High-speed wireless connections and devices are redefining the digital landscape, and the zero-trust cybersecurity paradigm must keep up.
The promise of 5G conjures images of smart cities and flying cars, and the reality is happening sooner than most people think. The US and UK are already offering it in select cities, while South Korea is expected to reach nationwide 5G coverage in two to three years.
The widespread deployment of 5G networks will accelerate the development of industrial IoT and Industry 4.0. Along with the benefits, it will also make security more complex, as more devices and users connect to the network.
Ubiquitous mobility, IoT and cloud access extend the network beyond the corporate boundary and are certain to cause network security concerns. The 2019 Annual Cybercrime Report from Cybersecurity Ventures predicts that cybercrime will cost the world US$6 trillion annually by 2021, up from US$3 trillion in 2015.
With new cyberthreats and data leakage in the headlines on a regular basis, enterprises need to adopt a zero-trust model that assumes that nothing inside or outside of the enterprise perimeters should be trusted.
The network must verify anyone and anything trying to connect to its systems before granting access. Connectivity is only granted after identity is authenticated, the security posture of the connected device is verified, and the user or thing is authorized to access the desired application, service or information.
Increased security spending is good but…
According to Mr Sudhakar Ramakrishna, CEO of security consultants, Pulse Secure, “Cybersecurity spend has been increasing generally, projected to grow by double-digits. A premium is being placed on cybersecurity, in that sense. But it could be more effective, because it’s being approached by most enterprises in a siloed manner. So, what that does is actually increase its cost at one level, but it doesn’t necessarily mean greater security.”
Sudhakar is referring to the reality that cybersecurity spend has been based on fear, like insurance. This mindset can lead to poor investment choices and even impair productivity. Instead, enterprises can adopt a motivation mindset that integrates risk management and compliance rather than siloing them. This would underline security without compromising worker productivity.
“I would say (go for) more progressive ways of thinking about security and access as opposed to trying to lock everything down because locking everything down will kill productivity and not necessarily improve security.”
Sudhakar was alluding to the trend that enterprises are still stuck in the old zero-trust paradigm of not trusting access from outside the system and trusting internal access. However, with the widespread need to access the network via smart devices, cloud services and IoT/5G, the attack surfaces presented will become too large to control.
“Take a simple example: if you are at home with a laptop and the laptop gets infected and then you log on and connect it to the (corporate) network, then technically you could be infecting everything from inside the network,” Mr Sudhakar explained.
Widening the perimeters of zero-trust
In essence, digital transformation trends mean that the enterprise’s network perimeters are now constantly changing and moving. Corporate resources are now being deployed in multiple clouds, data centers and so on. In effect, using the traditional definition of zero trust to define and guard perimeters or boundaries will become a challenge.
Sudhakar proposes a new perspective of the zero-trust paradigm: one that leverages cloud and virtualization technologies and integrates authentication and authorization directly into the architecture, so as to simplify end-user web application access, enable more dynamic access provisioning, and ensure granular access control based on “zero trust”. This is what he calls the Software-defined Perimeter (SDP).
SDP is designed to securely connect various internal or external user types and their devices with cloud infrastructure and applications. To ensure security, rigorous authentication and authorization are built into the architecture before and during a connection – and each connection is one-to-one and secured on-demand.
By securely exposing access to resources to authorized users and devices, the SDP access model renders other applications and resources invisible or “dark”, thereby reducing the attack surface dramatically.
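The access model described above can be sketched as a default-deny policy check. This is an added example, not Pulse Secure's product code; the resource names, groups, posture attributes and function names are all hypothetical. It shows the three checks (identity, device posture, authorization) applied per resource, the "dark" view of everything else, and re-evaluation during a connection.

```python
from dataclasses import dataclass, field

# Constructed policy: resource -> (group required, posture attributes required).
POLICY = {
    "payroll-app": ("finance", {"disk_encrypted", "edr_running", "os_patched"}),
    "wiki":        ("staff",   {"os_patched"}),
    "plc-gateway": ("ot-eng",  {"disk_encrypted", "edr_running", "os_patched"}),
}

@dataclass
class Session:
    user: str
    authenticated: bool      # identity check (for example MFA) succeeded
    groups: frozenset        # group memberships used for authorization
    posture: set             # attributes the device currently attests to
    connections: set = field(default_factory=set)

def authorize(s: Session, resource: str) -> bool:
    """Default deny: identity, posture and authorization must all pass."""
    rule = POLICY.get(resource)
    if rule is None or not s.authenticated:
        return False
    group, required_posture = rule
    return group in s.groups and required_posture <= s.posture

def visible_resources(s: Session) -> set:
    """Resources this session can see at all; the rest stay 'dark'."""
    return {r for r in POLICY if authorize(s, r)}

def connect(s: Session, resource: str) -> bool:
    """Open a one-to-one connection to a single resource, if allowed."""
    if authorize(s, resource):
        s.connections.add(resource)
        return True
    return False

def recheck(s: Session) -> set:
    """Run during the session: drop connections that no longer pass."""
    dropped = {r for r in s.connections if not authorize(s, r)}
    s.connections -= dropped
    return dropped
```

A session with valid credentials but a device that attests to nothing, such as the infected home laptop in the example above, gets an empty set from `visible_resources`.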
To embark on SDP, enterprises need to educate and instill awareness: “Explain to customers and partners the relevance of zero trust and why they need to start protecting against challenges that might be caused because they don’t understand zero-trust,” said Sudhakar.
He walks the talk by delivering cost-effective solutions that are simple to deploy, because “if delivered solutions require fundamental change of behavior by customers, you will face resistance. So our approach is very much one of evolution and taking customers from the models that they have today, to the zero-trust model without significant and fundamental change in infrastructure.”