Traditional enterprise security is now inadequate in the face of pervasive cyberthreats. For instance, many organisations had to rely on VPNs during the onset of the pandemic, as employees had to work remotely. However, VPN is no longer the cutting-edge solution it once was, as various cybersecurity experts would say.
During this time, the more recent concept of zero trust rose in prominence across verticals. While the term has been around for quite some time, it was only now that the capabilities to support the security principle came into fruition.
During the Malaysian leg of the “Change Faster – A Zero Trust Discussion” roundtable organised by Jicara Media and hosted by Cloudflare, senior IT experts endeavoured to shed light on pressing security concerns, as well as the use of zero trust within the local enterprise space.
Expanding threat landscape
For Nantha Kumar A/L Subramanian, Chief Digital Officer of KPJ Healthcare, tighter access restrictions were a must, because the threat landscape has significantly expanded.
“It’s very difficult to differentiate (the) good guys (from the) bad guys. Because of the new way of working — remote access, remote workers, and all that, it is very difficult to identify who are the authorised users. To me, it is critical to verify the user (and) the device. This is where we implemented network access controls for very granular access to our data centre, which changed the way we request access,” Subramanian revealed.
Logistics platform TheLorry has noticed similar circumstances and is actively looking at security solutions that would fit their needs, noted Waqas Khalid Obeidy, the company’s Chief Innovation Officer.
“Phishing and ransomware are something (we consider as) the highest priority, because we do have our clients’ financial data back in our data centre. Especially during this pandemic, a lot of my colleagues work remotely, access (through) VPN, (and) access all this financial information. So (this) is what I’m currently in the midst of — comparing the best solutions out there that can protect, especially (our) clients’ financial (data) that is crucial for my management,” he said.
Meanwhile, e-government solutions provider MYEG Services, which has been working closely with Cloudflare, is currently in the early stages of zero-trust implementation, and is exploring ways to expand their adoption of the security model.
“We are implementing a hybrid architecture, whereby some of our workloads and data storage are in the cloud, then some of them (are) on-premises, because of the requirement set by the government,” shared Rushdan Anuar, MYEG Services’ IT Director.
Because the times have changed, and the pandemic notwithstanding, enterprises must also adapt accordingly, especially in terms of security design and implementation, noted Satyen Desai, VP – South East Asia & Korea, Cloudflare.
“These days, everything is so easy to connect. It’s quite easy to get above and beyond what (the) internet was (originally) designed for — doing your mobile banking, social media, and so on. As we now think about the new internet, or what (the) internet is going to change into, we’re going to have to become more and more secure and reliable,” Desai said.
As with any other undertaking, implementing zero trust can cause quite a stir for people who do not understand what it is.
According to Fernando Serto, Chief Technologist & Evangelist, APJC at Cloudflare, zero-trust adoption can start with solving a particular problem at a certain unit or company department, such as remote access to certain applications.
“You have 50 users from finance, and they need access to a particular application (for example). Now they’re working from home, and you want to minimise the risk of access to that particular finance app, you can just tackle that use case; you don’t need to go and ask the board for multimillion dollars to solve the problem for the whole 10,000 users that you may have in your organisation,” Serto said.
Another security concern is the proliferation of BEC scams, which has outpaced malware in terms of revenue generated by bad actors.
“If you think of the cybercrime industry, if you can call cybercrime an industry, the malware industry within cybercrime generated US$47 million of revenue in 2021. This is tied to phishing and malware. The business email compromise industry generated US$2.4 billion, so it’s a much bigger problem. Even though it’s a much bigger problem we all focus on, let me do URL filtering, because this looks like phishing, so let me get rid of it. There’s a much bigger problem than that, because attackers are going beyond URL filtering, as all security vendors share threat intelligence,” the security expert said.
As such, Cloudflare developed a preemptive, cloud-based solution to BEC scams, following its acquisition of cybersecurity firm Area 1.
“Our solution is actually looking into language used, analysing sentiment, and being able to raise an alert with a ‘Hey, you have a possible incident here,’ because these two people have never really spoken before, never used that type of language before,” Serto explained.
“The (zero-trust) framework has been around since 2011. The technology is only ready now for you to start onboarding as you go, rather than having to tackle it as a big project trying to boil the ocean,” he remarked.
With the zero-trust framework encompassing a lot of security solutions and strategies, businesses can immediately start a zero-trust approach to security easier than expected, Serto noted.
“I’ve seen organisations getting zero trust implemented by never using the word ‘zero trust’. (Zero trust) is so easy to consume. It actually improves the agility and performance (of your apps), and user experience. They (organisations) managed to get zero-trust network access deployed, having third parties accessing applications on a remote browser, and you can stop them from doing simple things like copy, paste, upload, and download,” he observed.
API security is also another area that organisations can focus on, the expert recommended, given the recent data breaches hinged upon API vulnerabilities.
“It’s difficult for an IT operations person to identify an attack based on log files. IT says that every API has a different schema. Every API will look different to the naked eye. If you’re not using proper API security focus tools, you’re not winning the game at all,” Serto said.
Meanwhile, Izzat Aziz, the Director of Technology, Risk & Cybersecurity at KPMG, emphasised that zero trust is so much more than just the technology.
“Technology is just one-third of the solution when it comes to managing risks. The other two being the people element, as well as the policies and procedures that are set in place. The philosophy of zero trust is holistic in the sense that it encompasses all three of these elements, and it is precisely this that we advocate to our clients,” he said.