Zero trust isn’t so much about building a hedge of invulnerability as about imbuing the organization with the resilience that lets it keep going even in the face of a cyber-attack, says Pei Yuen Wong, chief technology officer at IBM Security ASEAN.
Wong was speaking to CDOTrends about the zero trust cyber security journey, including common misconceptions and how a zero trust implementation can fail even after a successful start.
“Cyber resilience is the ability to keep operating even if hackers penetrate your defenses; you might be badly beaten, but you are not out. A bank, for instance, would still be able to act on legitimate instructions from their customers, dispense money, and continue doing whatever it is that banks normally do,” he explained.
Zero trust security is broad
“Any successful zero trust approach needs to cut across the whole spectrum of cybersecurity, from identification of both assets and threats, effective protection, prompt detection, and effective response and recovery. All these are important and vital considerations for an organization to be resilient,” said Wong.
A common mistake by organizations, according to Wong, is to just get point security solutions to address specific threats based on the fad of the day or a prevailing concern. “The hallmark of a good zero trust approach is one that keeps abreast of the latest developments in the threat landscape, anticipates what could be on the horizon, and ensures that the zero trust implementation program is sufficiently robust to address these foreseeable changes in the threat environment.”
“For instance, there might be a surge of media reports about businesses hit with ransomware in recent times. Yet ransomware as a threat is a natural evolution in the cyber threat environment that should already have been taken into account in the plan without needing to fundamentally shift the focus of the zero trust implementation program.”
The ultimate outcome in the zero trust ‘assume breach’ paradigm is not to prevent a breach, observed Wong, but to ensure that the organization continues to function amid an attack. And this cannot happen without response and recovery.
“Organizations often do not adequately test the robustness of their response and recovery procedures. I am sure that they have backups in place and business continuity plans documented, and they probably perform basic tests or spot recovery exercises to meet compliance requirements,” said Wong.
“But hit them on a massive scale or conduct an unannounced red teaming exercise targeting their crown jewels, and they suddenly realize that they are unable to detect the attacks promptly enough, let alone recover fast enough – which more comprehensive tests targeting production environments would have revealed.”
Know your enemy and know yourself
To do well in the zero trust journey, organizations must not only be clear about the assets they are trying to defend but must also be well equipped to detect ongoing security attacks and respond quickly. In a nutshell, businesses must know themselves and their enemies well, in the words of renowned Chinese military strategist Sun Tzu.
“Gaining intelligence and insights into the TTPs (tactics, techniques, and procedures) and the modus operandi of the bad guys is important for any organization to safeguard itself. We need to know who we are fighting against,” noted Wong.
Observing the technical expertise and sophistication of hackers can reveal their motivations and likely targets, says Wong. “Are [the hackers] going to target our trading systems, money transfer systems, or are they going to focus on our knowledge repositories and databases to steal intellectual property?”
And despite how Hollywood often portrays hackers, compromising an organization is a painstaking process. “Be it espionage, intellectual property theft, or other ulterior motives, it is more likely than not that the bad guys would need to take multiple steps to reach their final objective,” explained Wong.
“When zero trust is done well, there are many opportunities for us to catch threat actors as they move around in the environment before they can cause irreparable damage to the organization. We must therefore have robust measures at every step of the cyber kill chain and move quickly to detect and catch them as early as possible. If we miss them the first time, we try not to miss them when they make their second, third, or fourth move.”
Don’t lose sight of the original intentions
The lengthy implementation for zero trust can sometimes result in the original intentions being forgotten, cautioned Wong. He recounted an organization that started well on its zero trust journey. Along the way, it decided to implement identity management (IdM) to address a perennial glut of dormant and privileged accounts across the organization, which was the right thing to do.
“But over time and as people moved on, the IdM implementation became nothing more than a shiny new solution with a nicer, more intuitive interface to be rolled out. The deployment was successful, and users were happy. But despite the original plan to address the proliferation of domain accounts and privileged accounts, the accounts remained. The project, therefore, didn’t meet the original zero trust objective that the team set out to achieve.”
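One way to keep the original objective measurable, as an added example that is not from the article or from IBM: a small audit over a constructed directory export that counts dormant and privileged accounts, so a rollout is judged on whether those numbers actually fell rather than on whether users like the new interface. The 90-day dormancy threshold, the account records and the function names are assumptions.

```python
from dataclasses import dataclass, replace
from datetime import datetime, timedelta
from typing import List, Optional

DORMANT_AFTER_DAYS = 90  # assumed threshold; the article names none

@dataclass(frozen=True)
class Account:
    name: str
    privileged: bool
    enabled: bool
    last_logon: Optional[datetime]  # None means the account never logged on

# Constructed sample export, not real directory data
NOW = datetime(2022, 6, 1)
SAMPLE_ACCOUNTS = [
    Account("svc_backup", True, True, datetime(2021, 1, 15)),
    Account("alice", False, True, datetime(2022, 5, 30)),
    Account("bob_admin", True, True, datetime(2022, 5, 29)),
    Account("contractor42", False, True, None),
    Account("old_dba", True, False, datetime(2020, 3, 1)),
]

def is_dormant(acct: Account, now: datetime = NOW,
               threshold_days: int = DORMANT_AFTER_DAYS) -> bool:
    """An account is dormant if it never logged on or last did so too long ago."""
    if acct.last_logon is None:
        return True
    return (now - acct.last_logon) > timedelta(days=threshold_days)

def audit(accounts: List[Account], now: datetime = NOW) -> dict:
    """The numbers the original objective was about: enabled accounts only,
    since a disabled account is no longer an attack surface."""
    enabled = [a for a in accounts if a.enabled]
    dormant = [a for a in enabled if is_dormant(a, now)]
    return {
        "privileged_enabled": sorted(a.name for a in enabled if a.privileged),
        "dormant_enabled": sorted(a.name for a in dormant),
        "dormant_privileged": sorted(a.name for a in dormant if a.privileged),
    }

def disable_dormant(accounts: List[Account], now: datetime = NOW) -> List[Account]:
    """The remediation the IdM project was supposed to deliver."""
    return [replace(a, enabled=False) if is_dormant(a, now) else a
            for a in accounts]

def objective_met(before: dict, after: dict) -> bool:
    """Only a drop in dormant enabled accounts counts as meeting the goal."""
    return len(after["dormant_enabled"]) < len(before["dormant_enabled"])
```

Run the audit before the rollout and again after it; a deployment that changed only the interface yields identical numbers and fails the check.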
A common issue arises when the execution team or management faces challenges along the zero trust implementation journey. Whether the challenge is resource constraints or architectural roadblocks, the tendency is to cut corners to meet project timelines. Or, as is common with lengthy system deployments, the project might change hands with a poor handover.
“When these situations happen, and especially as people leave the organization, those new to the project might not be aware of the original intentions or rationale behind certain design decisions. It is hence crucial to have a good governance structure with relevant expertise to regularly review the progress of the zero trust implementation plan in its entirety to ensure that the objectives and outcomes set out are consistently met.”
For now, the security industry continues to evolve and improve. Crucially, security solutions are converging, says Wong. “With open APIs and standard-setting bodies, we are now increasingly moving away from standalone security solutions that work independently from each other. We are not quite there yet as an industry, but we are moving in the right direction.”
Paul Mah is the editor of DSAITrends. A former system administrator, programmer, and IT lecturer, he enjoys writing both code and prose. You can reach him at [email protected].
Image credit: iStockphoto/scyther5