The global pandemic pushed companies to adjust to several ‘new normals’ and transformed businesses like never before. At the same time, as remote and hybrid workers start connecting to the corporate network from anywhere, it has posed new security challenges for organizations. This is why security vendors and business decision makers are betting big on zero trust and other integrated security approaches to increase cyber security efficacy. In a recent conversation with CXOToday, Kartik Shahani, Country Manager at Tenable India, discusses the cyber security landscape, the importance of zero trust and ways in which organizations can secure their remote and hybrid workplace strategies.
Why is zero-trust becoming more important than ever in the new digital era?
Factors such as digital transformation, the push to modernize legacy systems and large operational shifts to facilitate hybrid and remote work have made the need to implement zero trust principles more apparent. Users and endpoints, critical business-impacting data and applications that were once confined within the network perimeter now reside outside of those perimeters. Zero Trust assumes that untrusted actors already exist both inside and outside of your network and follows the mantra “Never trust, always verify”. It replaces the belief that everything behind the corporate firewall is safe and instead assumes that users, assets and applications are breached and should not be trusted regardless of where they are located, or what resources they have access to.
How can the security team make the C-suite see how zero trust helps the business?
Framing zero trust as a cyber security strategy for reducing business risk is a surefire way to get your executive leadership to take notice. When an attack occurs, the C-suite is interested in the scale of its impact on delivering its business objectives. Using business terms, CISOs need to address how a zero trust approach is best suited to adapt to the complexities of today’s business environment and how it can prevent costly data breaches. A cyber security leader who can articulate a practical plan to stop data breaches will get the time and attention of the board.
How should CISOs go about securing their shadow IT?
Security teams should embrace the fact that employees will continue to use unapproved services that allow them to perform their tasks more efficiently. Hence, CISOs should implement a security program that enables IT and the business to focus on the overarching goals and encourage innovation. Good security starts with great visibility. Security teams need to adopt a risk-based vulnerability management approach to identify weaknesses on the network and develop a more robust security policy, offering user education or implementing additional controls that lessen the probability of a cyber threat.
How is Active Directory at the center of enabling trust?
Most organizations grant user access and privileges based on the notion that some users are fundamentally more trustworthy than others. This could be based on their standing within the organization. With a zero trust approach, there would be systematic and continuous evaluation of users and their privileges regardless of their standing within the organization. Active Directory can be used to achieve zero trust security by enabling the evaluation of users’ rights.
How can cyber hygiene fundamentals make zero trust security possible?
Adopting a zero-trust model where no one is trusted and everything must be validated is built upon cyber best practices and sound cyber hygiene, such as vulnerability management, proactive patching and continuous monitoring. Identifying each and every user in the network provides full visibility into the attack surface including IT, OT and IoT. Once security teams know how data flows within the organization, identifying critical assets that need to be secured becomes easier. Limiting access to these assets reduces the attack pathways and allows ease in monitoring the attack surface, identifying end-point vulnerabilities and patching them regularly.
How feasible is it for smaller organizations to implement a zero trust architecture?
There’s a misconception that zero trust is only suitable for enterprises but that’s not the case. A zero trust approach to cyber security within smaller organizations will add a critical layer of protection for their applications and data deployed across multiple platforms and cloud services. SMEs can start by identifying which applications, devices and users exist and understanding critical data and processes that are more likely to be targeted during security breaches.
What is your advice to organizations that are going for zero-trust architecture?
A zero trust journey cannot begin without visibility. Organizations need to identify what workflows fulfill the core mission and objective and who owns these workflows. It is important to understand how data flows within the organization as it allows security teams visibility into who has access to high-value assets. By limiting access to these assets and performing regular audits on user permissions, organizations can gain full visibility into IT, IoT and OT assets. In a distributed environment, end-points must be free of vulnerabilities and mis-configuration must be mitigated in a way that they can defend themselves against attacks. This is basic cyber hygiene and no zero trust architecture can be constructed without a solid foundation.