3 minute read 1 Nov 2022
Zero Trust Architecture (ZTA) approach of cybersecurity
EY Tech Trends series

Chapter III: Zero Trust — the vigilant enterprise

Authors
Murali Rao

EY India Cybersecurity Consulting Leader

Leading voice on cybersecurity, data privacy and enterprise solutions.

Shivaprakash Abburu

EY India Cybersecurity Consulting Partner

Cybersecurity optimist, Technology enthusiast


Zero Trust Architecture (ZTA) evaluates access for all entities continuously at each stage.

This is part of the EY Tech Trends series wherein each chapter will focus on the rising shifts in key technology areas and the impact of these technologies across sectors.

In brief

  • Traditional cyber security measures cannot contain the risks introduced by new-age technologies and workplaces.
  • ZTA assesses access at every stage, for every entity, throughout the lifecycle of that access.
  • The first stage of implementing ZTA is to set up a sound framework that also defines the access policies.

The Zero Trust Architecture approach to cybersecurity works on the principle of ‘Never trust, always verify’. It entails not only least-privilege access for every entity but also continuous evaluation of that access once granted.

Cybersecurity is now one of the biggest global business risks. With an increasing number of enterprises adopting an always-online mode, especially after the pandemic, the need for cybersecurity has become more urgent.

Cyber-attacks cause losses of approximately US$6 trillion per year globally, according to a leading technology company’s estimates, and this may cross US$10 trillion by 2025. India reported 1,402,809 cybersecurity incidents in 2021 and 674,021 in 2022 (to June), according to the Indian Computer Emergency Response Team (CERT-In). Another report finds that data breaches cost Indian businesses an average of INR 17.6 crore in FY2022, the highest figure ever reported.

Today’s hyper-connected enterprises, work-from-home arrangements and cloud-first approaches have made old cyber defense strategies inadequate. Moreover, with the deperimeterization of enterprise IT architectures, companies now need to extend their security controls to other stakeholders, from vendors to customers and employees.

Traditional defense models built around a trusted perimeter have proved fragile in the face of new attacks. IT departments that were used to designing defense architectures around a clearly delineated enterprise perimeter now face a rising incidence of supply chain attacks, in which malware is inserted into trusted software platforms. Zero Trust Architecture (ZTA) is a radical departure from the trusted-access model, which identified the entity accessing the system once and then granted its permitted access for the duration.

The Zero Trust Architecture

In the traditional trusted-access model, a person entity with a high security clearance could reach the entire IT system, or most of it, depending on the job’s requirements. ZTA instead operates on the principles of ‘Deny by Default’ and ‘Always Verify’. Access must be defined not only for the person entity but also for the non-person entities involved (the device, the network, the application and the data being accessed), and it is limited to the specific purpose requested. Each access is continuously evaluated throughout its lifecycle in terms of the trust placed in it and the risk associated with it; as those metrics change, ZTA dynamically adjusts the privilege granted.

Each time a person or non-person entity seeks access, particularly access with elevated privileges, ZTA treats the grant as a lifecycle that is continuously re-evaluated on a combination of historical and current trust signals. Application access is treated separately from network access: connecting to a network does not imply access to the applications reachable from it. This hinders a malicious actor’s lateral movement and contains the blast radius of a potential breach. Even if the actor holds leaked person-entity credentials, ‘Never Trust, Always Verify’ limits the damage, because those credentials alone do not satisfy the device and context checks that every request must pass.

ZTA protects a firm from external as well as internal threats. Segmenting the network into many micro-perimeters prevents an infiltrator who has compromised one segment from progressing towards core data, and users and devices are verified continuously rather than once at login.

AI and ML further strengthen ZTA’s ability to evaluate the trust associated with each access continuously and to enforce dynamic policies, making for a more robust cyber defense architecture. Done well, this improves user experience (fewer blanket prompts for well-trusted sessions), agility and adaptability while making policy management stronger. Cloud-delivered ZTA also improves scalability and ease of adoption.

Implementing ZTA

According to Gartner, 60% of organizations will embrace ZTA as a starting point for security by 2025. The approach, however, requires a cultural shift in thinking and communication: it is not a single technology, product or service but a mix of products, processes and people. It demands a long-term commitment of financial and non-financial resources, along with prioritization and support across the organization. Companies should therefore communicate the business relevance of ZTA by tying it to their resilience and agility goals.

The framework for adopting ZTA needs to rest on visibility, analytics and control. Key control elements include robust security posture management and cyber detection and response. As organizations mature in their ZT journey and in cloud adoption driven by digital transformation initiatives, they will need to add a ‘Code Trust’ pillar, extending verification to the code they build and deploy, alongside the existing ZTA principles.

The first step towards ZT is a clear plan for a framework that suits the enterprise. At its core is a policy engine that evaluates every access request against the defined access policies, fed by behavioral monitoring and analytics, with enforcement points that carry out the engine’s allow, deny or revoke decisions.

The shift to ZTA has to be staged. One way to deploy the technologies is to start with smaller use cases and then expand, which also helps employees adapt to the system. The deployment must be aligned with the organization’s adoption of new technologies and its digital transformation. For instance, organizations moving to cloud store data outside their perimeter, so a single security control system cannot be applied across the entire network.
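The following Python is an added illustration, not EY’s code or any product’s implementation, of the decision loop described in the previous section and of the policy-engine/enforcement split in the step above: every request is decided on the person entity, the device and the application together, anything without a matching policy is denied, the same leaked credentials fail from an unknown device, network or device trust does not translate into application access, and a live session is revoked when its signals change. The group names, device identifiers, signal weights and thresholds are assumptions chosen for the example; the sample requests are constructed.

```python
"""Minimal Zero Trust policy engine. Added illustration, not EY's or any vendor's
code: each request is decided on person entity + device + resource, anything
unmatched is denied, and a live session is re-decided when its signals change.
Group names, device ids, weights and thresholds are assumptions."""
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Subject:                 # person entity
    user: str
    groups: frozenset
    mfa: bool                  # MFA completed for this session

@dataclass(frozen=True)
class Device:                  # non-person entity
    device_id: str
    managed: bool              # enrolled in MDM
    compliant: bool            # e.g. disk encrypted, EDR agent healthy

@dataclass(frozen=True)
class Request:
    subject: Subject
    device: Device
    resource: str              # application being accessed, e.g. "app:payroll"
    action: str                # "read" or "write"
    geo_anomaly: bool = False  # current context signal, e.g. impossible travel

@dataclass(frozen=True)
class Rule:
    resource: str
    action: str
    groups: frozenset          # any one of these groups may be granted
    min_trust: int             # higher privilege demands higher trust

# Assumed device inventory: a password alone never identifies a session.
ENROLLED_DEVICES = {"lap-0421", "lap-0077"}

# Assumed policy. Being on the network grants nothing: each application and
# action is a separate decision, and write needs more trust than read.
RULES = [
    Rule("app:wiki", "read", frozenset({"staff"}), min_trust=40),
    Rule("app:payroll", "read", frozenset({"hr"}), min_trust=70),
    Rule("app:payroll", "write", frozenset({"hr-admin"}), min_trust=90),
]

def trust_score(req: Request, history: int) -> int:
    """Historical trust (0-100) adjusted by current signals; negative signals
    subtract so privilege degrades instead of staying sticky once granted."""
    score = history
    score += 20 if req.subject.mfa else -30
    score += 15 if req.device.managed else -40
    score += 15 if req.device.compliant else -50
    if req.device.device_id not in ENROLLED_DEVICES:
        score -= 60
    if req.geo_anomaly:
        score -= 40
    return max(0, min(100, score))

def decide(req: Request, history: int = 50) -> tuple:
    """Policy engine: deny by default; allow only when a rule matches resource,
    action and one of the subject's groups and the score meets its threshold."""
    score = trust_score(req, history)
    for rule in RULES:
        if (rule.resource == req.resource and rule.action == req.action
                and rule.groups & req.subject.groups and score >= rule.min_trust):
            return "allow", score
    return "deny", score

def run_session(req: Request, changes: list, history: int = 50) -> list:
    """Enforcement point: decide once, then re-decide after every change in
    device ("device": {field: value}) or context ("geo_anomaly": bool) signals.
    Returns the decision sequence; "deny" after "allow" means revocation."""
    current = req
    decisions = [decide(current, history)[0]]
    for change in changes:
        if "device" in change:
            current = replace(current, device=replace(current.device, **change["device"]))
        if "geo_anomaly" in change:
            current = replace(current, geo_anomaly=change["geo_anomaly"])
        decisions.append(decide(current, history)[0])
    return decisions

# Constructed sample requests.
ALICE = Subject("alice", frozenset({"staff", "hr"}), mfa=True)
LAPTOP = Device("lap-0421", managed=True, compliant=True)
HR_READ = Request(ALICE, LAPTOP, "app:payroll", "read")
# Same username, password and even a replayed MFA, but from an unknown,
# unmanaged machine at an anomalous location.
STOLEN = Request(ALICE, Device("unknown-7", managed=False, compliant=False),
                 "app:payroll", "read", geo_anomaly=True)
# Bob's device is fully trusted but he is not in "hr": device and network
# trust do not translate into application access.
BOB = Subject("bob", frozenset({"staff"}), mfa=True)
STAFF_PAYROLL = Request(BOB, LAPTOP, "app:payroll", "read")
STAFF_WIKI = Request(BOB, LAPTOP, "app:wiki", "read")

if __name__ == "__main__":
    print("alice payroll read:", decide(HR_READ))       # ('allow', 100)
    print("stolen credentials:", decide(STOLEN))        # ('deny', 0)
    print("bob payroll / wiki:", decide(STAFF_PAYROLL)[0], decide(STAFF_WIKI)[0])
    # Alice's EDR agent stops mid-session: access is revoked, not kept.
    print("lifecycle:", run_session(HR_READ, [{"device": {"compliant": False}}]))
```

The design point worth noting is that the score is recomputed from scratch on every decision rather than cached: a session that was allowed a minute ago is denied the moment the device drops out of compliance or a context anomaly appears, which is what ‘continuously evaluated throughout its lifecycle’ means in practice. A real deployment would take the device and context signals from MDM, EDR and identity-provider telemetry instead of constructed objects, and would log every decision for detection and response.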

Threat landscapes will keep evolving. Organizations should therefore treat ZTA as a journey towards enhanced security, in which every stakeholder has a role to play, rather than as a destination.

Summary

With hyperconnected organizations, remote workplaces and new-age technologies, new cyber risks have become a serious threat to businesses globally. Traditional cybersecurity measures are inadequate in this scenario, and organizations are adopting Zero Trust Architecture. ZTA, which operates on ‘deny by default’ and ‘always verify’ principles, grants access only for a specific purpose and continuously evaluates that access at each stage. It segments the network into many micro-perimeters and prevents infiltrators from reaching the core data.
