Future Proofing Organizations with Zero-trust Approach
by Mechelle Buys Du Plessis, Managing Director – UAE, Dimension Data
2018 will see a vast change in internal security procedures moving towards what is called a zero-trust security model. IT departments of organizations are spending millions of dollars while witnessing successful breach of their defences. Increasingly, the consensus appears to be that the IT industry with its sets of sophisticated best practices, compliance and guidance directives, is in some way today, losing the game to smarter and innovative groups of dispersed threats actors.
This is driving 2018 to be the comeback year of the zero-trust security approach. IT departments will do a reset of all end-user access registers, and assume that any end-user cannot be trusted till they explicitly establish their identity before any requested access. This is the zero-base sum-game, where end-users will see themselves restarting their data access requests from a base-zero position and any previous credentials will need to be explicitly re-established.
The zero-trust security approach does not reject the flexibility of personal choice of devices awarded to end-users though the BYOD policy. Almost ten years ago, the zero-trust security approach would have meant a strict ‘corporate device only’ usage policy. A lot has happened since then and end-users can now select their secondary device of choice.
But it does mean that whichever device is being used, verification of access to data by the device will be much more rigorous, though multiple layers of security credentials. Vigorous authentication of end-users and their devices and their entitlement to access corporate data, will soon become the norm in the year ahead.
However, there is a critical rider in all this. Implementation of the zero-trust security approach will fail unless IT departments revisit and review their cybersecurity policies end-to-end as well. This will be taking into consideration, large scale adoption of hybrid cloud and access into multi-cloud applications by end-users. Such a ground-up review of cybersecurity policies will help realign existing gaps between on-premises and in-cloud access, amongst others.
It will rigorously apply micro-segmentation for growing multi-cloud access that is responsible for driving digital transformation and development of innovative and new business processes by decision makers, leading to net new revenue. The result – a new generation of cybersecurity policies that have been revamped and made future-ready for an organizations digital journey and digital transformation.
A valid counter argument often cited to such a wide scale and profound, zero-trust approach in the past, were the delays in user access and reductions of user productivity due to system and network infrastructure latencies and non-responsiveness. However, with cloud hosted security and identity authentication solutions, compute latency is a non-issue, while network latency is now better controlled through service level agreements with providers.
Once a zero-trust security policy has been developed and pursued, the organization is now better equipped to move to the next levels of enablement and implementation. Two opportunities abound for such cybersecurity future-ready organizations. These include working with managed security service providers and the adoption of block chain technologies.
A well-reviewed, ground-up, pan-organization wide, cybersecurity policy, enables an organization to engage extensively with best-of-breed external managed security services providers. This approach of working with best-of-breed partners, will help organizations to enhance and reinforce their cybersecurity profiles in areas they consider as required and necessary, rather than pursuing an adhoc, vague and diffuse, pellet-gun approach.
A well-reviewed and prepared cybersecurity policy can also be enhanced by the usage of blockchain technologies. Blockchain technology builds a ledger of identified transactions that cannot be altered and is accessible and visible across an open platform of a network of systems. Using an organizations blockchain solution to keep a record of user authentication and access requests is a huge leap into path breaking standards of compliance and audits. No longer can log data go missing or be compromised by accidental or intentional efforts of cover ups.
Blockchain technology and usage of an external managed security service provider, marries the best of both internal and external best practices, and hugely elevates an organizations cybersecurity profile and preparedness. Both are essential components in the successful closure of an organization’s zero-trust security approach exercise.