Cybersecurity: Zero trust is your castle’s new moat

11 Oct 2023 | Attributed: John Karabin, Senior Director: Go-to-Market Security, NTT LTD

The fundamental idea of a zero-trust security framework is: never trust, always verify.

In the past, security followed the castle-and-moat model, where nothing outside the network could access data on the inside. When you were at the office – and therefore inside the network – you were inside the “castle”, and everything you did was trusted because of that.

Virtual private networks worked well enough to facilitate remote working when 10% or at most 20% of an organisation’s workforce worked from home and the rest were at the office – safe inside the castle.

But the COVID-19 lockdowns changed all that. As more people started working from remote locations, organisations needed a new way to connect them securely to the systems and data they needed.

For example, Universal Robina Corporation (URC) Vietnam is a leader in the food and beverage industry in Vietnam with a key focus on using the cloud to adapt quickly to their changing business needs.

This includes giving their distributed workforce across the country seamless and secure access to their data and applications, wherever they are, while following a cloud-first strategy that also incorporates on-premises infrastructure.

It’s no longer enough to be connected to the network

Now, simply being connected to the network no longer matters. Instead, every time you connect to anything, the security system will check who you are, what application or data you’re connecting to, when you’re connecting, where the data resides, why the data is being accessed (the context) and how the data is being accessed.

Zero trust security constantly checks who you are and what you’re trying to access. These are the two most prominent factors it takes into account.

In a recent report titled Cyber without Perimeters, Everest Group estimates that about 65% of clients opt for an identity-based zero trust implementation. The subject’s identity is the primary component of this approach, and factors such as device location, device status, user privileges and patterns of behaviour alter the policy engine’s overall confidence level.

For URC Vietnam, a zero-trust environment was ideal to give all their users secure access to their data and applications – but first they needed a partner with expertise in creating and managing a future-proof IT and security infrastructure, which can be a complex undertaking.

The architecture behind the acronyms

Vendors that provide zero trust security operate in an environment that is complicated by many different acronyms.

The overall zero trust layer is made up of policies and procedures – such as making sure not only that users have access to applications but that those applications are allowed to interact too. An attacker who gets into your network might get one application to speak to another if you have not implemented full zero trust.

Shifting the security barrier to the cloud

Many organisations’ legacy technology solutions allowed them to follow the VPN-based castle-and-moat approach. Users with a token on their phones would log in and access the entire network.

To make zero trust security work, organisations had to segment their network environments and break down the singular-trust approach into smaller zones of implicit trust. This meant employees in HR could use only HR applications, and similar limitations applied to people in other departments.
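The per-request checks described above (identity first, device and behaviour signals adjusting confidence, application-to-application allow-listing and department segmentation) can be sketched as a small policy decision function. This is an added example, not NTT's or any vendor's implementation; the segment names, signal weights and threshold are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed policy data for this example (hypothetical names throughout).
SEGMENTS = {"hr": {"hr-portal", "payroll"}, "finance": {"ledger"}}  # department -> apps
APP_TO_APP = {("hr-portal", "payroll")}  # (caller, callee) pairs allowed to interact
THRESHOLD = 70  # assumed minimum confidence (0-100) needed to grant access


@dataclass
class Request:
    subject: str               # authenticated user, or calling application
    department: Optional[str]  # None when the subject is an application
    target: str                # application being accessed
    mfa_passed: bool = False
    device_managed: bool = False
    device_patched: bool = False
    usual_location: bool = False
    usual_behaviour: bool = False


def confidence(r: Request) -> int:
    """Identity is the primary component; other signals raise the score."""
    if not r.mfa_passed:
        return 0  # no verified identity, nothing else counts
    score = 50
    score += 20 if r.device_managed else 0
    score += 15 if r.device_patched else 0
    score += 10 if r.usual_location else 0
    score += 5 if r.usual_behaviour else 0
    return score


def decide(r: Request) -> tuple:
    """Evaluate one request; network location is deliberately not an input."""
    if r.department is None:  # application-to-application call
        ok = (r.subject, r.target) in APP_TO_APP
        return (ok, "app pair allow-listed" if ok else "app pair not allow-listed")
    if r.target not in SEGMENTS.get(r.department, set()):
        return (False, "target outside subject's segment")
    score = confidence(r)
    if score < THRESHOLD:
        return (False, f"confidence {score} below threshold")
    return (True, f"confidence {score}")


if __name__ == "__main__":
    print(decide(Request("alice", "hr", "hr-portal", True, True, True, True)))
    print(decide(Request("alice", "hr", "ledger", True, True, True, True)))
    print(decide(Request("hr-portal", None, "ledger")))
```

Every request goes through `decide`, and anything not explicitly allowed is denied, so a valid login from an unmanaged device or a compromised application calling an unlisted peer is refused even though both are "inside" the network.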

A fundamental issue with zero trust in the beginning was the suggestion to segment the network by putting more and more firewalls inside a data center. However, the network itself often ran at far higher speeds than the internal firewalls, which caused delays – so no one bought the firewalls.

Now, we've moved large volumes of data from internal data centers to the cloud, where we have virtual firewalls connected to virtual networks with virtual data centers in a virtual computing space. In this environment, you’re limited only by the budget required to gain the speed and computing power you need.

Effectively, we’ve shifted the security barrier to a different area – but you still need to have technical controls in place.

Your management console must be the same version as, or a higher version than, the firewalls you’re trying to manage. There’s always a need for patches and updates. But if the management console is supported and run from the cloud, then you don’t need to keep updating it. You always have the latest version, so there’s much less need for change management.

Your old firewall just won’t do

Because we all want access to the internet, security teams have to follow the zero trust approach to make sure we don’t connect to anything malicious.

We also want to make sure that our business applications are secure. So, when it comes to sharing information between colleagues and with authorised third parties, like customers, we need a control layer to direct them only to what they are allowed to access.

In this environment, some security controls have now moved closer to the websites or applications they protect, or to the cloud itself.

This shift in location means that your traditional firewall is likely to be in the wrong place and too slow to keep up with the load.

Even so, you might believe your firewall is still serviceable. But imagine you have an old phone and can’t update the operating software anymore. When your Facebook app stops working as it’s no longer supported, suddenly your phone becomes far less useful.

In the world of security, if a firewall can’t be updated anymore, it can’t protect you against every new threat coming your way. Also, in highly regulated environments such as financial services, you may not even be allowed to have unsupported devices in your network because of corporate governance.

Sustainability is another consideration: a server you bought six years ago might be the same size as the one you’ll buy now, but the new one uses less power and is probably several times faster, so you need fewer servers altogether to achieve the same outcome.

Assessments without backup expertise are pointless

There are many complexities at play here. You may have bought your technology from multiple vendors, using different budgets linked to teams in your business that still work in silos. For example, the cloud team won’t necessarily inform the security team about changes in the cloud, and the security team’s efforts may then not extend to the virtual cloud network.

This is why organisations choose to work with an experienced third party to complete a cloud and cybersecurity assessment. Our approach at NTT is to identify key areas in your organisation to establish how secure you are now, where the pain points are, and what level of security you need – and, of course, how that aligns with your technology and cloud strategy.
