Plagued with shortages in skilled staff, budget and resources, organizations across Asia Pacific are struggling to fully commit to the ‘zero trust’ plunge.
Organizations are now exposed to cyberthreat actors due to the widened attack surface brought on by cloud-based services. According to Forrester, 68% of enterprises in Asia Pacific suffered at least one security breach in 2021.
In Asia Pacific, 39% of organizations have adopted a ‘zero trust’ model within the last 12 months as part of ongoing efforts to strengthen their cyber-defense capabilities. Yet, in practice, many security teams are still trying to weave an array of products from multiple vendors into tightly integrated platforms that span remote sites, corporate facilities, and multi-cloud deployments.
That approach is ill-suited to today’s highly distributed networks. While the zero-trust model is the way forward in today’s cybersecurity landscape, there are still many misconceptions about how an approach that spans the entire organization actually works.
CybersecAsia interviewed Adrian Hia, Senior Regional Vice President, ASEAN & GCR, Zscaler, to clarify zero trust for organizations in Asia Pacific.
What are some misconceptions about zero trust?
Adrian Hia (AH): The zero trust security model is not new. The concept has roots dating as far back as 1994 and was applied to cybersecurity in 2010; it is centered around the belief that no user or application should be inherently trusted, even those already inside the network perimeter.
Over the years, zero trust has already been embraced by large companies such as Google to combat the growing threat of cyber-attacks. However, there are still roadblocks and misconceptions around zero trust that are impeding its mainstream adoption.
- Myth 1: Zero trust is a product
Zero trust is a strategic approach to cybersecurity that eliminates implicit trust and validates continuously at every stage of a digital interaction. It is not a product, but rather, a philosophy — a collection of security principles that are implemented within a zero trust network architecture. It is a bottom-up approach that organises data, data classification, authorisation, and the mapping of key assets on the network. Only by ensuring that all systems, even non-security ones, are aligned with its core goal can organisations fully benefit from the zero trust implementation.
- Myth 2: Zero trust is only for large organisations
Zero trust is often labeled as an expensive and hard-to-implement model suitable only for large organizations, often as a result of large enterprises implementing the zero trust model (for example, Microsoft bringing zero trust to Windows 11). But in reality, small businesses are the ones most in need of it. 43% of all cyber-attacks in 2019 targeted small businesses, and 61% of small-medium enterprises experienced a cyberattack in the last year. Not only that, 60% of small businesses fold within 6 months of a cyberattack. Zero trust must be a consideration for smaller organisations because they are exposed to the same cyber threats but lack sufficient resources to recover as compared to larger players.
- Myth 3: You don’t trust your own employees
When a company implements zero trust, employees often misinterpret the transition as a move to make IT systems more trustworthy, resulting from a lack of trust in employees. On the contrary, the zero trust model does not make IT systems trustworthy. In fact, it eliminates the concept of trust from them. It is trust that is frequently exploited in data breaches — and therefore, only by distrusting IT systems can the goal of preventing data breaches be attainable.
What are the benefits of implementing a zero-trust model for cybersecurity?
AH: Before we can understand the advantages of a zero-trust security model, it’s important to understand the pitfalls of other remote access technologies — particularly virtual private networks (VPNs).
Many businesses have responded to the growing complexities of network security by deploying VPNs as their solution of choice. At first glance, VPNs may seem like a worthy answer to the increasingly critical need to gain secure remote access for all users and endpoints at your company. They allow you to funnel access through a private connection over an unsecured network, thus encrypting the user’s online activity.
However, VPNs are simply insufficient for the needs of a modern enterprise. According to Zscaler’s latest VPN Risk Report, we have seen an increase in VPN attacks due to the sharp spike in the popularity of VPN-targeted attacks among cybercriminals. In fact, 97% of companies know that their VPNs are vulnerable to cyber-attacks and exploits yet still leverage this technology while aware of the risk.
In contrast to VPNs, the key benefit of implementing a zero-trust model is reduced business and organisational risk. Zero trust stops all applications and services from communicating until they are verified by their identity attributes, such as authentication and authorisation requirements. By revealing all assets on the network and how they interact and communicate with one another, the zero-trust strategy eliminates overprovisioned software and services and inhibits an attacker’s ability to move laterally within the network.
It grants organizations access control over cloud and container environments. There is no denying that access management and loss of visibility are security practitioners’ greatest fears when considering a move to the cloud. In fact, 36% of organizations cite the loss of control as a major barrier to cloud adoption.
With a zero-trust security architecture, security policies are applied based on the identity of communicating workloads and tied directly to the workloads themselves. This keeps security as close as possible to the assets that need protection, unaffected by network constructs like IP addresses, ports, and protocols. Protection travels with the workload and remains constant even as the environment changes.
By shielding all user and workload connections from the internet, zero trust also prevents assets from being exposed or exploited. It is this invisibility that makes it easier for organisations to demonstrate compliance with privacy standards and regulations (e.g., PCI DSS, NIST 800-207), and results in fewer findings during audits.
What are some key challenges organizations in Asia Pacific face when adopting a zero-trust strategy?
AH: 49% of APAC organizations have a zero trust strategy in place today. And while the trajectory for adoption is an upward one, we need to overcome three key challenges to make zero trust a global standard.
- Lack of applicable information on zero trust. Zero trust has picked up a lot of steam in the last two years to become a buzzword, and CISOs were bombarded by different cybersecurity vendors offering them zero trust solutions. However, the lack of applicable information has resulted in the inability of organisations to implement zero trust. Forrester revealed that most organisations in the APAC region have cited shortages in budget, skilled staff and resources as a deterrent in investing in zero trust. That said, 80% of organizations are shifting towards zero-trust adoption. The move to continued education about zero trust will therefore be integral to the wider adoption of zero trust.
- Shortage of skills. The lack of skills to execute zero trust strategy poses the biggest risk to an organisation’s cyber defence. In fact, 44% of APAC organisations cite talent and skill shortage to be the greatest challenge in adopting a zero trust security infrastructure. This is further exacerbated by the fact that IT teams tend to operate in silos, reducing opportunities for knowledge and skills sharing within the organisation. Executive leadership needs to drive a culture of skill development within the organisation — and to bring siloed teams (e.g., networking, security, strategy, architecture) together to collectively upskill their organisation.
- Choosing the right technology partner. The lack of staff and skills in cybersecurity as well as the knowledge needed to implement zero trust lead many organisations, especially SMEs, to offload these tasks to solution providers. The biggest priorities for organisations to embrace zero trust include increased productivity, simplified IT, reduced costs, and an increase in business agility — factors that the right technology partner must fulfil. Furthermore, in the era of cloud adoption, a solution provider’s ability to navigate and overcome cyber security pain points in the cloud will also be key to an organisation’s consideration.
How different is Security Service Edge from Secure Access Service Edge?
AH: In the Secure Access Service Edge (SASE) framework, network and security services are consumed through a unified, cloud-delivered approach.
The networking and security aspects of SASE solutions focus on improving the user-to-app experience while reducing costs and complexity. Security Service Edge (SSE) is a subset of SASE that consolidates network security services delivered from a unified cloud platform, and focuses on unifying all security services, including secure web gateway (SWG), cloud access security broker (CASB), and zero trust network access (ZTNA).
How can organizations leverage Security Service Edge to strengthen their cyber-defense capabilities?
AH: Delivered from a unified cloud-centric platform, SSE enables organisations to break free from the challenges of traditional network security. It strengthens an organisation’s cyber-defence capabilities through four primary advantages:
- Better risk reduction
SSE enables unified cybersecurity services to be delivered from a cloud platform that can follow user-to-app connections anywhere, instead of being tied to a network. This eliminates the gaps often seen between point products, reducing risk. SSE also improves visibility across users and data in any location, regardless of the channels accessed. Additionally, SSE automatically enforces security updates across the cloud without the lag time of manual IT administration.
- Zero-trust access
SSE platforms (along with SASE) should grant least-privileged access anchored in zero trust policy—with authentication based on user, device, application, and content. Securely connecting users and apps over the internet, never your network, ensures a more secure remote experience. Meanwhile, threats can’t move laterally, and apps aren’t exposed to the internet, so they can’t be discovered, reducing your attack surface and risk alike.
- Enhanced user experience
An effective SSE architecture must be distributed across a global footprint of data centers, rather than hosted in IaaS, and purpose-built for inspection in every single one. Performing decryption and inspection—including TLS/SSL inspection—closer to end users improves performance and reduces latency. Combined with peering across the platform, this gives mobile users the best experience, avoiding VPNs and offering fast, seamless access to cloud apps.
- Consolidation advantages
A unified, cloud-delivered platform reduces costs and complexity. SSE can deliver many key services —secure web gateway (SWG), cloud access security broker (CASB), zero trust network access (ZTNA), cloud firewall (FWaaS), cloud sandbox, cloud data loss prevention (DLP), cloud security posture management (CSPM), and cloud browser isolation (CBI) — which can all be activated later if you don’t need them at first. Ultimately, this brings together all protection under one policy, ensuring that all channels your users and data traverse offer the same protection.
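Two passages in the interview describe the same mechanism: the zero-trust benefits answer (policy tied to the identity of users and workloads, not to IP addresses, ports or protocols) and the SSE "zero-trust access" point (least-privileged access decided per request from user, device, application and content). The decision logic below is an added example written for this article; it is not Zscaler code and not code from the original page. The policy table, the attribute names on the request, and the sample requests are all hypothetical, and a real deployment would take the identity claims from a verified IdP token and the device posture from an endpoint agent rather than from fields filled in by hand.

```python
"""Deny-by-default access decision keyed on identity and device posture.

Added example for this article, not Zscaler code. POLICY, the Request fields
and the sample requests are hypothetical (constructed) data.
"""
from dataclasses import dataclass
from typing import FrozenSet, Optional, Tuple


@dataclass(frozen=True)
class Request:
    app: str                    # application the caller wants to reach
    user: Optional[str]         # subject from a *verified* identity token, or None
    groups: FrozenSet[str]      # group claims carried in that token
    mfa: bool                   # token states MFA was completed for this session
    token_valid: bool           # signature and expiry already checked upstream
    device_compliant: bool      # endpoint posture (disk encrypted, patched, ...)
    src_ip: str                 # kept only for logging; never used in the decision


# Per-application policy (hypothetical). Note what is absent: no IP ranges,
# no "inside the office" bypass, no network-level allow once connected.
POLICY = {
    "payroll": {"groups": {"finance"}, "mfa": True,  "compliant_device": True},
    "wiki":    {"groups": {"staff"},   "mfa": False, "compliant_device": True},
}


def decide(req: Request) -> Tuple[bool, str]:
    """Evaluate one request against POLICY.

    Every check must pass for an allow; an unknown app or any missing proof
    denies. The decision is made per request, so it is re-evaluated even for
    a caller that was allowed a moment ago (continuous validation).
    """
    rule = POLICY.get(req.app)
    if rule is None:
        return False, "unknown application"            # default deny
    if not req.token_valid or req.user is None:
        return False, "no verified identity"           # location alone grants nothing
    if not req.groups & rule["groups"]:
        return False, "identity not entitled to app"   # least privilege per app
    if rule["mfa"] and not req.mfa:
        return False, "MFA required"
    if rule["compliant_device"] and not req.device_compliant:
        return False, "device posture failed"
    return True, "allow"


# Constructed sample requests covering the cases the article contrasts.
INSIDE_NO_IDENTITY = Request("payroll", None, frozenset(), False, False, True, "10.0.0.5")
REMOTE_VERIFIED = Request("payroll", "alice", frozenset({"finance", "staff"}), True, True, True, "203.0.113.7")
REMOTE_WRONG_GROUP = Request("payroll", "bob", frozenset({"staff"}), True, True, True, "203.0.113.8")
REMOTE_NO_MFA = Request("payroll", "alice", frozenset({"finance"}), False, True, True, "203.0.113.7")
REMOTE_BAD_POSTURE = Request("wiki", "alice", frozenset({"staff"}), True, True, False, "203.0.113.7")

if __name__ == "__main__":
    for r in (INSIDE_NO_IDENTITY, REMOTE_VERIFIED, REMOTE_WRONG_GROUP, REMOTE_NO_MFA, REMOTE_BAD_POSTURE):
        allowed, why = decide(r)
        print(f"{r.src_ip:>13} -> {r.app:<8} {'ALLOW' if allowed else 'DENY':<5} ({why})")
```

The point to take from the sample runs is the first line: a request arriving from the RFC 1918 address 10.0.0.5, which a perimeter firewall or VPN concentrator would treat as "inside" and pass through, is denied because it carries no verified identity, while the request from a public address is allowed because its identity, entitlement, MFA and device posture all check out. Adding a new application means adding one POLICY entry, not opening a port or a subnet.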