Technology Record - Issue 28: Spring 2023

VIEWPOINT

Making sense of zero trust

Businesses must prepare for the evolving threat landscape by following the principle of ‘never trust, always verify’

ROHAN RAMESH: ENTRUST

Organisations of all sizes continue to face cyberattacks that are increasing in number, scale and sophistication, and they need to assume the mindset that it’s not if, but when, their security will be breached. The combination of cloud adoption, digital transformation and the impact of the Covid-19 pandemic has accelerated the shift to an environment that encourages working from anywhere, at any time, and on any device, and this is eroding all business security perimeters.

As the perimeter disappears, the attack surface grows due to security vulnerabilities and poor cyber hygiene by employees, contractors and vendors. This allows attackers to gain access to a business network through an initial attack, after which they may look to establish persistence and move laterally to find and compromise high-value data and resources.

To counter this increasingly complex and evolving threat landscape, we need to establish guidelines, controls and frameworks that help businesses defend against cyberattacks. One such framework is called ‘zero trust’, which, due to its holistic nature, is rapidly gaining widespread adoption.

A robust zero-trust strategy is a paradigm comprising interlocking technologies, procedures and security controls operated as part of a cohesive cybersecurity strategy. It is an assurance fabric that is regularly reassessed against changing risks and encompasses people, process and technology.

At its core, the zero-trust concept is about stopping organisations from automatically trusting users, data, and processes inside and outside their perimeters. It is based on the principle of ‘never trust, always verify’ and can be achieved through three behaviours, the first being to verify explicitly.
This translates to ensuring strong authentication on the premise of appropriately strong registration. When it applies to users, we must make sure that the person who is requesting authentication is the account owner and that the account has not been compromised by account-takeover attacks. To ensure a more holistic defence, the concept of verifying explicitly should extend across users, devices, applications and workloads to avoid points of compromise.

Secondly, a zero-trust strategy is built on least-privilege access, which grants only a limited number of accounts authorised access to information, restricted to the permissions needed to complete a specific task or responsibility.

Thirdly, businesses should assume that there is no perimeter and always be prepared for a security breach at any time. This requires security controls and policies to verify every access request and to apply mitigation

“The zero-trust concept is about stopping organisations from automatically trusting data and processes”