Zero Trust may hold the key to cybersecurity in APAC

The number of attacks keeps going up across APAC despite organisations spending more and more resources on their cybersecurity efforts.

As an example, in 2021, Singapore was ranked sixth in the world for having the most databases exposed to the Web. In the same year, nearly every organisation surveyed in Singapore (97%) in Mimecast’s research was the target of a phishing attack. Enterprise leaders are looking for new approaches because existing ones just aren't working - and Zero Trust seems to be one of the best options out there.

There is no doubt that both internal and external networks are susceptible to compromise and should be protected equally. As part of this process, the key steps should be to identify, map and segment business-critical data and enforce policies and controls using automation and constant monitoring.

Most IT experts, unfortunately, implicitly trust their environments. They (or their managers) may believe that the firewalls are standard security tools are enough to keep the bad guys out. However, this kind of ‘she’ll be right’ attitude needs to change. We need to assume that the bad actors are already in our environment.

The cybersecurity situation in APAC

Cybercriminals are increasingly targeting Asia-Pacific, as businesses transitioning to digital offer a broad target surface. Password-less access is significantly less common in Asia-Pacific than in other regions. As cyber threats become increasingly sophisticated, APAC organisations are slow to recognise the importance of replacing passwords with more robust security and identity management (IAM) systems.

This makes APAC fertile ground for Zero Trust adoption. Since the early days of digital transformation and in response to a wide range of complex, devastating threats, Zero Trust has steadily become a standard for securing digital transformation and its associated risks for:

• Multi-cloud, hybrid, multi-identity networks
• Unmanaged devices
• Legacy systems
• SaaS apps

And its adoption is becoming more widespread. As per The State of Zero Trust Security in Asia Pacific 2022 report by Okta:

• Overall, 96% of APAC respondents have a defined Zero Trust security initiative in play or in plan for 2022.
• Almost half (49%) of APAC organisations have a Zero Trust Strategy in place today compared to last year, when APAC adoption was at 31%.
• The top 3 challenges within APAC to implement Zero Trust initiatives are skill shortages, awareness of Zero Trust and stakeholder buy-in.

These numbers indicate a growing consensus among APAC organisations concerning the need for an identity-first approach in Zero Trust environments.

Every organisation has unique challenges due to the nature of business, digital transformation maturity and security strategy. When implemented properly with the required support, Zero Trust can be an excellent security investment.

What is Zero Trust?

Zero Trust is a security concept centred on the belief that organisations should not trust anything and anyone inside or outside its premises and network. They must instead verify any attempt to connect to its network and applications before granting access. 

This model is based on the assumption that a network is already compromised. Therefore, you cannot rely on perimeter security and instead must secure individual nodes within the network.

The key component of the Zero Trust strategy is never to trust anyone. The node needs to know who you are before we can allow you access to its part of the network. It will only allow access if it recognises the IP address, machine, etc., or if the user is authorised.

Zero Trust leverages technologies such as multifactor authentication, Identity and Access Management (IAM), orchestration, analytics, encryption and scoring and file system permissions. Zero Trust governance policies recommend giving users just the right access - not more, not less - they need to accomplish a task.

This way, Zero Trust minimises the risk of critical threats, including insider threats, supply chain attacks and ransomware. 

Zero Trust is not just technology - it's about processes and mindset as well

There is a human tendency to trust too much and be lax about security where the threat isn’t immediate. This is an inherent problem in cyber - too many endpoints and APIs are available way too openly with too many default connections. Due to the internet, everyone can access and share anything at any time. Trust becomes a crucial failure point: If you trust everything blindly, then you won't be able to change anything concerning security.

A number of enterprise IT teams are already applying Zero Trust principles in different ways. They often have multifactor authentication, IAM, and permissions systems in place. Others choose to implement micro-segmentation in parts of their network instead of trying to overhaul the entire network at once. Which is good news for IT managers looking to transition to zero trust gradually. Organisation-wide IT environment can be secured by combining existing technologies and Zero Trust governance processes.

This calls for IT teams to leverage micro-segmentation and granular perimeter enforcement based on their users. Understand who the user is. Make sure the user is who you think it is and capture the security status of the endpoint. Does that endpoint have permission to access the information they are trying to access?

Review the organisation-wide network and next-gen firewalls and segment them to control who, what, where and when can connect and access. So, the trick is to design from the inside out vs. outside in.

My two cents for the decision makers across APAC

Don’t mistake compliance for security. Your network may be compliant with various security frameworks but still vulnerable to attacks. There has been a limited amount of progress in introducing Zero Trust to legacy and existing environments, primarily due to the complexity that is associated with implementation.

If you thought your IT environment needs a complete overhaul to implement Zero Trust, that is not the case. Lee Roebig, Customer CISO for Sekuro talked more about getting to know Zero Trust in a recent episode of the Get Cyber Resilient Show podcast. Lee, who was implementing Zero Trust principles even before the term was coined says, “A Zero Trust strategy should be heavily controls-focused and look to integrate technology in the right places while bolstering what you currently have. It's not about refreshing everything you have. You can definitely apply Zero Trust principles into a lot of what we already have as well.”

His advice to security leaders looking to implementing Zero Trust is simple. “Look at your entire cybersecurity posture and find the weak spots that have been left behind or neglected for various reasons. That is the area that you should focus on first and think about how you can apply a Zero Trust aligned approach.”

If planning an organisation-wide digital transformation, pursue the Zero Trust implementation as a part of the overall transformation strategy, as Zero Trust may hold the key to resilient cybersecurity. You can't just piece together technology and hope to get it right. Business leaders need to be aware that Zero Trust, like any other successful IT or security protocol, requires ongoing effort to succeed. Certain elements of the Zero Trust effort may present more challenges than others, so they need to be prepared accordingly. Don't look at this as a one-off project, but a multi-year, multi-phase project.