Zero-Trust is beyond a buzzword by this time. It is even more than just strategy. It is now a paradigm, a philosophy. Actually, zero-trust is the standard in cybersecurity now—and beyond.
Daniel Kwong, Field Chief Information Security Officer for South East Asia and the Hong Kong Region at Fortinet, defines zero-trust in much the same way the National Institute of Standards and Technology does: A cybersecurity paradigm that focuses on resource protection, where trust is not given as a one-time thing but rather evaluated constantly.
“The key word is ‘paradigm’; it’s not a strategy. It’s a practice, a common way to ensure cybersecurity,” Kwong points out in an exclusive interview with Cybersecurity ASEAN. “It’s very important that we don’t grant implicit privilege to anything—no matter if it is a person, an endpoint or a piece of equipment.”
Trust No One, Trust Nothing
The overriding idea behind zero-trust is that no one should ever be trusted unless their identification has been thoroughly verified. In a way, zero-trust resembles something bordering on digital paranoia, where it is assumed that threats are everywhere and can strike at any time. Zero-Trust also considers every attempt to access the network as a threat. This sort of digital paranoia informs the thinking of cybersecurity teams and compels them to be more stringent.
This setup deviates considerably from the traditional ways of cybersecurity in which firewalls and networks are, according to Kwong, configured on the basis of two dichotomies only: Trusted and untrusted. But this system has long outlived its usefulness, with Kwong emphasising the pressing need to implement the “trust no one, trust nothing” standard that is zero-trust.
Kwong clarifies, however, that zero-trust is more than just determining the trustworthiness of those requesting network access. Continuous monitoring is just as important, and network administrators “need to have a continuous way to monitor the access.” The reason this is critical is that the initial verification of credentials does not necessarily guarantee compromise-free access every single time. In other words, that “trusted” connection can still turn out to be an attack vector.
Organisations Need a Degree of Paranoia More Than Ever
Having a healthy dose of digital paranoia is a good thing because it leads to heightened vigilance that can, in turn, result in security being fortified. This is why even governments are calling for the implementation of zero-trust, as enhanced cybersecurity is more vital now than at any point in history. The reason, according to Kwong, is that cybercriminals can compromise far more than data nowadays. They can actually compromise people’s quality of life—as evidenced by the Colonial Pipeline attack fallout in 2020. Worse, they can potentially kill thousands, which would have been the case when someone hacked into a water-treatment facility in Florida, USA last year and raised sodium hydroxide levels in the city’s water.
“A lot of critical infrastructures now rely on new technology and IoT,” notes Kwong. “Cybersecurity incidents now are not just about data loss, data breach or ransomware. Sometimes, they are life-threatening . . . and that’s the reason why governments need to change people’s mindset.”
Exacerbating matters, according to Kwong, is the ease at which cybercriminals can carry out attacks. Threat actors, in fact, can just visit the dark web to get their hands on cyber attack toolkits, including even Ransomware-as-a-Service. Little wonder then that in its 1H 2022 FortiGuard Labs Threat Landscape report, Fortinet uncovered some alarming trends, like malicious cyber actors experimenting with new attack vectors, cyber criminals increasing the frequency of zero-day attacks and new ransomware variants increasing by nearly 100% over the previous six months.
Add to all that the fallout of the COVID-19 pandemic, which Kwong and most IT experts say accelerated digital transformation and ushered the remote work paradigm into the mainstream much faster than anticipated. The result, Kwong notes, is a “fuzzy perimeter.” And the problem is, cybersecurity has traditionally focused on how to protect this perimeter—and that just got a lot more difficult now that this perimeter is continuously being blurred by digital transformation and remote work.
A Paradigm Shift Is in Order
All this complicates cybersecurity a great deal, Kwong points out, to the point that traditional methods are no longer as effective as they once were. That is not to say zero-trust is some panacea, but it can certainly “help in catching up with the ever-changing threat landscape.” In other words, turning to zero-trust is a step in the right direction—a big, important step.
But like all paradigm shifts, the people in charge, in the eyes of Kwong, will have to lead the way.
“Most important is the mindset of people. Anyone from CISOs to anyone from the IT department to the people managing the technology should have the philosophy of not trusting anything,” explains Kwong. “Everything must confirm their status, and there should be segmentation of control. Only then can we go to the [zero-trust] architecture, the strategy of which is to replace all implicit trust on different levels of access and remote users for a consistent convergence of network and security.”
Even with zero-trust firmly established, Kwong cautions against deploying one too many cybersecurity tools. The reason, Kwong points out, is that these cybersecurity tools “don’t talk to each other,”—effectively compromising their ability to work in concert with one another.
In place of a cadre of cybersecurity tools, Kwong recommends instead the deployment of a Cybersecurity Mesh Architecture (CSMA), a composable and scalable cybersecurity approach where a wide range of security tools are integrated into a cooperative, interoperable and dynamic ecosystem. Deploying a CSMA, incidentally, is something Gartner and CSA both recommend, with the latter calling it “the future of cyber defence.” It is also an architecture Fortinet knows intimately, as its Fortinet Security Fabric is the industry’s highest-performing cybersecurity mesh platform.
The Onus Is on the People
Everything inevitably circles back to trust—or, in this case, the need to withhold it. It should be given only after a thorough vetting and validation process and then monitored vigilantly and constantly the entire time access is granted. This is the new normal in cybersecurity, and it is up to the people in charge of it to adopt the zero-trust paradigm for their respective organisations.