The zero-trust concept in cybersecurity, where devices are never trusted by default but always verified, is not new.
However, zero trust may just be the turning point for organisations in Asia as they strengthen their defences in an increasingly digitalised environment, amidst an intensifying cyberthreat landscape.
The zero-trust approach calls for devices to be verified even if they have previously been permissioned on a network. We now connect more devices via the Internet of Things (IoT) than ever before in both personal and professional settings. Generally, IoT equipment is designed to provide a single service – which unfortunately means security is not its main priority. This lack of in-built security makes these devices vulnerable to attacks, creating a potential route into the entire organisation’s network for attackers.
According to a recent study, only 26% of organisations in Singapore prioritise their devices when implementing zero-trust security. Businesses and organisations will have to do better as they continue their digital transformation journeys. They will need to prioritise cybersecurity in their network infrastructure strategies as connected devices and IoT play increasingly significant roles in their overall technology stack.
The 101 of zero trust
Network segmentation is the principle of zero trust. Once a compromised device is reported, attacks can be reduced, lateral movements on the network can be limited, and other connected systems can be spared.
There are two approaches to network segmentation depending on the existing degree of trust. The boundary of trust is historically both physical and implicit, so the computer network is protected by a firewall. That is, what is inside is protected from the outside. With greater cyber risks on the horizon, this approach needs to evolve.
In the case of zero trust, trust is dynamic and no longer assumed – even within the network. Instead, the structure acts as if there are already attackers present in the system. The first step is network access control (NAC) – identifying objects and authenticating connected users. The first level of macro-segmentation is set up based on these factors and filters traffic via firewall between different classes of objects and users. For example, you could isolate surveillance cameras and building management sensors.
From there, the second level of filtering is within a segment and based on identification. This second step makes it possible to refine and achieve micro-segmentation. This prevents surveillance cameras from communicating with each other within the same network segment.
The benefits of zero trust
As an intelligent mix between micro- and macro-segmentation, the zero-trust approach builds a restricted and mobile security perimeter around each user and object. It is also essential that organisations assume systems have been breached – a cybersecurity approach Singapore has taken on a national level to stay ahead of cyberattackers. An organisation can then manage NACs, define different authorisations, and secure and contain threats through strong network segmentation.
This segmentation also constantly searches for suspicious behaviour. Cyberattacks are now inevitable and the damage to organisations can be high. Last November, hospitality platform RedDoorz faced a fine of SG$74,000 due to negligence that compromised 5.9 million customer records. This is where zero trust comes in: by requiring identification and authentication of each device and user before allowing network access, network segmentation greatly restricts the range and spread of an attack.
Five steps to zero trust
Building a zero-trust network from scratch is not too challenging. However, most organisations already have an existing network in place. The challenge, then, is harmonising approaches and developing the network to meet the organisation’s needs while securing it from attacks.
Here is a five-step how-to for organisations adopting a zero-trust approach to network security:
- Monitor: Identify all equipment, peripherals, and connected devices (from the tablet to the Wi-Fi vacuum cleaner) and authenticate all employees that have access to the network. An object inventory is created and populated automatically.
- Validate: Control all connected devices and invalidate those which are not justified for the activity, as they increase the possibility of attack. Apply the principle of least privilege: granting the minimum permissions required to perform a task. If the existing network shows non-compliant equipment, implement a restoration or remediation plan.
- Plan: Know all the users’ equipment, workflow, and the traffic generated. Then transform this data into a security policy that intelligently combines macro-segmentation (input/output control) and micro-segmentation (fine-grained security rules).
- Simulate: Apply in parallel identification, authentication, and security policy in “fail open” mode: All equipment will be authorised, and network behaviour logged and indexed, to set up authorisation schemes and an adapted network security policy. This critical step refines the security policy while ensuring normal activity is not impacted.
- Enforce: In this final phase, “fail open” becomes “fail close”. Authentication failures are not tolerated; all unreferenced users or devices are refused, and all illegitimate flows are stopped. Immediate network monitoring verifies that all devices are identified and that users are authenticated before being authorised on the network, or quarantined while security checks take place.
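The sketch below is an added example, not code from the article or any vendor product. It shows how one policy combining macro-segmentation (between classes of objects) and micro-segmentation (inside a class) behaves in the "Simulate" step (fail open, denials only logged) and the "Enforce" step (fail closed). Device names, segment names and the sample flows are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed inventory ("Monitor"): device id -> class of object (segment).
INVENTORY = {"cam-01": "cameras", "cam-02": "cameras",
             "nvr-01": "video-recorders", "bms-07": "building-sensors"}
# Macro-segmentation: segment pairs allowed through the inter-segment firewall.
MACRO_ALLOW = {("cameras", "video-recorders")}
# Micro-segmentation: device pairs allowed inside one segment (none here, so
# cameras cannot talk to each other).
MICRO_ALLOW = set()

@dataclass
class Decision:
    allowed: bool   # what actually happens to the flow in this mode
    verdict: str    # what the policy says: "permit" or "deny"
    reason: str

def evaluate(src, dst, mode):
    """Decide one flow; mode is 'simulate' (fail open) or 'enforce' (fail closed)."""
    if mode not in ("simulate", "enforce"):
        raise ValueError(f"unknown mode: {mode!r}")
    src_seg, dst_seg = INVENTORY.get(src), INVENTORY.get(dst)
    if src_seg is None or dst_seg is None:
        permit, reason = False, "unreferenced device"
    elif src_seg == dst_seg:
        permit, reason = (src, dst) in MICRO_ALLOW, "micro-segmentation"
    else:
        permit, reason = (src_seg, dst_seg) in MACRO_ALLOW, "macro-segmentation"
    # Fail open: policy denials are only recorded. Fail closed: they block.
    allowed = permit or mode == "simulate"
    return Decision(allowed, "permit" if permit else "deny", reason)

def policy_denials(flows, mode):
    """Return (src, dst, reason, outcome) for every flow the policy denies."""
    out = []
    for src, dst in flows:
        d = evaluate(src, dst, mode)
        if d.verdict == "deny":
            out.append((src, dst, d.reason, "allowed" if d.allowed else "blocked"))
    return out

# Constructed sample traffic; "vacuum-x" is deliberately absent from the inventory.
FLOWS = [("cam-01", "nvr-01"), ("cam-01", "cam-02"),
         ("bms-07", "cam-01"), ("vacuum-x", "nvr-01")]

if __name__ == "__main__":
    for mode in ("simulate", "enforce"):
        for entry in policy_denials(FLOWS, mode):
            print(mode, *entry)
```

Reviewing the simulate-mode denials before switching modes is what lets a legitimate flow be added to the allow lists instead of being cut off on enforcement day.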
Humans are often the weakest link in organisational cybersecurity. Fortunately, organisations are beginning to recognise this. In Singapore, 62% of organisations have named employees as the number one priority for a zero-trust security approach. Most importantly, organisations must ensure that all IT hardware and peripherals are secured, and employees are protected.
Zero trust is both an authentication strategy and a consistent security policy across the network infrastructure, implemented in line with the needs of users and connected technologies. In an increasingly VUCA (Volatile, Uncertain, Complex, and Ambiguous) world, the zero-trust approach is the most likely to guarantee the security of your networks as well as your business assets.