.
“Zero trust frameworks, when implemented well, can help to protect organizations from unauthorized access to networks, applications, and data. If a threat bypasses zero trust defenses, then network detection and response systems will help ensure that the threat is suppressed before it becomes a breach.”
Taj El-khayat, Managing Director for Growth Markets at Vectra AI
Primary elements of a zero-trust security architecture
The Zero Trust model requires multiple security controls throughout an IT environment to protect and manage identities, devices, networks, applications, and data. The single largest aspect of a Zero Trust architecture is the concept of identity and this includes establishing identity (authentication) and the assignment of privileges to the identity (authorisation). Zero Trust, as the name indicates, focuses on verifying and validating identity rather than blindly trusting prior authentication and authorisation.
Speaking about zero-trust implementation, Joseph Carson, Chief Security Scientist & Advisory CISO, Delinea, says, “While there are many starting points on the path to zero trust, all roads still lead to identity, with privileged access controls being the lowest-hanging fruit. With an identity-centric zero-trust approach, organizations can ensure least privilege access by verifying who or what is requesting access, the context of the request, the risk to the access environment, and just-in-time/just enough privilege elevation.”
Zero Trust views every attempt to access the network as a threat. While traditional security often requires nothing more than a single password to gain access, multi-factor authentication (MFA) requires users to enter a code sent to a separate device, such as a mobile phone, to verify they are in fact who they claim to be. The objective is to prevent unauthorized access to data and services and make control and enforcement as granular as possible.
Privileged Access Management (PAM) capabilities such as verifying identities, MFA, and enforcing least privilege makes zero trust a robust security model.
Explaining how zero-trust strengthens security, Bahaa Hudairi, Regional Sales Director META, Lookout, end-point and Cloud security solutions provider,
says, “Allowing the least amount of access is a key principle of Zero Trust as it grants access only when absolutely necessary, rigorously verifying requests to connect to systems and authenticating them beforehand. Constricting security perimeters into smaller zones to maintain distinct access to separate parts of the network limits lateral access throughout the network.”
“The business benefits of Zero Trust implementation often include gaining an accurate inventory of infrastructure, improved monitoring and alerting, streamlining of security processes and operation flexibility when moving applications, data and services.”
Israel Barak, Chief Information Security Officer, Cybereason.
Zero Trust is not a technology, it’s an architecture and as such is made up of many components, most of which are not dependent on each other. The implementation cannot be achieved via a big-bang approach, rather it is a journey with manageable steps that must be taken one at time.
A key challenge of zero trust implementation is that it must be delicately balanced with business priorities for effective outcomes. Otherwise, it can slow down business processes and affect productivity which in turn will lead to greater challenges as employees start finding ways to circumventing the security system.
As zero-trust models rely on a vast network of strictly defined permissions, effective implementation require a large amount of administrative responsibilities. Businesses and companies are in a dynamic mode and people are often moving into new roles or changing locations and keeping the permissions accurate and up to date requires ongoing input and considerable management effort.
Even as things change inside the organization, people require continuous and consistent access to sensitive data and information to work, communicate and collaborate and so access controls must be updated each time to ensure the correct people have access to specific information.
“If employees change roles and find themselves locked out of files or applications for a week, their productivity can plummet and in the worst instances, lost productivity becomes a bigger problem than cybersecurity itself.”
Vibin Shaju, Presales Director – EMEA, Trellix
Balancing Zero Trust with Business Priorities
The process of delivering Zero Trust is also going to unlock many of the regulatory compliances, or at least the cybersecurity aspects of them, that companies have to address now or in the future. “When you are implementing an architecture assembled from foundational cybersecurity practices, that foundation provides the base for more than just the architecture itself,” says Brian Chappell, of BeyondTrust.
The Outlook
Embracing zero-trust puts cyber security in the front and center of organizational strategy. Business operations are closely integrated with technology systems and these systems are under constant attack from threat vectors. Organizations must shift the mindset from “How do we implement this and secure it?” to “How do we securely implement this?” Given that businesses operate in a dynamic environment, the security posture also needs to evolve and adapt continuously to mitigate cyber security risks and enhance business resilience.
