Interviews

Zero Trust Will Become Even More Widely Adopted

Debanjali Ghosh, the Technical Evangelist at ManageEngine, says companies are adopting various technologies to improve their security posture and reduce the risk of a breach

How has the Zero Trust Network Architecture evolved since it was first coined in 2010?
Initially introduced as the concept of de-perimeterisation by Jericho Forum in 2003, it has since evolved into the current Zero Trust model, a term coined by Forrester analyst John Kindervag. Today’s Zero Trust Network Access (ZTNA) is a comprehensive approach to network security that goes beyond access control to incorporate advanced threat detection and response capabilities such as behavioral analytics, machine learning, and artificial intelligence.

The increasing adoption of cloud-based ZTNA solutions has provided organizations with greater scalability, flexibility, and cost-effectiveness compared to traditional on-premise solutions, allowing them to extend their security perimeter to cover all their devices, applications, and services. The continuous improvement of Zero Trust has evolved beyond micro-segmentation and software-defined perimeter into adaptive identity-based security solutions.

Do you believe that technologies that support zero trust are moving into the mainstream?
The Zero Trust security model, which relies on several key technologies including MFA and IAM, is becoming increasingly mainstream. As organizations recognize the need for stronger security measures to protect their data and systems, many. In addition, many vendors are now offering Zero Trust solutions and integrating Zero Trust principles into their products. As the threat landscape continues to evolve, it is likely that Zero Trust will become even more widely adopted in the coming years.

Do you believe that enterprise IT departments today require a new way of thinking because the castle itself no longer exists in isolation as it once did?
The traditional idea of an enclosed network within a building is no longer applicable due to recent trends such as cloud computing, IoT, BYOD, and hybrid work. These trends have brought new threats, making traditional security perimeters inadequate for comprehensive network security. With hybrid work, security professionals need to change their approach towards perimeter-based security models, where everyone within the corporate perimeter is trusted by default.

Zero Trust emerges as a solution to this problem. The Zero Trust security model considers all resources as untrusted and requires strict authentication for access. In this model, trust is based on fine-grained access control and contextual authentication, ensuring that all inbound traffic and systems are authenticated before access is granted.

How can companies get started with zero trust?
The enterprise should decide on the migration strategy depending on its current cybersecurity posture. Most organizations do not realize that they already have elements of Zero Trust in their security infrastructure. The enterprise needs to have complete information about its resources and infrastructure to align with the tenets of Zero Trust. The enterprise has to identify the workflows and then map their transaction flows.

One of the foundational elements of zero trust is identity and access controls. Companies can start by implementing multi-factor authentication, role-based access controls, and continuous authentication to ensure that only authorized users have access to critical data and assets. The Zero Trust journey begins by adhering to the principles, building the infrastructure, and putting in place the components required for the enterprise’s secure operation.

Industry experts have warned that cyber-attacks will be focused on techniques that zero trust controls can’t mitigate. What according to you can be done to address this?
Zero trust controls provide a robust foundation for network security, but a comprehensive and adaptive approach is required for complete protection against all cyber threats. To enhance security, organizations must adopt a multi-layered approach that includes advanced threat detection and response capabilities such as behavioral analytics, machine learning, and artificial intelligence. Regular testing and evaluation of security controls are necessary to ensure they function correctly.

What, according to you, are the limitations of zero trust?
The Zero Trust security model can help reduce the risk of cyberattacks, but the complete elimination of risk is not realistic. There are challenges to implementing Zero Trust, such as policy gaps created by legacy solutions. Proper training of cybersecurity professionals is necessary to configure and monitor the policy engines. Denial-of-Service attacks can disrupt enterprise operations by blocking traffic to policy enforcement points.

Attackers target metadata stored by security analytic solutions to gain insights into the enterprise architecture. Zero Trust architecture relies on artificial intelligence and software-based agents, but authentication of these components is an issue. Attackers can launch botnet attacks by gaining access to software agent credentials.

Zero Trust is Not a One-Time Project

Deepa Kuppuswamy, the Director of Security at Zoho, says the technologies supporting Zero Trust are very much in mainstream adoption

How has the Zero Trust Network Architecture evolved since it was first coined in 2010?
In the cybersecurity domain, Zero Trust is no longer a buzzword; it is a decade-old concept that has been evolving for a while. It started as a concept introduced in 2010 in Forrester research; by 2014 we had Google’s BeyondCorp initiative, which reimagined the security architecture and was one of the earliest enterprise deployments of Zero Trust. In 2019 we saw the expansion of Zero Trust to SASE and ZTNA.

The pandemic period was when Zero Trust gained major traction, fueled by fast-paced digital transformation, the shift to cloud, and remote work. We also saw the evolution of standards and regulations related to Zero Trust: NIST published SP 800-207 as a unified framework for establishing Zero Trust architecture, and last year we had the US government executive order mandating the adoption of Zero Trust principles for federal agencies.

Do you believe that technologies that support zero trust are moving into the mainstream?
The basic building blocks for implementing Zero Trust revolve around user identity management and device trust and identity. The technology solutions in these domains like SSO, MFA, Cloud-based directory services, PAM, Unified endpoint management, MDM, EDR, and XDR are already well mature and are an existing part of the security stack of many organizations.

The other crucial component of the Zero Trust Network Access (ZTNA) is the policy decision engine and policy enforcement engine. We have many existing security vendors extending their existing stack to provide agent-based or gateway-based ZTNA architecture solutions. The technologies supporting Zero Trust are very much in mainstream adoption.

Do you believe that enterprise IT departments today require a new way of thinking because the castle itself no longer exists in isolation as it once did?
Today’s digital-first enterprises are no longer operating within the confines of a traditional network perimeter. Apps are everywhere and users are everywhere. With more than 80% of organisations adopting a cloud strategy, the business apps are hosted outside the organization network boundary.

The hybrid model of work is here to stay, and employees want seamless access to the business apps without any difference in experience based on the location from which they connect. BYOD is becoming a norm, with business data being accessed from personal devices that have lower security postures.

The traditional method of using network location, ownership, and control of physical assets as parameters for implicit trust is a flawed security paradigm. “Never Trust, Always Verify” should be the philosophy the IT department should internalise, implement and practice. Traditional tools like VPN are not designed to support remote access of this scale and do not offer flexible options for adaptive access control. It is imperative that the IT and Security departments work together to reinvent the security architecture in line with the current evolving business models.

How can companies get started with zero trust?
Moving from theory to practice has been challenging with Zero trust. To many organizations, zero-trust implementation is seen as a huge, expensive, and complex project. As it touches everything from user to device to network it involves various stakeholders within the organization. What works out practically is to start small, start from where you are, and start with what you have as the current technology stack.

To initiate zero-trust implementation, organizations can start by defining a strategy and baseline prior to embarking on a wider zero-trust technology implementation. There should be an overall phased approach – Assess, focus on the top critical use cases, break into smaller achievable milestones, implement, and optimize over time.

We followed what we call the “Crawl, Walk, and Run” approach in our organization. The initial crawl phase involved strengthening the identity and device pillar, focusing on the below activities:

a. Implement SSO
b. Enforce MFA
c. Enrol corporate devices in UEM and MDM
d. Conditional access based on device certificates

This served as a good starting point and helped us to show the value early on to the users and the various stakeholders.

Industry experts have warned that cyber-attacks will be focused on techniques that zero trust controls can’t mitigate. What according to you can be done to address this?
Zero Trust is not a single silver-bullet solution to all your security risks. There are other areas outside the scope of Zero Trust, like API security, hardware and software vulnerabilities, insider threats, and supply chain attacks. A multi-layered approach and defence-in-depth controls are very much needed besides implementing Zero Trust. Security awareness training, incident response planning, regular monitoring and patching of systems and applications, comprehensive SOC capabilities, and threat intelligence are required to tackle the current cybersecurity challenges faced by organizations.

What according to you are the limitations of zero trust?
Zero Trust as a cybersecurity paradigm is a great evolution, but where we see limitations is in the practical implementation and deployment. With any new security model, we experience challenges as the scope is expanded and we try to increase the granularity of controls. Zero Trust is not immune to this.

Zero Trust is not a one-time project; it is a continuous journey toward better security. It is also not a one-size-fits-all approach. Not every organization can follow the exact BeyondCorp approach; the strategy and roadmap need to be evolved according to the business need. Organizations should build a solid strategy and plan and invest in resources and people to succeed with Zero Trust.

“Don’t Be Afraid to Speak Up”

Julie Davila, the Vice President of Global Field CTO Operations at Sophos, says that to start a career in cybersecurity, review the different aspects of the field to get an overview

“Gain Practical Experience and Learn the Fundamentals”

Subhalakshmi Ganapathy, the Product Evangelist for IT Security at ManageEngine, says there is no substitute for hard work and talent, and the results definitely prove it  

Can you share a little bit about what it is that you do and what a typical day for you is like?
I joined ManageEngine, the enterprise IT management division of Zoho Corporation, in 2013. Being a computer science engineer, I was intrigued by the technicalities of this domain. Having initially focused on log management, I extended my interest and delved deep into the SIEM and CASB fields of cybersecurity. Today, I manage the research and product marketing team for ManageEngine’s SIEM solution.

What obstacles did you have to overcome?
In the early days of my career, when I used to represent the company at trade shows or industry events, I sensed that those who came to our booth or attended a presentation either took me lightly or had some reservations regarding my technical knowledge. At the very least, they were surprised to hear me talk about cybersecurity. Now, we see a lot of women in cybersecurity, specifically in leadership roles. There is no substitute for hard work and talent, and the results definitely prove it.

What advice would you give to women considering a career in the industry you represent?
I believe that cybersecurity is a field that challenges you constantly. It is rapidly evolving and requires continuous learning and adaptation to stay ahead of new threats, techniques, and technologies. My advice for aspirants would be to gain practical experience and learn the fundamentals thoroughly while in their initial job and keep up with the latest industry developments through networking and professional development opportunities. It’s also important to have a passion for the field as well as strong analytical and problem-solving skills.

Why do you love your job? 
I love the dynamic nature of the job and the limitless learning opportunities it provides. I get to learn something new every day. I’ve received my bachelor’s in computer science engineering and it fascinates me to read about the intricacies of different attack techniques and how adversaries manipulate and exploit vulnerabilities. The best part is, I get to translate this knowledge into a workable security strategy that guides enterprises to step up their defenses and build a proactive and secure environment.

Copyright © 2021 Security Review Magazine. Rysha Media LLC. All Rights Reserved.