Authored by: Matthew Heap, Head of Solution Architecture, APJ for Rackspace Technology.
Whether it’s between leaders, managers and workers, vendors and customers, or companies and regulators, trust lowers the barriers to cooperation and keeps things moving smoothly.
Still, most businesses – and people – recognise that to be too trusting too soon can be a serious disadvantage. For one emerging network security model, any trust at all is too much.
We’re talking about zero trust, an approach to security that’s experienced skyrocketing interest this past year as enterprises have seen their traditional network perimeters stretched perilously thin by mass remote working and expansion to public cloud and SaaS applications.
In simple terms, zero trust means “never trust, always verify.” Zero trust has become a hot topic for executives since remote access rapidly expanded due to COVID-19 and adversaries increasingly sought to exploit remote users and computers. Never trusting and always verifying is more rigorous, proactive and responsive than just building perimeter defences to keep malicious actors out of networks. With multi-cloud workloads and applications, along with remote access from anywhere on any device, perimeter-based trust models are increasingly failing to provide appropriate safeguards.
In 2020, Forrester predicted that Asia Pacific will finally catch up on Zero Trust adoption. Although Zero Trust adoption in Asia Pacific has lagged behind its global peers, the acceleration of cloud adoption and an explosion in remote work as well as changing regulations and consumer behaviours make it ripe for change. Forrester anticipates that at least one government in Asia Pacific will embrace a Zero Trust cybersecurity framework in 2021.
In Singapore, this came to be when Senior Minister of State, Ministry for Communications and Information Dr. Janil Puthucheary announced that all Critical Information Infrastructure (CII) owners are required to maintain a mandatory level of cybersecurity under the Cybersecurity Act. The CII refers to 11 sectors responsible for the delivery of the country’s essential services, including government, energy and healthcare. Not only does a zero-trust approach to security allow businesses to respond faster and with more precision, it also limits the potential for lateral movement of malicious traffic or actors from resource to resource undetected within a compromised environment if a breach was to occur (many of the breaches that have happened
Yet for all its rewards, zero trust implementation is a complicated endeavour. Apart from the technical challenges, success depends on engaging and activating multiple stakeholders from across the business, and providing a lot of user hand-holding.
This article will help tech leaders get their bearings with zero trust as they start to think about how they might implement it themselves.
Exploring the technical aspects of zero trust
In practical terms, effective zero trust implementation requires not just technology, but also policy and process. It’s not a switch which IT teams can flip or a product or service that they can buy, but it does require a blend of tooling distinct from that used in traditional perimeter-based security.
Wrapped around these solutions are strict policies defining which users and devices can access which resources; there can be no more free and open access. Defining these policies and enabling their implementation can be a heavy lift. It requires an understanding of application workflows and dependencies, but automation and AI-based solutions can ease some of the burden, and the benefit to both security and operations is worth the effort. Zero trust security relies on identity and access management, endpoint control and a mature security monitoring capability.
It is a must to bring people along on the zero-trust journey
It’s important to recognise that implementing zero trust crosses team boundaries throughout the organisation. It draws in security, network and identity and access management (IAM) teams, along with asset owners and admins, and application owners. This kind of scope means the CIO/CTO will often be the lead, with the CSO/CISO a critical contributor thanks to their perspective on risk management.
Organisations must also invest time in awareness building and socialisation of the benefits of zero trust, creating detailed FAQs and sharing them via company newsletters and intranets with plenty of links to resources. Trust us: education and communication before rollout can save businesses a lot of help desk pain as their policy and process changes start going live.
Start small, start critical – and utilise DevOps
Businesses can get off on the right foot with zero trust by starting small to build a series of incremental but highly visible wins. They may want to start with access control and then move inwards toward more complicated data centre implementations.
If IT teams start with a baseline across their environment, they can add to this as they discover and classify workload and data. At the same time, start lining up technology solutions and their configurations. Understand the requirements and select partners to help integrate appropriate technologies to provide for authentication, access control, micro-segmentation and monitoring.
Prior to enforcement, identify and build company policies and then soft-launch them in logging mode to help refine the picture of what’s going on in the environment. This offers the opportunity to test processes before launch, both to mitigate the risk of taking down critical systems and to identify patterns and processes that can be automated. From there, adopt rolling implementations to subsets of users – in parallel with businesses’ existing security systems at first – to iron out processes and build confidence in the user base.
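The policy-first, log-before-enforce sequence described above, as an added example in Python (not the author's or Rackspace's code): a minimal policy engine in which each rule binds a resource to conditions on the user's identity and the device's posture, and a mode switch decides whether a failed check is only recorded (logging mode) or actually blocks the request (enforcement). The rule names, resource names, group names and sample requests are all constructed for illustration; a real deployment would take these from the IAM and endpoint-management systems the article mentions.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass(frozen=True)
class AccessRequest:
    """Context the engine evaluates: who, on what device, wants what."""
    user: str
    groups: frozenset
    mfa: bool               # did the session complete multi-factor auth?
    device_managed: bool    # is the device enrolled in endpoint management?
    device_compliant: bool  # does the device currently pass posture checks?
    resource: str
    action: str


Condition = Callable[[AccessRequest], bool]


def requires_mfa(req: AccessRequest) -> bool:
    return req.mfa


def requires_managed_device(req: AccessRequest) -> bool:
    return req.device_managed


def requires_compliant_device(req: AccessRequest) -> bool:
    return req.device_compliant


def in_group(group: str) -> Condition:
    """Factory for a named group-membership check (name is kept for the log)."""
    def cond(req: AccessRequest) -> bool:
        return group in req.groups
    cond.__name__ = f"in_group:{group}"
    return cond


@dataclass
class Rule:
    name: str
    resource: str             # exact name, or a prefix ending in '*'
    conditions: List[Condition]

    def matches_resource(self, resource: str) -> bool:
        if self.resource.endswith("*"):
            return resource.startswith(self.resource[:-1])
        return resource == self.resource


@dataclass
class Decision:
    user: str
    resource: str
    action: str
    allowed: bool       # what the engine actually returned in this mode
    would_allow: bool   # what enforcement mode would have returned
    reason: str
    mode: str


class PolicyEngine:
    """Default-deny evaluator with a 'monitor' (log only) and an 'enforce' mode."""

    def __init__(self, rules: List[Rule], mode: str = "monitor"):
        if mode not in ("monitor", "enforce"):
            raise ValueError("mode must be 'monitor' or 'enforce'")
        self.rules = rules
        self.mode = mode
        self.log: List[Decision] = []

    def evaluate(self, req: AccessRequest) -> Decision:
        would_allow = False
        reason = "default deny: no rule matches resource"
        for rule in (r for r in self.rules if r.matches_resource(req.resource)):
            failed = [c.__name__ for c in rule.conditions if not c(req)]
            if not failed:
                would_allow, reason = True, f"allowed by {rule.name}"
                break
            reason = f"{rule.name} failed: {', '.join(failed)}"
        # Logging mode lets every request through but records the verdict.
        allowed = would_allow if self.mode == "enforce" else True
        decision = Decision(req.user, req.resource, req.action,
                            allowed, would_allow, reason, self.mode)
        self.log.append(decision)
        return decision

    def would_be_denied(self) -> List[Decision]:
        """Requests that enforcement would block: the list to review before go-live."""
        return [d for d in self.log if not d.would_allow]

    def denial_summary(self) -> Dict[str, int]:
        """Count of would-be denials per reason, to spot policy gaps or bad rules."""
        counts: Dict[str, int] = {}
        for d in self.would_be_denied():
            counts[d.reason] = counts.get(d.reason, 0) + 1
        return counts


# Constructed policy: payroll needs HR membership, MFA and a healthy device;
# the wiki only needs a managed device; anything else is denied by default.
RULES = [
    Rule("hr-payroll", "hr/payroll",
         [in_group("hr"), requires_mfa, requires_compliant_device]),
    Rule("wiki", "wiki/*", [requires_managed_device]),
]

# Constructed sample traffic standing in for a logging-mode pilot.
SAMPLE_REQUESTS = [
    AccessRequest("alice", frozenset({"hr"}), True, True, True, "hr/payroll", "read"),
    AccessRequest("bob", frozenset({"eng"}), True, True, True, "hr/payroll", "read"),
    AccessRequest("carol", frozenset({"hr"}), False, True, False, "hr/payroll", "read"),
    AccessRequest("dave", frozenset({"eng"}), False, False, False, "wiki/eng", "read"),
    AccessRequest("erin", frozenset({"eng"}), False, True, False, "wiki/eng", "read"),
    AccessRequest("frank", frozenset({"eng"}), True, True, True, "finance/ledger", "read"),
]


def run_pilot(mode: str = "monitor") -> PolicyEngine:
    """Replay the sample requests through the engine and return it with its log."""
    engine = PolicyEngine(RULES, mode=mode)
    for req in SAMPLE_REQUESTS:
        engine.evaluate(req)
    return engine


if __name__ == "__main__":
    pilot = run_pilot("monitor")
    for reason, n in pilot.denial_summary().items():
        print(f"{n:>3}  {reason}")
```

Running the pilot in monitor mode returns every request as allowed while `would_be_denied()` shows which ones enforcement would block and why; once the summary contains only expected denials, the same rules are re-run with `mode="enforce"` for the first subset of users.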
It’s worth mentioning that it’s likely to be very difficult to get all this right without using agile methodologies within the project and adopting DevOps practices. The early stages involve a lot of work with frequently changing priorities, so use agile methodologies to move quickly and pivot where necessary.
Furthermore, operational overheads can quickly mount, owing to the multiple and ongoing changes and updates to infrastructure and policy. DevOps can help here as IT teams work toward automating user and device updates, or application and systems access flows. With infrastructure as code, for example, systems can be created that allow users to self-serve by registering a ticket for a new device, which then pushes out an update to the infrastructure. There are also technologies now that can help deploy DevOps to legacy workloads as well as apps built in a legacy manner.
Zero trust is worth the effort
Moving to a zero-trust security strategy takes several months of hard work and many hours of ongoing monitoring and management. And yet it’s a journey we expect the majority of enterprises will undertake.
The shift we have seen to remote work this past year won’t reverse fully and for some, it may become the norm. So executive-level anxieties will remain over whether users’ endpoints are protected, the mitigation of insider threats, and the risks of lateral movement by intruders should they make it through their perimeter defences.
It’s not magic; there’s no silver bullet in security. Zero trust is a way to move organisations away from perimeter-based security to a secure access service edge (SASE) as businesses continue their digital transformation.