
    Zero Trust May Hold the Key to Cybersecurity in APAC

    The APAC region presents a unique opportunity for cybercriminals, given the great variations in cybersecurity maturity across the region. But that diversity also makes it uniquely positioned to benefit from zero trust security strategies.

    by Yi Jun Koh

    The number of attacks keeps going up across APAC despite organizations spending more and more resources on their cybersecurity efforts. Enterprise leaders are looking for new approaches because existing ones just aren't working - and zero trust seems to be one of the best options out there.

    There is no doubt that both internal and external networks are susceptible to compromise and should be protected equally. As part of this process, the key steps should be to identify, map, and segment business-critical data and enforce policies and controls using automation and constant monitoring.

    Most IT experts, unfortunately, implicitly trust their environments. They (or their managers) may believe that the firewalls and standard security tools are enough to keep the bad guys out. However, this attitude needs to change. We need to assume that the bad actors are already in our environment.

    The Cybersecurity Situation in APAC

    Cybercriminals are increasingly targeting Asia-Pacific, as businesses transitioning to digital offer a broad target surface. Password-less access is significantly less common in Asia-Pacific than in other regions. As cyberthreats become increasingly sophisticated, APAC organizations are slow to recognize the importance of replacing passwords with more robust security and identity management (IAM) systems.

    This makes APAC fertile ground for zero trust adoption. Since the early days of digital transformation and in response to a wide range of complex, devastating threats, zero trust has steadily become a standard for securing digital transformation and its associated risks for:

    • Multi-cloud, hybrid, multi-identity networks
    • Unmanaged devices
    • Legacy systems
    • SaaS apps

    And its adoption is slowly becoming more widespread as there is a growing consensus among APAC organizations concerning the need for an identity-first approach in zero trust environments.

    Every organization has unique challenges due to the nature of business, digital transformation maturity and security strategy. When implemented properly with the required support, zero trust can be an excellent security investment.

    What Is Zero Trust?

    Zero trust is a security concept centered on the belief that organizations should not trust anything or anyone inside or outside their premises and network. They must instead verify any attempt to connect to their network and applications before granting access.

    This model is based on the assumption that a network is already compromised. Therefore, you cannot rely on perimeter security and instead must secure individual nodes within the network.

    The key component of the zero trust strategy is never to trust anyone. The node needs to know who you are before it can allow you access to its part of the network. It will only allow access if it recognizes the IP address, machine, etc., or if the user is authorized.

    Zero trust leverages technologies such as multifactor authentication, IAM, orchestration, analytics, encryption, scoring, and file system permissions. Zero trust governance policies recommend giving users just the access they need to accomplish a task, not more, not less.

    This way, zero trust minimizes the risk of critical threats, including insider threats, supply chain attacks, and ransomware. 

    Zero Trust Is Not Just Technology — It's About Processes and Mindset as Well

    There is a human tendency to trust too much and be lax about security where the threat isn’t immediate. This is an inherent problem in cyber — too many endpoints and APIs are available way too openly with too many default connections. Due to the Internet, everyone can access and share anything at any time. Trust becomes a crucial failure point: If you trust everything blindly, then you won't be able to change anything concerning security.

    A number of enterprise IT teams are already applying zero trust principles in different ways. They often have multifactor authentication, IAM, and permissions systems in place. Others choose to implement micro-segmentation in parts of their network instead of trying to overhaul the entire network at once, which is good news for IT managers looking to transition to zero trust gradually. Organization-wide IT environments can be secured by combining existing technologies and zero trust governance processes.

    This calls for IT teams to leverage micro-segmentation and granular perimeter enforcement based on their users. Understand who the user is. Make sure the user is who you think they are and capture the security status of the endpoint. Does that endpoint have permission to access the information it is trying to access?

    Review the organization-wide network and next-gen firewalls and segment them to control who and what can connect and access, from where, and when. So, the trick is to design from the inside out rather than from the outside in.
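
    The checks described above (verified user, endpoint security status, explicit permission, and the who/what/where/when of each connection) can be expressed as a deny-by-default decision function. This is an added illustration, not code from the article or from any product; the `Request` fields, the `POLICY` table and its users, segments and resources are all constructed for the example.

```python
from dataclasses import dataclass
from datetime import time


@dataclass(frozen=True)
class Request:
    user: str               # who
    mfa_verified: bool      # identity proven for this session
    device_compliant: bool  # endpoint posture (patched, encrypted, etc.)
    source_segment: str     # where the request comes from
    resource: str           # what is being accessed
    at: time                # when


# Constructed sample policy: explicit grants only. Anything absent is denied.
POLICY = {
    ("alice", "payroll-db"): {
        "segments": {"finance-vlan"},
        "hours": (time(8, 0), time(18, 0)),
    },
    ("bob", "build-server"): {
        "segments": {"eng-vlan", "vpn"},
        "hours": (time(0, 0), time(23, 59)),
    },
}


def decide(req: Request) -> tuple[bool, str]:
    """Evaluate every request on its own; no check is skipped for
    'internal' traffic, and the first failed check denies access."""
    if not req.mfa_verified:
        return False, "identity not verified"
    if not req.device_compliant:
        return False, "endpoint posture failed"
    rule = POLICY.get((req.user, req.resource))
    if rule is None:
        return False, "no explicit grant"
    if req.source_segment not in rule["segments"]:
        return False, "segment not allowed"
    start, end = rule["hours"]
    if not (start <= req.at <= end):
        return False, "outside permitted hours"
    return True, "allow"


if __name__ == "__main__":
    ok = Request("alice", True, True, "finance-vlan", "payroll-db", time(9, 30))
    lateral = Request("alice", True, True, "finance-vlan", "build-server", time(9, 30))
    for r in (ok, lateral):
        print(r.user, r.resource, decide(r))
```

    The second sample request shows the effect of segmentation: a fully authenticated user on a compliant device is still denied a resource for which no explicit grant exists.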

    My Two Cents for the Decision Makers Across APAC

    Don’t mistake compliance for security. Your network may be compliant with various security frameworks but still vulnerable to attacks. There has been a limited amount of progress in introducing zero trust to legacy and existing environments, primarily due to the complexity that is associated with implementation.

    If you thought your IT environment needs a complete overhaul to implement zero trust, that is not the case. Lee Roebig, Customer CISO for Sekuro, who was implementing zero trust principles even before the term was coined, says, “A zero trust strategy should be heavily controls-focused and look to integrate technology in the right places while bolstering what you currently have. It's not about refreshing everything you have. You can definitely apply zero trust principles into a lot of what we already have as well.”

    His advice to security leaders looking to implement zero trust is simple. “Look at your entire cybersecurity posture and find the weak spots that have been left behind or neglected for various reasons. That is the area that you should focus on first and think about how you can apply a zero trust aligned approach.”

    If planning an organization-wide digital transformation, pursue the zero trust implementation as a part of the overall transformation strategy, as zero trust may hold the key to resilient cybersecurity. You can't just piece together technology and hope to get it right. Business leaders need to be aware that zero trust, like any other successful IT or security protocol, requires ongoing effort to succeed. Certain elements of the zero trust effort may present more challenges than others, so they need to be prepared accordingly. Don't look at this as a one-off project, but as a multi-year, multi-phase endeavor.

    This blog was originally published on November 23, 2022.
