Since the pandemic that forced millions of office workers to connect from home, zero-trust access has become a key way forward for businesses seeking to securely enable remote work and reframe efforts to keep out the bad guys.
Instead of placing barriers to external threats, the zero-trust cybersecurity approach calls for access to networks, assets and other digital connections to be strictly checked and authenticated.
This big overhaul from a perimeter defence is best attempted step by step, striking a balance between rigid security protocols and an intuitive, user-friendly environment, says Vincent Lomba, chief technical security officer of Alcatel-Lucent Enterprise (ALE).
And even when the zero-trust environment is eventually set up, there are threat actors employing social engineering and AI that will look for loopholes and weak links, he notes.
Cybersecurity should not be just an IT concern but also a fundamental business strategy, he tells Techgoondu, in this month’s Q&A. “Only through this lens can organisations truly appreciate the gravity of potential threats and adequately fortify their defences.”
NOTE: Responses have been edited for brevity and style.
Q: Zero-trust has been seen as the way forward in a porous digital environment where you can’t simply defend your perimeters. What are the biggest issues that organisations have in trying to transition over?
A: Reimagining and transitioning networks demand meticulous reconfiguration, tailoring access levels based on function, privileges, and usage requirements.
It is a departure from the one-size-fits-all approach, and often the biggest challenge lies in ensuring closer alignment between IT departments and end users, in grasping the unique security demands of every device that is added to the network.
In the post-pandemic era, normalising new working arrangements such as remote work or BYOD (Bring Your Own Device) necessitates implementing dedicated policies for device analysis, potential antivirus installations, and user compliance to secure devices before network authorization.
Restricting the privileges of BYOD devices, for example, is crucial to contain potential risks associated with personal equipment on the corporate network.
Campus deployments for universities, such as our work in modernising the network infrastructure of the University of Technology Sydney, are a great example of the need for dedicated policies.
It has to cater to a student population highly likely to be using laptops and tablets of their own choice, while at the same time simplified to ensure ease of use and an improved user experience for students, faculty, as well as guests.
While Virtual Private Network (VPN) solutions can help fill the gap security-wise, their utility can be a double-edged sword, often viewed as an encumbrance due to the added passwords required to connect.
The zero-trust journey boils down to striking a balance between rigid security protocols and an intuitive, user-friendly environment. Simplifying the cybersecurity landscape is imperative, but at the same time, end users should not be burdened with having to be security experts.
Q: Broadly, what is ALE’s guidance to customers when moving forward to zero-trust?
A: Businesses need to acknowledge that moving towards zero-trust is a journey that demands strict adherence to dedicated processes to achieve success.
At ALE, we employ a multi-step process to help our customers get started, starting by building a map and inventory of what you have in your network and recognising their varied security needs and use cases.
This is critical, especially in specialised verticals like healthcare, where today’s medical devices such as infusion pumps, pacemakers and diagnostic imaging equipment are increasingly cloud-connected, increasing the risk of attack.
These findings then need to be validated and assessed against the needs of the business. The security considerations for supply-chain logistics, for example, will be vastly different from those for healthcare.
From here, IT teams can translate this knowledge into a set of authentication and security policies to implement the required architecture, to ensure that connected devices are only allowed to do what they are meant to do.
Such an approach, often referred to as RBAC (Role-Based Access Control), offers the possibility to automate most of the enrolment process, leveraging pre-established rules. Patient management devices issued to nursing staff, for example, should not have direct access to the pharmacy to prescribe medication. What follows then is the process of putting these policies into practice, and fine-tuning them along the way.
More importantly, however, the executive committee must have a clear understanding of the role of security. Decision-makers must have the view of security as a cultural pillar, instead of being just an operational matter.
The public sector, for example, already has an inherent understanding of the importance of security. The Singapore government has already moved to adopt the Zero Trust framework, formally dubbed GovZTA, so that government agencies can adopt a risk-informed stance when enhancing the user experience, the speed of implementation strategies, and cyber resiliency.
At the end of the day, bridging the gap between users and IT, and fostering a culture of security education and awareness, is the key to collectively safeguarding networks and operations from potential threats.
Q: Does this migration to zero-trust start with a big overhaul or can you do things piece by piece over time, to minimise disruption and even out costs?
A: The step-by-step approach is always the best. This centres on understanding that the journey demands a risk-based approach, which starts by identifying where most of the risks are coming from, and then implementing the right solutions to solve for those risks.
On a broader scale, we are seeing the global cybersecurity landscape unfolding according to different maturity tiers concerning zero-trust adoption.
In the Asia-Pacific (APAC) region, this transition is nascent but gaining momentum. Regulatory oversight is beginning to take root, driven by the bottom line.
Organisations are now weighing the cost of a major outage or data breach against the investment required to implement the right security measures.
The emergence of cybersecurity insurance is playing a pivotal role too, demanding proof of robust security measures before insurers will consent to provide cyber insurance for organisations.
This cascading effect, dictated by both regulatory and business imperatives, highlights the crucial need to emphasise and validate the proactive adoption of security measures.
Being proactive yet consistently progressing in cybersecurity is not just good practice; it is a pathway to ensuring business continuity and market viability.
Q: Even with practices such as multi-factor authentication, we have seen sophisticated scams involving social engineering. Will zero-trust face the same challenges, as AI is being geared up to create more elaborate and hard-to-defend phishing scams?
A: In the realm of cybersecurity, social engineering and the human factor remain the major point of attention. The onus falls on organisations to cultivate a culture of cybersecurity awareness and education among their staff.
However, the abundance of information available on the Web, and worse, the dark Web, amplifies these threats. Open-source intelligence (OSINT) databases and tools grant access to a treasure trove of personal data, a lucrative opportunity for cybercriminals.
The intersection of AI and OSINT further complicates matters. AI algorithms can sift through massive datasets, profiling individuals to pinpoint weaknesses, leading to insights that help optimize attack strategies.
Hackers are also employing AI to orchestrate attacks tailored to exploit specific vulnerabilities. This raises two critical issues with AI: its potential misuse for malicious intent, and the unpredictability of AI-generated outcomes.
Security measures must then evolve beyond safeguarding network access; they must also encompass user training, reducing the risk of oversharing online and promoting responsible online behaviour.
What is more, despite the omnipresence of cyberattacks, not all organisations comprehend the extent of their vulnerability. This lack of awareness, combined with the misconception that only high-profile entities face cyber threats, leads to complacency. The reality is that any organisation, irrespective of its size or prominence, is a potential target.
The key lies in amplifying awareness regarding the evolving cyber landscape and fostering a proactive cybersecurity stance — a fundamental shift from ‘It won’t happen to us’ to ‘We must prepare for any eventuality.’
It is a paradigm shift where cybersecurity is not just an IT concern but a fundamental business strategy. Only through this lens can organisations truly appreciate the gravity of potential threats and adequately fortify their defences.