Technology Record - Issue 31: Winter 2023

VIEWPOINT

Organisations should catalogue data and map cryptographic assets to develop their zero-trust strategies and introduce post-quantum cryptography to protect against future cyberthreats

SAMANTHA MABEY: ENTRUST

Why security strategies should centre around data

When it comes to the security of any organisation, what is the most critical thing businesses are trying to protect? Data. From government intelligence to personally identifiable information, there is a slew of data being stored and transmitted by organisations and it all needs to be secured. Why? Because this information is exactly what bad actors are targeting.

One of the best ways for organisations to mitigate risks and improve their overall security posture is to implement a zero-trust approach – or at least consider the ‘never trust, always verify’ principle that zero trust is based on. This simply means that organisations should not implicitly trust anything inside or outside the perimeter.

Every organisation will be a little bit different in what solutions it needs and how they are implemented, but the steps to get started are generally the same for all. The first steps involve having a full inventory of data and its flows. By knowing where high-value data sits, and how it gets processed and transmitted, businesses will have a good indicator of where to start. From there, they can ensure they have an inventory of cryptographic assets – like keys, certificates and secrets – and then map that to their data to understand how everything is secured. This will give the picture of what the attack surface looks like and help them identify if there are any risks or gaps that need to be addressed immediately.

Next, as firms prepare to implement a new digital security strategy, including zero trust, it’s critical to be crypto-agile. It helps mitigate any risks related to cryptography, allows change to be implemented easily and ensures strong governance along the way.
It’s also worth noting that this isn’t something that can be done quickly or with one solution or technology. Organisations should incrementally implement a zero-trust approach, rolling it out in pieces or layers, with the security framework building upon itself over time.

Not only will this type of approach improve security, but it will also deliver business value – especially when firms make the connection between zero trust and other projects such as post-quantum (PQ) readiness. Most of the cryptography best practices organisations perform as part of implementing zero trust will also be part of the journey they embark on when preparing for the PQ threat. This is important not only because of the threat quantum computing poses to digital

“All organisations share the critical need to keep their data secure”