Decoding ZTA deployment for CIOs, CIOSEA News, ETCIO SEA

The traditional bedrock of cybersecurity for CIOs and CISOs till the early to mid-2010s was the trusted organisational perimeter/ network with implicit trust of constituent users, assets, data, policies for whom information security policies would strictly apply. A combination of tools such as antivirus, anti-malware, email security, web application firewall, firewall management, database security, endpoint encryption and security, intrusion prevention, and data leakage prevention, along with strict cybersecurity policies, best practices, dos and don’ts and escalation matrices would be enforced. For the relatively small percentage of out of office staff, a combination of company provided devices, strict bring your own device (BYOD), VPN and infosec policies would apply.

The increasingly popular trends of cloud adoption, mobility, internet of things (IoT) came along with penetration of information technology in consumer durables, smart cities, healthcare systems, automotive, telecoms, and utilities. On the other hand, there was a growing importance of security, compliance and significant rise of fines and organisational reputation loss from breaches and attacks, thus causing a discernible shift from the traditional trusted network approach.

CISOs and CIOs started evaluating and adopting zero trust architecture and principles, coined by John Kindervag of Forrester Research way back in 2010, which are based on the ethos of “never trust and continuously validate and verify”. This was now proposed as the best way forward to ensure security of the modern hybrid enterprise IT environment, validate users, devices, policies and assets within the network, VPN, cloud and externally along with robust authentication, leveraging network segmentation to curb lateral movement, providing proactive threat prevention and having very granular and minimal access policies.

This had also been exacerbated by the growing sophistication of hackers and their devastating impacts on information technology and critical infrastructure systems, as well as inside breaches even in the pre-COVID times. The Mirai and Triton Malwares, 0XOMAR, CryptoLocker, NotPetya, Bad Rabbit, NSA Leaks, the Yahoo attack, the worldwide WannaCry Microsoft Operating System attack and the multiple Distributed Denial of Service (DDoS) attacks on New Zealand’s stock market are still remembered along with the significant fines and settlements made by Uber, Marriott, Equifax and many others in the late 2010s.

Insider threats and activity also started “contributing” to close to 50% of cyber breaches, as McKinsey mentions in this article . Furthermore, adoption of cryptocurrency, the dark web, more organised and sophisticated cyber criminals and software permeation in IoT and Telecom devices were proving to be big challenges, amidst the clamour of compliance to acts, frameworks and standards such as Federal Information Security Management Act of 2002, the Department of Defense Strategy for Operating in Cyberspace guidelines of 2011, NIST IT and Cybersecurity Framework (CF) standards, the Homeland Security Act and the Cybersecurity National Security Action Plan (CNAP) of the United States, ENISA, the NIS Directive and the EU GDPR.

This resulted in CISOs and CIOs to adopt ZT architecture and principles, and deploy more proactive threat detection-based defence mechanisms as well as behavioural analytics powered insider risk management systems, incorporating artificial intelligence. Companies were establishing inhouse or outsourced Security Operation Centres (SOCs) as well as adopting password-less systems and DevSecOps. Adoption of cybersecurity in the cloud ecosystem was becoming increasingly prevalent especially around technologies such as Cloud Security Posture Management (CSPM), Cloud Access Security Broker (CASB), Security Access Service Edge (SASE) and other cutting-edge technologies.

What has been the impact of the pandemic on zero trust architecture?

The trusted organisational perimeter has become even more sacrosanct and amorphous in the COVID-19 world. The implosion of remote and hybrid working, home Wi-Fi and shared devices, gig and contract workforce, information technology (IT)/ operational technology (OT) convergence, composable architectures such as microservices based, API-first, cloud-native SaaS and headless (MACH) and packaged business capabilities (PBCs), extension of digital first to cover customers and supply chains, multi/ hybrid cloud and cloud native, and the proliferation of 5G and edge computing, has exponentially increasing the volume, variety and velocity of attack surfaces and vulnerabilities.

2020 and 2021 saw an exponential rise of cyber attacks. As per this research by Deloitte early on in the pandemic, cyber-attacks have increased by 3x in some countries covering work from home endpoints, video conferencing services, malware, ransomware and the dark web originated cybercrime. This KPMG research highlights the plethora of COVID-19 based ransomware itself during the early days of the pandemic, luring unsuspecting users to click fraudulent links related to information, vaccines, government assistance, sanitisers, oxygen, collaboration tools, and other bait.

There were several critical attacks and breaches such as the Sunburst SolarWinds attack, the Estee Lauder customer database leakage, the discovery of Facebook and MGM Resorts confidential data on the Dark Web, the resurgence of WannaCry, Revil and other ransomware attacks, along with the Mozi BotNet and others. There have also been widely publicised attacks on critical infrastructures as mentioned in this World Economic Forum article as well. Cybercrime also covered the digital supply chain, especially leveraging vulnerabilities such as Log4j. Gartner predicted that by 2025, 45% of organisations worldwide will have experienced attacks on their software supply chains, a three-fold increase from 2021. In addition to these high-profile external attacks, in 2020, Gartner had reported a close to 50% increase in insider incidents. Industry experts have also mentioned an 85% likelihood of employee file and data leakage compared to the pre-COVID era.

The trends of the great resignation, quiet quitting and moonlighting extended to the cybersecurity world as well, and there have been shortages of skilled and trained cybersecurity resources, as well as security and compliance teams. Market uncertainties, geopolitical turmoil, intense competition and decreasing customer, supply chain and employee loyalties have resulted in tighter IT spends and pressures on faster payback periods. Leadership teams have realised that they do not have the unlimited budgets, skilled manpower or the preparedness turnaround time to be always technologically ahead and ready to mitigate the cyber threat landscape through investment.

These aspects have necessitated a rising adoption of zero trust architecture and CIOs/ CISOs have embraced ZTA in their move from cyber defence to cyber resilience. This Gartner blog mentions that the SunBurst SolarWinds attack at the end of 2020 necessitated the adoption of zero trust architecture. In May 2021, in response to the SunBurst SolarWinds breach, the Biden administration in the US issued an executive order mandating strict adherence by the U.S. federal agencies to NIST 800-207 as a fundamentally required step for zero trust implementation. As a result of this, the same consideration has applied to private sector and government vendors, customers and other stakeholders. Private enterprises are also ensuring their current and proposed ecosystem partners also follow similar zero trust architectures and these are also in consideration during evaluation and onboarding of newer partners in their ecosystem

This World Economic Forum article in mid-2021 highlights the timelines of evolution of the zero trust architecture, right from the Jericho Forum of Deperimeterisation, the Forrester coined term of zero trust, Google’s Beyond Corp, Forrester and Gartner’s published guidelines right up to the release of the zero trust architecture by the US National Institute of Standards and Technology and its adoption by the US federal government.

This LinkedIn article mentions the importance of zero trust 2.0 in prevention of an information technology Black Swan event in the post COVID world. Similarly, McKinsey here highlights trust architecture amongst the top trends in technology. Gartner lists zero trust in its cloud security hype cycle as depicted here.

What is the ZT market size?

This research by Deloitte estimates the worldwide zero trust market to grow to almost USD 40 billion by 2024, with a 20% increase from 2019. Gartner’s paper here estimated that ZT Network Access as the fastest-growing segment in network security, rising 36% in 2022 and 31% in 2023, respectively. This would be predominantly driven by continued hybrid/ remote working and the CIOs reduce dependence on VPNs for secure access, thus making ZT a standard for in office and remote workforce alike. Furthermore, Gartner predicts that by 2025, at least 70% of new remote access deployments will be largely catered to by ZTNA vis-a-vis VPN services, up from less than 10% at the end of 2021.

What are the considerations for decoding ZTA deployment?

Zero trust is a fundamental tenet of cyber security and defence in the cyber resilience age, as this LinkedIn article mentions. The underlying principles of ZT have been:

1. Consistency and comprehension of all digital resources, data and workloads, users, architectures, policies, of the extended enterprise (covering on-premise, cloud and container environments, IoT devices, network devices, firewalls, users, endpoints, routers and so on).
2. Holistic and hierarchical enterprise security framework covering the layers of physical facility and virtual infrastructure layer, platforms, applications, users and management system security.
3. Secure communication and micro segmentation-based traffic flow.
4. Protection/ encryption/ anonymisation of data.
5. Least privilege user access and multi-factor authentication.
6. Watertight password management of users and IoT devices: Leveraging password less, blockchain, RPA and other technologies.
7. Working with other processes such as DevSecOps and NoOps.
8. Automation, orchestration, observability and monitoring, of all assets, loads and health.
9. Dashboards and analytics, as well as artificial intelligence powered tools for external and internal threats detection, management and remediation.
10. An underlying ethos of the guiding principles of never trusting, continuously verifying and assuming attack and breach. Furthermore, Limiting the blast radius in case a breach actually occurs.

Zero Trust Architecture hence encompasses networks and infrastructure across on-premise/ hybrid clouds, identity and access management, secure communications, applications and data, micro segmentation, automation and orchestration across the hybrid extended enterprise. CIOs must carefully consider and incorporate robust enterprise architecture design, workflows and categorisation, device/ user access levels, framing of policies, micro-segmentation, and deploying dashboards, analytics, automation and orchestration. It is also of paramount importance to apply these principles to collaborative organisations, extended supply chains and public facing channels.

CIOs are increasingly deploying solutions such as digital risk protection services (DRPS), external attack surface management (EASM) technologies, cyber asset attack surface management (CAASM), internal risk management (IRM), identity threat detection and response (ITDR), extended detection and response (XDR), along with wider adoption of security access service edge (SASE) and cloud native application protection platforms (CNAPP). Since assets, users and entities are now across on-premise, data centres and the cloud across the extended enterprise, decentralised risk and decision making, moving from compliance and security functions to security behaviour and culture programs (SBCPs), consolidation and convergence of cyber security solutions and of vendors along with cybersecurity mesh architecture (CSMA) help provide a proactive, uniform and integrated security framework and posture based on ZT.

NIST has specified tenets for robust ZT deployment, and organisations also need to fine-tune these principles and models aligning with their business, industry type, operations and security controls as well.

What about the human aspects?

Successful ZTA deployments need to be people and process centric as well. CHROs are working with CIOs and CISOs in having clear communication and collaborative culture, whilst reinforcing common sense, best practices, awareness, unintentional carelessness, feedback, escalation and reporting mechanisms.

With continuing remote/ gig working and digital supply chains, there needs to be continuous embedding of InfoSec practices including Zero Trust Architecture and considerations, along with the basic Dos and Don’ts of devices, surfing, installing, working, day to day common work practices, checklists, software updates and procedure to follow in case of any breach along with Support and escalation matrix

Manuals, policies, joining kits, hotline and support desk, training, communications, up-skilling, assessments, rewards and recognition programmes, contests and similar initiatives are fostering Self-learning, high levels of curiosity, engagement and adoption from the employees.

What is the path forward?

As per this research by Gartner in this post COVID-19 recovery phase, 75% of organisations will restructure risk and security governance and continue deploying zero trust and resilient cybersecurity frameworks and strategies. Moreover, with employees, contractors and customers spending at least one hour on the metaverse, the breadth and scale of vulnerabilities and threats to company networks will continue to escalate.

In the top cybersecurity and risk management trends for 2022 highlighted here, Gartner mentions the adoption of zero trust network access (ZTNA) and identity threat detection and response (ITDR) systems along with the zero trust cybersecurity mesh architecture. This EY article highlights that the ZTA model, should be considered all across the organisational IT footprint and roadmap, thus helping in standardising access control enforcement across all extended enterprise resources with business continuity, superior customer, employee and supply chain experiences and improved compliance.

A robust ZT deployment hence brings about immense future proofing, resilience while designing, monitoring, managing and enhancing integrated & uniform security posture and strategies across all people, processes, data and other assets whether they are in the network, in data centres or on the cloud. This is so critical in creating secure, resilient, compliant, agile and responsive organisations with acceptable risk appetite, innovation, customer centricity and maintaining organisational reputation.