The number of cyberattacks has increased over the last few years and continues to grow.
More than 11.5 lakh incidents of cyberattacks were tracked and reported to India’s Computer Emergency Response Team (CERT-In) in 2021. Reports citing official estimates say ransomware attacks in India have increased by 120 per cent.
There’s no sign of slowing down, especially if businesses remain content with the way things are. However, one can break that cycle with the right tools and knowledge. Organisations are being encouraged to adopt the Zero Trust framework to secure their data and reduce the risk of cybersecurity-related incidents. To understand the importance and scope of Zero Trust, W.Media spoke to Pawan Chawla, CISO, Future Generali.
“It is important to clear a myth about Zero Trust: it is not a product or a solution that can be installed. It’s a strategy/framework for implementing cybersecurity in an organisation without perimeters. It’s built upon cyber best practices and sound cyber hygiene, such as vulnerability management, proactive patching, and continuous monitoring,” said Chawla.
He further explained that the objective of the Zero Trust framework is to identify each user in the network and provide full visibility of the attack surface, including IT, OT, and IoT. Limiting access to these assets will eventually reduce the attack pathways and make the attack surface easier to monitor, which will also help in identifying end-point vulnerabilities and patching them regularly.
Once security teams know how data flows within the organization, identifying critical assets that need to be secured becomes easier.
“Zero Trust is a foundational element of an adaptive approach to security that is essential for an organisation that has a presence online. Zero Trust works on the assumption that you can’t separate the good actor from the bad actor,” added Chawla.
Traditional approaches that focused on establishing a strong perimeter to keep the bad actors out no longer work. Resources (data, applications, infrastructure, devices) are increasingly hybrid or outside of the perimeter entirely.
Chawla further pointed out that with Zero Trust, no actor can be trusted until they’re verified. It’s a holistic, strategic approach to security that ensures that everyone and every device granted access is who and what they say they are. In today’s world, data is spread across a number of services, devices, applications, and people.
It’s not enough to put a password on something or set up a firewall or some other kind of perimeter in order to protect the data. Let’s agree and accept that in today’s age of digital transformation, perimeters don’t exist and old approaches to security don’t stack up against the sophistication of today’s threats.
Beyond protecting valuable data by reducing the chance of a breach, there’s also a bottom-line benefit. Various studies have suggested that Zero Trust approaches may result in 50 per cent fewer breaches and that organisations spend 40 per cent less on technology because everything is integrated. These numbers are still to be experienced and validated through practical Zero Trust implementations.
Understanding of Zero Trust
Zero Trust security is founded on three core principles: verifying every user, validating every device, and limiting access intelligently.
Verify every user: “The objective is to make sure actors are who they say they are. It may sound obvious, but it often goes wrong when organisations rely on only one verification method like a single sign-on,” said Chawla.
Single sign-on (SSO) has a lot of security advantages. Users don’t have to type a password each time they want to use or access something, and it cuts down on the number of passwords they have to manage. But what if that one credential gets stolen, or someone doesn’t lock their computer when they get up from their desk?
“In that case, SSO leads to a security gap. To avoid this problem, SSO needs to be balanced with other technology such as multi-factor authentication (MFA). Combined with SSO, it creates a tight web of security around an organisation’s network,” added Chawla.
Validate every device – These days everyone has their devices locked down with a password of some sort, and that is undeniably a great thing. One should remember that a password is only one piece of the puzzle. To ensure real safety, devices must also have adaptive MFA to go along with that password.
Chawla explained that when an MFA-supported password is combined with device management, so that the right policies are put on the device and locked in place and the context of the device (where it’s used, what browser it has, etc.) is always understood, it is safe to make an access decision. With the help of machine learning and intelligent technology, organisations will learn the normal behaviour of their employees, and when a deviation from the baseline is detected, they can block an employee’s access until they go through another round of authentication.
Limit access intelligently – “The last and most important principle to Zero Trust is understanding who uses an organisation’s resources. Who are we granting access to? What do they need to accomplish their job and how are they being managed? We need to ensure that on day one, a user is productive, and has access to the accounts they need. When they change roles, their access likewise changes to fit their new job, or if they leave, those privileges shall automatically be revoked,” said Chawla.
He further added that it is essential that all these capabilities are integrated and work together so they can be applied in real time without adding delays to access decisions for APIs, or for users who are logging onto applications.
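The three principles above can be combined into a single deny-by-default access decision, sketched here as an added example that is not from the article or from Future Generali. The role names, resources, baseline and `Request` fields are all constructed for illustration.

```python
from dataclasses import dataclass, replace
from typing import Optional

# Constructed entitlements: each role maps to the resources that job needs.
ROLE_RESOURCES = {
    "claims_analyst": {"claims_db", "email"},
    "hr_manager": {"hr_portal", "email"},
}
# Constructed baseline of each user's normal device context.
BASELINE = {"asha": {"countries": {"IN"}, "browsers": {"Firefox"}}}

@dataclass(frozen=True)
class Request:
    user: str
    role: Optional[str]      # None once the user has left the organisation
    resource: str
    sso_valid: bool          # single sign-on session is valid
    mfa_passed: bool         # second factor completed at sign-in
    device_managed: bool     # enrolled in device management
    device_compliant: bool   # required policies present and locked
    country: str
    browser: str
    reauthenticated: bool = False  # extra round completed after a deviation

def decide(req: Request) -> tuple:
    """Return (decision, reason); decision is 'allow', 'step_up' or 'deny'."""
    # Verify every user: SSO alone is not enough, MFA must accompany it.
    if not req.sso_valid:
        return ("deny", "no valid session")
    if not req.mfa_passed:
        return ("step_up", "mfa required")
    # Validate every device: managed, with policies in place.
    if not (req.device_managed and req.device_compliant):
        return ("deny", "device not trusted")
    # Limit access intelligently: only what the current role needs.
    if req.resource not in ROLE_RESOURCES.get(req.role, set()):
        return ("deny", "not entitled")
    # Context check: a deviation from baseline blocks until re-authentication.
    known = BASELINE.get(req.user, {"countries": set(), "browsers": set()})
    deviates = (req.country not in known["countries"]
                or req.browser not in known["browsers"])
    if deviates and not req.reauthenticated:
        return ("step_up", "context deviates from baseline")
    return ("allow", "all checks passed")

# Constructed request: a normal sign-in from a managed laptop.
NORMAL = Request("asha", "claims_analyst", "claims_db",
                 True, True, True, True, "IN", "Firefox")

if __name__ == "__main__":
    for change in ({}, {"country": "SG"}, {"role": "hr_manager"}, {"role": None}):
        print(change, decide(replace(NORMAL, **change)))
```

Changing `role` on the same user shows the joiner, mover and leaver behaviour from the last principle: a role change or departure removes the entitlement without any other check being touched.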