A UAE-based corporate and retail bank became the first bank in the UAE and the Middle East region to open a virtual Metaverse location in Decentraland, a popular blockchain-based virtual world. What such moves by organizations foretell is the growing trend toward the adoption of a digital economy that embraces the use of technologies such as blockchain, virtual assets, artificial intelligence, mixed reality, and so on, both in a business environment and everyday consumer services.
As global enterprises become increasingly reliant on information and technology assets, they are also becoming vulnerable to constant and evolving cybersecurity threats.
Fortinet’s global 2022 State of Operational Technology and Cybersecurity Report reveals that industrial control environments continue to be targets for cybercriminals – with 93% of Operational Technology (OT) organizations experiencing an intrusion in the past year. The report uncovered widespread gaps in industrial security, including ill-designed Programmable Logic Controller (PLC) security, a lack of centralized visibility across OT activities and growing connectivity to OT. As such, OT security is a mounting concern for executive leaders, prompting the need for organizations to move toward full protection of their industrial control systems (ICS) and supervisory control and data acquisition (SCADA) systems. OT incorporates hardware and software that detects or initiates change through the direct monitoring and/or control of physical devices, processes and events in asset-centric enterprises, particularly in production and operations.
One of the best practices for OT security challenges is the establishment of Zero Trust Access (ZTA) to prevent possible breaches. With more industrial systems being connected to the network, ZTA solutions ensure that any user, device or application without proper credentials and permissions is denied access to critical assets. To advance OT security efforts, ZTA solutions can further defend against both internal and external threats. The ZT concept may be traced back most prominently in 2009, when Google implemented a Zero Trust architecture referred to as BeyondCorp. And in 2010, analyst John Kindervag of Forrester Research used the term to denote stricter cybersecurity programs and access control within corporations. Their most recent update on the revision reads thus: “Zero Trust is an information security model that denies access to applications and data by default. Threat prevention is achieved by only granting access to networks and workloads utilizing policy informed by continuous, contextual, risk-based verification across users and their associated devices.”
This simply means that Zero Trust is a security strategy that by default denies implicit trust to a user, device or application based on their property specs such as network location, identity, etc.
Zero Trust is not something that can simply be delivered by implementing a new piece of technology, nor is it a point product or service that can be bought. The validation of ZT warrants the below considerations:
Organizations are increasingly transitioning from perimeter security of networks using firewalls and thus stopping malicious actors at the access points. The sole reason for such a move is that network perimeters are no longer defined by the four walls of a company building. Employees are now working remotely, and the hybrid cloud is the preeminent platform for enterprises. It’s an increasingly complex task to define a perimeter.
Secondly, the concept of trust in the context of computer security is based on a human definition of “trust” and is therefore vulnerable to the inherent limitations, particularly in an environment where attack strategies are becoming increasingly sophisticated. Attackers are using social engineering to trick unsuspecting employees to gain access to corporate networks. Without a Zero Trust model, once the attacker is in the corporate network, they can move laterally to new systems with relative ease.
Zero Trust strategy has 3 core principles:
Firstly, the defining principle of ZTS is “never trust, always verify”. Hence every time a user, device or application tries to establish a connection, that attempt should be strictly authenticated and authorized, and not simply greenlighted because it is coming from inside the corporate network.
A second practice is that of “least privilege access” where users and applications are given the minimum amount of access they require to perform their job effectively and no more. Privilege access management is a hands-on method of implementing the least privilege concept for admin users of IT networks and applications.
Third, being ever mindful of the worst-case breach scenario will motivate IT teams to build robust and tested incident response plans so that when attacks occur, the initiation of response is rapid and well-rehearsed. This principle encourages organizations to shrink the target and impact zone of an attack through networking principles such as micro-segmentation, etc.
In general, organizations need to understand Zero Trust is not an end-to-end solution, but rather a logical approach to looking at variant parameters of network security. It will likely require significant upgrades or policy and application changes across the infrastructure. The many categories and use case scenarios should motivate organizations to prioritize why and how a ZT should be deployed in their cases.
Dealing with the dynamics
The ever-changing threat landscape of our hyper-connected world will require network service providers to recognize the varied and unique requirements of clients in the deployment of ZTS. Experts have suggested four primary actionable goals be incorporated into the ZT format; 1) reduce the risk of insider threat; 2) secure the remote workforce; 3) preserve customer privacy; and 4) protect the hybrid cloud ecosystem. Despite advancements in network security practices, there is no 100% guarantee that modern network systems will not get attacked or breached. However, preparing for the worst will go a long way in mitigating the risk of potential data and digital asset losses.
The adoption of robust Enterprise mobility management (EMM) – a set of technology, processes and policies to secure and manage the use of corporate- and employee-owned mobile devices within an organization – can be a good place to start.
Also read: SASE: Future of network security
